Managing information procedure
Use this procedure to make sure you are handling personal data lawfully
Personal data is used everywhere
As Girlguiding volunteers or staff you use personal information or data all the time - we all do. It’s important to know how to manage personal information safely, and legally.
The managing information procedure shows you how to do this. You must follow this so you can be sure that all the information held by Girlguiding is protected, and that you are following data protection legislation.
Who is responsible for carrying out this procedure?
Any Girlguiding volunteer or staff member aged 18 or over. If you are supervising a volunteer who is under 18 you are responsible for making sure they know to report breaches to you.
Why must I use this procedure?
When you handle personal data, you must do so lawfully. By using this procedure, you will make sure you are following both the Girlguiding managing information policy and UK legislation.
Breach of the data protection legislation: If you don’t follow this procedure, your actions may make you personally liable for any data loss, disclosure or breach. Not following procedure is a breach of the managing information policy, the Girlguiding Code of Conduct, and data protection legislation.
What is personal data?
Personal data (or personal information) is information that allows you to identify an individual. Personal data includes information about an identifiable individual. Examples are: name, address, date of birth, email address, social media handle, photos and videos. Personal data also includes things like a person’s religion, beliefs, health issues and gender identity. For more on types of personal data go to the ICO website.
How to handle data
Explore the sections below to find out what you need to do when handling data in different ways.
When you collect personal information about an individual you normally use one of these ways:
- You receive it in a Girlguiding data collection form
- You take information over the phone or by email.
- You take photographs or video.
How do I use a Girlguiding data collection form?
Our data collection forms (e.g. a starting form, consent from, a health form or a REN form) are all designed to comply with UK legislation.
- You must always use the current version of the form provided by Girlguiding.
- Do not make up your own local version as this is against Girlguiding policy.
- Each form to be used for a specific purpose. They only collect the personal information necessary for a purpose.
You must keep all forms safe for the duration of the activity they have been completed for. If you take forms from one place to another keep them in a secure bag, with a zip or lock. When the forms are taken to location like an activity centre, keep them with a nominated person and in a secure place.
The most common data collection forms in use are the unit starter form, the activity/event consent form and the health form. You can find specific guidance for using each of these forms in our forms and resources section.
Different forms must be kept for different amounts of time.
How do I collect personal data by phone or in person?
Sometimes you need to collect personal information in person or by phone. Data protection legislation still applies when we collect personal information face-to-face or when speaking on the phone. When speaking to someone on the phone, you must explain who you are and why you are collecting the personal information.
Whenever you collect personal information on a form that needs to be uploaded on GO, keep it safe until to upload it onto GO.
- Remember, be precise. Only ask for what you need and record it. Make clear and concise notes.
- Avoid discussing personal data in places where you may be overheard. If you allow personal information to be disclosed by talking in front of other people, you may cause a data breach.
- Make sure you’ve collected information accurately. Read it back to the person giving the information, to make sure it’s correct.
- Make sure you are sharing personal data with the person you are expecting to share it with. Try to call them, or if they call you, use caller id to confirm you are talking to the correct person.
How do I collect personal data by email?
- If you are asking for personal information by email, use an email account which is not shared with anyone else, (including family members or other leaders or helpers in your unit). This is because:
- A joint email account which is used to collect personal information is a data security risk.
- Just because someone else is involved with Girlguiding it doesn’t mean that they should have access to the same personal data as you.
- When sending emails to multiple people do not put all the email addresses in the ‘to’ field. This would mean everyone will be able to see everybody else’s email addresses, which is personal information and a personal data breach. Use the BCC field on the email address bar to send an email to more than one person so people can’t see each other’s addresses.
- When you ask for data over email you must explain who you are and why you are collecting the data.
- Always create a new email. Don’t ask for personal data on an existing email chain.
- When using email to collect personal information, do not then use that email chain for discussing something else.
- Girlguiding has to make sure that we do not retain personal data for longer than it is necessary, and this includes any personal information we send or receive via email. Don’t keep emails for longer than necessary.
- If you are sending personal data by email you must send the information as an attachment in a password-protected document. It is not to be in the text of the email.
- You could share the password by calling or texting the individual. You could share the password in a separate email. Do not include the password in the original email.
How do I take photographs or video?
If you take a photograph or video of a person this is personal data. For this reason, Girlguiding asks for permission to use photographs or video on the unit starting form.
- Be aware of member photo preferences.
- You can’t use a photograph or video if there is no photographic preference in place.
- Make sure anyone taking photographs or video of unit activities is aware of the photo permission preferences of the group.
- When taking photographs or video on a personal device make sure you delete any copies of the photos or videos that may have been back up automatically to the cloud.
- When you have finished using the photos or video remove/delete them from your device.
How do I keep data up to date?
When you collect personal data, you must make sure it is accurate and up to date. If you allow collected data to become out of date or inaccurate this is a breach of the data protection legislation. You must plan regular data accuracy reviews for members’ and parent/carer data.
You must make sure your personal details, and those of other volunteers at your unit, are accurate and up to date on GO. You must review and correct at least once a year, but if you have had a lot of transitions, new starters or leavers you may need to do this accuracy review more often.
Delete or destroy any documentation to do with unit activity at the end of each term.
Accessing personal data
You must have authorised access to GO to use personal data collected by Girlguiding.
To make sure Girlguiding complies with UK law and keeps personal data safe, Girlguiding provides access to only the data that you need for your role. This lowers the risk of accidentally using data incorrectly. The specific GO access you are given is personal to you and must not be shared with anyone else, even if they are a member of Girlguiding.
Using personal data
When you use personal data collected by Girlguiding, you can only use it for the specific purpose it was collected for. Girlguiding collects personal data for the purposes of administrating membership of Girlguiding and enabling members to participate in guiding activities.
Guiding activities include:
- Contacting people about arrangements for their daughter’s unit meetings and associatedactivities.
- Informing members and parents about Girlguiding’s rules and policies, including our uniform and other conditions of membership.
- Caring for members and administering any medication or emergency treatment.
- Informing members and parents about events, activities, and learning opportunities that support the guiding programme for girls and young women. Examples include opportunities for international travel, adventure or skills development.
- Planning events.
Unacceptable uses of GO data includes
- Using GO data to communicate with people about non-guiding related activities. For example, you must not use GO data to tell people about another organisation or any other non-guiding activity that you are a part of.
- Adding GO data into a third party application or on-line services such as on-line Guide Manager (OGM) to manage unit administration where GO can be used (Examples include managing the unit member sign up process, training info, achievements).
- Sharing data with third parties without consent.
- Sharing GO data with anyone else, including other Girlguiding volunteers, if you do not have consent to do so.
- Continuing to use data obtained from GO after you have left Girlguiding.
If you’re not sure, ask us first at [email protected]
What is the difference between marketing and service emails?
Service emails contain essential information needed for taking part in Girlguiding. These messages can include information about:
- Essential training, like A Safe Space, 1st Response and data protection
- Policies and procedures
- Changes to national programme
- Subscription information
- Membership system changes
- Changes in leadership
These are all messages which do not fall into essential information. For example, messages that promote the sale of goods, services or organisational ideals and anything that falls outside of essential information. Marketing emails can only be sent to members who have opted into those preferences in the preference centre.
You can find more information about how to communicate service and marketing information by speaking to your county commissioner or the data protection team.
What about fundraising?
If you want to talk about fundraising activities by email, be aware that there are regulations within data protection legislation which apply. The law only allows Girlguiding to send fundraising emails to people who have specifically said that they agree for us to do so. Fundraising emails can only be sent to members who have ticked the box in the preference centre and have given explicit consent (opt-in) to receive the emails.
Unless an individual has agreed to be sent fundraising messages by email, you cannot send them specific fundraising messages via email or in your newsletter.
Using financial data
Unit leaders are responsible for looking after unit finances. Most of this financial data is not personal data, but there will be references to individuals within these records (for example the names of those who have paid subs), so that particular data is personal information).
You must apply the same data security measures to financial records as to other forms of personal data. You should only keep financial data for seven years. See the data retention framework.
What is data sharing?
- One person to another person, for example, a leader sharing with another leader.
- A person to an organisation, for example, a leader booking attendance at an event.
- An organisation to a person, for example, HQ sharing compliance information about a member to an investigator.
- An organisation with itself, for example, HQ sharing personal information with trading.
- An organisation to another organisation, for example, Girlguiding sharing with the Scouts.
Data protection legislation does not prevent the sharing of personal information, but it does regulate it.
The following guidelines will help you share information within the law:
- You can share personal information for purposes to administer and manage Girlguiding membership as agreed with the parent/carer. For example, you can share personal information with another leader if a young member is moving up to a new section.
- You cannot share volunteer or member personal informationthat is not for the purposes of managing Girlguiding membership. This might include requests for personal data from other parents.
- You can only share a member personal information where the person making the request is listed as a GO contact. For example, if a Brownie’s father drops her off each week, but is not listed as a GO contact, you could not share that Brownie’s address or phone number without getting permission to do so from the GO contact listed on her record.
- When you share data, only provide information that is necessary. For example, if the data is to be used for a printed attendance list, you would only need to include the young member’s first name(s), or their initial and family name.
- Girlguiding members can share information with the HQ safeguarding team when it is in the public interest to do so, such as passing on an allegation or a disclosure. We may share personal data without permission if there is imminent risk of harm to a person. This could mean sharing the data with police, children’s services or other statutory agencies. For more information please contact the data protection team.
- In exceptional circumstances, you can share data in a way that wasn’t agreed to. For example, it must be within the vital interests of an individual such as a medical emergency.
How do I share personal information by post?
- If you are sending sensitive personal data (For example, accident forms), use a ‘tracked service’ such as special delivery.
How should I download personal information?
- If you do need to download an electronic list on to a laptop or a tablet where you can’t access GO, make sure the document is password-protected.
- Printing GO data should only be done when necessary, for example if your meeting hall has no WIFI access and you can’t use a laptop or tablet.
- If you print documents from GO you must keep them secure.
- Remember also to delete the downloaded copy of the data when it is no longer needed. Check you don’t have a duplicate of the data in the downloads folder on your computer.
- If you share your computer or other device with anyone then you must make sure they cannot access Girlguiding data. If you collect personal data on an account shared with a family member for example, and they read the personal data you collected, you have caused a data breach.
At local levels of Girlguiding, we need to keep personal data where we are required to do so by law. There is only a minimum amount of personal data which needs to be kept by units. This includes unit financial records and risk assessments.
For information on how long to keep forms, check out the unit retention schedule.
How do I destroy forms?
As forms are designed for a specific purpose, when that purpose is finished you must securely destroy the form by shredding or ripping it so that it could not be put back together and read.
Using electronic devices
You may process Girlguiding personal information on your personal devices such as smartphones and tablets. If copies of data (such as email attachments) are stored on many different devices, there’s an increased risk that it’ll become out-of-date or inaccurate over time. There’s also an increased risk that it’ll be retained for longer than necessary because it’s difficult to keep track of copies. It is important to regularly review and delete the data that is held on devices.
- Make sure that devices are password protected
- Regularly delete the information on the device if it is no longer needed
- If the device is lost or stolen, can you remotely locate it and wipe the data?
- Be aware of automatic updates to cloud storage and delete documents regularly.
Girlguiding policies and procedures are reviewed and updated from time to time as part of a review cycle.