A common sense guide to the Data Protection Act 1998 for volunteers
Why is it necessary?
The Data Protection Act 1998 is a law introduced to control the way information held about
individuals is handled and to give legal rights to people who have information stored about
them. This need not be particularly sensitive information, and can be as little as a name and
address. This guidance refers to all personal information whether it is stored electronically or in
hard copy/paper systems.
There can be serious consequences for breaching data protection. This can be a financial
penalty, as well as the risk of damage to your branch, group or the Association’s reputation. If
you would like a copy of the Data Protection Policy which fully explains the Act, please contact
the branch and group support and information line (details at the end of the guide).
It is clear we must ensure we are storing personal information carefully and this guidance
explains what branches, groups and other volunteers need to do to ensure they are not at risk of
breaching the Act.
Data Protection Act Principles:
There are eight data protection principles. These specify that personal data must be:
1. Processed lawfully and fairly
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept any longer than necessary
6. Processed in accordance with the ‘data subject’s’ (the individual’s) rights
7. Securely kept
8. Not transferred to any other country without adequate protections in situ
So what does this mean in practice and how can you ensure you are complying with the law and
protecting the rights of the people we support? By adhering to the following practices, you can
be sure you will be acting in accordance with the principles outlined.
Last updated: May 2016
Collecting and storing information:
The Data Protection Act refers to information about a living person that allows them to be
identified and is kept in any type of filing system. This includes names, addresses, telephone
numbers and email addresses. These include those stored on a computer or any manual
system you may use.
Think about the sort of information you may hold:
• Databases
• Lists where people living with MND are included
• Mailing lists
• Requests for funding
• Volunteer records
• Referral forms
• Correspondence files
• Email address books
• Booking applications forms
If you can say yes to any of the above, you will be covered by the Act and have to take steps to
safeguard personal information in your care. This is classified as “personal data”.
Information is classed as “sensitive” if it includes:
• Racial or ethnic origins
• Religious beliefs
• Physical or mental health (including noting a diagnosis of MND – disclosure could impact employment / insurance etc…)
None of this must be shared without the express consent of the person.
You might find you are handling these very well, but you may find you need to change or add to
some of the things you do.
Any information you collect must be for a specific purpose and mustn’t be used for anything
else, so to avoid duplication, check in your branch or group what information you keep and who
is keeping it.
Consent:
If you are keeping personal or sensitive information on anyone - you must let them know you
are doing so and why you need to. They have a right to say you may not have their information,
or not to receive information from you. The Association will always try to get permission to keep
someone’s personal details, and where these are sensitive (usually relating to health) then we
must try to get explicit consent either in writing or verbally. We will do this prior to sharing
information with you, or Association Visitors may do this when they first contact someone with
MND.
Recording:
The Act states that information should be ‘adequate, relevant and not excessive’. Ask
yourself: Do you really need to know this information? For example, do you need to know family
history? At branch or group meetings, how much information do you really need to know, and
why, when you are looking at funding applications? Consider how you would feel if sensitive
personal information was shared.
Be really clear about why you want this information and for whose benefit it is. If it is not relevant
to supporting people with MND, then you should not be collecting it.
Consider these best practice points when you are recording information:
• Summarise the main points of a discussion
• Complete immediately or as soon as is practical after a meeting
• Differentiate between fact and fiction
• Write clearly in terms that are easily understood
• Avoid using jargon and abbreviations
• Avoid words that are emotive or could be misinterpreted
• Avoid using ‘clearly’ or ‘obviously’ if this reflects a personal opinion
• Avoid keeping duplicate information
Security and confidentiality:
We are in a position of trust with the information we have and therefore we must ensure that this
trust is not misplaced.
It is important that you make sure that the information you keep is safe from other people seeing
it, and that it doesn’t get lost, damaged or destroyed.
Putting it into practice:
• Make sure everyone in your branch or group knows their responsibilities
• Use your funds to buy a small lockable filing cabinet
• Password protect emails (see Good Practice at the end of this document)
• Use up-to-date anti-virus software
• If you are taking information to a meeting by car, make sure it is kept in the boot and the car is locked when you leave it
• Don’t leave information on tables, and turn off computer screens when it is possible other family members or visitors can see the information
• Avoid using identifying names, or other information, in minutes or newsletters unless you have permission
• Don’t pass details to other organisations or individuals without permission
• If you no longer need the information, destroy it (see disposal of information)
• Do not use personal / sensitive information in an email subject line
Access to information
In practice, a person you have information on has the right to see it. If someone makes a
request to see the information you have about them you have to:
• Tell them what information you have about them
• Why you have the information and who it may be shared with
• Supply them with a copy of all the actual information
• Say where you got the information from
If you get a request asking to see what information you are holding about a person
you must inform the Data Protection Officer (DPO) at David Niven House, and they
will ensure the following:
• The request is in writing (fax or email is acceptable)
• The DPO will reply promptly and within a maximum of 40 calendar days
• They will give the information to the right person - check their identity
• If it is a third party who requests the information (solicitor or next of kin) the DPO will check that:
  - they are properly authorised to do so
  - they are acting in the interest of the individual
  - get written authorisation
Sharing information
From time to time we may need to share this information with other people or organisations to
either provide or ensure individuals receive the service most suited to their needs and care. In
May 2011 a Data Sharing Code of Practice was published by the Information Commissioner’s
Office, which said:
“People now have an expectation that, where appropriate and necessary, their personal details
may be shared.” – Christopher Graham, Information Commissioner
This supports increased transparency with information within the Association as long as the
minimum amount of information is shared with as few people, and only if it supports the care of
people with MND and their families. We should never do anything that might cause risk or harm
through the sharing of information.
We must have consent to store and share personal information and have processes in place to
capture this wherever possible.
For example, you may hear at an AGM of challenges for people with MND in your area not
receiving social care as would be expected. You may ask the individual if you can share this
information with your RCDA or MND Connect as this could support future campaigning.
Another example may be that you receive the names of people with MND in your area from
David Niven House; this will enable you to consider branch planning and possible fundraising.
This of course does not mean their full information can be shared at meetings; however, it
means the branch contact has the information and the individual’s initials can be their
identification. Remember – it is not your information, it is the person with MND’s, and it should be
shared with as few people as possible in order to provide the best care and support.
Good practice when sharing information – including by email
You will all be aware of the need for confidentiality, and the Association expects all its staff and
volunteers to be aware of what this means to them. In order to ensure we protect information,
we need to ensure our processes for sharing are carefully considered, and this would include
information in newsletters, minutes, and websites as well as branch listings.
Remember the following
• Lists of people’s personal details should only be shared on a “need to know” basis
• Anything with personal information in should be sent marked “Private and Confidential” and anything that has sensitive information contained in it should be sent recorded delivery
• All personal computers should have password protection to ensure only the volunteer working with the Association can access the data, not family or friends
• Dedicated email address for MND Association correspondence only – this must not be a shared email address
• Any information kept on a memory stick / computer disc must be encrypted
• When sharing information with colleagues on home PCs all sensitive information should be put in a Word document and then attached as a password protected document – you will need to agree on a password and share this with the people you are corresponding with. Please refer to your Help Documentation supplied with your application on how to password protect a document
To password protect a document:
• Go into Tools in Word
• Then select Protect Document
• This brings up a password box where you enter a selected password
• Once you save the document the password will be applied and will be needed to open the document again
It is also good practice to include a disclaimer at the end of all messages sent on branch or
group business. This alerts the receiver that they should delete if it’s not for them. The one we
have as standard for all outgoing messages from the Association, which you could copy, is as
follows:
The information contained in this email message, and any files transmitted with it, are
confidential, and intended solely for the use of the individual or organisation to whom they
are addressed. If you are not the intended recipient, please note that any disclosure,
distribution or copying of the email is strictly prohibited. If you have received this email in
error, please notify the MND Association via email at [email protected] and
delete the message from your system. Thank you for your co-operation.
The opinions expressed in this message are those of the individual and are not necessarily
the official opinions of the MND Association. The MND Association cannot be held
responsible for any advice provided in this message and is not liable for any damages
caused by the recipient’s reliance on the content.
Motor Neurone Disease Association, Registered in England Company Limited by Guarantee
No 2007023. Registered Charity Number 294354
Disposal of information
Once you no longer need the information you have, special care needs to be taken when
destroying it to ensure that it cannot be read or used by anyone else.
There is also a duty under statute to keep certain information for a defined length of time:
• Minutes and other correspondence for three years
• Financial records and related correspondence must be kept for seven years
• Sensitive personal information must be kept for 10 years
For paper based information your branch or group could use funds to buy a shredder and
appoint one person to be responsible for destroying these, or set up a rota for this task.
To remove information from a computer, special discs can be purchased which completely
remove the information. Deleting data not only secures privacy but helps make the computer
run better, saves storage space and most importantly, makes sure you are in control of what’s
seen and what’s not.
For more information contact the Volunteering Team:
Phone: 0345 6044 150
Email: [email protected]
Website: www.mndassociation.org/volunteerzone