SLCVO Blog 13 March
- joford4

In this week’s blog, we explore what data protection really means for community groups and charities. We look at the common pitfalls organisations can fall into—and how to avoid them—along with the core data protection policies every group should have in place. We also explain how the Information Commissioner’s Office (ICO) can support you to stay compliant, highlight recent changes in legislation, and provide a simple checklist that boards and committees can use to strengthen their data protection practices.
Team Update
This week was quieter for the SLCVO team but still productive. Michelle worked from home to collate training feedback for funder reporting, plan future training sessions, and prepare the monthly newsletter. Matt spent time on the road meeting potential new volunteers and building engagement in the community. Jo-Anne met with Luthien from HTSI’s Volunteer Academy to explore opportunities for collaboration and discuss ways to strengthen support for people interested in volunteering across the area.
Jo-Anne also worked on the Annual Business Review and Risk Report for the Board. This document is essential when planning for the year ahead and considering the sustainability of services beyond current funding. Like many local groups, SLCVO relies on annual funding for around 80% of our work. As contract decisions are delayed due to Scottish Government processes and uncertainty grows, we must consider contingency plans, the use of unrestricted reserves, and the implications if contracts are not renewed. This is why a business review and risk report are so important for organisations with staff, especially when income is not generated through enterprising activities.
Even though our heads have been deep in reports and financial planning, our work with local groups continues. This week we reviewed Lottery funding applications, supported a new group exploring the creation of a Community Interest Company, and worked with the Whole Family Wellbeing Team to look at issues around drug and alcohol addiction in Skye and Lochalsh. We hope they will join the Community Wellbeing and Support Forum going forward.
One of the groups we worked with this week needed guidance on data protection requirements. As last month marked the next commencement phase of the Data (Use and Access) Act (DUAA), we’ve decided to dedicate this week’s blog to data protection that all groups—regardless of size or legal structure—need to be aware of.
What Data Protection Actually Means for Third Sector Groups
If you run a charity, community group, or social enterprise, “data protection” can feel like a maze of acronyms. Here’s the simple truth: if your organisation handles information about people, the UK GDPR and the Data Protection Act 2018 (DPA 2018) apply — no matter your size.
What counts as “personal data”? Anything that can identify a living person: names, email addresses, phone numbers, photos, sign‑up sheets, attendance lists, case notes, referral forms, volunteer rosters, even IP addresses collected by online tools. Some data needs extra protection — e.g., health information or a person’s religion — known as special category data.
The seven principles to live by
The law boils down to seven common‑sense rules:
be lawful/fair/transparent;
stick to clear purposes;
collect the minimum;
keep it accurate;
don’t keep it longer than necessary;
keep it secure;
and be accountable (prove what you’ve done).
These apply to all processing, from paper sign‑in sheets to cloud forms.
How you justify using people’s data
You must pick one lawful basis for each activity (e.g., running a waiting list, emailing updates, paying staff). Common bases in the third sector are contract, legal obligation, vital interests, public task (if commissioned to deliver services), and legitimate interests; consent is used when people truly have a free choice. Document your choice and put it in your privacy notice.
Special category data
If you collect sensitive personal data, the law treats it as high‑risk. So you need two legal reasons to use it—and sometimes two extra documents to show you’re handling it responsibly.
Breaches (and the 72‑hour clock)
A breach is any security incident involving personal data — not just hacks. Emailing a spreadsheet to the wrong person counts. If a breach risks people’s rights and freedoms, you must report to the ICO within 72 hours and, if risk is high, inform affected people. Keep an internal breach log either way.
Retention: how long can you keep data?
Only as long as needed for the purpose (or any legal requirement). Set a retention schedule, review it, and delete/anonymise when the period ends.
Find out more from the Information Commissioner’s Office (ICO): UK GDPR guidance and resources | ICO
Understanding Special Category Data: What Third Sector Groups Need to Know
Some personal information is more sensitive than others, and the law places extra protections around it. This includes things like a person’s health details, ethnicity, religion or beliefs, sexual orientation, political views, or biometric data. Because this type of information could cause harm or discrimination if it were mishandled, organisations must meet higher standards when collecting or using it.
When a community group or charity handles sensitive data—such as wellbeing notes, accessibility needs, or information linked to safeguarding—you must be able to justify why you are using it. The law requires two separate legal reasons. First, you need a general lawful basis under UK GDPR, such as legitimate interests, consent, vital interests, or public task depending on your role and the situation. Second, you need an Article 9 condition, which is an additional safeguard specifically for sensitive data. Common conditions for third‑sector organisations include explicit consent, protecting someone’s vital interests, or working under “substantial public interest” grounds—for example, where safeguarding, equality monitoring, or support services are involved.
In many cases, especially when relying on the “substantial public interest” condition, your organisation must also have an Appropriate Policy Document (APD). This is a short explanation of why you’re processing sensitive information, how you’ll keep it secure, how long you’ll retain it, and which lawful bases apply. If the information relates to people who may be vulnerable, or the activity involves higher risk—such as providing wellbeing support, addiction services, domestic abuse support, or mental health assistance—you’ll also need a Data Protection Impact Assessment (DPIA). This helps you think through the risks and make sure you have strong protections in place.
In simple terms, handling sensitive data means showing that you’ve thought carefully about what you collect, why you collect it, and how you keep people safe. It doesn’t have to be complicated, but it does require a bit more structure. If your organisation collects health information or other sensitive details, taking these steps ensures you’re following the law and, more importantly, treating people’s personal stories with the respect they deserve.
For more information visit What is special category data? | ICO
Volunteers & Service‑User Data: Common Pitfalls (and How to Avoid Them)
Community organisations often handle personal data in everyday scenarios. Here’s how to avoid the usual missteps.
Pitfall 1: Collecting too much
Only collect what you genuinely need (e.g., emergency contact, relevant access needs). Avoid “just in case” data.
Pitfall 2: WhatsApp groups & shared inbox sprawl
Uncontrolled sharing leaks personal data; people leaving may retain access. Set channel rules, restrict admin rights, remove leavers promptly, and document data‑sharing arrangements with partners.
Pitfall 3: Photos and videos
Photos of identifiable people are personal data; sometimes they even verge into special category territory (e.g., where they reveal health or beliefs by context). Decide your lawful basis (often legitimate interests for event photography; consent for profile stories), give clear notices, and respect withdrawals where consent is used. Crowd shots where no one is identifiable are lower risk.
Pitfall 4: Retention drift
Keeping sign‑up sheets and case notes forever breaches storage limitation. Adopt a simple retention schedule and automate reviews where possible.
Pitfall 5: “Small = exempt” thinking
UK GDPR applies regardless of your size; enforcement focuses on risk and harm, not turnover. Focus on proportionate controls, document decisions, and train volunteers/trustees.
For more information on data sharing, use the Scottish Information Sharing Toolkit model where appropriate: IS-Toolkit-Introduction-21-05-2019-5.pdf
Data Breaches: What Counts & What Groups Must Do
A data breach isn’t just hacking. It includes emailing personal data to the wrong person, losing a paper file, or a stolen laptop with unencrypted data.
Do we have to tell the ICO?
If the breach is likely to result in a risk to people’s rights and freedoms, you must report it within 72 hours of becoming aware. If it’s likely high risk, you must also tell the individuals. Always keep a breach log, even when you don’t notify.
72‑hour responders’ checklist
Start the timer and begin a log immediately.
Establish the facts — what data, how many people, what happened, when.
Contain and remediate — recover data, reset passwords, wipe devices if you can.
Assess risk — can the data be misused? Is harm likely? Decide on ICO/individual notification.
Learn & prevent — update training, tighten access, improve processes.
For more information, see the ICO’s guidance.
Policies: What Every Third Sector Organisation Should Have
Policies don’t need to be long to be useful. Aim for clear, short, living documents you’ll actually use.
The essential bundle
Data Protection Policy — states roles, principles, and governance. OSCR’s own policy is a useful model of scope and contents. https://www.oscr.org.uk/media/4184/2018-11-13-oscr-data-protection-policy-website-version.pdf
Privacy Notice(s) — public‑facing information about how you use data. Data protection: The UK's data protection legislation - GOV.UK
Information Sharing Agreement(s) — where you work with partners; follow the ICO Data Sharing Code and Scottish models. Model records management plan guidance - National Records of Scotland (NRS)
Retention Schedule — who keeps what, for how long, and disposal steps. Retention | ICO
Breach Response Plan — roles, thresholds, the ICO 72‑hour process, and comms templates. Personal data breaches: a guide | ICO
Appropriate Policy Document — if you rely on certain Schedule 1 conditions for special category data (common in wellbeing/health contexts). Information assurance and data protection: appropriate policy document - gov.scot
Governance that works in practice
Put data protection on trustee/board agendas at least twice a year (risk, training, audits).
Train staff/volunteers annually; build cyber basics into induction.
For projects using special category data or new tech, insist on a DPIA before launch. Special category data | ICO
Getting the Basics Right: A Practical Data Protection Checklist
You don’t need to be a lawyer to get data protection right. Start with these essentials and you’ll satisfy most funders, auditors, and stakeholders.
Know what you hold (Data Map)
List the personal data you collect, where it’s stored (paper/cloud), who has access, and why you need it. This underpins your lawful bases, DPIAs, retention, and security decisions.
Choose the lawful basis for each activity
For sign‑ups and service delivery, contract or legitimate interests may fit; for safeguarding and emergencies, vital interests or legal obligation may apply; for genuine choice (e.g., optional newsletters), consent works — record it and allow withdrawal.
Write and publish a privacy notice
Explain what you collect, why, the lawful basis, who you share it with, how long you keep it, and people’s rights. Keep it short and readable; put it on your website and in welcome packs.
Secure the data (right‑sized measures)
Passwords, MFA on cloud tools, access limits, encrypted devices, lockable cabinets, and basic cyber hygiene. The UK GDPR requires “appropriate” measures — the ICO security outcomes are a good yardstick.
Plan for breaches
Have a one‑page playbook: how you’ll assess risk, who decides, how to contact the ICO within 72 hours if required, and how you’ll notify people where there’s high risk. Keep a breach log.
Retention schedules
Document how long you keep each category (e.g., volunteer records, case notes, safeguarding reports) and what you do at end‑of‑life (delete or anonymise). Review annually.
Special category data & DPIAs
If you process health or other sensitive data, pick both a lawful basis and an Article 9 condition, prepare an Appropriate Policy Document where applicable, and complete a DPIA.
For more information visit ICO Guide for organisations (UK GDPR hub). UK GDPR guidance and resources | ICO
What the Data Use and Access Act 2025 (DUAA) Means for Third Sector Groups
The Data Use and Access Act 2025 (DUAA) is a new UK law that updates existing rules about how organisations use and manage digital information. It doesn’t replace the current data protection laws (UK GDPR, Data Protection Act 2018, or PECR), but it does make some important changes that may help your organisation work more efficiently and with more confidence.
The Act updates parts of existing data protection laws to encourage innovation, reduce unnecessary administrative burdens for organisations, and still protect people’s rights. For most groups, this isn’t about taking on lots of new obligations; instead, it opens up new opportunities to work more efficiently and approach data in a more flexible, modern way.
The Act makes it clearer when you can use personal data for things like:
scientific or social research (including community‑based research),
using “broad consent” for research activities, and
using data for research without always needing to send individual privacy notices—so long as you publish the information publicly, such as on your website.
It also allows some automated decision‑making using more legal bases than before (except for sensitive data), giving organisations more flexibility.
The DUAA introduces several changes designed to make everyday work simpler:
Recognised legitimate interests – for things like public safety, you won’t need to run a balancing test each time you use data. A balancing test is a way for an organisation to check whether (1) its reason for using someone’s personal data (its “legitimate interest”) is strong enough to outweigh (2) the individual’s rights, freedoms, and expectations.
Sharing data with public bodies – if the police or another public organisation needs information, they decide if they need it; you won’t have to assess this yourself.
Reuse of personal data – some types of reuse (like archiving in the public interest) will automatically be considered compatible with the reason you originally collected the data.
“Soft opt‑in” for charities – Previously, under the Privacy and Electronic Communications Regulations (PECR), only commercial organisations could rely on soft opt‑in for email marketing, meaning charities needed explicit consent before contacting supporters. The DUAA changes this by allowing charities to email people who have donated, attended an event, or otherwise shown interest—so long as they were given the option to opt out at the time and can easily unsubscribe from future messages.
Subject Access Requests (SARs) – you only need to carry out reasonable and proportionate searches.
Overall, the law is written more clearly, which should make it easier for voluntary organisations to follow. There are, however, new responsibilities:
Services likely to be used by children
If you provide online services children might access, you must take their needs into account. Most organisations already meet this requirement by following the ICO’s Age Appropriate Design Code.
Handling data protection complaints
All organisations must: make it easy for people to submit complaints (e.g., an online form), acknowledge complaints within 30 days, and respond without undue delay.
For more information visit the ICO’s guidance: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-duaa-summary-of-the-changes/
and the GOV.UK Data Use and Access Act factsheets: https://www.gov.uk/government/publications/data-use-and-access-act-2025-factsheets
Overview of the ICO (Information Commissioner’s Office)
The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection, privacy rights, and freedom of information. It oversees how personal information is used by organisations across all sectors — public, private, and third sector.
The ICO’s core mission is to “uphold information rights in the public interest, promote openness by public bodies, and data privacy for individuals.”
This covers:
Ensuring organisations manage personal data lawfully and transparently
Supporting the public to understand and exercise their data rights
Supporting openness, including FOI and EIR requests
The ICO oversees and enforces several major UK laws, including:
UK GDPR and Data Protection Act 2018
Freedom of Information Act 2000 (FOI)
Privacy and Electronic Communications Regulations (PECR) — nuisance calls, email marketing, tracking technologies
Environmental Information Regulations (EIR)
Their enforcement powers include:
Conducting audits
Investigating data breaches
Issuing warnings and reprimands
Issuing enforcement notices
Imposing fines (sometimes multi‑million pounds)
The ICO provides extensive support and practical guidance for charities, community groups, sole traders, public bodies, and businesses. The website includes:
Step‑by‑step UK GDPR guidance
Templates
Advice for small organisations
Security and cyber guidance
Tools for Data Subject Access Requests (DSARs)
Registration and fee payments
This makes the ICO an important resource for the third sector because it:
Provides free, practical guidance tailored for small organisations
Helps organisations understand what compliance looks like at a realistic scale
Supports safe handling of volunteer, service‑user, and donor data
Provides decision‑making frameworks around sensitive data, data sharing, DPIAs, and consent mechanisms
For more information about the ICO visit Information Commissioner's Office
Local Support
If you would like support in understanding or navigating your group’s data protection responsibilities, you can contact SLCVO’s team. With over 25 years of experience working in the third sector in Skye and Lochalsh, we understand the unique challenges that rural organisations face and can help translate legislation and guidance into practical, local solutions. info@slcvo.org.uk