Data protection and GDPR
This resource is aimed at VCS organisations who hold or have access to any form of personal data about either the people they work with or their employees or volunteers. This will apply to almost all organisations regardless of size. It is a vital starting point for all organisations to have a commitment to keeping personal data safe and understanding the basic principles of data protection.
Data protection refers to the set of laws, regulations and processes that ensure against the misuse or publication of personal data. The main aim of data protection is to enable individuals to maintain control over how their data is held and used. In the United Kingdom the relevant legislation is:
Personal data refers to any information which relates to an identifiable individual and would allow that individual to be identified either directly through that information or in conjunction with other sources of information about them.
The UK GDPR 2018 sets out seven key principles of data protection:
- Lawfulness, fairness and transparency.
- Purpose limitation - information has to be collected for a specific and lawful reason.
- Data minimisation - collected data has to be relevant to the purpose.
- Accuracy - data must be accurate and kept up to date.
- Storage limitation - data should be kept for only so long as is necessary.
- Integrity and confidentiality (security) - the data should be kept safe.
- Accountability - an organisation should be able to demonstrate how it is complying with the regulations.
7 principles of data protection: A guide to the data protection principles | Information Commissioner’s Office (ICO).
Voluntary and community groups have a legal responsibility to protect personal data. This legal responsibility means that organisations need to take certain steps to ensure they are compliant with the law.
Organisations need to:
- Decide upon a lawful basis for data collection.
- Identify if they are collecting special category data. This is data which is considered more sensitive than others - such as ethnic origin or medical data - and take extra precautions to ensure this data is protected.
- Ensure they do not keep data longer than is necessary.
- Enable individuals to maintain control over their own data – this includes ensuring individuals give informed consent and responding to Subject Access Requests where an individual can request a copy of all information held on them by an organisation.
- Be able to demonstrate the steps they take to ensure they comply with the law.
- Ensure that breaches of data security are reported to the ICO.
When processing personal data it is necessary for there to be a ‘lawful basis’ for the processing to take place. There are numerous forms of lawful basis under which an organisation can process data including:
- Consent – an individual has given you clear and informed consent to process their personal data.
- Fulfilling a contract – for example, it would be necessary to hold and process the personal data of an employee in order to fulfil their contract of employment.
- Legitimate interest – for example, information about the health of an employee or volunteer.
- Legal obligation – for example, if the organisation becomes aware of a safeguarding concern or crime that they are required to disclose to the relevant authority.
Special category data refers to personal data that is regarded as particularly sensitive. This kind of data is subject to stricter processing laws due to the increased levels of harm that a disclosure of special category data could do to the individual involved. Forms of special category data include information about health, racial or ethnic origin, political opinion, trade union membership, and gender and sexuality.
In addition to identifying a legal basis for processing special category data organisations must also identify an additional ‘condition for processing’. The ICO sets out what these are here: Special category data | ICO. Organisations that are processing special category data need to ensure that they take extra care and document how they are ensuring the safety of the data.
The Information Commissioner’s Office (ICO) is the independent regulator set up to support data protection and enforce data protection laws in the UK. In the case of a breach of security of personal data it is the organisation’s legal responsibility to report the breach to the ICO.
Data controllers and data processors
The terms ‘data controller’ and ‘data processor’ are related to the organisation or individual who is processing data and the level of responsibility they are subject to.
- Data Controller: A data controller is the decision maker around how and why data is collected and used. This will generally be an organisation.
- Data Processor: A data processor acts upon instruction from a data controller. Generally individuals within organisations are data processors.
A Data Protection Officer (DPO) is a named individual who is responsible for supporting an organisation to comply with data protection regulations. It is unlikely a small VCS organisation will be statutorily required to appoint a DPO but it may be good practice, especially for organisations who process special category data.
The first step is to carry out an information audit to find out what personal data your organisation holds and where it is. You should then know:
- What kind of data do you process? For example do you process special category data that requires a high level of security?
- Who processes that data? Who within your organisation processes and has access to data? Are they aware of their responsibilities? Do they need training?
- How do you keep data safe? What systems do you use? If you keep information internally, is the information kept somewhere secure? If you use electronic systems, what are their security arrangements?
- How do you process consent? Are people aware of what information you collect about them, and do they give their consent for you to do this?
- Why are you collecting that data? What is the purpose for collection? If this is understood then it will be possible to identify the lawful basis for collecting data. This may require the consideration of a legitimate interests assessment.
A legitimate interests assessment is a process which helps organisations assess if their data processing meets the legitimate interests of their organisation whilst also balancing the rights of individuals. More information about legitimate interests assessments can be found here.
A personal data breach refers to a breach of security that has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Example: A list of client details is accidentally attached to an email.
An organisation needs to have processes in place that tell individuals what to do in the case of a personal data breach. This will depend on the severity of the breach and the kind of personal data that has been involved.
In the event of a data breach an organisation is required to assess the severity of the breach. The main concern is to assess the potential for any negative consequences that could happen for an individual as a result of the breach. This assessment should also take into consideration whether any special category data was involved in the breach. If a decision is made not to report the breach then this decision must be justifiable and documented.
If the organisation determines that the breach could cause potential negative consequences then there are two actions it must take:
- Report the breach to the ICO within 72 hours of its occurrence.
- Inform individuals involved that their data has been compromised.
Failure to report a breach can result in a fine of up to £8.7 million or 2 per cent of the organisation’s global turnover.
Resources
• Information Commissioner’s Office | ICO documentation.
• Privacy notices: Privacy notice generator - for customers or suppliers | ICO.
• NCVO - Writing a data protection policy and procedures.
• Advice for small and medium size organisations.
• Data protection self assessment - Do you need to register with the ICO? Most charities and non-profit organisations do not, but there are some circumstances (including using CCTV) that mean you need to pay a small fee and join their register.
• Children’s Code - advice on data protection for organisations working with children.
Data protection documentation checklist for UK voluntary and community organisations
| Document | Description | Required for | ICO guidance |
|---|---|---|---|
| Data protection policy | Explains how the organisation complies with data protection laws. | All organisations. | Guidance page |
| Privacy notices | Clear information on how personal data is collected and used. | All organisations. | Guidance page |
| Record of Processing Activities (ROPA) | Log of what personal data is processed and why. | If 250+ staff or handling special category, high-risk, or non-occasional data. | Guidance page |
| Legitimate Interests Assessment (LIA) | Assessment to justify using legitimate interests as a lawful basis. | When using legitimate interests. | Guidance page |
| Consent records | Proof of valid, informed consent. | When relying on consent. | Guidance page |
| Data sharing agreements | Formal agreements with third parties sharing personal data. | When sharing personal data with other organisations. | Guidance page |
| Data protection impact assessments (DPIAs) | Risk assessments for high-risk processing. | For high-risk processing. | Guidance page |
| Data retention schedule | Schedule of how long data is kept and when it is deleted. | All organisations managing personal data. | Guidance page |
| Security measures documentation | Summary of how personal data is protected. | All organisations. | Guidance page |
| Subject Access Request (SAR) log | Record of access requests and how they were fulfilled. | When receiving SARs. | Guidance page |
| Data breach log | Record of breaches, how they were handled, and reported. | All organisations; required by law for certain breaches. | Guidance page |
| Staff and volunteer training records | Evidence that people handling data understand their responsibilities. | All organisations. | Guidance page |
| Appointment of a data protection lead | Named person responsible for data protection (not necessarily a DPO). | All organisations. | Guidance page |
If you have any questions about any of the information in this resource, THCVS can give 1-1 support and advice. Please email us at info@thcvs.org.uk.