NOTIFICATION
TROLLEY
SIGN IN

Beta

Welcome to the first part of the new NCVO website. While we finish building it, you will find the rest of our help and guidance on our existing site.

Last reviewed: 02 March 2021

Use this page to understand what data protection is and why it matters. This should not be used as legal advice. We link to more detailed advice from the Information Commissioner’s Office (ICO) throughout.

Data protection and the law

Data protection law aims to make sure that personal data is gathered, stored and used responsibly and transparently. It gives people ownership of information about themselves. It works to limit how organisations use that data and forces them to use it responsibly.

The relevant law in the UK is the Data Protection Act 2018. It was updated in 2019 with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations. The law and regulations align law in the UK closely to GDPR, the primary European regulation on data protection.

The ICO is the UK’s independent body that is responsible for promoting and regulating data protection. We link to their advice throughout this page.

Use the ICO’s small organisation home page.

What is personal data?

The exact nature of personal data is very complicated and varies from situation to situation. The legal definition of personal data in the UK is ‘any information relating to an identified or identifiable natural person’. That means that personal data is information about a person who can be:

  • directly identified from the information
  • indirectly identified from that information in combination with other information.

For many organisations, personal data is the most obviously identifiable information about a person. Name, age, email address, full postal address or full postcode are all examples of 'personal data'.

Sometimes it’s less obvious that information is personal data. For example, technical information that can identify people, such as their computer’s IP address, is also considered 'personal data'.

You could hold data on a wide range of people – from past volunteers, to people who give you donations, and many others.

It isn’t only information you are directly collecting about people that counts. It could also be information people give you about others.

Example

My Voice creates an app to help young people process what they are thinking in difficult situations. The young people can choose to send their entries to a counsellor who’ll contact them with follow-up advice. If they do this, the app collects and stores their phone number.

Most of the app focuses on clicking on preset words or images. Some young people ask for a free text space to vent. They expect the counsellor to see that venting. But sometimes they mention names and other information about friends or relatives in their text. My Voice doesn’t want to store that data and has no right to collect it, but it could fall under the definition of personal data.

My Voice doesn’t want to stop the young people getting help in the way they want to. So the counsellors agree to edit out any personal data about other people when they first open the message. This means it’s deleted from the organisation’s system as soon as possible.

There are also types of legally defined sensitive personal data. This is called special category data. It includes:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
  • genetic data
  • biometric data (where used for identification)
  • data about health
  • data about a person’s sex life
  • data about a person’s sexual orientation.

There are similar rules for data about criminal allegations, proceedings or convictions.

If special category data can be connected to a person there are additional rules to follow.

Find out more about special category data from the ICO.

Understanding the data protection principles

You need to know and understand what the legal principles of data protection are and what they mean for your organisation. They are as follows.

Lawfulness, fairness and transparency

  • Use data legally under a permitted lawful basis.
  • Use data fairly, being clear, open and honest with people whose data you hold.

Purpose limitation and data minimisation

  • Collect only what you need and use it as you planned and communicated you would.

Accuracy

  • Keep your records up to date.

Storage limitation and integrity and confidentiality

  • Store data securely and confidentially.

Accountability

  • Take responsibility for what you do with data.
  • Have records and policies that show what you’re doing with data.

Find the full legal wording of the principles on the ICO’s website

For more on each of these areas see our our steps to improve data protection in your organisation.

People’s rights relating to their data

The purpose of the data protection principles is to keep people safe and respect their rights.

People have a right to:

  • understand what data organisations have about them and how it is being used
  • see that information and get their own copy of it to use however they want
  • correct the information if it is wrong
  • ask for it to be deleted or limit how it is used
  • complain if they don’t like things an organisation is doing with their data.

Why should we make the effort to get data protection right?

  • We all need to comply with data protection to safeguard the people we work with.
  • The data protection principles are sound. Following them will help you to be an ethical organisation.
  • The reputational risk if someone discovers you are not following the principles is significant.
  • There are financial penalties for breaking the rules.
  • The ICO wants to make it easy for you. They produce lots of checklists and tools you can use.

This guidance was created with the help of TrustLaw, HR Services Partnership (HRSP) and Superhighways.

This page was last reviewed for accuracy on 02 March 2021

Back to top

Sign up for emails

Get regular updates on NCVO's help, support and services