Volunteer records and data protection

The Data Protection Act

The 1998 Data Protection Act is the legal framework for the storage and processing of personal information.

The act covers two areas -

principles of good practice in relation to processing personal information.
the individual’s right to access information held about them

All organisations that process personal information are subject to the act and most are required to notify the Information Commissioners Office (ICO) that they process such information. Some Not-for-Profit organisations however are exempt from the obligation to notify. The rules governing this are fairly complex. They can be accessed via The Information Commissioners Office.

Whether or not you are required to notify the ICO you must still follow the good practice principles for processing information by ensuring that personal data relating to volunteers is:

Fairly and lawfully processed
Processed only for specified and lawful purposes
Adequate, relevant and not excessive
Accurate and up-to-date
Not kept for longer than the purpose specified
Processed in accordance with the rights of the data subject
Secure from the point of collection through to disposal
Not transferred to other countries without adequate protection of data subjects

Types of information about volunteers

The sort of personal information about volunteers that you may need to keep could include

Contact details
Details of experience, skills and preferences used to assess suitability for a role (recorded on application form or gained through interview
Monitoring information including ethnicity, disability etc.
Information relating to CRB checks
References
Supervision notes

Some of this information is regarded as “sensitive data” under the act and must be processed accordingly

Recording of Information

You may hold information in the form of paper based files and/or computerised information (e.g. a Volunteer Database), or both. Any information you hold will be subject to the rules, regardless of whether it is held on paper or on a computer.

You should seek only to collect and record sensitive data on a ‘need to know’ basis and have procedures relating to the written recording of this.

Your organisation should also ensure that it has specific security procedures relating to volunteers’ files to guard against anyone seeing the information that shouldn’t and/or data getting damaged, lost or destroyed.

Keeping volunteer records

No clear guidelines exist for the retention of volunteer records. If your organisation is operating under any form of regulation (such as the Care Standards Act) you must follow any guidelines set out by the appropriate body. The Criminal Records Bureau code of practice on disclosure information must also be adhered to.

The Limitation Act 1980 sets out timescales for retention of certain records that might also apply – such as the time limit for personal accident claims (currently 3 years in most cases). Where volunteers are providing advice or similar services, organisations should be aware that the act imposes a six year time limit for damages claims other than personal injury. Were such a case to be brought, training records and similar information might be needed to demonstrate that the organisation had taken adequate measures.

Generally speaking, organisations should follow the data protection principle that data should not be kept for longer than the purpose for which it was collected.

Informing volunteers and gaining consent

Volunteers should be made aware of why you collect information, what you do with it and how you keep it safe. You could include details of this in an appropriate document such as your Volunteer Policy or Volunteer Handbook or use these to refer volunteers to other organisational policies that cover this such as a Data Protection Policy. Organisations should also gain explicit consent from volunteers to hold sensitive information.

Volunteers access to their records

Volunteers have the right to make a request to access all of the data you hold about them. Requests should be made in writing and you will need to decide a process for this, e.g. will access be by appointment?