Managing information policy

Policy last updated 1 October 2025.

See change log for recent updates to this webpage.

Find out what's changed and why in the most recent updates to this policy. 

Giving girls great guiding experiences means that we may have to handle personal data.

Whether it’s about our young members or our ambassadors, it’s really important that we manage the personal data we have properly.

This policy applies to all adult volunteers and adult members (all referred to as volunteers in policies), and staff in Girlguiding.

It explains how we collect and use data fairly, responsibly, and in line with the law, and our expectations when managing personal data.

Volunteers should read this policy alongside the managing information procedure. Girlguiding employees should use the staff procedure on the intranet.

Definitions used in this policy

Our glossary lays out a few definitions of key terms that are used across our policies - take a look.

• Data breach – when data is used in a way that it shouldn’t be, for example emailing personal data like a phone number to the wrong person.
• Data processing - doing anything with personal data, like collecting, storing or sharing it.
• Data processor – a person or organisation processing personal data on behalf of Girlguiding.
• Data protection – making sure people can trust you to use their data fairly and responsibly.
• Data subject - the person the data is about, like a young member. Data subjects have individual rights (see the next section for further information).
• Personal data – any information about a person. This includes names, addresses, phone numbers, photographs or characteristics of their identity, like their ethnicity. When we use 'data' in this policy, we mean personal data.
• Special category data – personal data revealing racial or ethnic origin, health information, or religious beliefs.

Girlguiding’s commitment to data protection

We’re committed to making sure we use and manage personal data in line with data protection law. We make sure that all personal data is collected, used, and stored responsibly, transparently and securely.

As a data controller, Girlguiding processes data in line with the key principles of data protection outlined in legislation:

• Lawfulness, fairness and transparency – we only process data in line with the law, for example, when we have someone’s consent to do so. We’re transparent about how and why we process personal data, and we only do so in a way and for reasons that people would reasonably expect.
• Purpose limitation - we’re clear about why we process personal data and what we’ll use it for. If we use personal data for a different reason to why it was collected, we'll only do so lawfully, fairly and transparently.
• Data minimisation - we only process the data we need for the reason it was collected. We never store or use more personal data than we need.
• Accuracy – we take all reasonable steps to make sure that the personal data we hold is correct, and we respect the right of rectification (see the next section for further information).
• Storage limitation – we only keep personal data for as long as we need it. We always have a defined retention period for the data we collect, based on clear and recorded reasons. If the reasons for keeping the data no longer applies, or the retention period has passed, we securely delete the information.
• Integrity and confidentiality (security) - we take all reasonable steps to make sure that personal data is protected against data breaches and accidental damage and loss.
• Accountability - we take responsibility for the personal data we handle, and follow these data protection principles, this policy, and the relevant procedures.

Girlguiding respects the rights of all data subjects. The rights are:

• The right to be informed – we give clear information about what data we collect, how we use it, and who it will be shared with.
• The right of access – seeing a copy of their data.
• The right of rectification – correcting their data if they think it’s wrong.
• The right of erasure – deleting their data.
• The right to restrict processing – limiting the way we use their data, if they believe the data we hold is inaccurate, or we’re not using it legitimately.
• The right of portability – having a copy of their data in a way that other organisations can use.
• The right to object to processing – they can object to their personal data being used for a specific purpose, like direct marketing.
• Rights around automated decision making and profiling – Girlguiding doesn’t use any fully automated decision making or profiling systems. However, we respect the right that people can object to an automated decision being made about them. We’ll notify people as soon as possible that an automated decision has been made about them. If they’re unhappy with this, they can contact us to request it’s reconsidered, or that we make a new decision on a different basis.
• The right to make a complaint to the ICO – if they’re dissatisfied with how we’ve handled their complaint or request, they can make a complaint to the Information Commissioner's Office.

We may not be able to meet every data subject rights request. For example, we can’t delete someone’s data if they’re still a member. But, we always let them know if we can’t carry out their request, and will explain why.

For more information on your individual rights and how we manage them, and for any other questions on data protection, get in touch by emailing [email protected].

Girlguiding only processes personal data when there’s a legal reason to do so. These legal reasons (called ‘lawful bases’) are:

• Consent – when someone has given us clear permission for us to process their personal data. For example, a parent gives consent for us to take and use photos of their child at a Girlguiding event. They can withdraw this permission at any time.
• Contract – when we need to process data to carry out a contract with someone, or because they’ve asked us to take steps before making an agreement. For example, processing payment and contact details for someone attending a paid training course we’re running.
• Legal obligation – when we must process data to comply with the law. For example, keeping records of safeguarding concerns or incidents, as required by child protection laws.
• Vital interests – when the processing is necessary to protect someone’s life. For example, sharing a girl’s allergy or medical information with emergency services if she becomes seriously unwell at a camp.
• Public task – when processing is needed for us to carry out a task in the public interest, or in our official role. And the task has a clear legal basis. For example, keeping records of who attends meetings as part of our responsibilities under charity regulations.
• Legitimate interests – when the processing is necessary for our own legitimate interests or the legitimate interests of a third party – unless there’s good reason to protect someone’s personal data that overrides these legitimate interests. For example, using member feedback to improve how we run activities or communicate with volunteers.

You can find out more about why Girlguiding collects and uses personal data in our privacy notice.

Expectations

If you access or use personal data as part of your role you must:

• Have a clear reason and lawful basis for collecting personal data, like someone’s consent, a contract, or legal obligation. Make sure that people are fully informed about how and why their personal data will be collected, used, protected and destroyed. If you have any questions, contact the data protection team.
• Think about why you need to collect or use personal data, and only collect or use the data you need to do your task. Never collect someone’s data for one reason and use it for another reason without their permission, a clear reason, or other lawful basis.
• Only collect, hold, and use the minimum amount of personal data that’s needed to complete a task. Before collecting data, consider whether you really need to collect it, and don’t collect data ‘just in case’, or hold on to it longer than necessary.
• Treat special category data extra carefully and make sure it’s protected appropriately.
• Keep the personal data you use in your role up to date and accurate by periodically reviewing it, updating when relevant, and reminding people to keep their information on Girlguiding digital platforms (like GO) up to date. Make sure personal data is only kept for as long as it is needed. Keep your relevant data retention schedule up to date, and make sure you delete or safely destroy personal data in line with it.
• Be responsible and accountable for the personal data you use in your role, and able to demonstrate that you’re using personal data lawfully in line with this policy and relevant procedures.
• Manage data responsibly to reduce, as much as possible, the likelihood of a data breach. Use an email account that only you, or other staff or volunteers with the same level of access to personal data, can access.
• Respect the rights of data subjects, and cooperate with all individual rights requests, such as subject access requests. If you receive a request about someone’s data rights, you must forward to the data protection team immediately by emailing [email protected]. Volunteers can find out more in the personal data requests procedure, and staff must refer to the staff managing information procedure on the intranet.
• Follow the photos and videos procedure to take and store images correctly.
• Send marketing and service messages separately. Find out what this means in our procedure.
• Share personal data safely and securely. Only share personal data when necessary, and always check the recipient is authorised to receive it.
• Follow our personal data requests procedure if a data subject asks for the information we hold on them.
• Report any data breaches or concerns (for example, data is lost, or you sent an email with personal data in it to the wrong person), to our data protection team immediately as soon as you discover them, in line with our reporting a data breach procedure.

How Girlguiding protects personal data

• We implement this managing information policy and make sure it's in line with current data protection legislation.
• We co-operate with relevant regulatory bodies, including the Information Commissioner’s Office.
• We give all volunteers and employees relevant and up-to-date training to help them comply with this policy, including our safer guiding training. For staff we have a GDPR course within our policy and compliance e-learning.
• We have safeguards and security measures in place to keep data secure. These include protections against the unlawful or unauthorised processing of data, as well as accidental loss or damage to data.
• Breaches of this policy by adult volunteers will be managed under the managing concerns about adult volunteers policy and procedure. Staff breaches will be managed in line with the relevant HR policy and/or procedure.