FAQs: data protection
Do you use email and text messages to communicate with
volunteers? How diligent are you about looking after their details?
Dawn Monaghan, from the Information Commissioner's Office provides
advice on data protection.
We want to send out a letter to our volunteers asking them to
give us their email addresses so that we can contact them more
easily. Do we need to include any special wording?
I'd recommend including a brief explanation of why you are
collecting the information. It would be best practice to explain
how their details would be used, how you would store this
information, who would have access to it (for example, elected
committee members only) and for how long you would keep their
details. You should give volunteers the option to opt in or out of
having their details kept on file.
We like to send out a contact form at the start of every year.
Should we be doing this for our organisation?
Absolutely! Best practice would suggest that you do this on an
annual basis to check the accuracy and the relevance of the
information you hold.
We have a database of volunteers' email addresses and phone
numbers - does this mean our organisation needs to register as a
Generally, organisations which hold or process personal data do
need to register with the Information Commissioner's Office. There
are, however, some exemptions including 'not for profit'
organisations. As long as your group is working on a 'not for
profit' basis - regardless of whether you have charitable status -
you are NOT required to register as a 'data controller'. This means
you are not legally obliged to adhere to the terms of the Data
Protection Act 1998, however there are several 'best practice'
principles that I'd recommend you comply with. Make sure that the
information held is:
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up-to-date
Not kept for longer than is necessary
Also, if your organisation is emailing groups of volunteers,
make sure you use the 'bcc' option to ensure that personal details
are hidden from other recipients.
Are there any special criteria for making sure that our
database of contact information is held securely?
It depends upon the nature of the data and the harm that could
be caused if the information was accidentally or otherwise
disclosed. I would suggest that if the information is just names
and addresses, the database should be password protected. Those who
have access to it should understand that they need to keep it safe
and not let non-approved people view or access it unless it is
appropriate to do so.
To save time and effort, we want to use an online booking
system for events, where people can view available time slots and
add their names (such as doodle.com). Does this pose any data
It doesn't pose any data protection problems as you are not
subject to the Act, but it would be ethical to ensure that people
who are invited to input their information understand why you want
it and who has access to it.
Other organisations successfully use Facebook and Twitter to
communicate with supporters, but some of our members are concerned
- what can I do to reassure them?
There aren't any real issues on this from a data protection
perspective. Individuals voluntarily sign up to Facebook and
Twitter, so you can only contact them through these means if they
have made their details available. If their details can be
accessed, or if supporters ask to join your organisation's Facebook
group, they have essentially given consent for their details to be
The more common concern about using social networking as a means
of communication is not the data protection issue, but that
inappropriate comments might go unmoderated.
Last year we ran a shopping and pamper night. I have recently
been contacted by another local fundraising group to ask for
details of our stallholders for an event they're planning. Can I
pass these details on?
NO! Unless you made it clear, when you originally collected the
data, that you may share details with third parties, then you
shouldn't pass this information on. I'd suggest that you email your
contact list and ask that they get in touch with the group direct
if they wish to get involved.
We often put photos of events on our noticeboard or videos on
our website. Are there any data protection issues with this?
When taking photographs or videoing people you should get their
consent, explaining what you intend to do with the
photograph/footage including whether it is to be published and
where. In relation to children, consent must be given by a parent
or guardian, either in writing or verbally, depending on the
circumstances. Consent should not be necessary when
photographing/videoing a crowd where the individuals remain
For more information, visit ico.gov.uk.
Share this page