
Data protection basics

All MS Society volunteers and staff must follow the General Data Protection Regulation (GDPR). The GDPR gives people broader rights, and places greater obligations on organisations that control or process personal data than the Data Protection Act (1998), which it replaces. Our obligations apply to personal data held in any form, both electronic and on paper.

See Group Handbook A6: Handling data

  1. Types of personal data
  2. Why data protection is important
  3. What is data processing?
  4. Rights of the individual
  5. Data Statements
  6. Your access to personal data
  7. Need support?

Types of personal data

‘Data’ or ‘personal information’ means a piece or pieces of information which can identify a living person. We hold personal data about our members, supporters, volunteers, staff, and people who use our services.

Examples of personal data include someone’s name, address and date of birth, as well as ‘special category’ personal data which is more sensitive, such as physical and mental health (for example, whether a person has multiple sclerosis), ethnic origin, religious and political beliefs, sexual orientation and trade union membership.


Why data protection is important

We are a ‘data controller’ and ‘processor’, and we have a Register of Processing Activities which documents the breadth of processing we do. We have one registration to cover the whole organisation, including all local processing activities.

Organisations that are data controllers are legally required to ensure that personal data is:

  • Fairly, transparently and lawfully processed
  • Processed only for specified purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and kept up to date
  • Not kept for longer than is necessary
  • Kept secure (both technically and procedurally)
  • Not transferred outside of the EU without adequate protection


What is data processing?

Data processing includes anything we do to, or with, personal information, such as filing, updating, copying, checking and sharing.

Data processing also covers simply storing data, even if nothing is done with it.


Rights of the individual

People have the right to:

  • Be provided with privacy information whenever data is collected, which tells them about that processing.
  • See what personal information an organisation holds about them, for what purpose, on what lawful basis, where it came from, who it will be shared with, and how long it is expected to be held for.
  • Have errors or inaccuracies in their personal information corrected.
  • Have excessive or irrelevant personal information deleted.
  • Be forgotten – that is, to have all data held about them deleted (in most cases).
  • Object to processing.
  • Not have solely automated decisions made about them based on their data.

Subject access requests

A ‘subject access request’ is when an individual contacts an organisation to find out what personal information is held about them. All subject access requests must be directed to our Data Governance Team.

You may be contacted by the Data Governance Team if they receive a subject access request. You must provide copies of the personal information held by your group about the individual who has made the request.


Data Statements

Whenever you collect personal data from an individual, you must give them a summary of how their personal information will be processed, and for what purposes.

We do this by including a Data Statement and a link to our full Privacy Notice in all forms we use to collect personal data. This information must be in the same font size as the main body of text.

  1. Find out more about Data Statements
  2. Go to our Privacy Notice


Your access to personal data

You may have access to personal data as part of your volunteer role. This could include any of the following:


You may be in a volunteer role that is authorised to request membership data to communicate with our members:


Your role may include maintaining the records we keep about other volunteers in your group:

Service users

You may be in a volunteer role that involves collecting personal data on an exercise class or property register, a minibus emergency contact list or grant application form:


You may collect personal data about our supporters on sponsorship forms or Gift Aid declaration forms, or deal with email communication from supporters:

Data protection for GDPR eLearning

We may ask you to complete our Data protection for GDPR eLearning as part of your role, even if you have completed previous data protection training.

  1. Find out who must complete Data protection for GDPR eLearning


Need support?

Our Data Governance Team is here to make sure we all meet our personal data, information handling and record keeping obligations. Contact us for help with any data compliance questions you may have.

  1. Get contact details for our Data Governance Team
