On 25 May 2018 the European General Data Protection Regulation (GDPR) came into force. It strengthens and extends data protection law, and has a greater focus on individual rights. Among the changes are a stronger requirement for explicit consent to use someone’s information, more rights to access and ask for information to be deleted, and the right for someone to object to the way their information is used. The Information Commissioner’s Office has guidance on the new Regulation.
Organisations need to keep details about their volunteers (unless they are volunteering at an informal, one-off activity). If these details are included in the Data Protection Act 1998’s definition of ‘personal data’, the organisation must follow the rules about how it collects, stores, uses and discloses this information. It may need to ‘notify’ (register with) the Information Commissioner. There is a self-assessment tool for organisations to check whether they need to register on the Information Commissioner’s Office website.
The Data Protection Act 1998 has eight data protection principles, which give guidance on what organisations should do. However, it’s not always clear from them what action should be taken – for example, where a duty to disclose information about a person conflicts with someone else’s right to confidentiality.
There have been a number of cases where charities have been fined by the ICO for failing to comply with data protection law, specifically the handling of personal data. It is imperative that organisations train their volunteers if they are to handle personal data. This can include personal information of service users, other volunteers, staff and trustees. Volunteers should receive as part of their induction the eight principles of data protection so they can be clear about their responsibilities in complying with legislation.
The act uses certain words for information and individuals or organisations, depending on their roles and responsibilities under the act.
- The act applies to ‘personal data’, which is information that can identify a living individual. This includes information that can be combined with other information that an organisation has or is likely to have.
- The act applies to personal data that is or is going to be stored on a computer or storage device or in ‘relevant filing systems’ (manual filing systems where information is kept in a structured, retrievable way).
- Organisations or individuals who collect or hold personal data are referred to as ‘data controllers’.
- Any other organisations or individuals who use the information on behalf of the data controller are ‘data processors’.
- A person whose personal data is processed is called a ‘data subject’.
- Doing virtually anything with data is known as ‘processing’. The act defines this:
‘processing’, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the information or data.’
The Information Commissioner’s legal guidance on the act says: ‘it is difficult to envisage any action involving data which does not amount to processing within this definition’.
Data is defined in section 1 of the act as:
‘…information which –
a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
b) is recorded with the intention that it should be processed by means of such equipment,
c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or
e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)’
Personal data is defined as
‘…data which relate to a living individual who can be identified –
a) from those data, or
b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual’
The data protection principles
Section 4 and Schedule 1 of the act set out the eight data protection principles. Personal data must be:
- used in a fair and lawful way
- collected for a lawful reason and not be used for anything that is not part of this reason
- adequate, relevant and not excessive for the reason for which it was collected
- accurate and kept up to date
- not kept longer than needed
- collected and stored in ways that respect the data subjects’ rights
- kept with appropriate security measures
- not moved to a country or territory outside the European Economic Area unless the country or territory has laws that protect data subjects from their personal data being used inappropriately.
Personal data should only be used for one or more of the following reasons.
- The individual has given consent for the data to be used. This means: he or she knows who is using the information, what for and who it is likely to be given to. Consent can be implied if it is obvious what the information will be used for – eg application forms.
- It is needed to carry out a contract that the individual is a part of or to make a contract that the data subject has asked to be a part of.
- The processing is necessary to comply with a legal obligation that the data controller is under, other than an obligation implied by contract.
- It is necessary for the administration of justice or for other specified purposes, including public or statutory functions
- It is needed to protect the ‘vital interest’ of the data subject. Vital interest is ‘a life or death situation’ according to the Information Commissioner’s guidance – for example, disclosing medical information where it could save a person’s life.
- Where processing information is in the ‘legitimate interests’ of the data controller or a third party. This is to allow for the reasonable use of data which falls outside the other fair processing conditions. This has to be balanced with the interests of the individual, and be a fair and lawful use of the information.
Apart from the first condition, where the data subject has given consent, the conditions are based on ‘necessity’ – needing the information. Necessity is not defined in the act, but as a guide an organisation could think about whether its obligations or aims can be reached without collecting or using the information – if not, the information could be seen as necessary.
Sensitive personal data
Some personal information is particularly sensitive. This ‘sensitive personal data’ has tighter rules about how it can be used. It is defined as personal data that includes information about the data subject, which includes:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992).
- physical or mental health or condition or medical history
- sexual life
- criminal record (or allegations that they’ve committed an offence)
- details of criminal proceedings taken against a person, including any sentences.
As well as meeting one of the ‘fair processing’ reasons listed, there are separate conditions that need to be met for sensitive personal data to be used, such as the data subject giving explicit consent.
Individuals’ access to information about them
The Data Protection Act 1998 says that people who want to see data held about them can write to the data controller to ask for this. This is called ‘subject access’. The data controller can charge up to £10 and must reply promptly (within 40 days of receiving the fee).
The response should include information about:
- what data they have about the data subject
- how and why the data is being used
- details of anyone who may see the data.
The data subject cannot always see this information, for example:
- if it involves also giving information about another individual
- if it is being held for certain research purposes
- in some social work agencies
- if it might harm the physical, mental or emotional health of the individual.
Under the Data Protection Act 1998, volunteers may ask to see their references. References given by the organisation to whom the request is made are exempt under the Data Protection Act 1998. References provided by third parties should, however, be disclosed.
The act seems to protect information about a third party from being revealed when a person asks to see data held about themselves, but the Information Commissioner’s Office Employment Practice Code says that in the case of references, consent is not needed from the referee for the reference to be disclosed but that the organisation must make a judgement as to what information it is reasonable to withhold.
Some or all of the details can still be held back if the organisation believes there is a fair reason to do so, but the code says that factual information, such as sickness records, should not be withheld. Although the code refers to employment issues, the general principles apply to volunteering. More guidance on disclosing references is in the code’s supplementary guidance (pdf, 2MB).
Section 7 of the Data Protection Act 1998:
‘4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless
a) the other individual has consented to the disclosure of the information to the person making the request, or
b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to
a) any duty of confidentiality owed to the other individual,
b) any steps taken by the data controller with a view to seeking the consent of the other individual,
c) whether the other individual is capable of giving consent, and
d) any express refusal of consent by the other individual.’
There are no clear guidelines about how long volunteer records should be kept.
Organisations regulated by a body such as the Care Quality Commission must follow the guidelines from the appropriate guidance or inspecting/regulating body. Other organisations should follow the data protection principle that data should not be kept longer than for the purpose which it was taken. For example, contact details of people who have enquired about volunteering but have not wished to progress to becoming volunteers should not be held.
The Disclosure and Barring Service Code of Practice says that disclosures must not be kept for longer than six months, except in exceptional circumstances. In its general guidance it recommends that organisations speak to the DBS if they think they may need to keep disclosures for longer.
Organisations subject to regulation and inspection by bodies such as the Care Quality Commission may need to keep records between inspections.
Organisations working in areas with particular health and safety concerns – such as work with hazardous substances – should look for guidance on legal requirements for keeping health and safety records.
Records about accidents should be kept for at least three years – the time limit for personal injury claims under the Limitation Act 1980. There can be exceptions to this if long-term health effects may emerge, as with asbestosis. The three-year limit then starts when the individual is first aware of the problem.
Organisations that have volunteers who give advice or similar services should be aware that the Limitation Act 1980 says there is a six-year time limit for damages claims that are not about personal injury. A case like this might require training records and similar information to show that the organisation took the right steps to avoid damage.