On 25 May 2018 the European General Data Protection Regulation (GDPR) came into force. It strengthens and extends data protection law, and has a greater focus on individual rights. Among the changes are a stronger requirement for explicit consent to use someone’s information, more rights to access and ask for information to be deleted, and the right for someone to object to the way their information is used.
The Information Commissioner’s Office has guidance on the regulation.
Organisations need to keep details about their volunteers (unless they are volunteering at an informal, one-off activity). If these details are included in the Data Protection Act 1998’s definition of ‘personal data’, the organisation must follow the rules about how it collects, stores, uses and discloses this information. It may need to ‘notify’ (register with) the Information Commissioner.
There is a self-assessment tool for organisations to check whether they need to register on the Information Commissioner’s Office website.
The Data Protection Act 1998 has eight data protection principles, which give guidance on what organisations should do. However, it’s not always clear from them what action should be taken – for example, where a duty to disclose information about a person conflicts with someone else’s right to confidentiality.
There have been a number of cases where charities have been fined by the ICO for failing to comply with data protection law, specifically the handling of personal data. It is imperative that organisations train their volunteers if they are to handle personal data. This can include personal information of service users, other volunteers, staff and trustees.
As part of their induction, volunteers should receive the eight principles of data protection so they can be clear about their responsibilities in complying with legislation.
The act uses certain words for information and individuals or organisations, depending on their roles and responsibilities under the act.
The Information Commissioner’s legal guidance on the act says: ‘it is difficult to envisage any action involving data which does not amount to processing within this definition’.
Section 4 and Schedule 1 of the act set out the eight data protection principles. Personal data must be:
Personal data should only be used for one or more of the following reasons.
Apart from the first condition, where the data subject has given consent, the conditions are based on ‘necessity’ – needing the information. Necessity is not defined in the act, but as a guide an organisation could think about whether its obligations or aims can be reached without collecting or using the information – if not, the information could be seen as necessary.
Some personal information is particularly sensitive. This ‘sensitive personal data’ has tighter rules about how it can be used. It is defined as personal data that includes information about the data subject, which includes:
As well as meeting one of the ‘fair processing’ reasons listed, there are separate conditions that need to be met for sensitive personal data to be used, such as the data subject giving explicit consent.
The Data Protection Act 1998 says that people who want to see data held about them can write to the data controller to ask for this. This is called ‘subject access’. The data controller can charge up to £10 and must reply promptly (within 40 days of receiving the fee).
The response should include information about:
The data subject cannot always see this information, for example:
Under the Data Protection Act 1998, volunteers may ask to see their references. References given by the organisation to which the request is made are exempt under the Data Protection Act 1998. References provided by third parties should, however, be disclosed.
The act seems to protect information about a third party from being revealed when a person asks to see data held about themselves. However, the Information Commissioner’s Office Employment Practice Code (pdf, 3MB) says that, in the case of references, consent is not needed from the referee for the reference to be disclosed, but that the organisation must make a judgement as to what information it is reasonable to withhold.
Some or all of the details can still be held back if the organisation believes there is a fair reason to do so, but the code says that factual information, such as sickness records, should not be withheld. Although the code refers to employment issues, the general principles apply to volunteering. More guidance on disclosing references is in the code’s supplementary guidance (pdf, 2MB).
There are no clear guidelines about how long volunteer records should be kept.
Organisations regulated by a body such as the Care Quality Commission must follow the guidelines from the appropriate guidance or inspecting/regulating body. Other organisations should follow the data protection principle that data should not be kept for longer than is needed for the purpose for which it was collected. For example, contact details of people who have enquired about volunteering but have not wished to progress to becoming volunteers should not be held.
The Disclosure and Barring Service Code of Practice says that disclosures must not be kept for longer than six months, except in exceptional circumstances. In its general guidance it recommends that organisations speak to the DBS if they think they may need to keep disclosures for longer.
Organisations subject to regulation and inspection by bodies such as the Care Quality Commission may need to keep records between inspections.
Organisations working in areas with particular health and safety concerns – such as work with hazardous substances – should look for guidance on legal requirements for keeping health and safety records.
Records about accidents should be kept for at least three years – the time limit for personal injury claims under the Limitation Act 1980. There can be exceptions to this if long-term health effects may emerge, as with asbestosis. The three-year limit then starts when the individual is first aware of the problem.
Organisations that have volunteers who give advice or similar services should be aware that the Limitation Act 1980 says there is a six-year time limit for damages claims that are not about personal injury. A case like this might require training records and similar information to show that the organisation took the right steps to avoid damage.
Last reviewed: 19 May 2022