Frequently asked questions about data protection
We answer your questions about the UK Data Protection Act 2018, also known as GDPR
Page last updated January 2021
To help you understand what the law means for you as a volunteer or member, we’re developing some FAQs. Please keep checking back as these will change over time.
What is GDPR?
It’s also known as the General Data Protection Regulation (GDPR). It gives you more control over how your data is used and how you’re contacted. The Information Commissioner’s Office (ICO). It explains the Regulation in more detail and how it affects you. The UK Data Protection Act 2018 is the UK’s implementation of the EU’s GDPR legislation.
What happens if I ignore the UK Data Protection Act 2018?
Not following the UK Data Protection Act is a breach of Girlguiding policy and may result in withdrawal of your membership. As a volunteer you have a legal responsibility for other people’s data, which means that you need to follow the seven data principles.
Does this affect everyone or just registered members?
Data protection law affects everyone and has an impact on all organisations in Europe that collect, use and store people's personal information. At Girlguiding HQ we've updated our data protection procedures and have ensured that all our communications meet the data collection requirements.
Does every unit have to pay an annual fee to the ICO because we process data?
No - we’re registered nationally covering all units accessing data via GO. If you own or manage property you may have to register independently.
What is the impact of Brexit on the Data Protection Act 2018 and GDPR?
We still expect all Girlguiding volunteers to abide by our policies and procedures. This includes managing people’s information responsibly according to the managing information policy and procedure.
Can I still use my private email address to send guiding emails?
Yes but make sure to blind copy people into the email using the Bcc field to avoid sharing personal information. Make sure that no one else can access your email account.
As a leader, how do I communicate with parents?
If you’re collecting personal information this should be done using an email account that is not shared with anyone else (including family members or other leaders or helpers in your unit).
When sending emails to multiple people/parents remember:
- Use the Bcc field
- If asking for information, explain who you are and why you are collecting the data.
- Always create a new email. Do not ask for personal information on an existing chain.
- When using email to collect personal information, do not then use that email chain for discussing something else.
Can we send group emails with all addresses showing?
No - you must make sure you blind copy (Bcc) people into the email. Personal email addresses are personal information and a disclosure of these is a data breach.
Why can’t I use a shared email account to run my unit?
A joint email account, including unit email accounts, which are used to collect personal information is a data security risk. Just because someone else is involved with Girlguiding it doesn’t mean that they should have access to the same personal data as you.
Can I still have a WhatsApp group/Facebook group to communicate with other members/parents?
Yes. When using WhatsApp, you’ll need to contact the individuals and ask their permission to join the group and let them know they can leave at any time. When using Facebook, they must opt in.
Volunteers should never contact volunteers under the age of 14 directly using social media (via their personal accounts) without their parents or carers permission. When using any social media platform, you should not share personal information.
What do you do if a parent doesn't consent to their details being stored?
GO data is collected and stored using legitimate interest, because it's necessary for us to have that information. If a parent refuses this, they'd have to withdraw their daughter's membership.
Can we save parent email addresses in our own email system?
It's acceptable to save parent email addresses in an email address book. When emailing a group of parents, always make sure you blind copy (Bcc) them into the email and never share personal data. Make sure you're using the most up to date information for individuals and that the information is kept secure. When a girl leaves your unit remember to remove her parents email address from your email address book.
What should I do if I want to unsubscribe from Girlguiding newsletters I’ve been sent?
You can unsubscribe from marketing communications (the Discover, grow newsletter) by following the steps on the our member newsletters page.
If you’re still registered as an active member on GO you will receive the Making guiding happen newsletter which you cannot unsubscribe from. When volunteers sign up to be a member of Girlguiding they have agreed to terms and conditions of membership. This includes a legal right of ‘legitimate interest’ for Girlguiding to contact members with ‘essential information’ about their membership and their role in Girlguiding. This includes the Making guiding happen newsletter and other service emails.
What is the difference between marketing and service communications?
Our member newsletters are examples of service and marketing communications. Making guiding happen is a service message, and Discover, grow is a marketing message.
A service message is anything which is vital to the individual’s membership, their role in guiding or information they must know. This includes essential training opportunities, policy and procedure changes, or information linked to the running of a unit. Examples of this include policies and procedures, essential training, like A Safe Space and 1st Response, and county/division/districts days/meetings which have training elements attached to them. You can’t use marketing messages in these emails.
A marketing message has content which isn’t essential information to the volunteers’ role. This includes a message selling an event (eg training session which has a cost attached, camp, BBQ etc), promoting a product (eg challenge badges), or asking for fundraising. Other examples of this include selling items and products from the Girlguiding shop or another shop, chances for members to have their say: surveys, questionnaires (that are not about service-related material), and partner activity opportunities/discounts/sponsorships.
Complying with data protection means that these types of messaging should be kept separate. Speak to the Data Protection team who can advise you if you are unsure of content can be included.
Do I always need consent and/or permissions when I send anything to do with marketing?
For anything related to marketing sent through digital communications, eg email or text - yes you would. However, if it's hard copy that you're sending through the post - then no you don't.
I send the information and consent for activity/event form at the start of each year to cover multiple small visits eg going to the part. Is this allowed?
You should not do a consent form for the whole year. Instead we'd advise you to do one on a termly basis. You'll need to list all the activities and dates for that term and keep the data up to date. You can do this by emailing each parent separately asking whether the information has changed. When the events are over please destroy securely according to the retention schedule.
What constitutes written consent? Can it be an email or text?
Yes. Consent must be evidenced, meaning you have to be able to prove you received it. An email, a ticked box on a form or a text message is evidence. However, you must provide clear information for what a person is consenting to, to make sure the consent is valid, for example: 'Do you want to join the WhatsApp group?'
Can we create a county directory?
No. This is now held on GO so there's no need for a hard copy. It's a really easy process. Click on the Directory button in GO and this will give you your county directory.
We send out a county newsletter to all our members. We use Mailchimp and take the email addresses from GO. Can we still do this?
Members can be contacted through the use an email platform such as Mailchimp. Best practise for contacting members should still be followed, this includes:
- Always using BCC for email addresses – this protects individual email addresses from being shared.
- Always using an up to date distribution list when sending emails, and deleting the previous list. Distribution lists can be pulled through GO.
- Only using those from the marketing list if it's a marketing email.
- Include an option to opt-out if it is a marketing email. This could be a sentence at the bottom explaining how to be unsubscribed from receiving emails. For example: If you no longer wish to receive these emails, please log on to GO and change your communication preferences in the preference centre.
I use my personal email in my role as commissioner, what will happen to the information that was shared while I was in this role once I have finished?
We recommend commissioners create a generic email for their role that can then be passed on once this role has ended. As a commissioner your email address will be shared with members in your area in order for them to be supported fully. If you’re not happy with your personal email address being shared please create a new email address for this role.
Once your role has ended, you can get in touch with places that may have published your email address (such as county websites, or in newsletters) and ask them to remove your email address. If you’ve set up a generic email eg [email protected] you can pass this on to your successor.
What is a data breach?
A data breach is an incident that results in a loss, theft, deletion, unauthorised sharing or unauthorised access to personal data, this includes:
- leaving unit health forms on the bus
- letting someone else use your GO account
- sending a group email without using Bcc
Will I be held responsible for any data breach that I may make?
Yes, if you cause a breach by not following Girlguiding policies and procedures or selling data on, this is a breach of the Code of Conduct which may affect your membership. However, if the breach was the result of an accident then we’ll do our best to help you. All breaches should be reported to the Data Protection team.
How soon after I notice a breach do I have to report it?
Immediately, but no longer than 24 hours after the breach has occurred. To report this contact our Data Protection team at [email protected] or call us on 020 7834 6242 ext. 3060.
I’ve lost my phone which contains member and parent data. What should I do?
This is a data breach and must be reported to the Data Protection team immediately. Please fill out the data breach notification form and provide as much information as possible. Phones and other electronic devices that hold Girlguiding data must be password protected as they hold personal information of members or parents.
When do I need to keep a document and when do I destroy it?
Retention of different documents can vary, please check the unit retention schedule for details. If in doubt about how long a form or document is to be kept, please contact the Data Protection team for guidance.
What happens if a parent disputes the information we hold on GO?
In these cases, you must update GO with the relevant information the parent provides. You should regularly check with parents that the details on GO are up to date.
What is the process where there wasn't an incident or accident, but treatment was given, and what accidents should be reported?
The guidance given for minor incidents is to complete the notification of accident or incident form. This will then be sent to the Insurance team who’ll acknowledge they have received it. At this point the original document should then be securely destroyed by the person who initially sent it in.
You should fill in the form when an accident has occurred – this is where there is injury or illness or serious damage. Volunteers should use their judgement on what they report based on the severity of the situation or outcome. If significant medical treatment is given, a form should be sent in. If parents question the treatment after an accident, but the form has already been sent off, ask the parents to contact HQ and we’ll deal with the enquiry on your behalf. If treatment was given, but there wasn’t an incident or safeguarding issue, you need to report this back to the parents and then securely destroy the form. If there is a small incident but the injured person experiences ongoing symptoms or later needs treatment, this should be reported. If a minor cut becomes infected, you could fill in a form retrospectively. If you are in any doubt, please report it.
Is it ok for the home contact to be a non-guiding person?
No, because they're privy to personal information which is only for Girlguiding's use. The Compliance team manages this process, and the Girlguiding procedure now states that the home contact has to be a member of Girlguiding. If there are any questions regarding the home contact process, please contact the Compliance team for guidance.
What is the current guidance surrounding photography?
If you take a photograph or video of a person this is personal data. For this reason, Girlguiding asks for permission to use photographs or video on the unit starting form. Please note that photo permissions differ for large scale events.
Make sure to always be aware of members photo preferences. You can’t use a photograph or video if there is no photographic preference in place.
Make sure anyone taking photographs or video of unit activities is aware of the photo permission preferences of the group.
Delete pictures from your personal device once they have been used for the purpose that they were taken for or 14 days after the event has taken place. You must check personal cloud backups and make sure that pictures are deleted from here as well.
The sharing photos and videos webpage has more information on permissions and how to share photo and videos safely.
How long am I allowed to keep photos for?
Please visit the photography hints and tips for counties, divisions and districts page for more information on photo permissions and how long to store these.
Can we still use photos of girls that have left guiding but gave us photo permissions at the time?
No - as the photos wouldn't be used for the same reasons. The photo permission finishes when a girl leaves the unit. You can keep some photos in your unit archives, but these can't be used publicly.
If I have to delete photos from my personal device where can I store them before removing them as required?
Photos must be deleted from personal devices within 14 days as outlined in the digital safeguarding policy. Photos can be stored on a password protected device in a secure folder until they need to be deleted.
What if I want to keep photos for longer to record our unit history? Can I not do this anymore?
You can still store photos in archive form for various reasons, such as to demonstrate the history of Girlguiding. These must be stored in an archive on a password protected device and in a secure folder until they are deleted. Please see the Archives – what can we keep? section for more information.
If the photos are not being kept for the purposes of archiving they need to be used for the purpose in which they were taken, and then deleted from any personal devices.
What is the guidance around using SurveyMonkey?
If you contact members regarding completing a SurveyMonkey (or any other survey) this this is likely to be marketing. If it’s about any content outside the ‘essential’ topics covered under service messages then it would be marketing. This means only those on the marketing list can be sent a link to complete this. If those that want to use this survey method don’t have access to the marketing list, they should contact their local commissioner who can assist them. All original surveys should be deleted once the information has been collected and the purpose has been fulfilled. Summary data can be kept from the survey but should be anonymised and stored securely.
What is the guidance around using online platforms to organise events?
Events can be managed using third party platforms as GO cannot be used. If you choose to use this method please remember that the information and consent for event/activity form must still be completed by parents or carers when any members under the age of 18 are attending an event or doing an adventurous activity.
Can I use a virtual platform to organise my meeting?
Yes. You must gain written permission from a parent/carer for girls to join in and virtual meetings must not be recorded. The virtual meeting organiser must check meeting settings to ensure that this facility is turned off. Please visit the getting started with online guiding and virtual unit meetings page for more information.
Where we meet doesn't have Wi-Fi, so I can’t access GO. What can I take to a meeting?
You can bring paper documents so long as they are kept secure during meetings, and the information required is absolutely necessary. Information on these should be kept up to date. We advise all information on electronic devices (eg laptops or tablets) are kept password protected. After the meeting keep these forms in a secure place and don't leave them in your car.
How do we store paperwork, for example when on a trip?
Make sure it's not left unattended so that it can't be seen or read by people that don't have a reason to see it. Keep it in a safe place during the trip or unit meeting so you can easily access it.
What about retired volunteers?
Any retired/retiring volunteer must handover all historic records to the relevant leader or commissioner. If you hold data on a retired volunteer, please dispose of it as normal (per the unit retention schedule) unless otherwise advised.
Can I keep past members contact details in order to invite them to anniversary/milestone events?
If they've given you permission to keep their records, then this is ok - but they must have given permission. If not, you’ll have to have to destroy their records.
Alternatively, you can advertise events such as these on social media, where you can include contact information for those interested.
Are commissioners responsible if the volunteers they support don’t comply with data protection?
All volunteers agree to the Code of Conduct, which includes policies and procedures regarding data protection. If a volunteer breaches this policy or procedure, they may have a disciplinary action taken against them.
However, commissioners are responsible for ensuring the volunteers they support know about the data protection guidance and that they must comply with Girlguiding data protection policy and procedures.
How can I ensure my volunteers are compliant?
As part of their membership all volunteers are expected to keep up to date on Girlguiding's policies and procedures, they must also all follow the Code of Conduct they signed up to when becoming a member. You should remind them of their responsibilities and advise them to complete the Keeping information safe e-learning.
If you are concerned about a volunteer not following policy and procedures, please contact the Compliance team.
I’m looking to start an archive of photos; can these be kept on the cloud?
Archived digital photos can be stored in a limited access cloud account, or physically separate device. Photos could be stored in cloud storage if this is linked to a unit email address as this can be inherited by current leaders.
Photos could also be stored on a password protected hard drive that could be stored with any physical photos or records kept.
What can I keep as archive material?
Your archives should only contain selected information that makes up a summary of your unit history. It's not an excuse to retain everything!
Information kept in an archive should be minimised. There must be a genuine purpose for the archive, for example to keep a historic record for the public interest.
Individuals can also object to the use of their personal data for an archive. If they do this, you will need to demonstrate that you are not putting the archive interest above that of the individual.
We’re running a joint guiding and scouting event. How can we store this data?
You can't share Girlguiding data or give others access without additional consent. If you need to collect or share data for a specific joint event, you'll need to ask parents/guardians for additional consent. Make sure you securely destroy all data after the event is over in line with the managing information policy and unit retention schedule.
Can I use Online Guide Manager? What if I get consent from parents to use it?
It is a breach of the managing information policy to add GO data into a third party application or on-line services such as on-line Guide Manager (OGM) to manage unit administration where GO can be used (Examples include managing the unit member sign up process, training info, achievements).
To read more about unacceptable uses of GO data please see the Managing information procedure.
What do you mean by storing securely? It's in my house but not locked up, is this still ok?
Yes that's fine! However, it should be kept where it can't be seen by others for example family members. Even if someone else is involved with Girlguiding it doesn’t mean that they should have access to the same personal data as you.
Where do we keep health care plans at our unit meeting place? We keep a copy inside a cupboard which is locked, is that alright?
Yes, but only if the cupboard is accessible by Girlguiding volunteers and no one else. If people outside of guiding have access to this, then you should take them home with you every week. Make sure to keep information on these forms up to date.