Volunteer and Trustee Security checklist
Generally it is not expected that Volunteers or Trustees have as much broad access to personalised data as staff, to minimise risk. However, it may be through the specific nature of their involvement they do access or share personally identifiable information, for example the treasurer may view donor names in a gift aid claim, or a volunteer may review feedback forms from event attendees.
This page is intended to evolve as a simple set of guidelines and a checklist for the use, storage of sharing of data in role as either a Trustee or volunteer for Wikimedia UK.
General Overview
- Data controller - A person who (either alone, or jointly, or in common with other individuals) determines how and why any personal information is to be processed.
- Data subject - An individual about whom personal information is held.
- Personal data/information - Information about a living individual who can be identified from that information and other information which is in, or likely to come into, the data controller's possession
- Processing - Obtaining, recording or holding data or carrying out any operation or set of operations on that data. Organising, storing, adapting and amending the data, retrieval, consultation and use of data; and disclosing and erasure or destruction of data. It is difficult to envisage any activity involving data that does not amount to processing.
Key Principles of Data Protection Act
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
- At least one of the conditions in Schedule 2 is met, and
- In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
These highlighted principles are ones that you should bear in mind most when you 'process' any data - basically be clear:
- What you are trying to achieve that requires information
- What information you need to achieve this (what DON'T you need is often helpful to define this - use only what is minimally necessary)
- When you will have achieved your express goal - then delete your data.
Checklist
Read the list! Anywhere where you can't confidentially put a 'tick' next to the statement, you should look at amending your arrangements asap. If in doubt, ask for advice by contacting the office
Keeping information secure
- Do you change your password regularly (best practice says at least every 90 days) for any @wikimedia.org.uk email account?
- Do you lock/log off a computer you are using to access Wikimedia UK systems or data when away from it?
- Do you ensure if using your computer no one else can view confidential data on your screen?
- Do you destroy confidential paperwork i.e. by shredding (Confidential is defined as either 'sensitive' or 'containing personal data' according to our Confidentiality_Policy)?
- Where you are required to store hard-copy confidential paperwork, is it kept in a locked secure place when not being used?
- Do you take care to prevent viruses accessing data on your computer when opening email attachments, and by using appropriate, up to date firewalls?
- Do you encrypt confidential information if storing it on a hard drive or usb drive (NB Data_Encryption_Policy)?
- Do you back up information securely?
Minimal collection and storage
- When you collect or request information is it for a specific purpose related to your role?
- If you need information for a new purpose do you explain this to those whose data you are collecting and obtain consent or a clear opt out?
- Do you update records promptly e.g. change of address
- Do you delete information when no longer needed? (You must not keep it 'just in case')
Data over the telephone
- Are you aware you must check and confirm the identity of a caller who requests personal information over the telephone about themselves or someone else?
- Do you confirm the recipient of a call you make is the person whose information you wish to discuss?
- Do you use the minimum amount of personal information necessary during a phone call, and follow up in writing if appropriate?