About data protection. Privacy by design. Managing special category data. Considering data flows. Privacy responsibilities. Cyber security.
This guide provides an overview of the online working activities carried out by UK charitable organisations, and addresses a range of privacy and data protection issues they are likely to encounter. It includes checklists, practical advice and resources to help understand and manage online activity. This guide provides introductory level detail and links to other sources.
Disclaimer: the information provided within this guide is an opinion and should not be construed as legal advice.
1. What is data protection?
Data protection legislation in the UK comprises the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). The data protection legislation relates to the processing of personal data, which includes data held on spreadsheets, paper correspondence, records and even within photographs, films and other collection items.
Personal data relates to any information relating to the private, professional or public life of a living person that can identify that person, either directly or indirectly when combined with other information. It can include an expression of opinion about an individual.
Examples of personal data include:
- Membership lists;
- Customer and client data;
- Visitor information;
- Staff, trustee and volunteer details;
- Collection items, such as individuals appearing in photos and films and names and addresses in letters.
A data controller is any person or organisation that makes decisions about, or determines, how and why data is processed. They are responsible and accountable for making sure that any personal data that is processed is done so legally, including their role in making sure that data is held securely. Part of the responsibility of a data controller is avoiding a data breach.
A data breach will arise from a security incident that affects the confidentiality, integrity or availability of personal data, for example: a data breach has occurred when personal data is: lost, destroyed, corrupted or disclosed, accessed or shared without authorisation, made unavailable or accidentally lost or destroyed.
2. Privacy by design: Thinking about data protection from the outset
Privacy by design is an approach to managing personal data that promotes privacy and data protection compliance in all your activities. This ensures that privacy and data protection is a key consideration in the early stages of any activities, including for example a project, and then throughout its lifecycle.
For example when:
- building new IT systems for storing or accessing personal data;
- collecting personal data;
- developing policy or strategies that have privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes.
Organisations must complete a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
3. Managing ‘special category data’
Some information is regarded as particularly sensitive and requires additional security if being collected:
- medical history;
- political views.
The risk of non-compliance if such data is lost, stolen or misused, either by accident or deliberately, means reputational risk for your organisation and the potential for sanctions or fines. Understanding what is meant by ‘data’ can be complex. The UK’s Information Commissioner’s Office (ICO) has provided a detailed guide.
4. Considering data flows
In order to manage how personal data flows within your organisation, a Record of Data Processing Activities (ROPAs) should be used and updated regularly. These are records of how we process the personal data that we hold. It is a requirement that it should be in writing in paper or electronic form. Generally, most organisations will benefit from maintaining their documentation electronically so it can be updated, and amended easily as a living document.
As Data Controllers, organisations will be both responsible and accountable for all the processing of personal data that either it, or third parties on its behalf carry out. This includes the identification of any risks and making sure that it documents all the processing activities and the decisions that it makes. It is important to have an audit trail that can be reviewed regularly by the respective data owners responsible within different parts of an organisation.
There are seven principles that underpin all processing of personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
5. Using new digital tools and the Cloud: your privacy responsibilities
When using new digital tools, there are likely to be data protection implications. Organisations should check the terms and conditions and privacy notices of the supplier to make their organisation’s data protection responsibilities are met. This includes Cloud based providers who are being used to support access to services, audiences and content.
Typically, Cloud based services include: online data storage and backup solutions, Web-based e-mail services, hosted office suites and document collaboration services, database processing and managed technical support services. Cloud based providers can be accessed either directly and/or via another platform such as Zoom, (particularly if you agree for recordings to be made available via the Cloud). As Data Controllers, organisations must choose carefully which Cloud based providers it uses and document the decisions made. If Cloud based providers fall short of standards in data processing required by the legislation, the organisation will either need to negotiate better arrangements or walk away and potentially choose another Cloud based provider.
Before you use Cloud based services, you will need to:
- Complete a DPIA. If you are moving to a Cloud based provider, you should complete a DPIA so you can evaluate the risk.
- Check the Cloud based provider’s online terms and conditions of use as well as their online Privacy Statements. Any Privacy policies/statements and Terms and Conditions should be clear, transparent and up to date.
- Ensure that the Cloud based provider provides data in a form that would satisfy the right to portability of data subjects. If a data subject wants personal data that you have uploaded on to the Cloud, can the Cloud based provider (or you), enable them to have it transferred elsewhere? Can the Cloud based provider allow you to get a copy of your data, at your request, in a usable format?
If you are choosing a CRM, which might be Cloud based, you will also need to consider the following:
- Understand what is your lawful basis for the processing of personal data in this way and do you need consent? Do your data subjects know what you are doing with their data and who has access to it? Have you sought consent where needed from all data subjects that reflects the processing by your selected Cloud based providers and any other third parties with whom they share the data? Have you updated your Privacy Notice to reflect this?
- Understand how your CRM keeps personal data safe. It will be important to understand the risks to the data subjects if the personal information about them was lost, deleted, stolen or misused via the CRM. How quickly will the CRM provider react if a security vulnerability is identified in their product and/or they detect a data breach? Will they inform you if personal data they are processing on your behalf is included and how long will they take to tell you? Don’t forget that as a Data Controller, you have 72 hours to let the ICO know of any breaches that could be detrimental to the data subjects concerned.
- With whom will your CRM provider be sharing the personal data you provide and will it be safe? Are they legitimate, will they keep the personal data safe and is there a robust contract in place between your CRM provider and any other providers/services? In what circumstances will your data be transferred to other countries? Can your CRM provider limit the transfer of your data to countries that you consider appropriate? Does your CRM provider provide an appropriate third party security assessment and does this comply with an appropriate industry code of practice or other quality standard?
- Will your CRM provider enable the deletion of personal data? What are the data deletion and retention timescales? Does this include end of life destruction? Will your CRM provider delete all of your data securely if you decide to withdraw from their platform in the future and/or you receive a request for the data to be deleted?
- Make a list of the personal data you hold and how it will be processed by the CRM provider. Include within your evaluation whether the CRM provider produces user statistics etc. that would produce extra personal data. It is important to know what data this platform will process, so you can track it and comply with any Subject Access Requests (SARS).
6. Cyber security
Keeping equipment safe is fundamental to good data management. Keep a record of what devices are being used by all staff and volunteers working for your organisation, including the make of the device, model numbers and unique organisational codes. For assets belonging to the organisation, this information will help you trace your devices in case they are lost or stolen and identify any devices that require updates and extra software to protect against any potential cyber security issues.
Keeping data secure
You should only collect data that you need for your work, and you should ensure that you know what is being collected and how it will be used, as set out in your organisation’s Privacy Notice. If personal data is collected for work purposes, in order to comply with the data protection legislation, you need to know:
- what personal data you are collecting and why
- where you are storing it
- how you are protecting the data and for how long. Data protection legislation requires you to retain personal data only for as long as it is needed.
This will depend on a number of factors, including the purpose of the data and any legal requirements there are relating to the length of time specific types of data must be kept. For example, financial regulations require pension related data to be kept for as long as an employee is alive, regardless of whether they are still working for your organisation. Some personal data collected might have a very limited use, such as information relating to participants who are attending a specific event. In this case, without additional permissions to contact participants in future, you would need to delete this data after the event once the business need has completed.
Work safely with data
- Ensure that people who don’t have permission to view confidential, commercial, personal or other sensitive data aren’t able to look at this when you are viewing it on your screen.
- Always close your screen if you are away from your computer.
- Make use of security features like password or PIN code protection.
- Set an automatic session timeout on your device.
- Manually log out of sessions if leaving your device unattended or when you leave a shared computer.
Further guidance can be found at the National Lottery Heritage Fund’s Online Privacy and Security guidance.
- Information Commissioner’s website
- Heritage Digital website for free digital skills training and support
- Naomi Korn Associates who have developed this guide
- Digital guide: online privacy and security
Developed by Naomi Korn, Founder and Managing Director of Naomi Korn Associates, industry-leading experts in copyright and data protection, for the Beyond Project.