Data protection and online security

Data protection and online security: An introduction

This resource has been developed in partnership with Naomi Korn, Founder and Managing Director of Naomi Korn Associates, industry-leading experts in copyright and data protection.

Since the coronavirus (COVID-19) pandemic it has become more necessary than ever for organisations of all shapes and sizes to work remotely and online. With this shift, safeguarding people’s privacy and keeping their information secure online has become particularly important. This guide provides an overview of the online activities carried out by UK charitable organisations and addresses a range of issues they are likely to encounter. It includes checklists, practical advice and resources to help you understand and manage online activity. The guide gives introductory-level detail and links out to other sources, so that you can use the information to help your organisation, and the communities you support, stay safe.

Disclaimer: The information provided within this Guide is an opinion and should not be construed as legal advice.

1. WHAT IS DATA PROTECTION?

Data protection legislation in the UK comprises the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). The legislation relates to the processing of personal data, which includes data held on spreadsheets, in paper correspondence and records, and even within photographs, films and other collection items.

Personal data is any information relating to the private, professional or public life of a living person that can identify that person, either directly or indirectly when combined with other information. It can include an expression of opinion about an individual.

Examples of personal data include: 

  • Membership lists

  • Customer and client data

  • Visitor information 

  • Staff, trustee and volunteer details

  • Collection items, such as individuals appearing in photos and films and names and addresses in letters

A data controller is any person or organisation that makes decisions about, or determines, how and why personal data is processed. Data controllers are responsible and accountable for making sure that any processing of personal data is lawful, which includes making sure that the data is held securely. Part of a data controller’s responsibility is avoiding a data breach.

A data breach will arise from a security incident that affects the confidentiality, integrity or availability of personal data. A data breach has occurred when personal data is lost, destroyed, corrupted or disclosed; it may be accessed, shared without authorisation, made unavailable or accidentally lost or destroyed.

Privacy by design is an approach to managing personal data that builds privacy and data protection compliance into all your activities. It means keeping privacy and data protection a key consideration from the outset and throughout the entire life cycle of any project.

For example when:

  • Building new IT systems for storing or accessing personal data

  • Collecting personal data

  • Developing policy or strategies that have privacy implications

  • Embarking on a data sharing initiative

  • Using data for new purposes

Organisations must complete a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals. It is also good practice to do a DPIA for any other major project which requires the processing of personal data. More information can be found here.

2. MANAGING SPECIAL CATEGORY DATA

Some information is regarded as particularly sensitive and has additional security requirements for its handling if it is collected.

This includes: 

  • Ethnicity

  • Religion

  • Medical history

  • Sexuality 

  • Political views

If such data is lost, stolen or misused, whether by accident or deliberately, your organisation faces reputational damage and the potential for sanctions or fines. Understanding what is meant by ‘data’ can be complex. The UK’s Information Commissioner’s Office (ICO) has provided a detailed guide.

3. CONSIDERING DATA FLOWS

In order to manage how personal data flows within your organisation, a Record of Data Processing Activities (ROPA) should be maintained and updated regularly. A ROPA records how your organisation processes the personal data it holds. It must be kept in writing, in paper or electronic form. Most organisations will benefit from maintaining this documentation electronically, so it can be updated and amended easily as a living document.

As Data Controllers, organisations are both responsible and accountable for all processing of personal data, regardless of whether it is carried out internally or by a third party on the organisation’s behalf. This includes identifying any risks and documenting all processing activities and the decisions the organisation makes about them. It is important to have an audit trail that can be reviewed regularly by the respective data owners responsible within different parts of the organisation.

There are seven principles that underpin all processing of personal data:

  1. Lawfulness, fairness and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitation

  6. Integrity and confidentiality (security)

  7. Accountability

More information about ROPAs, including a template you can use, can be found here.

4. USING NEW TECHNOLOGY TOOLS AND THE CLOUD – YOUR PRIVACY RESPONSIBILITIES

When using new technology tools there are likely to be data protection implications. Organisations should check the supplier’s terms and conditions and privacy notices to ensure that their own data protection responsibilities are met. This includes Cloud based providers that are used to support access to services, audiences and content.

Typically, Cloud based services include: online data storage and backup solutions, web-based email services, hosted office suites, document collaboration services, database processing and managed technical support services. Cloud based providers can be accessed either directly or via another platform such as Zoom (particularly if you agree for recordings to be made available via the Cloud). As Data Controllers, organisations must carefully choose which Cloud based providers they use and document all of the decisions made. If a Cloud based provider falls short of the standards of data processing required by the legislation, the organisation will need either to negotiate better arrangements or to walk away and potentially choose another Cloud based provider.

Before you use Cloud based services, you will need to:

  1. Complete a DPIA so you can evaluate the risk of moving to a Cloud based provider. More information can be found here.

  2. Check the online terms and conditions of use as well as any online Privacy Statements for the Cloud based provider; all policies / statements should be clear, transparent and up to date. 

  3. Ensure the data is held in a form that satisfies data subjects’ right to data portability. If a data subject wants the personal data that you have uploaded to the Cloud, the Cloud based provider (or you) should be able to give them a copy of this data in a usable format.

If you are choosing a CRM, which might be Cloud based, you will also need to understand the following:

  1. What is your lawful basis for the processing of personal data in this way and do you need consent? Do your data subjects know what you are doing with their data and who has access to it? Have you sought consent where needed from all data subjects and does this reflect the processing by your selected Cloud based providers and any other third parties with whom they share the data? Have you updated your Privacy Notice to reflect this?

  2. How does your CRM keep personal data safe? It is important to understand the risks to data subjects if their personal information were lost, deleted, stolen or misused via the CRM. How quickly will the CRM provider react if a security vulnerability is identified in their product and / or if they detect a data breach? Will they inform you if personal data they are processing on your behalf is included in a breach, and how long will they take to tell you? Don’t forget that as a Data Controller, you have 72 hours from becoming aware of a breach to notify the ICO if it could be detrimental to the data subjects concerned.

  3. With whom will your CRM provider be sharing the personal data you provide and will it be safe? Will they keep the personal data safe and is there a robust contract in place between your CRM provider and any other providers/services? In what circumstances will your data be transferred to other countries? Can your CRM provider limit the transfer of your data to countries that you consider appropriate? Does your CRM provider provide an appropriate third party security assessment and does this comply with an appropriate industry code of practice or other quality standard?

  4. Will your CRM provider enable the deletion of personal data? What are the data deletion and retention timescales? Does this include end-of-life destruction? Will your CRM provider securely delete all of your data if you decide to withdraw from their platform in the future, and / or when you request that the data be deleted?

  5. What personal data do you hold and how will it be processed by the CRM provider? This includes whether the CRM provider generates user statistics or similar derived data that would constitute additional personal data. It is important to know what data the platform will process, so you can track it and comply with any Subject Access Requests (SARs).

5. CYBER SECURITY

Keeping equipment safe is fundamental to good data management. Keep a record of what devices are being used by each team member and volunteer working for your organisation, including the device’s make, model number and any unique organisational codes. For assets belonging to the organisation, this information will help you to trace any lost or stolen devices and to identify any devices that require updates / extra software to protect against potential cyber security issues.

Keeping data secure 

As set out in your organisation’s Privacy Notice, you should only collect data that is needed for work purposes. If this includes any personal data, to comply with the data protection legislation, you need to know: 

  • What data you are collecting and why 

  • Where you are storing the data 

  • How you are protecting the data and for how long - data protection legislation requires you to retain personal data only for as long as it is needed

These considerations depend upon a number of factors, including the purpose of the data and any legal requirements relating to the length of time different data types can be kept. For example, financial regulations require pension related data to be kept for as long as an employee is alive, regardless of whether they are still working for your organisation. Other personal data might have a very limited use, such as information relating to participants attending a specific event. In this case, without additional permission to contact participants in future, you would need to delete this data after the event, once the business need has ended.

Work safely with data

  • Ensure that people who don’t have permission to view confidential, commercial, personal or other sensitive data aren’t able to look at this when you are viewing it on your screen.

  • Always lock your screen when you are away from your computer.

  • Make use of security features like password or PIN code protection.

  • Set an automatic session timeout on your device.

  • Manually log out of sessions if leaving your device unattended or when you leave a shared computer.

Further guidance can be found at the National Lottery Heritage Fund’s Online Privacy and Security guidance document here.

RESOURCES YOU MAY FIND USEFUL

  • Information Commissioner’s website

  • Heritage Digital website for free digital skills training and support

  • Naomi Korn Associates who have developed this guide

  • Digital guide: online privacy and security
