Data protection

Top tips & quick links

Here are some key documents and sites to access for implementing data protection and GDPR:

• Data protection and GDPR context https://www.ncvo.org.uk/help-and-guidance/digital-technology/data-protection-and-cybersecurity/gdpr-data-protection-law-brexit-and-how-keep-top-your-responsibilities/#/
• GDPR form by Sydenham + privacy note 
• Data Protection forms on shared Google drive + guide from NFS + more advice from Resource Centre 
• My Community link https://mycommunity.org.uk/understanding-data-protection-and-the-general-data-protection-regulation-gdpr

Why is Data important?

We are collecting personal information such as telephone numbers, address’, full names for both our volunteers and vulnerable neighbours. With the best of intentions we would still be opening ourselves and the people we are trying to assist up to a variety of risk.

GDPR:

Simply put, its General Data Protection Regulation.

GDPR states that all companies or organisations which use personal information must explain how they process this data. GDPR also requires that all information provided uses 'clear and plain language' and is 'concise, transparent, intelligible and easily accessible'.

The six principles are:

1. Lawfulness, fairness and transparency- have we collected that in good faith with the right notice?

2. Purpose limitation - clearly stated what the purpose is for?

3. Data minimisation - do you need all the data your collecting or can it be reduced?

4. Accuracy - has all efforts been made to make sure that data is accurate?

5. Storage limitation - Is the data being deleted when its not needed any more?

6. Integrity and confidentiality - Is the data being kept securely?

Mutual aid networks aren't companies or organisations

The guidance offered by the ICO is organising and collecting data on a street level would be considered “domestic” meaning it would fall outside of a governance framework and GDPR. However, organising and collecting data at a postcode or city level would slip outside of that and fall into the “commercial” bracket and GDPR would apply. Because of the quantity and scale of the data collection and the possible risk of that data being open to abuse.

Which data do we consider data we’ve got to hide and what's the difference?

In the most basic terms, personal data is any piece of information that someone can use to identify, with some degree of accuracy, a living person. Such as:

• Full Names
• Home address
• Email Address
• ID Card numbers - Driving license, Passport
• Telephone numbers
• Sensitive personal data is a specific set of “special categories” that must be treated with extra security. And these are:
  • Racial or ethnic origin.
  • Religious or philosophical beliefs
  • Trade Union Affiliation
  • Sex life and Orientation
  • Political Beliefs Physical
  • Mental Health

It's great the groups are popping across the country. But an open excel spreadsheet leaves volunteers and those in need at risk of their data falling into the wrong hands. Examples might be below:

• Scam groups are already operating email scams
• Volunteers/vulnerable who have been survivors or at risk of domestic violence who want to help but have their contact info widely visible.
• People with vulnerable needs which should not be broadly known.
• Trolls - sending abuse messages

Google forms are not the same as an open spreadsheet in this respect - as they do not make people’s data available to all and sundry,

What happens if we don't get this right?

The Information Commissioner's Office guidance: Firstly to support in looking to implement ‘best practice’. If malpractice continues then the same steps it applies in the normal process’ will apply. This can be a fine of up to 20 million euros.

What does ‘best practise’ look like?

Local

Local small facebook groups of your road are fine.

You wouldn’t need to manage volunteer spreadsheets as the group would be small enough to manage.

Another option would be to join https://nextdoor.co.uk/

Postal Area

Appoint a data controller in your group - this can be 3 or 4 people to manage a google form who can pass the information out to volunteers in postcode reach or who match criteria. It’s the role of a data controller to give access to the data as and when someone needs access to it. For example: if there’s a call out for someone to do shopping, it will be the data controller’s job to pass the first name and address of the recipient to the person delivering the shopping.

It’s fine to capture information such as:

• Do you drive?
• Do you have a DBS check?

Once information is used it must be deleted

City wide

The same advice as postal area but the large quantity of data being captured will become unmanageable. This might be where the advice is to work in tandem with large organisations such:

ACORN - www.acorntheunion.org.uk/corona

Whatsapp/Telegram groups:

Whatsapp / Telegram are really great tools for organising. If you start one create a link to the whatsapp group then with your created link post it to the various groups with a caption of:

“Hey started this local whatsapp group for mutual aid purposes, would be great if you join, please be mindful that this does share your number with the wider group and by joining you opt in to that being okay.”

Policies and procedures – as you grow you will find more need for policies and procedures. Most Councils for Voluntary Service (CVS) will be able to help with this and may have sample policies and templates. See the list here to find your local London CVS. Relevant to this topic – see the model Data protection policy on Voluntary Action Islington’s resource page here