Some key terms under the Data Protection Act 1998 (DPA)

Under the DPA, “personal data” means information which refers to identifiable living individuals. The DPA covers how personal data should be protected. “Data” can generally be taken to refer to:

information held on computer;
information held in ‘relevant’ manual files

Under the DPA, sensitive personal data consists of information about:

a) the racial or ethnic origin of the data subject;
b) their political opinions;
c) their religious beliefs or other beliefs of a similar nature;
d) whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
e) their physical or mental health or condition;
f) their sexual life;
g) the commission or alleged commission by them of any offence, or
h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Under the DPA a “Data Subject” is anyone whose personal data is processed. It is important that organisations understand that children, young people and adults are Data Subjects which means that children have a legal right to request to see and to be given access to all the information the organisation holds on them. However, there are some exceptions. For example, where providing the information to the Data Subject would be likely to interfere with crime prevention, detection or prosecution. Full information on how and when this is likely to happen within the Disclosure process is available, on request from CRBS.

Under the DPA personal data should be processed in accordance with the following eight Data Protection Principles which state that data must be:

fairly and lawfully processed;
collected and used only for specified purposes;
adequate, relevant and not excessive;
accurate;
not kept longer than necessary;
processed in accordance with the data subject’s rights;
secure;
not transferred to other countries unless that country has adequate levels of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Organisations should keep these principles in mind whenever they request and process personal and sensitive data from children, young people, their parents/carers and workers.

Legal responsibility for compliance with the DPA lies with the Data Controller. Guidance given to voluntary organisations by Volunteer Development Scotland in their policy briefing Volunteering & The Data Protection Act 1998 states that every volunteer-involving organisation is likely to be a Data Controller and therefore needs to notify the Information Commissioner if it is processing personal data. The main duty of every Data Controller is to ensure that the organisation is managing data according to the Data Protection Principles.

Further general guidance on the Data Protection Act 1998 and voluntary organisations can be obtained from:

The Information Commissioner
Wycliffe House
Water lane
Wilmslow
Cheshire
SK9 5AF

Tel. 01625 545745
www.dataprotection.gov.uk
e-mail: data@dataprotection.gov.uk

The Information Commissioner can advise an organisation on whether or not it is required to register as a Data Controller.

The publication Data Protection for Voluntary Organisations (Paul Ticher, 2nd Edition, published by the Directory of Social Change) gives detailed guidance on the DPA 1998. Tel. 08450 77 77 07 or email: books@dsc.org.uk

One of the advantages of being affiliated to a larger voluntary body is that the ‘body’ (for example Scottish Youth Football Association) may sometimes act as the registered Data Controller for the smaller local groups and clubs.