Ten things volunteers should know about data privacy

1. Privacy intro – right to privacy

People have the right to expect their data to be treated carefully and confidentially, and not to be shared unnecessarily or indiscriminately. Think how you would like your data treated. Individuals have the right to be informed about the collection and use of their personal data – a key requirement under the General Data Protection Regulations (GDPR).

2. People have rights over their data
  • The right to be informed [about what data is held on them]

  • The right of access [to see what data is held]

  • The right to rectification [to have errors corrected]

  • The right to erasure [to ask for data to be deleted]

  • The right to restrict processing [to exclude particular purposes]

  • The right to data portability [in some instances, to transfer their data]

  • The right to object [to raise a complaint]

  • Rights in relation to automated decision making and profiling [the right to opt out of certain processes].

For more information, click here.

3. Know your organisation’s privacy policy

It is important to understand data protection legislation and how it applies to your volunteering. Your host organisation will have policies related to data and privacy and will issue guidance to volunteers. Make sure you treat data as confidential and follow any guidance issued.

4. Never ask for any information unless you need it to carry out your role

​Information should only be collected and/or shared if it is necessary for an activity to be carried out. Collecting or sharing unnecessary information goes against GDPR legislation. Treat information as being on a “need to know” basis.

5. Never record unnecessary information

If you are dealing with a service user, they might share all manner of personal information. This must not be recorded unless it is necessary for you and others to support the individual. If you consider an individual is sharing too much information, then talk to your host organisation.

6. Never record information except as allowed by your host organisation

Your host organisation will provide guidance on how information can be safely recorded and stored. Always be careful to follow this guidance and do not record any information outside the systems designated by your host organisation.


7. Never discuss your work or share information outside your organisation

During your volunteering, you may receive sensitive information about individuals and organisations, including your host organisation. This information should never be shared except as needed in the course of your volunteering role. Never share information outside your host organisation except as required by your volunteering – or to safeguard a vulnerable individual.

Some organisations may ask you to sign a “volunteer confidentiality agreement” setting out clear rules.


8. Always report any data breaches

Within their data protection policies, your host organisation will have its own procedures for reporting data breaches. You should use these procedures whenever you hear about a breach of data security – or a breach of data policy.


9. Never pry into people’s personal business

In some roles, such as befriending or emotional support, volunteers may learn a great deal about particular individuals. It may be important to listen and reflect back during a conversation. It will only be necessary to record details as instructed by your host organisation. Never ask questions that pry unnecessarily into people’s private lives. Think carefully about how you would like your own personal information to be treated.


10. Raising concerns about wellbeing or safeguarding

It is vital that you respect an individual’s privacy. You should treat any information given to you in strict confidence. Do not pass on personal information to anyone outside the organisation.

The exceptions to this rule are:

  • When an individual gives you their express consent to disclose information (for example, to make a referral to another service and/or to seek additional support)

  • Where, in order to support an individual, your host organisation needs to involve another agency because of concerns about safeguarding or wellbeing

  • If they give you information that leads you to believe that you, or someone else, is at serious and imminent risk of harm

  • Where the law requires you to break confidentiality (this would be a serious crime such as terrorism and drug-trafficking, rather than misdemeanours)

Raise concerns directly within your host organisation and follow any policies or procedures shared with you.