
GDPR guidance for local groups

We simply wouldn't be able to reach as many people affected by diabetes without the support of our local groups. We want you to continue to raise awareness of diabetes with as many people as possible, but we must make sure we have a lawful basis to do so.

The EU General Data Protection Regulation (GDPR), a new law on data protection (the use of individuals’ personal data), comes into effect in the UK on 25 May 2018. All our staff, local groups and volunteers must work with GDPR and comply with these new regulations together.

We've produced guidance and tips for local support groups, to help you keep people's personal data secure, as well as get consent to store or share their information.

We recognise you’ll have some questions and we’ve produced this handy FAQ page to support you.

If you have a question that’s not listed, get in touch with your local volunteering team.

Complete online GDPR self-assessment form 


What can our group do now to comply with GDPR?

If you’re storing personal information about people locally, for example on a spreadsheet, database or in hard copy form, consider what you are collecting, how and where you are storing it and with whom you are sharing it. Here are some practical tips on how to look after personal information compliantly.

Special category data

Special category data is personal data which is more sensitive, such as diabetes type, medical information and ethnicity. As a volunteer you shouldn’t need to collect or store this kind of information, although you may come into contact with it as part of carrying out your role. Remember this information is highly personal and whilst it may be divulged in confidence as part of a conversation, you must not record, store or share it with anyone else.

Emailing

If your volunteer role involves communicating with people via email, always ensure that what you are sending is relevant to your role, and necessary for that person to read.

Relevant – the email only includes content specific to your volunteering role. Don't include anything else which isn't relevant to the topic you're discussing as part of your role.

Necessary – the email has a clear purpose and only includes content that will benefit the recipient.

Consider the information you share via email and remember that you shouldn’t share the personal data of other people unless you have their express consent. Sharing minutes of meetings is usually OK, and introducing people via email is permissible (if you have their consent). Sharing lists of names and email addresses is not allowed.

When sending emails to groups of people, using the Blind Carbon Copy (BCC) option is usually most appropriate as this prevents sharing of email addresses.

Collecting and storing data safely and securely

It is unlikely that as part of your role you will need to proactively collect personal data (e.g. names, email addresses, phone numbers etc.). If you do think you need to collect this information, please speak to your volunteer manager who will be able to support you in doing this safely and securely.

If someone gives you their details (for example to follow up on some information after a meeting or event), only use them for the specific purpose they’ve given them to you, and dispose of them safely and securely when you’re done.

Download our Keeping safe and legal - Data protection and confidentiality guide (PDF, 119KB)

Think about any data you currently hold and consider whether you still need to store this information. If not, dispose of it or delete it securely. Think about whether the individual concerned would expect that you still have this information. We shouldn’t hold on to personal information ‘just in case’.

Finally, remember that any personal information you hold must be stored securely (password protected if in electronic format, or locked away if in paper form).


What's coming next?

To understand how we can best support you as a local group, we’ll be asking you shortly for more details about how you manage data in your group. When we have this information, we’ll work with you to design some simple processes to manage data and consent, and we will introduce those later this year.

We’re in the process of finalising a new data collection form and consent statement which you’ll be able to use to collect personal data compliantly, and we are updating our privacy policy and systems too. We’ll give you guidance on how to use these appropriately and how to record data compliantly.

We’ve also started to roll out GDPR training across the organisation. We’ll be rolling out training to you later in the year when we’ve developed a process to help you manage data.


I have a concern

If at any point you’re unsure of what to do with data you have access to, please get in touch with your local volunteering team or contact who will be able to advise you accordingly. 

If you are concerned that you may have accidentally lost or shared information incorrectly, speak to your local volunteering team and email infogov@diabetes.org.uk immediately.
