Records and data protection
The data protection act
The 1998 Data Protection Act is the legal framework for the storage and processing of personal information.
The act covers two areas:
- Principles of good practice in relation to processing personal information.
- The individual’s right to access information held about them
All organisations that process personal information are subject to the act and most are required to notify the Information Commissioners Office (ICO) that they process such information. Some Not-for-Profit organisations however are exempt from the obligation to notify. The rules governing this are fairly complex. They can be accessed via The Information Commissioners Office.
Whether or not you are required to notify the ICO you must still follow the good practice principles for processing information by ensuring that personal data relating to volunteers is:
- Fairly and lawfully processed
- Processed only for specified and lawful processes
- Adequate, relevant and not excessive
- Accurate and up-to-date
- Not kept for longer than the purpose specified
- Processed in accordance with the rights of the data subject
- Secure from the point of collection through to disposal
- Not transferred to other countries without adequate protection of data subjects
General Data Protection Regulation Legislation
The new General Data Protection Regulation legislation came into effect on Friday 25 May 2018
On 25 May 2018, data protection law changed with the introduction of the European General Data Protection Regulation (GDPR). It is a significant change for all organisations that hold and process personal data. Voluntary and community organisations will need to overhaul their privacy and data policies in order to be compliant with the new and more stringent regulatory framework.
Types of information about volunteers
The sort of personal information about volunteers that you may need to keep could include:
- Contact details
- Details of experience, skills and preferences used to assess suitability for a role (recorded on application form or gained through interview)
- Monitoring information including ethnicity, disability etc
- Information relating to DBS checks
- Supervision notes
Some of this information is regarded as “sensitive data” under the act and must be processed accordingly.
You may hold information in the form of paper based files or computerised information eg a volunteer database or both. Any information you hold will be subject to the rules, regardless of whether it is held on paper or on a computer.
You should seek only to collect and record sensitive data on a ‘need to know’ basis and have procedures relating to the written recording of this.
Your organisation should also ensure that it has specific security procedures relating to volunteers’ files to guard against anyone seeing the information that shouldn’t or data getting damaged, lost or destroyed.
Keeping volunteer records
No clear guidelines exist for the retention of volunteer records.
If your organisation is operating under any form of regulation eg the care standards act. You must follow any guidelines set out by the appropriate body.
The criminal records bureau code of practice on disclosure information must also be adhered to.
The limitation act 1980 sets out timescales for retention of certain records that might also apply such as the time limit for personal accident claims. This is currently 3 years in most cases.
Where volunteers are providing advice or similar services, organisations should be aware that the act imposes a six year time limit for damages claims other than personal injury. Were such a case to be brought, training records and similar information might be needed to demonstrate that the organisation had taken adequate measures.
Generally speaking, organisations should follow the data protection principle that data should not be kept for longer than the purpose for which it was collected.
Informing volunteers and gaining consent
Volunteers should be made aware of why you collect information, what you do with it and how you keep it safe.
You could include details of this in an appropriate document such as your volunteer policy or volunteer handbook or use these to refer volunteers to other organisational policies that cover this such as a data protection policy.
Organisations should also gain explicit consent from volunteers to hold sensitive information.
Volunteers' access to their records
Volunteers have the right to make a request to access all of the data you hold about them. Requests should be made in writing and you will need to decide a process for this, eg will access be by appointment?