The Data Protection Act and your Voluntary Organisation

Recently, we’ve had a spate of users asking us here at Three Rings HQ to comment on the ways in which the Data Protection Act 1998 applies to their organisation. We’ve had to make it clear that we’re not experts on the subject, and we’re not qualified to provide legal advice, so any of our clients with specific questions or concerns really need to seek professional counsel, but there’s clearly a degree of interest – and perhaps even some concern – among our users on this subject.

So, for the benefit of any users who’ve heard of the Data Protection Act, but don’t know much about its requirements, we’ve put together this blog post to provide a quick summary of the requirements of the DPA as they might relate to one of the voluntary organisations using Three Rings. Our hope is that this post will help them review their own situation and policies, and make it easier for them to work out if they or their organisation require any further guidance or advice.

It’s also worth making it clear that, although this blog post assumes your data is being stored in Three Rings, the DPA applies to your organisation even if you aren’t yet one of our clients: whether you’re using Three Rings, an Excel or Google spreadsheet, another electronic volunteer management system or even good old fashioned pens and paper, what matters is that you are storing volunteers’ personal data, and you have to do so in accordance with the law.

(Note that organisations outside the UK should bear in mind that their use of Three Rings is governed by the laws of England and Wales – meaning they’ll need to abide by the DPA in their use of the system in addition to any national laws on data processing which apply in their home jurisdiction.)

For a far more comprehensive and authoritative summary of the DPA and its requirements in relation to organisations, you can read this helpful guide created by the Information Commissioner’s Office, which is the independent body which exists to uphold and regulate best practice in data management by public bodies and organisations.

A brief summary of the DPA

The DPA exists to protect individuals from having data about them wrongfully gathered or used by organisations. It boils down to eight key Principles, which any organisation storing individuals’ data must follow in order to comply with the terms of the DPA. The primary legislation for this is available online here, but there is also a much more readable version direct from gov.uk.

There are two key definitions to understanding the DPA in the context of voluntary organisations using Three Rings: ‘Data Subjects’ and ‘Data Controllers’.

Data Subject means the individual whose personal data is being stored – in Three Rings terms, almost certainly one of your volunteers.

Data Controller means the individual (or individuals) who decide how and why the Data Subject’s personal information is stored and used. In the case of Three Rings, this is likely to include people such as a Director, Shop Manager or Coordinator, representing your voluntary organisation as a whole, as they gather and use certain items of personal information in order to run the organisation effectively.

Three Rings stores the information on behalf of our client organisations, but Three Rings CIC is not a Data Controller (except where we store details on our own volunteers). Instead, we’re what’s called a ‘Data Processor’ – we process the data on behalf of the data controller, through the Three Rings application itself. We don’t require that organisations store any particular type of data on their users, and our own policies ensure that we never examine individual volunteer data without express permission (usually in response to a support request). The ICO provides an in-depth guide to the differences between Data Controllers and Data Processors here.

Broadly speaking, the DPA requires that your organisation and the volunteers administering its Three Rings account (the Data Controllers) do not store any individual volunteer’s data unless you need it for a specific purpose. It also states that any information gathered should only be gathered with the permission of the individual concerned, and only used for the purposes it was originally gathered for.

So, if you’re storing Joe The Volunteer’s phone number in order that you can contact him to help fill gaps in the rota, then you need to make sure Joe knows that’s what you’re doing and is happy with you doing that. As long as Joe’s OK with you storing his phone number for that purpose, then a Rota Manager can retrieve his number from Three Rings in order to call him and try to fill a gap in the rota.

However, if Joe also happens to be an ace mechanic (as well as a sure bet to fill a gap with only 20 minutes’ notice!) the Rota Manager can’t retrieve his number from Three Rings in order to try and help out a friend who needs their car fixing: that isn’t the reason your organisation gathered Joe’s number, it’s not the reason you’re meant to be storing it for, and Joe himself didn’t give any of your organisation’s volunteers permission to gather, store, or use his number for any other reason than the one you originally said you wanted it for.

In this way, the Data Protection Act protects individual volunteers like Joe from losing control of their personal data.

What the Eight Principles of the DPA (probably) Mean For You

The eight principles of the DPA govern how organisations who are storing data should treat it: we thought it would be useful to give examples of how they might apply specifically within the context of a voluntary organisation.

Bear in mind that the precise circumstances in which your organisation operates are likely to be different than those we’ve imagined here – and we’re experts in delivering volunteer management systems, not legal advice! – but these should give you some idea of how the DPA can be applied in a voluntary setting, and give you a basis to seek further professional advice if they raise any concerns. You can also get more guidance direct from the ICO’s guide by following the links that make up each “Principle” heading.

Principle 1:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Essentially this means that if your organisation holds any personal data on your volunteers, you must have a legitimate reason for collecting and using it, and must not use it in any way that could have a negative impact on the individual whose data it is.

You also have to be clear and open about how you’re planning to use the information, and only use that information in a way the individuals might reasonably expect you to. The concept of “fair processing” is central to the first Principle of the DPA – if any aspect of the way you gather, store or use an individual’s personal data is unfair then you will be in breach of the DPA even if you met other conditions for processing the data.

Principle 2:

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

This is the principle we touched on earlier with our example of Joe, the volunteer who’s also a great mechanic. It means that if your organisation does store any data on its volunteers, you have to say why it’s being stored. For a phone number, this might be to help with gapfilling. For a home address, it might be so you can confirm travel expense claims, or study how effective your recruitment drives are in certain areas.

This principle also requires that organisations acting as Data Controllers register with the ICO where necessary. The ICO has produced some guidance on which organisations are exempt from such registration, including non-profit organisations and private clubs, which may mean your voluntary organisation does not have to register.

Whatever your justification for storing an item of data, you can’t then use the data you’ve gathered for a completely different purpose that is incompatible with the purpose you had in mind when you first gathered the data. (So – depending on the reasons you gave Joe to start off with – you’d probably be OK using Joe’s number to tell him his shift this evening has had to be cancelled because you can’t find anyone else to do it with him. You probably wouldn’t be OK selling Joe’s home phone number to a telemarketing firm!).

Principle 3:

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

You shouldn’t store more data than the minimum information you need for your purposes. You can store someone’s home address, if you need it, but not who else lives there. You can’t collect extra information “in case it’s useful later” – you have to be clear what information you need, and why you need it.

You should try to store as little information as you need in order to run your organisation.

Principle 4:

Personal data shall be accurate and, where necessary, kept up to date.

If you’re storing information on your volunteers, you must take all reasonable steps to ensure it is accurate, and that it doesn’t become outdated.

In the context of Three Rings this most often means that volunteers should be able to keep information on their Directory page up-to-date. You don’t have to give them ‘Self Manage’ permissions to comply with this part of the DPA, but if a volunteer doesn’t have permission to update their details, and their data changes – for example when they move house, or get a new email address – then a volunteer who does have permission to edit their details should do so promptly, once they are aware that the details stored have changed.

Principle 5:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

You can’t keep information too long. If a volunteer goes on an extended leave of absence, and won’t be back for 12 months, it’s probably OK to keep storing their information in Three Rings (and possibly sleep their account, if your policies require that). But if a volunteer leaves the organisation entirely, and you have no reason to suspect they’ll ever come back or contact you again, you should remove all of their personal data.

It’s probably OK to keep some of their information for a while (in case they change their mind, for example, or if you think they might ask you for a reference and you can confirm exactly how many hours worth of shifts they did with you), but you have to get rid of the data once it’s clear you no longer need it (and you should make sure that you get rid of any part of the information you hold as soon as it’s not needed any more, even if you continue to keep other data on the same individual because that’s still necessary).

This is where purging sleeping accounts is useful, and it’s also why purging accounts which have been slept for a long time is one of the new Maintenance Tasks introduced by Milestone Krypton – it would be a very, very unusual organisation that legitimately had a greater number of unpurged sleepers in its Directory than it had active volunteers!

Principle 6:

Personal data shall be processed in accordance with the rights of data subjects under this Act.

This principle can sound intimidating, but it really just sets out exactly what rights the Data Subject (i.e., your volunteer) has over their data even after they’ve given it to you. These are:

  • A right to see and access what data you hold about them,
  • The right to object to any processing of their data which might cause them substantial damage or distress (but not if they have already consented to you processing the data in that manner, or if it is necessary for your organisation to process that data in order to meet a non-contractual legal obligation),
  • The right to stop you sending them direct marketing materials,
  • The right to object to any automated decisions made based on their data without any human intervention or review,
  • The right to have any errors or inaccuracies in their personal data corrected (or, depending on the situation, to have a note added to explain the true facts),
  • The right to seek compensation through the courts for any loss or damage suffered as a direct result of your organisation failing to comply with the DPA.

Principle 7:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This is a principle where Three Rings can really help your organisation to comply with the terms of the DPA! The act requires that you take precautions to protect the data which you store from unauthorised access. That includes taking steps to store the data in the most secure way possible, using good passwords, and making sure that nobody can access the data unless they’ve got a good reason to.

We’ve written about the technologies that help keep Three Rings (and the data on it) secure on our documentation website, and the ability to set different levels of access control based on Role to match how things work inside your voluntary organisation has always been a powerful tool for ensuring that volunteers only have access to the information which they need to see to perform their role (a feature which is even more powerful since the ability to control access to individual Directory fields was introduced with Milestone Krypton!)

Of course, Three Rings can’t protect you against everything – it’s very important that you never tell another volunteer your username and password, and equally important that you sleep the account of any former volunteer with your organisation, so they can’t continue to log in after they’ve left you – but we do our best. That’s part of the reason your Three Rings session will time out if you don’t seem to do anything for a while, and why you’re not allowed to pick passwords that are too common, or too easily broken.

Principle 8:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The eighth principle requires that the data you are storing about your volunteers isn’t transferred beyond the borders of the EU, unless it’s being sent to a country which has a level of data protection which is at least equal to that provided by the DPA.

In terms of where we, as a Data Processor, store information – it’s all inside the EEA. Any information which you store on Three Rings will be stored on our main server, which is housed in Manchester. We make hourly backups of the data, which are also stored in Manchester. That’s to ensure that, in the incredibly unlikely event that something went so wrong with the system that we had to restore from a backup (which, due to the way our server is constructed, would most likely require the total failure of multiple primary and backup drives, simultaneously), nobody would lose more than an hour’s worth of data when we brought the system backup online.

To safeguard against the even-less-likely event of something going seriously seriously wrong, to the point where the part of Manchester housing Three Rings and its backups was completely destroyed, we also make a daily backup, which is encrypted and transferred to a separate server in Ireland (so in the event of a catastrophic disaster crippling the north of England, nobody would lose more than a day’s worth of data from Three Rings). At no point is the data processed or transferred beyond the EEA (except where a Three Rings user in another country chooses to access it, which is why we ask that organisations based in other countries check that they can comply with both the laws of England and Wales and the laws of their own nation).

In Conclusion

Most voluntary organisations are unlikely to have trouble with the DPA – by their very nature, they’re rarely in a position to use the information they gather on volunteers and store in Three Rings to engage in direct marketing campaigns aimed at their own volunteers, and it’s unlikely that they will start using the information they have to do things their volunteers didn’t agree to.

But, it’s important to be clear on what data you’re storing about your volunteers, how and why you’re storing it, and who will have access to it. It’s also important to purge unnecessary information from Three Rings (and anywhere else your branch stores it) after a volunteer has left the organisation. Volunteers should be able to see, and if necessary correct, the data that you are storing about them on request, even if they don’t have permanent or edit permissions in relation to that data.

The DPA can sound pretty scary and confusing, but the eight principles mainly come down to being open and honest about what information you store about someone, why you’re storing it, and how you’re going to safely dispose of it afterwards. If you do have any concerns, we’d like to refer you once again to the excellent resources provided by the ICO, and we’d encourage you to seek expert advice on any particular points you’re not sure about.