Data Protection: A guide for Mutual Aid groups
All over the country, neighbours are gathering together in Mutual Aid Groups to support people living nearby during this public health emergency.
Some of those groups have asked questions about data protection, the GDPR and whether they might be breaking the law.
Here is a short guide you may find helpful to make sure that you are using people’s data fairly and lawfully. Please bear in mind that it is not legal advice.
1. Keep Calm And Carry On.
Data Protection is about being respectful of people’s right to privacy over their own personal information. As long as you are being respectful – and only using people’s personal data in ways that you would want your own data used – you are probably complying with the law.
Data Protection is not an obstacle to carrying out the valuable work of Mutual Aid groups looking after their neighbours.
2. What is Data Protection and the GDPR?
The General Data Protection Regulation (GDPR) is a set of legal rules explaining how information about individuals (their personal data) should be used. Although the language is technical, it’s ultimately a matter of common sense. Among other things, the GDPR requires organisations using people’s personal data:
- To be able to demonstrate a good reason for using the data
- To inform those individuals how and why they are using their data
- To make sure the data are accurate and up to date
- To only hold onto the data for as long as they need it
- To keep the data safe
3. Does the GDPR apply to our Mutual Aid Group?
In general, anything an organisation does to personal data about individuals (“processing”) is subject to the GDPR. Collecting information about people (e.g. their name, home address, email address and anything to do with their health) is “processing” their personal data and therefore must be done in accordance with the GDPR. The organisation which processes personal data is known as the “data controller”.
However, private individuals are not subject to the GDPR when they use other people’s personal data in their personal, domestic or household activities (e.g. sending an email/social media message to a friend or family member).
The quickest indicator of whether your Mutual Aid Group is subject to the GDPR is its size. A WhatsApp chat limited to a handful of neighbours on one street is therefore unlikely to be subject to the GDPR. However, groups on a larger scale (e.g. organised by electoral ward) will in most cases be subject to the GDPR.
You may find it helpful to consider:
- How many members are there in our group?
- Is the group limited to friends or acquaintances or does it also include strangers?
- What kind of information about people are we collecting and using? The more sensitive the information (e.g. health conditions), the greater the risk to privacy and therefore the more likely you are to be subject to the GDPR.
4. What should we be doing to comply with the GDPR?
(1) Establish what data you need to collect and use.
Where you are co-ordinating volunteers, you are likely only to need their name, mobile phone number, email address and home address.
Where you are dealing with people who are self-isolating, you may also be collecting information about their health. Special rules apply to using data about an individual’s health.
(2) Identify your reason for using people’s personal data.
In general, consent is likely to be the most appropriate reason for using someone’s personal data. In order to comply with the GDPR, you should ensure that:
- The individual knows what you are going to do with their personal data
- The individual is free to give or refuse their consent
- Consent is demonstrated by some positive action (e.g. ticking a box on a form, signing a consent form)
- The individual is able to withdraw their consent at any time
If you are collecting health data (or any other kind of “special category” personal data), you will need to identify an additional justification for doing so. This is because health data is more sensitive and therefore needs to be treated with care. In general, the individual’s explicit consent is likely to be the most appropriate reason for using their health data.
Explicit consent means (on top of the basic requirements for consent set out above):
- Consent has been confirmed in a clear statement (either oral or written)
- The health data (or other special category data) being used is specified
- It is given separately from consent for using other kinds of personal data
(3) Inform people how you are going to use their personal data.
It is important to inform individuals how you are going to use their personal data. You can do this in a number of ways:
- On flyers you are distributing in your neighbourhood
- In the group description of your Facebook page
- A document uploaded to your WhatsApp chat
You need to inform people of the following:
- Who you are and how your group can be contacted
- Why you are processing people’s personal data (your “purpose”; i.e. to provide support to neighbours who are self-isolating)
- Your reason (your “lawful basis”) for processing personal data (i.e. the individual’s consent and, where appropriate, their explicit consent)
- What kinds of personal data you are processing (e.g. name, contact details, health conditions)
- Who the data will be shared with (i.e. members of the Mutual Aid group, specific external organisations)
- How long the data will be held (i.e. until the government withdraws its advice about self-isolation)
- Information about individuals’ rights
- Their right to withdraw their consent
- Their right to complain to the Information Commissioner’s Office
(4) Keep people’s data securely and in a single location.
You should try to maintain a single working document with people’s personal data (e.g. a Google Doc or spreadsheet). You should limit access to that document to only those people who need it (this may require granting various levels of access or permissions). You should ensure that the document is kept in a secure manner and is not at risk of being accessed by unauthorised people.
(5) Be prepared to deal with requests.
If you are relying on an individual’s consent (and, in some cases, explicit consent), that individual must be free to withdraw their consent at any time. In most cases, if consent is withdrawn, you should stop using that individual’s data and should delete it.
Individuals whose data you hold have certain rights in relation to it:
- They may ask for it to be disclosed to them (a “subject access request”).
- They may ask for it to be amended if it is incomplete or inaccurate (a “rectification request”).
- They may ask for it to be erased (the “right to be forgotten”).
- They may ask you to stop processing it for particular reasons or in particular ways (“restriction of processing”).
- They may ask you to stop using their data altogether (“objection to processing”).
You should be prepared to deal with these requests if they are made.
(6) When this is all over, delete!
You should only hold people’s personal data for as long as you need it. At the moment, we don’t know how long this public health emergency will last. However, there will come a time when we can go back to normal life. When this happens, or perhaps even before then, you will in most cases need to delete all of the personal data you hold.
Of course, if you have made new friends as a result of this process, then you don’t need to delete their contact information!
Remember, the GDPR is not a barrier to doing the right thing and helping those in need. Thank you for all of your hard work in looking after one another.