Data Protection Help! Sheet
If your organisation processes and retains personal information regarding individuals, then you need to be aware of what you should be doing to protect that information.
As the management committee, you are ultimately responsible under the Data Protection Act 1998 and need to ensure that your organisation's practices are compliant.
The Data Protection Act 1998
The Data Protection Act 1998 aims to strike a balance between the rights of individuals and the interests of those with legitimate reasons for using personal information. Individuals, for example, are given the rights to access certain information held on them.
The Management Committee needs to ensure that the organisation has considered 3 key questions in order to ensure that they are compliant with the Act:
- Does our organisation process personal information?
- Are we obliged to notify the Information Commissioner's Office (ICO) that we are handling personal information?
- What principles should govern how we handle personal information, and how are we ensuring that our policies and practices are compliant?
1. Does your organisation process personal information?
Personal information means data which relates to a living individual who can be identified from those data (or from those data together with other information which is in the organisation's possession). It covers both facts and opinions about the individual.
- If you obtain, record, use or hold such information, then you are considered to process personal information. You therefore need to consider questions 2 & 3; and
- If you do not process personal information, then you do not have any obligations under the Data Protection Act 1998.
The ICO has developed basic documentation templates which you can use to help you create a register of all the personal information you hold and why you hold it. These Excel sheets can be downloaded from the bottom of the page here.
2. Are we obliged to notify the Information Commissioner's Office that we are handling personal information?
Click here for a self-assessment questionnaire to confirm whether your organisation needs to provide notification.
The Data Protection Act 1998 obliges those who process personal information to notify the Information Commissioner's Office that they are doing so. However, most not-for-profit organisations will find themselves covered by the exemptions from this requirement.
Essentially, if you are a not-for-profit organisation processing personal information solely for:
- maintaining a membership or supporters scheme;
- administering activities for individuals who are members or have regular contact with you;
- personnel matters in relation to your staff;
- advertising or marketing your business, activity, goods or services and promoting public relations relating to this; and
- keeping accounts relating to any business or other activity which you carry out.
then you are likely to find yourself exempt from notification. In addition, if none of your processing is carried out on a computer, then you are unlikely to need to notify, but you do need to check the detail in the Information Commissioner's Office online guidance at https://ico.org.uk.
Click here for more details on exemptions for not-for-profit organisations.
3. What principles should govern how we handle personal information and how are we ensuring that our policies and practices are compliant?
Whether or not you are required to provide notification that you are handling personal information, your organisation's policies and practices must still comply with eight enforceable principles of good information handling practice.
These say that data must be:
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept longer than necessary;
- Processed in accordance with the individual's rights;
- Secure; and
- Not transferred to countries outside the European Economic Area unless the destination country provides adequate protection for the individual.
For personal information to be considered fairly processed, at least one of several additional conditions must be met. For example:
- Having the explicit consent of the individual;
- Where there is a legal obligation;
- Being required by law to process the information for employment purposes;
- Needing to process the information in order to protect the vital interests of the individual or another person; and
- Dealing with the administration of justice or legal proceedings.
For more information about the conditions for processing click here.
Additional conditions apply to the processing of sensitive personal information.
Sensitive personal information is defined as information about an individual's:
- race or ethnicity;
- political opinions;
- religious beliefs;
- trade union membership;
- physical or mental health condition;
- details of their sex life;
- criminal convictions;
- sentencing as a result of criminal convictions.
Contact the Information Commissioner's Office for guidance on the storage of personal information, legal requirements, the rights of individuals, and related matters.
Contact Cyberstreetwise for guidance on protecting your organisation against cyber threats.
Click here to download the Charity Commission for Northern Ireland's guidance on Data Protection for Charity Trustees.