Data Protection Toolkit - Frequently Asked Questions

9 May 2018 Bob Harper    Last updated: 25 May 2018

A number of common scenarios and questions that we have received on GDPR and data protection.

This FAQ contains some guidance and advice on the types of questions and scenarios we are regularly asked by the community and voluntary sector. Though we're trying to provide assurance in many cases, you should read more widely about a topic if you're still unsure about what to do.

Useful information and links to guidance, such as that which the Information Commissioner's Office provides, are included. We'll continue to add questions as we get them.

1. We're a very small group with only a couple of unpaid staff. We don't store data electronically. Does data protection apply to us? Do we have to register with the ICO or pay a fee?

Data protection applies to any person or organisation who is processing some personal data unless it's for a purely personal or household activity. This can be as much as collecting or storing information, even if the only personal data that you have is on your employees or volunteers. Most organisations would have a legal obligation to process personal data in this respect, in which case data protection laws would apply. Data protection applies to all personal data no matter how it is held, electronically or on paper.

If you are truly confident that you don't process any personal data, then you aren't bound by data protection laws, but it's going to be very unlikely.

There is an exemption from the 'data protection fee' for not-for-profits, which is dependent on how they process personal data. If you're unsure about whether you have to register, the ICO's self-assessment is very quick and easy to complete. If you have CCTV for crime prevention purposes then you will have to pay a £40 fee.

Further information
GDPR Article 2
ICO, Guide to the Data Protection Fee 
ICO, Data Protection Fee

2. Who do I ask for consent when a child's data is being processed?

The GDPR does not define the age limit at which a person is considered to be a child for the purposes of obtaining consent. The concept of competence is key when you are relying on consent as the lawful basis for processing. Remember that you may be able to use another lawful basis other than consent, and in the case of children's data, another may be more appropriate.

If you are seeking consent from the child, you should ensure that they have the competence to understand what they are consenting to, as they are not as likely to understand the risks and consequences as a competent adult. You can seek consent from the person with parental responsibility if you don't think a child is competent to consent for themselves. 

A privacy notice aimed at a child should be written in a way that it can be understood by them. If you are seeking consent from the person with parental responsibility, you can have two privacy notices: one for the parent and one for the child.

In the case of providing online services, if the child is under the age of 13 you require consent from the person with parental responsibility (with the exception of online preventative or counselling services), as specified by the UK Data Protection Act 2018. You should have appropriate age-verification procedures in place and should also be able to verify the identity of the person giving consent for the child.

Further information
GDPR Article 8
ICO, Guide to the GDPR: Consent
ICO, Guide to the GDPR: Children
ICO, Children and the GDPR: Guidance

3. Can we take photographs of people at an event to use them for publicity purposes?

A photograph is considered to be information, but the purposes of the photograph will inform whether it is personal data. The examples that the ICO gives consider the case of a photograph of a large crowd with no one person or small group of people as the focus of the image. In this case, because the photograph is not being processed to determine the identity of any individual in the scene, it's not considered to be personal data.

If a photograph is likely to identify someone, for example, a photograph of a single person or a smaller group of people, then it could be considered personal data. In such cases, it is wise to ask for permission and explain how the photograph will be used, preferably at the time or in advance, so that the people are aware what will happen with their image. If it's clear what you're doing in this case, you don't need to provide a privacy notice. Consent can be asked for and given verbally or in writing, but you need to record that consent was given by the person or people in the photograph.

In the case of young children who would not be considered able to consent for themselves, you should seek parental consent. The ICO has produced separate guidance about taking photographs in schools.

Further information
ICO, Determining what is personal data [pdf]
ICO, Guide to the GDPR: Consent

4. A funder or government agency requires us to provide community background and other sensitive types of personal information about programme participants. How can we do this under data protection laws?

Often, funders ask organisations to provide monitoring information on programme participants so that they can gauge the success of projects on underrepresented groups, or because their own Section 75 duties (in the case of government authorities) require it. Data protection does not prevent the processing of personal data for monitoring purposes, but you need to be aware that this type of information is considered to be more sensitive than basic personal data, and that this processing places extra duties upon you.

Under the GDPR, the types of sensitive personal information that are frequently monitored are considered to be 'special category data' (for example, about an individual's ethnicity, political opinions, religion, health or disability). The GDPR requires that one or more of a set of conditions are satisfied, as well as a lawful basis, in order that collecting and processing that information be lawful. There are 10 possible conditions detailed in Article 9 of the GDPR; it is likely that two of them could be applied in respect of the funder's request:

  • the explicit consent of the data subject (Article 9(2)(a)), or
  • the necessity of the processing for statistical purposes (Article 9(2)(j)) (see also Article 89)

The safeguard of 'data minimisation' (limiting personal data to what is necessary for its purpose) is specifically referred to in relation to statistical purposes in the GDPR. In the case of reporting back to the funder, you should provide anonymised results (e.g. 45% of participants from X community background), rather than sharing information that would identify any individual on the programme.

The use of explicit consent - if that is the condition that you are relying on - means that the individual should not be required to provide the information in order to continue to participate in your programme or project, and should be free to withdraw their consent for that information to be processed at any time. This means that providing the monitoring information is optional, and can't be used as a condition to withdraw the service.

Therefore, in order to undertake this type of monitoring, you should make it clear to the individual why you are collecting this information and how it will be used, including who it will be shared with, and if you are doing so in an anonymised fashion. You should also pay particular attention to how long you retain this information for, and how you treat it with appropriate security. You should also not use any of this information to support or make decisions about how you provide the service to the individual.

Further information
ICO, Guide to the GDPR: Special Category Data
ICO, Monitoring under section 75 of the Northern Ireland Act 1998 [pdf]
ICO, Guide to the GDPR: Consent
Article 29 Working Party, Guidelines on Consent under Regulation 2016/679

5. Should we hold personal information on our trustees? Can our trustees hold personal information?

If you're a charity, you're almost certainly going to have to process the personal information of your trustees as part of a legal obligation or good business practice. You have a legal duty to provide trustee declarations to the Charity Commission. If you're making reimbursements to trustees (for out-of-pocket expenses, for example) you have to disclose this information to the Commission and retain the payment forms as part of accounting records for six years. Charitable companies also have to retain records on resolutions and decisions by members for ten years.

Trustees' personal data should not be treated any differently from any other person's data with regard to data protection. You should make sure that trustee information is adequately covered in a privacy notice, and that it is processed fairly and with an appropriate lawful basis, such as legal obligation or legitimate interest.

Trustees may need access to personal information on occasion in the course of discharging their duties, for example, to access the Register of Members. As with any other use of personal data in your organisation, this should be limited to what is necessary for them to perform their task. You should ensure that trustees return any copies of personal information that they might have after leaving their position.

Every effort is made to ensure that the contents of this document are accurate, but the advice given should not be relied on as a definitive legal statement.
by Bob Harper

Data Development Coordinator
