Giving Machine

FAQs: data protection

Do you use email and text messages to communicate with volunteers? How diligent are you about looking after their details? Dawn Monaghan, from the Information Commissioner's Office provides advice on data protection.

We want to send out a letter to our volunteers asking them to give us their email addresses so that we can contact them more easily. Do we need to include any special wording?

I'd recommend including a brief explanation of why you are collecting the information. It would be best practice to explain how their details would be used, how you would store this information, who would have access to it (for example, elected committee members only) and for how long you would keep their details. You should give volunteers the option to opt in or out of having their details kept on file.

We like to send out a contact form at the start of every year. Should we be doing this for our organisation?

Absolutely! Best practice would suggest that you do this on an annual basis to check the accuracy and the relevance of the information you hold.

We have a database of volunteers' email addresses and phone numbers - does this mean our organisation needs to register as a 'data controller'?

Generally, organisations which hold or process personal data do need to register with the Information Commissioner's Office. There are, however, some exemptions including 'not for profit' organisations. As long as your group is working on a 'not for profit' basis - regardless of whether you have charitable status - you are NOT required to register as a 'data controller'. This means you are not legally obliged to adhere to the terms of the Data Protection Act 1998, however there are several 'best practice' principles that I'd recommend you comply with. Make sure that the information held is:

  • Processed for limited purposes

  • Adequate, relevant and not excessive

  • Accurate and up-to-date

  • Not kept for longer than is necessary

  • Held securely

Also, if your organisation is emailing groups of volunteers, make sure you use the 'bcc' option to ensure that personal details are hidden from other recipients.

Are there any special criteria for making sure that our database of contact information is held securely?

It depends upon the nature of the data and the harm that could be caused if the information was accidentally or otherwise disclosed. I would suggest that if the information is just names and addresses, the database should be password protected. Those who have access to it should understand that they need to keep it safe and not let non-approved people view or access it unless it is appropriate to do so.

To save time and effort, we want to use an online booking system for events, where people can view available time slots and add their names (such as Does this pose any data protection issues?

It doesn't pose any data protection problems as you are not subject to the Act, but it would be ethical to ensure that people who are invited to input their information understand why you want it and who has access to it.

Other organisations successfully use Facebook and Twitter to communicate with supporters, but some of our members are concerned - what can I do to reassure them?

There aren't any real issues on this from a data protection perspective. Individuals voluntarily sign up to Facebook and Twitter, so you can only contact them through these means if they have made their details available. If their details can be accessed, or if supporters ask to join your organisation's Facebook group, they have essentially given consent for their details to be used.

The more common concern about using social networking as a means of communication is not the data protection issue, but that inappropriate comments might go unmoderated.

Last year we ran a shopping and pamper night. I have recently been contacted by another local fundraising group to ask for details of our stallholders for an event they're planning. Can I pass these details on?

NO! Unless you made it clear, when you originally collected the data, that you may share details with third parties, then you shouldn't pass this information on. I'd suggest that you email your contact list and ask that they get in touch with the group direct if they wish to get involved.

We often put photos of events on our noticeboard or videos on our website. Are there any data protection issues with this?

When taking photographs or videoing people you should get their consent, explaining what you intend to do with the photograph/footage including whether it is to be published and where. In relation to children, consent must be given by a parent or guardian, either in writing or verbally, depending on the circumstances. Consent should not be necessary when photographing/videoing a crowd where the individuals remain relatively anonymous.

For more information, visit

Share this page