Data Protection Support for Organisations

VCSE organisations of all shapes and sizes handle a wide range of information and data, including the information of people who use their services and are members of their groups. It is important to ensure that this is done safely, securely and lawfully, which is why this page on Data Protection was created as a starting point.

What information does Data Protection Legislation apply to?

Data Protection applies to ‘personal data’. Personal data is any information relating to a person (a ‘data subject’ in the legislation/guidance) who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • Their name,
  • An identification number (NHS number, NI number or something specific to your service),
  • Location data (address, postcode, GPS etc.),
  • An online identifier (IP address, cookies etc.),
  • Or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Isn't this just for big charities and organisations?

Good Information Governance is important to organisations, charities and groups of all shapes and sizes. For example, having a membership, sending a newsletter to your users, fundraising, or having to provide data to a funder or commissioner are all examples of work that requires good information governance and is affected by data protection legislation.

What is GDPR and the Data Protection Act?

Data protection legislation isn’t a new thing. The new legislation builds on rules we have had in place for a number of years but refreshes them to reflect new technologies and the ways we use data and information.

  • The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.
  • The Data Protection Act 2018 controls how your personal information is used by organisations and is the UK’s implementation of the General Data Protection Regulation (GDPR).

Pre-Brexit the two pieces of legislation essentially worked together to cover how we should treat personal data. Post-Brexit we have:

  • UK GDPR (the Data Protection Act 2018) – applies to all UK data controllers
  • EU GDPR (the existing GDPR) – applies as before to EU controllers etc., and to anyone processing data about people based in the EU

For the majority of groups and organisations who are UK-based and handle data about UK residents, the focus is on the Data Protection Act 2018. For more information about Data Protection and Brexit, visit our Brexit resource page.

Although the Data Protection Act and GDPR are the two main pieces of legislation, there are others that organisations should be aware of, including PECR (the Privacy and Electronic Communications Regulations), which covers things like electronic marketing, as well as the Freedom of Information Act (although it doesn’t often apply to VCSE organisations, it is often used by the sector to get information from public sector bodies).

But isn't this just all about IT and Computers?

Cyber security does play a part in Information Governance and in ensuring compliance with data protection legislation. But it's more about how we use IT and computer systems than what computer programme you have in place.

Cyber Essentials is a government-backed scheme, and working through their free checklist will help your organisation have the basic controls in place to protect your organisation and its data - click here for more information. The National Cyber Security Centre has also produced a free guide aimed at small charities that can be downloaded here.

Salford CVS / 10GM also deliver Introduction to Cyber Security training courses. Please contact us or check out our events page for more information.

Where should I start?

As an organisation, you can’t deal with what you don’t know, so the first thing is to check and make a record of all the personal data you hold, including:

  • What data do you hold?
  • Why do you hold it?
  • Where is it kept?
  • Who has access to it?
  • Do you share it with anyone?
  • Do you know how long you’re keeping it for?

Producing a record of what information you hold is a great start to identifying where you may need to make changes or improvements. It also helps inform your policies and procedures.

Don’t panic if you have gaps but collecting that information will make everything else you need to do much easier!

And what do I do once I know that!?

Instead of going over every step in detail here, we have produced in partnership with 10GM an Information Governance Toolkit to support small organisations. Based on the ICO Guidance for Small Organisations, it asks the most common questions organisations need to consider and signposts you to more information.

But what policies and procedures?

The toolkit mentioned above provides guidance and resources on the two main policies we get queries about – your umbrella data protection policy, which covers how your organisation handles and protects data, and your privacy notice, which tells people how you collect and use their personal data.

Do I need to register with the ICO?

The ICO registration fee for charities is currently £40. Most small organisations and charities that are currently exempt from registration (as a not-for-profit) will probably continue to be exempt. However, the not-for-profit exemption is narrow and has conditions attached, so as your organisation grows and evolves you do need to reconsider registration. The exemption applies if you only process data to:

  • establish or maintain your membership;
  • support a not-for-profit body or association; or
  • provide or administer activities for either the members or those who have regular contact with it (it doesn’t cover drop-in centres or one-off / isolated support).

But you will need to consider registering if you:

  • Trade (selling goods / hiring your venue etc.)
  • Significantly fundraise, including direct marketing campaigns
  • Have buildings where you monitor and use CCTV
  • Want to win contracts / deliver commissioned services.

You can check if you need to register under current Data Protection Legislation by using the ICO's free self-assessment (it doesn't ask for your organisation's name or contact details). If in doubt, contact the ICO helpline, as they can help clarify the situation for you!

I’ve been told I need a Data Protection Officer?

Certain organisations have a legal responsibility to appoint a Data Protection Officer (DPO):

  • If you are a public body or authority
  • If you do large-scale regular and systematic monitoring and tracking of individuals (such as on the internet or through CCTV observation)
  • If you process large-scale special category data or criminal convictions/offences data

The debate tends to be over the definition of large scale, as there is no clear definition. The European Data Protection Board has given examples of large scale, which include hospitals, transport systems, banks or internet providers. It also states that a single GP is not large scale (and based on current insight they handle 1800-2000 people’s information). Essentially this means that a lot of organisations do not legally have to have one.

Don’t appoint a data protection officer for the sake of it, or because you think it makes your organisation or a member of staff sound good, as there are specific criteria linked to the post about their expertise, independence and resources. BUT you should have someone who is your data protection lead to act as a key point of contact and to support your organisation (and to make sure you don't forget about things!).

What about Fundraising? How is it affected?

Fundraising is affected as it handles personal data. It is also a really broad topic, but to help get you started the Institute of Fundraising has produced a range of guidance documents. There is also this brilliant guide by 2040 Training that is really user-friendly too.

Are there specific things I need to know about Children & Young People?

If your charity or community group offers services directly to children, or collects information about children in a household receiving a service, you should carefully consider what data you collect about children and how it is used. This is for two reasons:

  1. Data Protection legislation does have specific implications for processing the data of young people (in particular those under 13 years).
  2. As children do not have the same level of understanding as adults, you need to address the particular protection needs for their data. This goes beyond simply considering whether to get consent from a parent.

The ICO website has more information on this topic.

Where can I get more training, help and support?

You can contact Salford CVS, where our development team can offer help, support and guidance. Salford CVS / 10GM are running an online training course in the early part of 2021. In the meantime, you can access training through a variety of online providers, including Future Learn, who have developed this Introduction to GDPR Course with the University of Central London.

Alternatively, you can contact the Information Commissioner's Office directly with your queries. The ICO has a dedicated advice line aimed at people running small businesses or charities. To access the new service, dial the ICO helpline on 0303 123 1113 and select the option to be diverted to staff who can offer support.

10GM has also formed a Greater Manchester VCSE IG Forum. The forum sends out regular updates regarding data protection and information governance, as well as meeting regularly to discuss issues and topics. If you have responsibility for data protection within your organisation and would like to join the forum, please email Marie Wilson for more information.
