Data Protection Toolkit - Frequently Asked Questions
This FAQ contains some guidance and advice on the types of questions and scenarios we are regularly asked by the community and voluntary sector. Though we're trying to provide assurance in many cases, you should read more widely about a topic if you're still unsure about what to do.
Useful information and links to guidance, such as that which the Information Commissioner's Office provides, are included. We'll continue to add questions as we get them.
1. We're a very small group with only a couple of unpaid staff. We don't store data electronically. Does data protection apply to us? Do we have to register with the ICO or pay a fee?
Data protection applies to any person or organisation who is processing some personal data, unless it's for a purely personal or household activity. This can be as much as collecting or storing information, even if the only personal data that you have is on your employees or volunteers. Most organisations have a legal obligation to process personal data in this respect, in which case data protection laws would apply. Data protection applies to all personal data no matter how it is held, electronically or on paper.
If you are truly confident that you don't process any personal data in the course of your work, then you aren't bound by data protection laws, but that is very unlikely.
There is an exemption from the 'data protection fee' for not-for-profits, which depends on the purpose of the data processing. If you're unsure about whether you qualify for this exemption, the ICO's self-assessment is very quick and easy to complete. If an exemption doesn't apply to you, you will have to pay the fee every 12 months. For small organisations and charities who are not otherwise exempt, the annual fee is currently £40.
If you have CCTV for crime prevention purposes then you will have to pay a fee regardless of your not-for-profit status or data processing activities.
The GDPR does not include a general age limit at which a person is considered to be a child for the purposes of obtaining consent, apart from the case of online services offered to a child (see below).
The concept of competence is key when you are relying on consent as the lawful basis for processing. Remember that you may be able to use a lawful basis other than consent, and in the case of children's data an alternative may be more appropriate. Even if you do decide to use another lawful basis (for example, legitimate interests) you will still need to take the child's age and understanding into consideration.
The consent must be 'informed' to be valid under the terms of the GDPR. If you are seeking consent from the child, you must ensure that they have the competence to understand what they are consenting to, as they are not as likely to understand the risks and consequences as an adult. You can seek consent from the person with parental responsibility if you don't think a child is competent to consent for themselves.
A privacy notice aimed at a child should be written in a way that it can be understood by them. If you are seeking consent from the person with parental responsibility, you can have two privacy notices: one for the parent and one for the child.
In the case of providing online services to children in the UK, if the child is under the age of 13 you require consent from the person with parental responsibility (with the exception of online preventative or counselling services), as specified by the UK Data Protection Act 2018. You should have appropriate age-verification procedures in place and should also be able to verify the identity of the person giving consent for the child. Other countries in the EU may have decided on different age levels, which can be between 13 and 16, so take care if offering online services to children outside of the UK. In Ireland the age is 16.
GDPR Article 7 - Conditions for consent
GDPR Article 8 - Conditions applicable to child's consent in relation to information society services
ICO, Guide to the GDPR: Consent
ICO, Guide to the GDPR: Children
ICO, Children and the GDPR: Guidance
A photograph is considered to be information, but the purpose of the photograph will inform whether it is personal data. The example that the ICO gives considers the case of a photograph of a large crowd with no one person or small group of people as the focus of the image. In this case, so long as the photograph is not being used to determine the identity of any individual in the scene (as would be the case for most photos intended to publicise an event), it's not considered to be personal data.
If a photograph is likely to identify someone, for example, a photograph of a single person or a smaller group of people, then it could be considered personal data. In such cases, it is wise to ask for permission and explain how the photograph will be used, preferably at the time or in advance, so that the people are aware what will happen with their image. If it's clear what you're doing in this case, you don't need to provide a privacy notice. Consent can be asked for and given verbally or in writing, but you need to record that consent was given by the person or people in the photograph.
In the case of young children who would not be considered able to consent for themselves, you should seek parental consent. The ICO has produced separate guidance about taking photographs in schools.
4. A funder requires us to provide community background and other sensitive information about programme participants. How can we do this under data protection laws?
Often, funders ask an organisation to provide monitoring information on programme participants so that they can gauge the success of projects on underrepresented groups, or because their own Section 75 duties require it (in the case of government authorities). In other cases, you may wish to monitor equality of provision for your own purposes.
Data protection law does not prevent the processing of personal data for monitoring purposes, providing that the processing is carried out in line with the data protection principles.
Your organisation is being funded to provide employment and training advice to unemployed people in the local community. The funder requires that you ask programme participants about their age, gender, community background and disabilities, and report back to them about the numbers or percentage of participants in each category.
Step One - Think about the legal basis for collecting and sharing the information
As with processing any personal data, you need a lawful basis to satisfy what you intend to use it for.
In most cases you will be able to rely either on the consent of each individual to collect and share their information for this purpose, or undertake an assessment that to do so is necessary in order for the funder to achieve the purpose of equality of opportunity (a 'legitimate interest' of a third party). See more about using legitimate interests and carrying out this assessment here.
Consent must be 'freely given', or it is not considered to be valid. Even if the person has agreed, they must be free to withdraw their consent for that information to be processed at any time. This means that their providing the monitoring information to you is optional, and can't be used as a condition for you to refuse the service if they don't agree or they withdraw their consent. You therefore need to carefully consider the possible impact of using consent for this purpose.
Step Two - Consider the nature of the data you are dealing with and if it falls under the definition of 'special category data'
Many of the types of sensitive personal data that are frequently monitored in this way will be considered 'special category data' under the GDPR. For example, information about an individual's:
- race or ethnicity,
- religious or philosophical beliefs (e.g. 'community background'),
- political opinions,
- health or disability,
- sexual orientation.
Note that age and gender are not special category data.
If some of the information you collect for this purpose meets the definition in Article 9 of the GDPR, you will need to consider whether you are doing so under one or more of a set of conditions, in addition to the lawful basis.
Step Three - Determine if your processing meets a condition for processing special category data
There are 10 possible conditions detailed in Article 9 of the GDPR. It is likely that one of the following two conditions could be applied in respect of the funder's request:
- you have the explicit consent of the data subject for the processing (Article 9(2)(a)), or
- the processing is in the substantial public interest (Article 9(2)(g)) as set down by the UK Data Protection Act 2018 Schedule 1 Part 2.
The benefit of relying on explicit consent is that your lawful basis and condition for processing special category data will align.
However, you should only use explicit consent if the consent obtained has been 'freely given', and where the person is able to withdraw their consent without suffering detriment. This will mean that the individual should not be obliged to agree or to provide the information to participate in your programme or project.
For explicit consent, a clear statement (either oral or written, but preferably written) should be used to affirm the participant's agreement (see ICO guidance on explicit consent). The statement should cover what you intend to do with the information, for example: "I consent to you using this information to monitor participation in this programme and acknowledge that you may share this information, in an anonymised form, with [funder]".
Name the funder or funders if it is possible to do so in this consent statement, or link to a list of funders if there will be many.
If using a written or online form, an unticked box should be provided so that the person has the option of giving their explicit consent.
Substantial public interest (equality of opportunity)
If using the data for equality monitoring purposes is not optional for the data subject, you will need to consider an alternative to using consent for your lawful basis as well as for the condition for processing special category data.
The UK Data Protection Act specifically cites "equality of opportunity or treatment" (Schedule 1 Paragraph 8) as a substantial public interest condition for processing some types of special category data.
This condition can only be relied upon to the extent that the use is necessary to achieve the aim of monitoring the equality of opportunity or treatment with a view to promoting or maintaining equality.
You should also note that this condition covers only personal data relating to racial/ethnic origin, religious or philosophical beliefs, health data, and the person's sexual orientation. It does not cover the other types of special category data (notably data about a person's political opinions). This suggests that if you do need to collect information about a person's political opinion (for example a political view or who they vote for), it will need to be a conditional add-on.
What else do we need to do?
Inform the data subject
Irrespective of what lawful basis or condition you rely on, you must make clear to the individual what information you are collecting and how it will be used, including who it will be shared with. This should be clearly set out in your privacy notice and at the point at which you collect the information.
Data minimisation (anonymisation)
Whatever you process, you should be mindful of the 'data minimisation' principle (limiting personal data to what is necessary for its purpose).
- First of all, if it were possible to anonymise the information at the point of collection so that even you could not link it to an individual, that should be considered.
- Alternatively, in the case of reporting back to the funder, you should provide anonymised results (e.g. 45% of participants from X community background), rather than sharing information that would identify any individual on the programme.
- If this is not possible, you need to be able to justify why it is necessary for you to transfer special category data about a named individual to a funder. You may have to engage with the funder to establish if this is truly necessary.
You should also pay particular attention to how long you retain this information for and in what format.
- If the data hasn't been anonymised at the point of collection, can you justify holding on to this special category data for the duration of a programme after it has been shared with the funder?
- If so, on what lawful basis and for what purpose can you retain the information for longer?
- If you rely on consent for retaining this information, was the consent you obtained sufficient to enable this?
- Was the individual told how long you retain the data for?
Your rule of thumb should be whether the person would expect you to hold on to the data after the initial analysis has been completed.
Another important principle in the GDPR is that of 'purpose limitation'. If you have collected data for one purpose (in this case, monitoring for equality of opportunity), you shouldn't use it for another purpose that is not compatible with this. Most importantly, you should also not use any of this information to support or make decisions about whether or how you provide the service to the individual.
ICO, Guide to the GDPR: Special Category Data
ICO, Monitoring under section 75 of the Northern Ireland Act 1998 [pdf]
ICO, Guide to the GDPR: Consent
ICO, Anonymisation Code of Practice
Article 29 Working Party, Guidelines on Consent under Regulation 2016/679
UK Data Protection Act Schedule 1 Paragraph 8
If you're a charity, you're almost certainly going to have to process the personal information of your trustees as part of a legal obligation or good business practice. You have a legal duty to provide trustee declarations to the Charity Commission. If you're making reimbursements to trustees (for out-of-pocket expenses, for example) you have to disclose this information to the Commission and retain the payment forms as part of accounting records for six years. Charitable companies also have to retain records on resolutions and decisions by members for ten years.
Trustees' personal data should not be treated any differently from any other person's data with regard to data protection. You should make sure that trustee information is adequately covered in a privacy notice, that it is processed fairly and with an appropriate lawful basis, such as legal obligation or legitimate interest.
Trustees may need access to personal information on occasion in the course of discharging their duties, for example, to access the Register of Members. As with any other use of personal data in your organisation, this should be limited to what is necessary for them to perform their task. You should ensure that trustees return any copies of personal information that they might have after leaving their position.
6. Someone has made a request for their data, but a response may harm them in some way or create a danger for someone else. What can we do?
However, the right of access (Article 15 of the GDPR) is not absolute, and you might have a genuine reason for refusing to provide the information. In some situations, confirming that you process their data or giving the data to the person could be harmful to them or another person.
An abusive partner requests their personal data that a domestic abuse helpline collected when providing help to the abused victim. The very act of confirming that such data exists could expose the victim to further harm.
Sharing a counsellor’s notes with a patient who requests them under the right of access. In certain situations, this could put them at risk of self-harm if they are in a vulnerable state.
If you receive a subject access request, your first step should be to make sure the person making the request is who they say they are. You should use only reasonable means to establish the person's identity, and you can't use this process as a deliberate obstruction to avoid responding to a valid request.
The next step is to decide whether you are obliged to comply with the request.
The GDPR allows you to refuse a request if it is "manifestly unfounded or excessive". The onus is on you to show that it is, and if a request could be complied with if the individual provided further clarification, you should be seeking such clarification.
Article 15(4) also allows you to refuse the right to supply a copy of the data if doing so would "adversely affect the rights and freedoms of others". This may apply in the case of the first example.
The UK Data Protection Act 2018 sets out specific exemptions to the right of access:
- You may be exempt from complying with an SAR if in order to do so you would also have to disclose information relating to someone else who can be identified but who hasn’t consented to the sharing – provided that it would be unreasonable to do so without that other person’s consent.
- If the data you hold relates to an individual's health, you may be able to rely on the 'serious harm' exemption. This allows data about health issues to be withheld if the disclosure would be likely to cause serious harm to the physical or mental health of the data subject or another person. A controller must seek the opinion of an appropriate health professional if they want to use this exemption. See more about how to apply the serious harm test.
The Data Protection Act is clear that you do not need to tell the person that their request is being denied if this would undermine the purpose of the refusal (Section 45(6)) – for example, if confirming that you process their data in itself would cause harm. In this case, a 'Neither Confirm nor Deny' response could be given.
You should evaluate these situations on a case-by-case basis, rather than applying a blanket policy. You will need to justify your decision. Keep a record of the request and the reason for your decision to refuse it. If a complaint is made to the ICO or through a court, you may need to provide this record as evidence.
Remember that an individual is entitled only to their own personal data, and not to information that could identify another person, except where the other person has consented to this or it would be reasonable in all circumstances to comply without their consent.
Data subjects can exercise their rights through a third party. This could be their solicitor or another person they are comfortable having act on their behalf, such as a family member or close friend.
For example, a person could have someone else make a subject access request for them, or ask to have their personal data erased.
You need to be sure that the person making the request is entitled to act on behalf of the data subject. It is the third party's responsibility to provide evidence of this, which could be a written authority or the power of attorney.
Although there are no specific provisions in the GDPR, the High Court Office of Care and Protection in Northern Ireland can empower a third party to act on behalf of a person who does not have the mental capacity to manage their own affairs.
Your service provides domiciliary care for elderly people. One of your healthcare workers is visiting a patient's home where their daughter - who is well-known to you and is the primary contact for her mother - asks what information you have about her mother and the care she's receiving. The daughter does not have the power of attorney, but explains that her mother doesn't feel able to handle the request by herself. It's not clear to you if you should comply with this request.
Charities and voluntary organisations often work with relatives of service users. If a close relationship like this exists and a family member makes a request on behalf of their relative without having the power of attorney, it is possible to comply with the request, though you would not be legally compelled to. It would not be unreasonable to ask for more formal provisions where you have doubts.
Children have the same rights over their personal data as adults do. A competent child should be allowed to exercise their own rights, unless it is clear that this is not in their best interests. There is no age limit to this. Where a child is too young or not competent, an adult with parental responsibility can exercise rights on the child's behalf.
You can send the response directly to the data subject rather than to the third party if you think this would be more appropriate.
ICO, Guide to the GDPR: Right of Access
ICO, Guide to the GDPR: Children, What rights do children have?
Though an opinion about a person would be considered to be personal data (whether or not it has been given in confidence), there is a specific exception to the right of access for references which have been given in confidence under the UK Data Protection Act 2018 (Schedule 2 Paragraph 24).
This closes a previous loophole under the 1998 Act where the detail of a reference written for someone was exempt, but the same reference received by the other organisation (e.g. a prospective employer) was not.
The exception applies to any reference made in confidence for prospective or current:
- education, training or employment
- volunteer placements
- appointment to office (e.g. board members)
- provision of services (e.g. pre-contract checks)
This covers any reference given by your organisation (or by an employee where that reference was made in an official capacity), as well as any reference received.
You should omit any confidential references in a response to a Subject Access Request, and you can turn down any requests made by a data subject which seek this information. This includes both who the reference was given by as well as the contents of the reference itself.