Data protection legislation will impact on many of your guiding duties, so find out how to keep data safe.
No matter what your guiding role, you will be working with data.
This means it's vital that you understand the core principles of data protection, and know how to implement them in everyday guiding.
The data that you manage may come in the form of:
- personal data - information that relates to a living individual that identifies them, eg name, address, date of birth.
- sensitive data - information about a person's religion, sexuality, medical history.
Understand your role in keeping data secure
Our Keeping Data Safe leaflet explains more about how to look after members’ personal and sensitive data.
The eight principles of data protection
Our Data Protection policy sets out eight principles which need to be considered by all bodies responsible for managing people's personal and sensitive information. Consider how these principles relate to your role in handling members' data.
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and kept up to date.
- Personal data processed shall not be kept for longer than necessary.
- Personal data shall be processed in accordance with the rights of the data subject.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
- Personal data shall not be transferred to a country outside the EU unless an adequate level of protection exists.
There are four key areas - discussed below - where data could be stored outside of Girlguiding's membership systems. If your area or level collects data in two or more of the areas below, it is strongly recommended that you register with the Information Commissioner's Office (ICO) - the UK's regulating body that looks after Data Protection. Visit the ICO's website for more information.
Even though Girlguiding is a voluntary organisation, some Counties and levels who own property employ staff. The principles of the Data Protection Act apply whether an individual is a volunteer or a paid staff member.
When handling staff information, consider:
- could the payroll and supporting data be outsourced to a specialist company of the Country/Region?
- how much employment information is stored? For example, is there documentation linked to staff performance, and do staff have a copy of this documentation?
- where is employee data stored and who has access to it?
- how is it shared? For example, application forms shared between an interview panel.
- how is access managed when there is a change of Commissioner or manager?
More details on employment and data protection can be found on the ICO website.
Website with a secure members' area
Local websites are a great way to keep members informed of relevant events, share activity ideas or ask for help. When planning your website's design and management, ask yourself:
- are there skills within the County to develop and maintain a website or would it be better to outsource to a specialist company?
- if the website is designed and maintained by a volunteer, do you have a contingency plan should they leave guiding?
If the website has a members' area that requires users to log in, key points to consider are:
- what is the purpose of the secure area, and does it have to be secure?
- do you store personal details in this area rather than use the Area Contact Detail report [Membership admin > Using Go! > Reports and exports] available from Go! - if so, why?
- how does a member access the members' area - are you gathering additional information outside of Go! to grant access?
- how do you remove access from those who are no longer members?
Regardless of who is managing your website, you must have a non-disclosure agreement with them. If you don't already have one of these, use our template agreement as a starting point.
Guiding is fortunate to have many supporters who are not members of guiding. The principles of the Data Protection Act apply whether an individual is a member or not. As with all personal data, keep the following in mind:
- do you have the individual’s permission to hold their data?
- is the information adequate and up to date?
- is the information relevant?
- is the information excessive in relation to the purposes for which it is processed?
If you hire out your meeting venue, you'll need to consider how you handle member data on the premises. You'll also need to ensure that information about other tenants - both guiding groups and non-members - is kept safe. Get more guidance on data protection.
Communicating with members and supporters about data
It's important to let members and supporters know what's going to happen to their personal information once you've collected it. To help you do this, we've pulled together a list of statements on data protection, which covers everything from employee data to donor information.
We hold lots of different types of data at Girlguiding - some of which needs to be kept indefinitely, and some of which can be disposed of soon after use. The following items should be kept according to our guidelines.
- Starting... forms - must be put on Go! as soon as possible. Retain the Gift Aid declaration and shred the rest of the form.
- Unit meeting register - keep until no longer required.
- Notification of Accident form - forms should be sent to HQ. All copies should be kept securely for three years along with any health forms or additional documentation like risk assessments.
- Accounts - as Gift Aid claims are valid for a number of years and can be backdated by four years, they should be kept longer than other financial records. Keep these forms for six years after the end of the last accounting period the claims relate to.
- Information and Consent forms - keep until the related event has taken place.
- Health Information forms - kept by the First Aider. If no treatment is given, destroy the form after the event. If treatment is given, make sure you retain it for three years.
- Emergency Contact report - kept at the appropriate level and with the home contact. Destroy once the event has taken place.
We have created a template retention schedule to suggest how long you should keep additional data.
We understand that many of our members sometimes work from home, or from locations outside of Girlguiding premises. To ensure member data stays secure in these environments, all members must adhere to appendix 3 of our Data Protection policy.