Data Protection webinar: Data Protection & Volunteers
19th June 2014
Welcome. We’re just making the last few preparations for the webinar to start at.

Presentation transcript:

Data Protection webinar: Data Protection & Volunteers
19th June 2014
Welcome. We’re just making the last few preparations for the webinar to start at
Keep your speakers or headphones turned on and you will shortly hear a voice!

Please note:
• If you want to make the links and animations in this presentation work, you need to Show it as a slideshow (press F5)
• If you can see this slide, you are not in Show mode and the links and animations won’t work

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

The main topics for this webinar:
• The roles volunteers play
• Quick overview of Data Protection
• The legal background
• Data Protection & Confidentiality
• Responsibilities
• The Data Protection Principles in practice

The roles volunteers play
Volunteers work in a range of settings, including:
• Running the whole organisation
• Working in the office alongside paid staff
• Delivering part or all of the organisation’s service
• Running local branches
• Acting as trustees on the Board or Management Committee

What Data Protection is about: 1
• Prevent harm to the individuals whose data we hold, or other people
• Keep information in the right hands
• Hold good quality data
Protecting people → Protecting data

What Data Protection is about: 2
• Reassure people that we use their information responsibly, so that they trust us
• Be transparent – open and honest, don’t hide things or go behind people’s back
• Offer people a reasonable choice over how you use their data, and what for
“Give us more money!” “Support our campaign!” “We sold your details to someone else”

What Data Protection is about: 3
• Comply with specific legal requirements, such as:
  • Right to opt out of direct marketing
  • Right of Subject Access
  • (And others)

The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

The legal background: 1
• An organisation is “vicariously liable” for most actions of an employee
• The situation with volunteers is not so clear cut, but measures can be put in place to emphasise their responsibilities in regard to Data Protection and Confidentiality without creating a contract of employment

The legal background: 2
• Most information about people is “personal data” as soon as it is recorded somewhere
• If the organisation fails to comply with the Data Protection Principles, it may face:
  • A penalty from the Information Commissioner
  • A claim for compensation from affected individuals
  • Reputational damage
• The Principles on their own are not enough: policies and procedures must ensure compliance

Data Protection and Confidentiality overlap a lot, but they are not the same
[Diagram labels: Confidentiality; Clear boundaries; Data Protection]

Confidentiality
• Define the boundaries: who has access to what information for what purposes
• Employees have an implied duty of confidentiality
• Volunteers are subject to the common law duty of confidentiality (as long as they know what information is confidential)
• A signed confidentiality pledge should underpin all volunteers’ responsibilities

Ways of breaking confidentiality
• Discussing confidential information with partner
• Talking about confidential information in public
• Working on confidential material in public
• Giving out information carelessly over the phone
• Sharing or disclosing computer access details
• Losing confidential documents/leaving them around
• Sharing information about people who have not given permission
• Disposing of information carelessly

Responsibilities: Internal
• The organisation is responsible for Data Protection compliance
• Where volunteers work alongside paid staff they should be following exactly the same procedures
• Volunteers should also be subject to the same checks, supervision and monitoring as paid staff would be if they were in the same role(s)

Responsibilities: Branches
• Branches are part of the parent organisation or they are autonomous; there is no half-way house
• In a unified structure, full responsibility lies with the parent organisation:
  • The volunteers running the branch must be given clear procedures and instructions, and held to account
• In a federal structure, full responsibility lies with each branch:
  • The volunteers running the branch must know this; they may be given guidance

Security (Principle 7)
The Data Protection Act says you must prevent:
• unauthorised access to personal data
• accidental loss or damage of personal data
The security measures must be appropriate. They must also be technical and organisational.
The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.

Key security areas
• Security in the office
• IT security (data at rest)
• IT security (data in transit)
• Website security
• Non-electronic data in transit
• Personnel

Data quality (Principles 3 & 4)
The Data Protection Act says that data must be:
• Adequate
• Relevant
• Not excessive
• Accurate
• Up to date (where necessary)

Guidance volunteers might need
• Use centrally-produced materials where possible
• What information to collect, and in what format
• How to design data collection forms
• How to ensure that the information they record is as neutral and accurate as possible
• How to keep information up to date – including how and when to offer people the chance to check that the information held about them is correct

‘Fair’ processing (Principles 1 & 2): Transparency & Choice
• People generally need to know:
  • who is collecting their information
  • what purposes you hold their data for
  • who you might pass the data on to
  • how to contact you if they want to stop you from using their data or check what you are doing
• They also must be given a reasonable choice over how their information is used, especially regarding Direct marketing

Guidance volunteers might need
• Use centrally-produced materials wherever possible
• Use standard wording provided by the organisation
• Record people’s preferences carefully, and respect their preferences
• Use the Information Commissioner’s Privacy Notices Code of Practice if designing own materials

Retention periods (Principle 5)
• Data must not be held longer than ‘necessary’
• Volunteers who hold data do so on behalf of the organisation
• They must follow the organisation’s retention schedule
• When their role ends they must not retain any confidential information
  • Return it for archiving if required
  • Otherwise destroy it securely

Data Subject Rights (Principle 6)
• Volunteers must be aware of any restrictions on marketing, resulting from choices the Data Subject has made
• Most volunteers (or other staff) should not normally handle Subject Access Requests; these should be referred to the organisation’s Data Protection Officer

Transfers abroad (Principle 8)
• Most UK voluntary organisations do not transfer information outside Europe. However, transfer may take place if:
  • cloud computing (online applications such as Dropbox or SurveyMonkey) is used and the location of the data storage is outside Europe
  • information is published on a website that is designed to be accessible throughout the world
• Volunteers should be given guidance on the risks

The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Data Protection: the absolute basics
We are trying to:
• Prevent harm by
  • Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  • Holding good quality data (accurate, up to date and adequate)
• Reassure people so that they trust us
  • Making sure people know enough about what we are doing
  • Giving people a choice where possible

Many thanks
Follow-up questions: To come by
*Link to evaluation questionnaire
*Link to download the presentation, after you have completed the questionnaire