We must all take responsibility for ensuring that all personal data we have access to is kept safe and secure, and only used for the purpose/s agreed by the individual. It is crucial that we handle it carefully according to the principles of the GDPR.
All personal data belongs to the person to whom it refers. They have a legal right to see what personal information is held about them.
You must not publish a person’s personal data anywhere unless you have their prior consent in writing for the publication you intend to make. If in doubt, contact our Data Governance Team for assistance.
You must be discreet with personal information at all times, and maintain confidentiality where necessary.
Anybody who stops volunteering with us must return all personal data owned by the MS Society to their Coordinating Team within seven days. This includes paper-based personal data and personal data held on a computer, laptop, tablet, phone or on an encrypted memory stick.
Failure to return personal data within this timescale is data theft and may result in the matter being reported to the Information Commissioner’s Office (ICO) and the Police.
- See our rules on Keeping personal data safe
Under the GDPR, there are specific rules for dealing with emails.
- Find out more about Using MS Society email
All email communications from volunteers should be made using your official MS Society email account when communicating on our behalf. We can’t vouch for the security of other accounts.
When emailing more than one person, you must not disclose their email address to others receiving the email. Always use ‘blind carbon copy’ (bcc) when you send emails so that recipients can’t see each other’s email addresses.
When emailing members, you must use up-to-date membership data. A member can contact us at any time to change their email preferences. Ensure your email list is accurate by using the Portal to download membership data each time you need it, and delete this as soon as it has been used.
You must store written and digital communications securely and never share them with third parties. You can only share an email with another MS Society volunteer if you need their help to reply to it.
You must not use a person’s email address to communicate with them unless they have agreed to receive emails from us. If a non-member or local supporter emails your group, this does not mean you can use their email address to contact them about other matters.
You must offer people the option to opt out of receiving written and digital information from us. Your MS Society email automatic signature includes an unsubscribe option. When you receive an unsubscribe request from a member, you must update the Portal or inform our Supporter Care Team.
- Get contact details for our Supporter Care Team
The GDPR applies to images and stories (often called ‘case studies’) too, although there are some circumstances where it is not necessary to obtain consent for images.
Images and stories used in advertising, publicity, newsletters and websites
In cases where a person’s image or story is intended to be, or may be, used publicly, that person’s consent must be obtained in writing and kept on file until one year after the last use of the image or story. You must specify to the person how their image or story may be used.
When written consent is not needed
You do not need written consent when taking photographs of crowds or large groups at meetings or similar events. However, it is good practice to let those pictured know why photos are being taken, so that anyone who doesn’t want to be pictured can make themselves known.
If a person is seen close up, and can be easily identified, they must give written consent.
Our Data Governance Team is here to make sure we all meet our personal data, information handling and record keeping obligations. Contact us for help with any data compliance questions you may have.
- Get contact details for our Data Governance Team