Frequently asked questions about data protection
We answer your questions about the UK Data Protection Act 2018, also known as GDPR
To help you understand what the law means for you as a volunteer or member, we’re developing some FAQs. Please keep checking back as these will change over time.
What is GDPR?
The UK Data Protection Act 2018 replaces the UK Data Protection Act 1998. It’s also known as the General Data Protection Regulation (GDPR). It gives you more control over how your data is used and how you’re contacted. It also means that organisations like ours must review how we manage your personal data.
What happens if I ignore the UK Data Protection Act 2018?
This is something that can’t be ignored. If you’re a volunteer then you’ll have responsibility for other people’s data which means that you’ll need to follow the seven data principles. We’re developing tools to help you so that you’re in line with the law.
Does this affect everyone or just registered members?
The new data protection law affects everyone and has an impact on all organisations in Europe that collect, use and store people's personal information. At Girlguiding HQ we've updated our data protection procedures and have ensured that all our communications meet the data collection requirements.
I went to a data protection seminar and was told that every business or charity that processes data has to pay an annual fee of £40 to ICO. Are all units expected to pay this?
No - because units access data on GO and as Girlguiding is the data controller we're registered nationally. If you own or manage property you may have to register independently.
Can I still use my private email address to send guiding emails?
Yes you can, but make sure that you blind copy people into the email, that you don't share personal information and that any information you do share is secure. Make sure that no one else can access your email account.
How do I communicate with parents?
We're currently producing some guidance for you and this will be hosted on the website. We'll let you know when it's there but keep an eye out on the data protection hub.
Can we send group emails with all addresses showing?
No - you must make sure you blind copy (Bcc) people into the email. Never show all addresses in either the To or Cc box unless you're sending to one individual.
Can I still have a WhatsApp group/Facebook group to communicate with other members/parents?
With WhatsApp you need to contact the individuals and ask their permission to join the group. They'll then be able to leave at any time. With Facebook they have to opt in anyway. When using any social media platform please do not share any personal information.
Can we use a girl's first name in emails addressed only to their own parent/s and my assistant leader?
Yes - as long as the parents know the assistant leader and she has a legitimate reason to be copied into the email.
Can we have a closed Facebook group or WhatsApp group for Guides?
No - our policy states that you can only directly contact girls aged over 14. If you want to contact Guides or younger girls you would need to go through their parents.
If you're planning a trip and want to confirm who is going, can you share this with parents?
You would be able to share names only, but if a parent objects to this you'll have to remove the child's name.
Are we allowed to keep a copy of parents' email address in an Excel spreadsheet? I usually post reminders on Facebook and then send separate emails to those not on Facebook.
No - all parent data must stay in GO. This is so you're using the most up to date information. You can email parents direct from GO by clicking on their email address.
What do you do if a parent doesn't consent to their details being stored?
GO data is collected and stored using legitimate interest, because it's necessary for us to have that information. If a parent refuses this, they'd have to withdraw their daughter's membership.
If we get written permission from parents, can we save their email addresses in our own email system?
It's acceptable to save their email addresses in an email address book - you don't need permission for that. However, when emailing a group of parents, always make sure you blind copy (Bcc) them into the email and never share personal data.
When a girl leaves your unit remember to remove her parents' email address from your email address book.
If you have a mailing list for parents and carers - do you have to get everyone to confirm that they want to stay on the list?
You shouldn't be using lists outside of GO unless it's a group address book that is kept up to date in your email account.
Do I always need consent and/or permissions when I send anything to do with marketing?
For anything related to digital, eg. email or text - yes you would. However if it's hard copy that you're sending through the post - then no you don't.
I use a generic information and consent form for activity/event notification at the start of each year to cover events such as visits to the park. Can I still do this?
You shouldn't do a consent form for the whole year. Instead we'd advise you to do one on a termly basis. You'll need to list all the activities and dates for that term and keep the data up-to-date. You can do this by emailing each parent separately asking whether the information has changed. When the events are over please destroy the forms securely unless there was an incident.
What constitutes written consent? Can it be an email or text?
Yes it can. Consent must be evidenced, meaning you have to be able to prove you have it. An email, a ticked box on a form or a text message is evidence. However, you must provide clear information for what a person is consenting to, to make sure the consent is valid, for example: 'Do you want to join the WhatsApp group?'
Can we create a county directory?
No. This is now held on GO so there's no need for a hard copy. It's a really easy process. Click on the Directory button in GO and this will give you your county directory.
We send out a county newsletter to all our members. We use mailchimp and take the email addresses from GO. Can we still do this?
We’re currently working on guidance to help you with this. We’ll notify all commissioners in the monthly service newsletter Making guiding happen.
What is a data breach?
A data breach is an incident that results in a loss, theft, deletion, unauthorised sharing or unauthorised access to personal data, for example, leaving unit health forms on the bus, letting someone else use your GO account or sending a group email without bcc-ing the contacts.
Will I be held responsible for any data breach that I may make?
We understand that sometimes things go wrong. If you inappropriately share data deliberately eg by not following policies and procedures or selling data on, then that is a breach of the Code of Conduct which may affect your membership. However, if it was a genuine accident, for example something got stolen or you sent an email by mistake to the wrong person, then we’ll do our best to help you. Our Data protection team will be able to advise you.
How soon after I notice a breach do I have to report it?
Ideally straight away but no longer than 48 hours after the breach. Contact our Data Protection team who'll be able to help you [email protected]
Will an individual be held personally liable if they break the law?
If it was an unintentional breach, for example where something got stolen, then we would support that individual. Our Data protection team will be able to advise. If the breach was intentional then that could affect the individual's membership.
If one of our volunteers causes a data breach, does the fine land on the county?
If there is a fine, then we'll work with counties on a case-by-case basis.
When do I need to keep a form and when do I destroy it?
Many of our forms, when completed, have personal data for a specific reason such as an event. Once that reason is over the form can be securely destroyed unless there was an accident in which case email it to [email protected]. Or if there was a safeguarding concern send it to [email protected].
An example is the starting form, pages 1-2 are given to the parent, pages 3-5 include personal information that needs to be added to GO. Once this has happened pages 3 and 4 can be destroyed but page 5 holds photo preferences and must be kept for the duration of the girl’s membership + 1 year (pages 5 and 6 for the Rangers form). Don't forget to log any medical issues onto GO. The gift aid form is valid for seven years so please keep that with your unit's finance records.
For more information on how long to keep forms, check out our unit retention schedule.
Do I still keep health and consent forms for seven years?
Consent forms should be kept for one month from the date of the event and then securely destroyed. However, if someone had an accident please send it to [email protected] at HQ. It's always a good idea to take a copy before sending it in just in case we don't receive it. We'll then let you know when we receive it so you can destroy the copy.
What do you do with old registers?
Unit registers should be kept for one year. When they're no longer needed please dispose of them securely. The only exception is if they hold financial records, such as Gift Aid, in which case keep them with your unit's finances for seven years.
When a new girl joins a unit her parents complete a starting form. We then put the information on GO and destroy the form. What happens if a parent disputes the information we hold on GO?
In these cases you just need to update GO with the relevant information. For example, if a parent disagrees with the photo permissions then you change them to what they want.
What are we meant to do with the information collected on starting forms that isn't collected on GO, like parents volunteering options, school, ethnicity etc?
The starting forms will be changing this month and there will no longer be a requirement to collect this information.
I normally keep a copy of the REN forms from my unit's camps. Do I now have to shred these after every camp?
REN forms should be kept for one year from the date of the event.
Why is it ok to shred forms with parents' signatures on them? How can they prove they've given consent?
The starting forms will be changing and you'll be able to keep the part of the form that has the parents' signatures on.
I was told that we had to keep new starter forms for six years because they evidenced Gift Aid if we were ever audited. How do we satisfy business law whilst following GDPR?
The Gift Aid form is needed for seven years (after the last donation) so please keep that with your unit's finance records.
What are we meant to do about Gift Aid declarations on old starting forms?
See above. If the Gift Aid form has not been used for seven years, it can be securely destroyed.
In the 'how to claim gift aid' information pack, it recommends setting up a gift aid register to keep track of payments. This includes dates of birth and addresses. Are these ok to keep on computers for 7 years as it's evidence for the HMRC?
Yes, you can still keep these as they're a record of financial transactions.
What do we do with health forms where there wasn't an incident or safeguarding issue but treatment was given?
In these cases you would need to report back to the parents the TLC provided, let them know what happened and then securely destroy the form.
What do we do if a parent questions treatment after an accident and we've already sent the forms to trading?
Just ask the parent to contact HQ and we'll deal with the enquiry on your behalf.
What is the definition of an accident? Do I have to send any for papercuts for example?
An accident is where there is injury or illness or serious damage. Volunteers should use their judgement on what they report based on the severity of the situation or outcome. If significant medical treatment is given, a form should be sent in.
Equally, if it is a small incident but the injured person experiences ongoing symptoms or later needs treatment, this should be reported. If you are in any doubt, please report it. Papercuts and similar incidents would count as TLC and therefore you don't need to send those. If a minor cut becomes infected you could fill in a form retrospectively.
Is it ok for the home contact to be a non-guiding person?
No, because they're privy to personal information which is only for Girlguiding's use. The Compliance team is managing this process and the new procedure now states that the home contact has to be a member.
What implications will GDPR have on photos and videos of members?
We're working on it and are developing some guidance. However, please make sure you still get the relevant consent as recorded on the starting forms.
Can we still have photographs of girls on our unit website? Parents have ticked the 'national publicity' part of the starting form.
If you can connect a photo to a consent then it's fine to use. If you can't prove the consent then you'll have to remove it. We're changing the starting form so you can keep a copy of the parental permission.
How can we prove parents have provided photo permissions if we have destroyed the form?
We're changing the starting form so you'll be able to keep a copy of the photo permission. These will be available later on in May 2018.
Can we still use photos of girls that have left guiding but gave us photo permissions at the time?
No - as the photos wouldn't be used for the same reasons. The photo permission finishes when a girl leaves the unit. However, you can still keep the photo in your unit archives but can't use them publicly.
What platforms and tools are volunteers allowed to use and do you have guidance on these (eg SLACK/dropbox/google docs/surveymonkey/eventbrite)?
We're developing some guidelines for this and will let you know when they're on the website.
Why do I have to send historic information about incidents and safeguarding to Trading? What are you going to do with the information and who's paying the postage?
We're hosting it at trading as they have space to securely store it. We'll be logging everything that comes in. The postage is a legitimate cost that you can claim back from your unit. Our previous data protection guidance required leaders to hold forms which they no longer do as part of the new UK Data Protection Act 2018 (also known as GDPR) requirements. Therefore, any forms held from previous years need to be sent in or securely destroyed.
What information do HQ need when they ask for incidents to be sent to trading?
You only need to send information on accidents that potentially needed hospitalisation or professional medical care from previous years. Paperwork related to current incidents should be sent in to the appropriate department at HQ.
Are Trefoil Guild dealing with this separately or as part of the same campaign?
They're a separate charity. We're supplying them with guidance on how to become GDPR compliant.
Where we meet doesn't have WiFi so I can’t access GO. What can I take to a meeting?
As you know, you still need to access certain information for your meeting. This may include an attendance register, health form or emergency contact list. You can have them as password protected files on your laptop or tablet or you can have paper documents.
If using paper copies, make sure that the information is up-to-date for current members and is kept safe during the meeting. After the meeting keep it in a secure place in your home and don't leave it in your car.
I don't have internet access at my unit meeting. If I have an emergency at my meeting place and I've destroyed the starting forms what do I do?
See the above answer. You can still print out an emergency contact list from GO but you must make sure the information is up-to-date for current members and is kept safe during the meeting.
How do we store paperwork whilst we need it, like on a trip or for a unit register at the meeting?
Make sure it's not left unattended so that it can't be seen or read by people that don't have a reason to see it. Keep it in a safe place during the trip or unit meeting so you can easily access it.
To help manage the waiting list, are we able to download some information on Excel but remove personal data, only having first name and date of birth?
No - this information should all be stored on GO so it can easily be updated and remains secure.
What about retired volunteers?
If they hold information then they should pass it to the relevant leader/commissioner who will then follow the checklist. If you hold data on a retired volunteer then please dispose of it in the usual way unless they've given you permission to hold onto it.
We have an anniversary coming up and I was keeping the records to invite people. How do I invite them if I have to get rid of their details?
If they've given you permission to keep their records then that's ok - but it must be recent. If not, you'll have to securely destroy the records. You can use your local area to advertise the event by asking people to get in contact with you via Twitter, Facebook, local shops or papers.
Are commissioners responsible if the volunteers they support don’t comply with data protection?
Commissioners are responsible for ensuring the volunteers they support know about the data protection guidance and know that they must comply with Girlguiding data protection policy and procedures. As long as you've done this you won't be held responsible for your volunteers not complying with data protection.
All volunteers agree to the Girlguiding Code of Conduct, which stipulates they must adhere to all Girlguiding's policies and procedures including data protection. If a volunteer doesn't do this they may have a disciplinary action taken against them. A commissioner wouldn't face disciplinary action for a volunteer unless they've been negligent in their responsibility to support volunteers to know about data protection guidance or have been non-compliant themselves.
How can I get my volunteers to get data compliant?
All volunteers are expected to keep up to date on Girlguiding's policies and procedures. It's part of their membership conditions - they must follow the Code of Conduct. Keep reminding them of their responsibilities and also to do the Keeping information safe e-learning.
Can we still keep registers that only show names as part of our unit history?
Yes - but only keep a selection of them, don't keep them all.
What can I keep as archive material?
Archives, by definition, involve the long-term storage of documents and items that record an organisation’s history. So your archives should only contain selected information that makes up a summary of your unit history. It's not an excuse to be able to retain everything.
As part of an archive you can keep minimised personal information. You don't need to remove all personal information for archiving, but there must be a visible and transparent process which makes sure that the archive can achieve its purpose and ensure an individual’s rights and freedoms are protected.
If you do include personal information, firstly, an individual can request copies of any personal information you retain in an archive with a subject access request (SAR), so it needs to be easily accessible and able to be copied within a few days of being asked for.
Secondly an individual can object to the use of their personal data for an archive and you would have to demonstrate that you are not putting our archive interest above that of the individual.
We run a joint guiding and scouting charity sale and email/post order forms. How can we store this data?
You can't share Girlguiding data without additional consent. If you need to collect data for a specific joint event you'll need to ask parents for additional consent. Make sure you securely destroy the data after the event is over.
I'm a Baden-Powell coordinator and was advised to set up a database to keep track of Guides working on award. It contains names, date of birth, membership number, leader and commissioner contact details. Is this still allowed?
If this is information that can't currently be stored on GO make sure you password protect the document and only use the minimum amount of data needed. Always make sure you securely destroy the data once a girl has completed her award or has left.
Can I use Online Guide Manager?
The use of Online Guide Manager (OGM) represents a non-compliant sharing of GO or personal data collected for Girlguiding use. The use of OGM and other similar online platforms does not allow Girlguiding to retain sufficient control over the data to meet our legal requirements as a data controller under data protection law.
Do we have to buy lockable filing cabinets?
No - it's not essential. As long as your current records are kept safe in your home then that's ok.
Is there a recommendation as to what sort of lockable box we should be using and how many keyholders should we have?
What do you mean by 'secure'? It's in my house but not locked up, is this still ok?
Yes that's fine! Keep it where it can't be seen by people that shouldn't be seeing it.
Where do we keep health care plans in the meeting place? We have a copy inside a cupboard which is locked and the building is alarmed when we're not there. Is that still ok?
Only if the cupboard is accessed by Girlguiding volunteers and no one else. If people outside of guiding have access then you should take them home with you every week.