Sources of information, along with a few hints and tips about the General Data Protection Regulation.
Many of our members will be aware that the EU's General Data Protection Regulation comes into force on the 25 May.
The GDPR applies broadly the same principles as the existing UK Data Protection rules, but includes some areas of work – particularly around obtaining consent to hold and use data – where third sector organisations will need to have a good look at what they do to check that they’re working within the law.
At VAL we don’t think there’s any reason for third sector organisations to panic; the important thing is to get organised and think through what you need to do.
We’ve been doing a bit of work here to get ourselves ready, and to share what we’ve been learning with members (for instance through a recent Third Sector Leeds event). We’ve been collecting together useful documents; we’ve come up with a few things (not a complete list) that we think are important; and we’ve been trying to get answers to your queries.
Useful sources of information.
The Information Commissioner's Office have prepared a really helpful ‘12 things to do’ document to help you get ready. They have also set up a free online chat line to answer queries from small and medium-sized organisations.
At our recent Third Sector Leeds event Wrigley’s solicitors explained some of the key features of the GDPR. Their presentation includes a helpful checklist for action you should take, and information about how you can ensure you are holding information lawfully.
When we were working out whether we held information lawfully we used a toolkit from the Isle of Man government.
From experience, the things that we think are really key.
We’re certainly not claiming to be experts but we thought we might share some of the things we think are important from our recent experience.
* Make sure you have someone in charge: someone in your organisation who has received training on data protection policy and procedure and is responsible for making sure things happen.
* Get a group of staff to sit down and work out all of the data that you hold, why you hold it, who and where you send it and whether you do this lawfully. (Write this all down in a ‘register’ – we have a spreadsheet.)
* Think about consent – if you hold and use information with consent (e.g. you need consent for pretty much all marketing and anything sensitive) the person must have:
  * agreed to every purpose you use the data for (e.g. ‘ticked the box’ for every mailing list);
  * had consent explained clearly and understood how you’ll hold the information, what you’ll do with it, and why;
  * the ability to withdraw their consent, and an understanding of how to do so.
  You must also:
  * keep good records of how and why you are holding information and when consent was gained;
  * not make consent a pre-condition of service.
* Make sure the information you give to people about how you manage their data (your Privacy Notice) is really clear and explains in detail how you keep it safe, everything you do with it, why you do it, how long you keep it and who you share it with.
* Check that any data that goes outside the EU is processed lawfully (if you use US apps like Survey Monkey or Eventbrite then they must be GDPR compliant; at the moment you should check for the EU-US Privacy Shield).
* Make sure you don’t keep data about people longer than you need to; you need clear rules about how long you’ll keep information and you need to stick to them.
* Have really clear systems for recording breaches, learning from them and reporting breaches to the Information Commissioner's Office (a form for recording, an action plan for improvement).
* Have a system for checking that new things you do are lawful (Privacy Impact Assessment).
* Check to make sure you have appropriate data sharing/processing agreements with people you send data to.
* Make sure your training on confidentiality and data protection is up to scratch, and check that staff both know what to do and are doing it.
We’ve been collecting some questions we’ve been asked and the answers that we’ve received. Here’s a taste of them. These are all paraphrased from responses that have been offered by trainers, by Wrigley’s solicitors at our recent Third Sector Leeds event, or by the Information Commissioner's Office through their online chat facility.
Q: Do business email addresses count as personal data if they include first name.second name @....?
A: Yes – you can identify a person and their place of work from this so it’s definitely personal data.
Q: If we’re converting from one type of organisation (e.g. a voluntary organisation) to another type (e.g. a CIO), but will continue to work with the same service users in the same way, do we need to get new consent?
A: It depends whether your consent meets the new requirements of the GDPR. If your consent is already robust enough then no: as long as your organisation has the same purposes, is not transferring the information elsewhere and is doing nothing new with the data, then you should be fine.
Q: We collect names, contact details and case histories for the support that we offer service users. Do we need consent for this?
A: You can make a case that collecting this information is a ‘Legitimate Interest’ for your organisation. In short, if the service user expects to come to you several times to receive a service then you’re going to have to keep some records. ‘Legitimate interest’ does not require the same level of detailed record keeping as consent although you must record your reason for treating this information as a legitimate interest and explain your legitimate interests in your privacy notice.
If the case history includes any sensitive information you must, of course, obtain consent.
Q: In the course of our work we record information such as disclosures of domestic violence. We can’t find this referred to as ‘sensitive information’ in the law. Should we treat this as sensitive information and obtain consent?