We use cookies to help us provide you with the best experience, improve and tailor our services, and carry out our marketing activities. For more information, including how to manage your cookie settings, see our privacy notice.


Skip to content. | Skip to navigation

Community-made content which you can improve Case study from our community

Data protection and digital technology

This page is free to all

Data protection and information sharing 

You must understand the current regulations under the General Data Protection Regulation (GDPR) on how your organisation manages data safely and securely. Your organisation must have a written policy and procedure in place to show how it meets the rules. This includes a policy for what happens when a data breach – someone getting hold of information they should not have had – occurs.

Your data protection policy should work with your safeguarding policy, making sure you keep the highest standards of confidentiality.

Lofton Bicycle Club provide refurbished bikes and road safety classes for adults with additional needs. In order to risk assess their activities they need information about their service users, including relevant medical conditions. This is explained on the form used to collect the data. Their data protection policy restricts access to this information to relevant staff only and sets out when the information should be deleted.  

You must make sure that staff and volunteers:

  • understand how to collect, store and share information, in line with GDPR
  • understand how to follow up a data breach using both your data protection policy and your safeguarding policy.
Lofton Bicycle Club is supported by a national network of instructors. Their policy and permissions shared data with those instructors in case they need to provide first aid. One day when she was helping someone up a hill, the instructor dropped the paper folder with all the notes in. Volunteers and participants all helped to gather them up. Participants were able to see each others details. The instructor reported the incident to both the club and the network. A formal apology was made to all the participants, and documented as a data breach by both the network and the club, but with low risk of harm (as all the papers were back in the instructors hands within five minutes). The national network updated their policies and their agreements with clubs, and developed a secure system for storing the first aid information online for leaders to use.

Your data protection policy can never be used to stop you reporting safeguarding concerns. If it is necessary to share relevant personal information when someone is at risk of harm or has been accused of causing harm you can still do. The GDPR says you may share information even without permission from the person for a number of reasons. Two of them are important.

  • If you are required to do so under the law
  • It is of vital interest in order to protect someone’s life 

Want to know more about how to comply with GDPR? Read NCVO’s 12-Point Plan on How to Comply with GDPR.

Want to understand the details of the legislation as it relates to children? The Information Commissioners Office (ICO) guide Children and the GDPR provides technical advice on the child-specific considerations of GDPR. 

Digital technology

It is likely your organisation relies on digital technology for day to day running. In order to carry out your safeguarding responsibilities, you must make sure that the digital technology you use is reliable, secure and fit for purpose.

Digital technology includes:

  • your website
  • social media accounts and posts
  • IT network and servers
  • hardware (laptops, iPads and PCs, photocopiers, printers)
  • software (programs and apps)
  • mobile phones.

Digital technology can be a great asset to effective safeguarding. However, you must manage the associated risks. For instance, you must assess the likelihood and impact of certain situations and plan for them. Here are some examples to consider.

  • Your server fails and you lose or cannot get access to information.
  • A staff member on outreach cannot be contacted due to unreliable mobile phone or network.
  • A laptop containing sensitive information is lost or stolen.
  • Inappropriate or bullying comments are posted by someone on your Facebook page.
  • A virus is downloaded onto your IT system which may compromise security.

 Steps you can take to prevent and reduce risks include:

  • sourcing reliable equipment and software that meets your organisation’s needs
  • keeping equipment and software maintained
  • having policies in place
  • training all staff and volunteers in policy and procedure so they understand the risks and what to do
  • regularly reviewing your digital technology and making sure you take into account accidents, incidents, near misses and complaints where digital technology is a factor.

This list shows policies covering risk areas and what needs to be included.

  • Data protection and document retention. Make it clear how and where information should be kept securely, how to use passwords, and what to do if information is lost or stolen. Restrict access to sensitive or confidential information.
  • Acceptable use policy for IT equipment. Set out how equipment should be used, what it may not be used for and consequences.
  • Lone and remote working. Cover how staff keep themselves and equipment/information safe. 
  • Social media policy. Make sure people know what is not acceptable. You should appoint moderators who can check content and report any breaches or risks. 
  • Back up systems, disaster recovery and continuity plans. Set out how you will back up information and manage operations in the event of an emergency

Want to learn more about how you can use digital technology effectively in your organisation? Then work through our digital technology pages.

BYTE IT is a community computer club. They have controls set up so that all users have individual login details and certain sites (eg online gambling) are blocked. One of their adult members realised this when they were trying to check their winnings for something and complained to one of the volunteers. The group leader held a discussion session which talked about online risk, the age range (six to 71) of the group and helped the group create an acceptable use policy and understand why keeping the controls was important given how young some members were.
Page last edited Sep 30, 2019

Help us to improve this page – give us feedback.