Volunteering personal data
Looking back, it’s hard to believe that we are still only ten months into the implementation of the GDPR and the huge strides many organisations have made on their compliance journey. On the other hand, it’s incredulous that others still haven’t made a start, or if they have, it has merely been to kick the can down a shadowy back alley where they believe no one will go looking.
At the beginning, the amount of knowledge about the full extent of the legislation, coupled with varying degrees of enthusiasm/obstinance, were fundamental to whether or not an organisation was going to get anywhere near the who, what, when, where and how of the data flows, permissions, legal bases for processing etc. etc. required. This is still the case, particularly where the democratisation of technology has resulted in lax procurement, security and access procedures.
For small charities and other membership organisations, where administration is often done by volunteers, the legislation is viewed as just one more rope to be bound with.
Many of those who step up and give willingly of their time have little or no interest in the semantics of data collection and usage and have a wide variety of opinions on just how much it actually matters. Knowledge inevitably varies and there are loud calls from the side-lines by individuals who think that the whole process is nonsense.
Recent experience within Scouting has illustrated just what a minefield complex legislation can be for individuals and groups that have to collect data from, and communicate with, a variety of different constituents: parents and guardians; young people themselves; or a disparate leadership team. The writing of this article was triggered after getting involved in a social media post by leaders extolling the virtues of communicating on a regular basis with parents and carers via an open WhatsApp group*. A great idea – free and easy… but then the road to hell is paved with good intentions.
To understand the issues, we first need to think about where a membership organisation keeps data.
This might be a simple spreadsheet or physical record cards or, in the more sophisticated organisations like British Cycling, a centralised database accessed online by nominated club officials. Sometimes, as in the Scouts, an outside provider creates a commercial solution e.g. OSM (Online Scout Manager). The structure of the data is not as important as making sure that there is one master version and that the data isn't passed at random between various officers and intermediaries until there are multiple unknown copies. This is because the recipients of the latter may have no understanding of the need to delete data from their devices once it is no longer needed, or even the basic level of security which should be enabled to protect it.
Communication with parents and guardians in a youth organisation is fundamental to maintaining engagement: it is how new volunteers are recruited and numbers are kept high. Doing this with a tool in daily use like WhatsApp feels like the right thing to do, not least because it is free. However, the data protection issues range from revealing the personal data of one data subject to a larger group; to removing the data from the safety of the master spreadsheet or system. The individuals who set this up will say, rather naively, that they got the adults concerned to sign a form consenting for their data to be shared but this isn't necessarily enough. The form would have to be specific about what information is being shared, to who and how. Should somebody join the group later then that consent would need to be refreshed in order for it to be valid.
There might be some individuals more than happy to go through this rigmarole. But frankly if you're volunteering for something, the last thing you need is yet more admin.
Consent mechanisms are, by their very nature, extremely complicated, as any marketing director will tell you. They need to be active and well managed and you have to be able to remove somebody's information as well as add it. It gets more complicated still. Imagine the scenario when someone exercises their right to erasure: because you revealed their telephone number to the rest of the parents in the WhatsApp group you have to go and ask all of them to remove the details from their own device; that’s not so tactful (and tedious). Because WhatsApp reveals the telephone numbers of all group members and smart phones are terribly clever, it means that people barely connected in real life, are suddenly revealing masses of details via linked social media services. You can bet most of them didn’t sign up for that on the consent form. In organisations like the Scouts, where 14-17 year olds can take on Young Leader roles and Explorer Scouts are encouraged to take control of their own schedules, the use of WhatsApp and its clever connecting abilities means that adult leaders can find themselves inadvertently in an adverse safeguarding situation.
It is always better to find a solution that keeps just one record of an individual, which that individual or their parent or guardian has updated themselves. If, wherever possible, you use this system for all communication it prevents the proliferation of the data into multiple, unknown places. It also means that the natural turnover of committee members, managers, coaches or leaders does not leave legacy records on personal devices which could be a data breach. Should you be in the unfortunate circumstance of having to remove an individual from working within the organisation, this centralised system enables you to remove access rights without the unbearable angst of asking someone to prove they have made the necessary deletions.
Volunteering should be a joy and as rewarding to the volunteer as the people they support.
Protecting the data of the latter is incredibly important particularly when working with young people and the vulnerable. Doing it for free is not an excuse for doing it badly. Having neither the time nor the inclination to find out about and follow the laws is no excuse.
Just as in business, the voluntary sector must develop the knowledge that is required to manage and protect the personal data. It doesn't have to be hard: in fact, where good tools exist, it can significantly reduce the time devoted to admin. It is important that this knowledge doesn’t come from a post on social media by individuals of unknown capabilities.
In our opinion the key takeaways for any membership organisation are as follows:
- Keep all of your data in a single place securely protected and managed.
- Do not download your data and disperse it amongst many or few individuals in an effort to make things easier. It is rarely ever so from a compliance perspective
- Having a piece of paper with a tick box on it is rarely sufficient proof of unambiguous consent which must also be active and relevant. Utilise the system that enables this consent to be managed on a regular basis by the individuals to whom it relates.
And one more thing… if once upon a time you were a Beaver, Cub or Scout, your local Group needs you. Go volunteer to be a Section helper or even step up to be a Leader. There are thousands of young people desperate to join who can’t because of a lack of adult volunteers. Your data protection expertise would be invaluable – plus you could change the course of someone’s life. #skillsforlife scouts.org.uk/join
For anyone who is interested – my Scout Group has pictures on the wall of its HQ which parents and carers are very welcome to come and look at. There’s the odd one in our newsletter (when we get around to writing it) and we have got very good at taking pictures without faces. This is what our social media policy says:
Taking Photos & Social Media
- We love celebrating the various antics of our Beavers, Cubs, Scouts and Explorers and we know that you do too. It's great to catch these moments on camera.
- However, please be aware that not every parent or carer of a Beaver, Cub, Scout or Explorer, or Leader, wants their image distributed widely via social media.
- Because we are a uniformed organisation, it is very easy to identify the location of our Group. By sharing photographs in the public domain which contain images of other members without their permission you are infringing their privacy and may, inadvertently, be putting someone at risk.
- Therefore, we respectfully request that any identifiable images you share on social media are solely of the children for whom you have parental responsibility.
* Many groups openly use this as a method of sharing photos of what the young people are doing at their meetings. Personal opinions of this aside (young people deserve privacy in their activities/the right to curate someone’s childhood etc.) less is definitely more where this is concerned.