Managing information policy
All our staff and volunteers must make sure they collect and use personal information appropriately and store it safely
Approved: 7 June 2022
Version: 3
Our Managing Information policy sets out how we collect and use data fairly, responsibly, and in line with the law.
It also explains how we expect our volunteers, members and staff to manage data.
We’re committed to following data protection legislation. Everyone in Girlguiding and the Guide Association Trading Service Limited who may handle personal data must follow this policy.
Definitions
- Data protection – ensuring people can trust you to use their data fairly and responsibly.
- Personal data – any information about a person. This includes names, addresses, phone numbers, photographs or characteristics of their identity, like their ethnicity. When we use 'data' in this policy, we mean personal data.
- Data breach – when data is used in a way that it shouldn’t be, for example emailing personal data like a phone number to the wrong person.
- Data subject - the person the data is about, like a young member. Data subjects have individual rights (see below).
- Data processing - doing anything with personal data, like collecting, storing or sharing it.
We need to manage personal data so we can give girls great guiding experiences. You can find out more about the data we manage and why in our privacy notice.
Whether it’s about our young members or our ambassadors, it’s really important that we manage the data we have properly. By following this policy and its procedure you’ll help protect the privacy of our members, volunteers, employees and others. You can also be confident that you’re following data protection legislation, like the Data Protection Act 2018.
This policy applies to everyone in Girlguiding because everyone may manage data – even if it's something as simple as someone’s phone number.
Expectations
If you process personal data as part of your role you must:
- Follow this policy and relevant procedure whenever you’re using personal data.
- Follow other relevant Girlguiding procedure and guidance.
- Think about why you need to handle personal data, and only use the data you need to do your task.
- Reduce as much as possible the likelihood of a breach by following our Managing information procedure.
- Report any data breaches to our Data Protection team as soon as you discover them, in line with our Reporting a data breach procedure.
- Follow relevant procedures to report and respond to any data protection emergencies, for example, a major data breach involving members’ personal data.
- Make sure personal data is destroyed safely (in line with your relevant data retention schedule).
- Follow our Personal data requests procedure if a data subject asks for the information we hold or use on them.
If a volunteer breaches this policy, we’ll handle it using our Managing concerns about adult volunteers policy. We’ll handle breaches by staff in line with our staff disciplinary procedure, which can be found on Girlguiding’s intranet.
Commissioners are responsible for making sure the volunteers they support comply with this policy and its procedure.
Our commitment to following data protection legislation includes:
- Implementing this Managing Information policy and making sure it's in line with data protection legislation.
- Co-operating with relevant regulatory bodies.
- Giving all volunteers and employees relevant and up-to-date training to help them comply with this policy. This includes our Keeping information safe training for volunteers. For staff we have a GDPR course within our Policy and Compliance eLearning.
How Girlguiding protects data
Data principles
We’re committed to making sure we use and manage personal data in line with data protection principles and requirements. Everyone in Girlguiding must only collect and share personal data when they need to and must never keep it for longer than necessary.
Legal basis for processing personal data
Anyone who collects and uses personal data must have a valid and legal reason to do so. Data protection law gives six ways of collecting and using personal data legally.
You can find out more about why Girlguiding collects and uses personal data in our privacy notice.
Data protection law - individual rights
All data subjects have certain rights that everyone in Girlguiding must respect. These are:
- The right of access – seeing a copy of their data.
- The right of rectification – correcting their data if they think it’s wrong.
- The right of erasure – deleting their data.
- The right to restrict processing – limiting the way we use their data, if they believe the data we hold is inaccurate, or we are not using it legitimately.
- The right to object to processing – they can object to their personal data being used for a specific purpose, like direct marketing.
- The right of portability – having a copy of their data in a way that other organisations can use.
For more information on your individual rights and how we manage them, contact our data protection team. If you receive a request about a person’s personal data, or if someone wants to use their rights, you must follow our Personal data requests procedure.
How Girlguiding retains data
We have a duty to keep some personal data related to members, volunteers and employees after they’ve left Girlguiding. We only keep it as long as we need it, and what we keep depends on why we collected it in the first place. You can find out more in our privacy notice.
Volunteers must follow the membership data retention schedule when considering how long to keep different types of data. Staff must refer to their team’s data retention schedule.
How Girlguiding keeps data secure
We have safeguards in place to keep data secure. These include protections against the unlawful or unauthorised processing of data, as well as accidental loss or damage to data.
Support with data protection
We’re here to help. If you have a question or need support with data protection, email us at [email protected]
Related documents and information
- Managing information procedure
- Personal data requests procedure
- Reporting a data breach procedure
- Volunteer Code of Conduct
- Managing concerns about adult volunteers policy
- Data breach notification form (docx)
- Privacy Notice
- Keeping information safe training
For members of staff only
- Disciplinary procedure