Fortunately there are laws that protect us from unscrupulous use of our personal information. The Data Protection Act 1998 is legally binding and applies to everyone. It should be taken seriously, but that said, what it requires you to do is only common courtesy.
Sponsorship forms
The most common way of collecting data is through a sponsorship form.You will need to include a statement on the form which tells donors how you will use their data, i.e. that you will send it to the charity. In this instance it is then entirely acceptable for you to send the forms to the charity you are supporting. They are then responsible for complying with the Data Protection Act.
Also make sure that the charity’s registered charity number is on the sponsorship form.
Top
The Data Protection Act
The Information Commissioner’s Office, which is responsible for the Data Protection Act, provides the following information.
“The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.”
Put simply this means that you must:
- State what the data will be used for on any forms or other mechanisms you use to capture data about people.
- Don’t be tempted to use the information for a purpose other than it was originally collected. If you want to use it for something else later, you must ask for permission at the time of gathering the information. For example, use a simple statement that asks "we would like to use this information to contact you with direct mail at a later date" and give them an option to say “no thank you”.
- Only ask for the information you need to know to carry out your fundraising activity, unless you can explain to the individual, at the time you gather it, why you are asking for more information and what it will be used for.
- If you keep the information after the event because you have asked for permission to do so, or the event goes on for an extended period, let people know what information you have and give them an opportunity to update it. If this is the situation, you will probably have the information stored on computer and you can use a mail merge function to send the details to people by letter, asking them to let you know if there are any changes they would like you to make or if they no longer want to hear from you.
- When you have completed the fundraising activity, destroy the data unless you have written permission from people to keep it and they know what you will use it for subsequently.
- This is a complex area, and if you are in doubt you should check with the Information Commissioner’s Office before collecting the data.
- For most volunteer fundraising purposes people should know:
o who holds the data and how to contact them
o what data you hold and how it will be used
o that you have their permission to hold this data and you will use it only for the purposes you said at the time they gave it to you
o that you are not recording any sensitive personal data (see below)
- Keep you paper files somewhere secure. Put them out of sight when you are not using them and shred them when you have finished with them. Do not share your electronic files with other people, unless they are part of your fundraising activity team. If you share a computer, password protect the files so that they cannot be opened by people who don’t have a right to use them. If you must share files with other people in your team, make sure they understand their obligations under the Data Protection Act. Delete the files from your computer files when you have finished your fundraising activity and then delete them from the ‘trash’ folder. Make sure that anyone else who has had a copy of the files does the same. Do not put personal details on a website (unless you have permission, in writing, from each individual concerned).
- The simplest approach is not to give the details to anyone else. You can only pass data on if the people who gave you the data have expressly said you can. If you have permission from each individual to pass the details on to the charity you are supporting, for example, make sure that the charity you pass the information onto confirms to you, in writing, that they will in turn comply with the Data Protection Act. You should not assume that just because a charity is worthy, that its systems are perfect. Check that the charity understands the purposes for which they may use the data you are giving them. Make sure the charity sees a copy of the form that the individuals signed, giving you permission to pass this data on.
If someone asks to see the information you hold about them, you must show it to them immediately, so don’t record anything that you would not be happy for the individual that it is about to read! Make sure you display the information in such a way that they are not able to see any other personal records. If someone asks you to remove any personal details that you hold about them, you must comply immediately.
Top
Sensitive personal data
Sensitive personal data is data concerning:
- the racial or ethnic origin of the data subject
- the political opinions of the data subject
- the data subject’s religious beliefs or other beliefs of a
- similar nature
- whether the data subject is a member of a trade union
- the data subject’s physical or mental health or condition
- the data subject’s sexual life
- the commission or alleged commission of any offence by the data subject
It can only be processed in certain circumstances, as described in the Data Protection Code of Fundraising Practice. Check with the Information Commissioner’s Office whether you can record such details.
Other useful links
The Institute of Fundraising’s Code of Best Practice for Data Protection gives an outline of how the Data Protection Act impact on all fundraising activities.
The Information Commissioner’s Office gives comprehensive information on all aspects of the Data Protection Act.
Disclaimer
This know-how sheet is produced by how2fundraise.org, an on-line service provided by The Institute of Fundraising. It is intended to provide general information only and should not be taken as a full statement of the law. Please bear in mind that the Institute does not give professional legal or accounting advice, and while care has been taken with this information, you should consider whether you need to seek advice before taking any actions or incurring costs.
The information applies to England and Wales only.
The Institute does not endorse or recommend any third party services or products. If any third party services/products are listed on this website, it is for information purposes only. This how2guide/know-how sheet was last updated on date given at the top of this page and is reviewed on an annual basis. If it is some time since you obtained this how2guide/know-how sheet, please check if it is still correct.
Copyright
Copyright © 2007 Institute of Fundraising. Please see our terms and conditions for full details on use of these materials.
