You are here

Sharing data with third parties — a data protection reminder

While running your group, you may need to share personal information about your group members and/or those who use your services. Any third-party providers handling this data must undertake to keep it safe.



  • If your group provides a service such as an exercise class, you must have a signed Service Level Agreement (SLA) in place with the service provider, whether this is an individual or an organisation. The SLA sets out the expectations of everyone involved. And this includes requiring the service provider to look after any personal data we share appropriately, in line with the UK GDPR.

  • If you regularly hire transport or a venue, the service provider must sign a Third-Party Data Protection Undertaking. This outlines our confidentiality and record-keeping requirements when handling personal data we’ve shared. You don’t need to use it for one-off taxi, restaurant or hotel bookings.

  • Back in July, we reminded you of the importance of checking with us before using any new software, online tools or apps which aren't provided or recommended by the MS Society. You can read more about this here. When data’s being processed electronically, it’s particularly important that data security checks are made.

A third-party software supplier may be based in a country which isn’t compliant with the UK GDPR. In this case, even where the provider passes our security checks, you’ll need to have a special type of contract in place with them before proceeding. But, wherever they’re based, appropriate paperwork will be required.

We’re here to advise

If you’re unsure whether you need to use an SLA or a Third-Party Data Protection Undertaking Form with a particular provider, contact the Volunteer Support Team on [email protected] .

If you’re considering using a software solution which hasn’t been provided or recommended by us, contact the Data Governance Team - [email protected] – before entering into any agreements. They’re a small team, so please give them as much notice as possible to carry out their investigations — preferably at least two weeks.

Thank you for helping ensure that our third-party providers keep the data entrusted to us safe.