The GDPR applies to both paper and electronically stored personal data and you must ensure that both are kept safe and secure at all times. When not in use, all personal data must be stored securely. Only volunteers in roles that are allowed to use personal data must be permitted access to it.
See Group Handbook A6: Handling data
- Paper based records
- Electronic records
- Keeping information in the Cloud
- Data breaches
- Reporting a data breach
Paper based records
Paper based personal data must be kept in a locked drawer, filing cabinet or cupboard at all times when it is not being used. Access to the key or combination lock must be limited only to volunteers in roles that are allowed to use MS Society personal data. You must not allow members of your family to access personal data you hold.
Avoid taking paper copies of personal data from your home. Where this is unavoidable (such as for events or meetings), you must keep them in your possession at all times. You must not view them where members of the public may be able to see them, and you must never leave them unattended on a train seat or in a car.
Purchasing storage
Providing the necessary equipment for your volunteers to keep data securely is an appropriate use of group funds. If your group doesn’t have a lockable drawer, filing cabinet or cupboard, your Coordinating Team should purchase one from a local stationer or website.
When a volunteer leaves, we expect them to return the personal data they hold and any items purchased by your group to store it.
- Find out more about your Coordinating Team
- Learn what to do When a volunteer leaves
Electronic records
Electronically stored personal data must be held in a password-protected file on a computer, laptop, tablet, phone or on an encrypted memory stick. All devices used to store or access personal data must require a password for access. Access to the device and password must be limited only to volunteers in roles that are allowed to use MS Society personal data.
- For guidance on password protection, see IT support
- Find out more about Your access to personal data
Keeping information in the Cloud
With the exception of MS Society email accounts and Office 365, you must not use cloud based storage (for example, Dropbox, Google Docs or Google Drive) to store personal information and data.
- See our guidance on Using MS Society email
Data breaches
A ‘data breach’ is any situation where personal data is made insecure. In some situations it will be obvious that personal information has been accessed in error, but this is not always the case.
A breach might be caused by:
- Clicking on unsafe links in emails that breach the security of your computer. This may then give access to your contact lists and may also allow stored data to be corrupted or damaged.
- Sending an email to a list of contacts using the ‘To’ field instead of the ‘Bcc’ field (thereby sharing everyone’s email addresses with everyone else, which they may not have consented to, or be happy with). Further unauthorised sharing can happen if that email is then forwarded.
- Leaving personal information in a public place, either in printed form or on a public or shared PC or smartphone.
- Verbally sharing personal information with someone who should not have access to it.
- A mistake in how an IT system is set up.
- Someone else breaking into or ‘hacking’ an IT system.
- Theft or loss of hardware that contained personal information.
This list may not include every possibility of a breach, so if you are unsure, you must speak to our Data Governance Team without delay.
Reporting a data breach
You must speak to our Data Governance Team to report any potential data breach immediately. We are required to inform the Information Commissioner’s Office of a breach within 72 hours of any volunteer or member of staff becoming aware of it.
- Get contact details for our Data Governance Team