Transcript of Data Protection webinar: Data Protection & Volunteers

19th June 2014

Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

The main topics for this webinar:

The roles volunteers play
Quick overview of Data Protection
The legal background
Data Protection & Confidentiality
Responsibilities
The Data Protection Principles in practice

The roles volunteers play

Volunteers work in a range of settings, including:

Running the whole organisation
Working in the office alongside paid staff
Delivering part or all of the organisation’s service
Running local branches
Acting as trustees on the Board or Management Committee

What Data Protection is about: 1

Protecting people:
Prevent harm to the individuals whose data we hold, or other people

Protecting data:
Keep information in the right hands
Hold good quality data

What Data Protection is about: 2

Reassure people that we use their information responsibly, so that they trust us
Be transparent – open and honest, don’t hide things or go behind people’s back
Offer people a reasonable choice over how you use their data, and what for

[Illustration: speech bubbles reading “Give us more money!”, “Support our campaign!” and “We sold your details to someone else”]

What Data Protection is about: 3

Comply with specific legal requirements, such as:

Right to opt out of direct marketing
Right of Subject Access
(And others)

The Data Protection Principles

1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

The legal background: 1

An organisation is “vicariously liable” for most actions of an employee

The situation with volunteers is not so clear cut, but measures can be put in place to emphasise their responsibilities in regard to Data Protection and Confidentiality without creating a contract of employment

The legal background: 2

Most information about people is “personal data” as soon as it is recorded somewhere

If the organisation fails to comply with the Data Protection Principles, it may face:

A penalty from the Information Commissioner
A claim for compensation from affected individuals
Reputational damage

The Principles on their own are not enough: policies and procedures must ensure compliance

Confidentiality

Clear boundaries

Data Protection and Confidentiality overlap a lot, but they are not the same

[Diagram: two overlapping circles labelled “Data Protection” and “Confidentiality”]

Define the boundaries: who has access to what information for what purposes

Employees have an implied duty of confidentiality

Volunteers are subject to the common law duty of confidentiality (as long as they know what information is confidential)

A signed confidentiality pledge should underpin all volunteers’ responsibilities

Ways of breaking confidentiality

Discussing confidential information with partner
Talking about confidential information in public
Working on confidential material in public
Giving out information carelessly over the phone
Sharing or disclosing computer access details
Losing confidential documents/leaving them around
Sharing information about people who have not given permission
Disposing of information carelessly

Responsibilities: Internal

The organisation is responsible for Data Protection compliance

Where volunteers work alongside paid staff they should be following exactly the same procedures

Volunteers should also be subject to the same checks, supervision and monitoring as paid staff would be if they were in the same role(s)

Responsibilities: Branches

Branches are part of the parent organisation or they are autonomous; there is no half-way house

In a unified structure, full responsibility lies with the parent organisation: the volunteers running the branch must be given clear procedures and instructions, and held to account

In a federal structure, full responsibility lies with each branch: the volunteers running the branch must know this; they may be given guidance

Security (Principle 7)

The Data Protection Act says you must prevent:

unauthorised access to personal data
accidental loss or damage of personal data

The security measures must be appropriate. They must also be technical and organisational.

The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security.

(Answer: £500,000)

Key security areas

Security in the office
IT security (data at rest)
IT security (data in transit)
Website security
Non-electronic data in transit
Personnel

Data quality (Principles 3 & 4)

The Data Protection Act says that data must be:

Adequate
Relevant
Not excessive
Accurate
Up to date (where necessary)

Guidance volunteers might need

Use centrally-produced materials where possible

What information to collect, and in what format
How to design data collection forms
How to ensure that the information they record is as neutral and accurate as possible
How to keep information up to date – including how and when to offer people the chance to check that the information held about them is correct

‘Fair’ processing (Principles 1 & 2): Transparency & Choice

People generally need to know:

who is collecting their information
what purposes you hold their data for
who you might pass the data on to
how to contact you if they want to stop you from using their data or check what you are doing

They also must be given a reasonable choice over how their information is used, especially regarding direct marketing

Guidance volunteers might need

Use centrally-produced materials wherever possible

Use standard wording provided by the organisation

Record people’s preferences carefully, and respect their preferences

Use the Information Commissioner’s Privacy Notices Code of Practice if designing own materials

Retention periods (Principle 5)

Data must not be held longer than ‘necessary’

Volunteers who hold data do so on behalf of the organisation

They must follow the organisation’s retention schedule

When their role ends they must not retain any confidential information:

Return it for archiving if required
Otherwise destroy it securely

Data Subject Rights (Principle 6)

Volunteers must be aware of any restrictions on marketing, resulting from choices the Data Subject has made

Most volunteers (or other staff) should not normally handle Subject Access Requests; these should be referred to the organisation’s Data Protection Officer

Transfers abroad (Principle 8)

Most UK voluntary organisations do not transfer information outside Europe. However, transfer may take place if:

cloud computing (online applications such as Dropbox or SurveyMonkey) is used and the location of the data storage is outside Europe
information is published on a website that is designed to be accessible throughout the world

Volunteers should be given guidance on the risks


Data Protection: the absolute basics

We are trying to:

Prevent harm by:
Keeping data only in the right hands (and being clear what ‘the right hands’ are)
Holding good quality data (accurate, up to date and adequate)

Reassure people so that they trust us by:
Making sure people know enough about what we are doing
Giving people a choice where possible

Many thanks

Follow-up questions: [email protected]

To come by e-mail:

* Link to evaluation questionnaire
* Link to download the presentation, after you have completed the questionnaire