Data protection and community groups
When starting a community group, club, or team, the safety and wellbeing of your members should be one of your main concerns. This includes protecting their personal data, including any sensitive information, such as medical or religious details.
In May 2018, the Data Protection Regulations in the UK were updated and the General Data Protection Regulations, more commonly known as GDPR, came into place. It’s important to ensure your group or club follows these regulations, so that you protect your members’ data, as well as ensure you’re not breaking the law.
Remember, these regulations haven’t been put in place to create barriers for the running of your group; they’re there to ensure your members’ data is protected, so that personal details can’t be exposed and harm your members.
Disclaimer: This article is not legal advice and if you are concerned about the data you store and hold for your group, you should seek legal advice from a professional. There is a list of resources at the end of this article for further guidance on data protection. You should follow the regulations outlined by the Information Commissioner’s Office (ICO) and other legal entities in order to fulfil your data protection obligations.
What is personal data?
Personal data refers to information that can identify an individual. This includes their name, email address, home address, telephone number etc. and then more sensitive information, such as their sexual orientation, medical conditions, race, and employment. As a group or club, you might not need to document all of this information, but it will be necessary to have some of this on file, including a member’s next of kin information, in case of emergency.
What is the purpose for storing that personal data?
As mentioned above, you may need a person’s next of kin details in case there’s an emergency. You might also need their medical details if you run a sports team – injuries may require a person to go to hospital or receive treatment and having medical details on hand can be extremely helpful. If you run a music group, for example, knowing a member’s medical details wouldn’t be necessary and would simply add more sensitive data to your documentation, which could be at risk of being leaked.
You need to show a clear purpose for holding data on an individual – as long as you can clearly prove this, you should have no problems holding that data, in a safe and secure manner. Be as clear as possible when outlining why and how you intend to store someone’s data – and keep this in an easy-to-access document, so that you can share it whenever necessary.
It would be helpful to nominate a person to be in charge of handling your members’ data, just as you would have a treasurer. However, this individual is not a ‘Data Protection Officer’ – they are simply someone who documents members’ data and keeps it up to date.
Storing data securely
The way you store data is just as important as the data you hold. You also need to gain explicit consent from a person to record and store their data – this consent should be recorded. You can do this by explaining exactly why you require that person’s data, and you should only ask for the absolute minimum information from them. If you have children under the age of 13 in your group or team, you should gain consent on storing their data from their parents or guardians.
A privacy notice can explain to potential members of your group how you’re going to store their data. This can be a simple document requesting the information, with tick boxes and statements, stating what you’ll be using their personal data for, such as regular group communication in the form of emails and post, and where you’ll store that personal data, whether that’s on a password-protected Google Drive document or Microsoft Excel. You may use paper forms for your members when they sign up – keep these safe in a locked cabinet or drawer and make people aware that you intend to transfer that data into an electronic source.
However, you might also choose to store email data on a third party platform, such as MailChimp or Campaign Monitor. These companies tend to have their own privacy and data storage policies, which you can inform your members about. You will need to tell your members that you may intend to store or use their data through a third party, as they have the right to know where their data is stored. Try to limit the data you share with third parties; names and email addresses should be sufficient, if you’re only planning on sending email communication. Sensitive data, such as sexual orientation or medical details, should not be shared with third parties, if possible.
What to do with data when someone leaves
As is the nature of community groups and sports teams or hobby clubs, people will leave from time to time. It’s not necessary to keep people’s information if you no longer need to communicate with them; if this data is hacked or accessed by someone else and stolen, you can be liable for holding that information when it was no longer necessary. Keeping on top of your club’s historic data is important, so that you don’t hold information unnecessarily.
People may also request that their data be deleted. Unless there is a legal reason to retain a person’s data, you should grant this request and remove the data safely and securely. Members of your group should always have the option to unsubscribe from any communication from you, even if they are an active member. When sending an email newsletter, this option is usually included within every email; if any personal emails are sent, ensure you include a similar link and update your data lists if someone does decide they no longer wish to receive communication.
Requesting personal data
Below, we’ve compiled a list of helpful resources if you require more information about data protection and your group. Remember, safely storing personal data is vital to protect your members.
Information Commissioner’s Office
Community groups and COVID-19 – updated data protection advice
Guide to the General Data Protection – downloadable PDF guide
Data protection advice for small organisations
FAQs for charities and data protection