So, you find yourself elected to the committee of a patient support group, small community group or charity, parents association or a professional networking group. Whether you jumped at the chance or just put up your hand to break the awkward silence at a meeting (next time, tuck your hands into the opposite sleeves!), no doubt you now have a long list of things to do, people to lobby, letters to write, fundraisers to organise and projects to coordinate.
If the group has staff, you are now expected to be a responsible employer and comply with employment law. (That’s a whole other blog!)
All of these activities involve communications. Many of them will be done through e-mail, text messaging, Facebook & Twitter, so you probably now have full access to a contact list of the members of the group. This contact list is essential to the management of the group’s activities, but it brings with it an additional level of responsibility – a requirement to comply with the Data Protection Act.
You might think that Data Protection is too complicated to even think about, or think that it’s not relevant to you because the group is small and you all know each other.
You might feel that you don’t have time to wade through the details of the legislation to figure out how it applies to you.
Data Protection is the law. You can’t avoid it. Bigger groups and charities have dedicated staff, policies and all the tools of the trade to help them comply with Data Protection. However, the principles of the law apply to any group, no matter how large or small, that keeps contact details of other people.
Any group, organisation or company that holds contact details for any number of people is considered to be the “Data Controller” in relation to those details. Anyone within the group who processes those details must comply with the same data protection rules which are binding and “Any failure to observe them would be a breach of the Act” (ref). The stark reality is that any breach of Data Protection law could represent a significant risk to your group’s financial viability and reputation.
Don’t panic though, because it’s a totally avoidable risk. The basic principles of Data Protection are actually quite concise, easy to understand and easy to apply because they just make sense.
There are eight data protection rules and they are as follows:
- Obtain and process the information fairly.
- Keep it only for one or more specified and lawful purposes.
- Process it only in ways compatible with the purposes for which it was given to you initially.
- Keep it safe and secure.
- Keep it accurate and up-to-date.
- Ensure that it is adequate, relevant and not excessive.
- Retain it no longer than is necessary for the specified purpose or purposes.
- Give a copy of his/her personal data to any individual, on request.
Here are six simple tips to help you apply these principles to the common activities of voluntary groups / charities.
1) Set up independent contact details for the group/charity
Don’t use an e-mail account that is also accessed by other members of your family or work colleagues. It is best to set up an e-mail address specifically for the group. This protects your privacy and also offers continuity for people who communicate with the charity/group because the e-mail account can be handed over to the next committee when you step down from your role.
Buy a mobile phone for the group to use, so you are not using your own personal mobile. Protect it with a password and delete unused contact details regularly.
2) Get permission.
Get specific permission from people to use their e-mail address or phone numbers and keep a record of this, e.g. get them to sign a permission form. Don’t assume that you have their permission to use their details because they signed an attendance sheet at a meeting, unless they were specifically told that their details would be added to your database. If you are in any doubt, don’t use their contact details.
Also, if people share their contact details with the group for a specific purpose, e.g. to receive information about group activities, don’t send unrelated information and never give the list to a third party unless you have express permission to do so.
Ideally, the group should have a Data Protection Policy that is given to new members and available to view at any time via the group’s website or Facebook page.
3) Use the BCC field in e-mails.
It has unfortunately become common practice in today’s society for people to copy multiple recipients into an e-mail message using the CC field. I have personally seen it in numerous situations: work, clubs, associations, colleges, family, friends, funny cartoons, cat videos that go viral – the list goes on. If the sender copies a message to multiple contacts, each of those contacts can see the e-mail addresses of the others who received that message. Did each one give permission for their e-mail address to be distributed in this way? Has this happened to you?
A simple way to protect other people’s e-mail addresses is to use the BCC (Blind Carbon Copy) field. To do this you will need to put an address that is known to all recipients in the ‘To’ field. When I am managing e-mails for a group I set up a third party address specifically for this purpose, e.g. a ‘dummy’ e-mail address as indicated by the yellow arrow in the screenshot here. Everyone who receives the message can see this e-mail address. Then all the actual recipients can be added in the ‘BCC’ field (see blue arrow). People in the BCC field cannot see any other recipient’s e-mail address, thus offering complete privacy. An additional benefit of this practice is that it helps prevent the spread of computer viruses, malware and spam.
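For groups that send their mailings from a script rather than a mail client, the same CC versus BCC difference can be checked before anything is sent. This is an added example, not part of the original article; the group address, member addresses and function names are constructed for illustration.

```python
from email import policy
from email.message import EmailMessage

# Constructed sample data: a shared group address and three member addresses.
GROUP_ADDRESS = "newsletter@group.example"
MEMBERS = ["aoife@example.org", "brian@example.net", "ciara@example.com"]


def build_mailing(subject, body, members, use_bcc=True):
    """Return (envelope_recipients, wire_bytes) for one group mailing.

    With use_bcc=True the members exist only in the SMTP envelope, which
    is what a mail client does with its BCC field. With use_bcc=False
    they are written into a visible Cc header, as in the bad practice.
    """
    msg = EmailMessage()
    msg["From"] = GROUP_ADDRESS
    msg["To"] = GROUP_ADDRESS          # the address every recipient may see
    msg["Subject"] = subject
    if not use_bcc:
        msg["Cc"] = ", ".join(members)
    msg.set_content(body)
    # The envelope list is what would be handed to
    # smtplib.SMTP.sendmail(GROUP_ADDRESS, envelope, wire_bytes).
    return list(members), msg.as_bytes(policy=policy.SMTP)


def exposed_addresses(wire_bytes, members):
    """List the member addresses that appear in the delivered headers."""
    headers = wire_bytes.split(b"\r\n\r\n", 1)[0].decode("ascii").lower()
    return [m for m in members if m.lower() in headers]


if __name__ == "__main__":
    for use_bcc in (False, True):
        envelope, wire = build_mailing("AGM date", "See you there.",
                                       MEMBERS, use_bcc=use_bcc)
        mode = "BCC" if use_bcc else "CC"
        print(mode, "delivers to", len(envelope), "members; visible:",
              exposed_addresses(wire, MEMBERS))
```

Running `exposed_addresses` on every outgoing message and refusing to send when the list is not empty turns the BCC habit into an automatic check.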
4) Stop! & think twice before you post or send messages.
In group e-mails or texts, don’t announce where someone lives, that they are going on holidays, or details about their family or children. This seems obvious but it’s surprising how often this happens! Online chats are not private, so imagine that your message is scrolling across Times Square on New Year’s Eve. If you are happy for it to be there and you are not compromising anyone’s privacy, go ahead and post it.
5) Give them every opportunity to change their mind if they wish.
If anyone asks for their contact details to be amended or deleted, do it immediately. A quick way to provide an opportunity for people to change their mind is to add an opt-out option in the signature line of your e-mails, even if that’s just a note advising them to reply with “Unsubscribe” in the subject line of their e-mail.
6) Update your records
Go through the contacts list in the group e-mail account regularly and delete unused details. If you have recently stepped down from a committee role you should permanently delete any personal details that may remain on your own computer or mobile phone.
Aside from the fact that Data Processors are required to comply with the law, it’s worth putting these tips into action and establishing good data protection habits, so that you have a clear conscience and can get on with your committee role – you will be busy enough with that! And you will certainly appreciate it when your successor on the committee continues those good habits in relation to your own privacy.
A version of this article was originally published in Nursing in General Practice.