Charities - Data Protection, IT Security and Confidentiality
Charities are bound by data protection law in the same way as other organisations.
This means that the charity and its employees, trustees and volunteers must not do or fail to do anything that would cause the charity to be in breach of data protection law: this is for the protection of individuals both within and outside the charity.
As to those who are inside the charity, it means that the charity must abide by data protection law when receiving, holding, or using any personal data held by it about volunteers and other individuals (e.g. employees) inside the charity, for the protection of those individuals.
A charity should adopt a data protection policy which sets out the rights of volunteers (as well as others) as data subjects, the obligations of the charity as a data controller under data protection legislation, and a number of organisational and procedural measures to help ensure compliance with the legislation. Note that “data subjects” may be employees, beneficiaries, clients, customers, suppliers, service users, donors or volunteers.
See our UK Data Protection collection of templates under "Related Documents" below for examples of data protection policies which you can adapt for your charity’s use to protect personal data of individuals outside or inside the charity, including volunteers.
A charity should also adopt a form of privacy notice to provide data subjects (including volunteers) with important information about the charity’s use of their personal data, as required by data protection legislation. See our template Privacy Notice for a Charity (GDPR compliant) under "Related Documents" below.
As well as abiding by the duties arising under data protection legislation, a charity should adopt suitable measures to protect commercial or other confidential information, both its own information and that which it receives from external sources. Such measures will include bringing to the attention of volunteers (as well as employees) the fact that, where they have access to such information, they must keep it confidential and not misuse it.
A charity should in addition adopt an IT security policy that can serve not only as a policy for IT security matters but also as a guide to the important IT security points that a business should consider. Such a policy should be written to expressly require volunteers (as well as employees) to abide by the policy. See our IT Security Policy template under "Related Documents" below as an example which can be adapted to expressly include volunteers.
It would also be prudent for a charity to adopt a communications, email and internet policy: see our Communications, Email and Internet Policy template under "Related Documents" below as an example which can be adapted to expressly include volunteers.