Obtaining Consent

It is likely that your group is processing personal data in some way. You may be gathering and storing the names, addresses, email addresses or phone numbers of your membership, volunteers and/or staff, for example. Your committee members have a legal duty to ensure that your group is complying with the requirements of the Data Protection Act 1998, which regulates the protection of personal data.

Under Data Protection legislation, your committee should first be clear as to why you need to process personal data. What are you going to use it for? For example, you might want to keep a membership list so that you can keep members informed of what you do. You may need to administer a membership subscription database. You may also want to keep contact details for volunteers or donors. If you have staff you will need to keep personnel records.  

Under Data Protection legislation, your committee has a legal duty to ensure that:-

  • the individuals (the data subjects) concerned are aware of what you intend to do with their personal data.
  • the individuals (the data subjects) concerned have given their consent for you to use/store their personal data for the purpose(s) stated.

Consent to use personal data must be specific, informed and freely given. Consent does not need to be in writing, although this is preferable. Verbal consent should be recorded at the time it is asked for and given.

If you are processing sensitive personal data, consent must be explicitly given – it cannot simply be implied.

Remember that an individual has the right to withdraw their consent at any time. Give them the opportunity to review and refresh their data and consent on a regular basis to ensure that your records are up to date and accurate.

Data Protection Statements

A Data Protection Statement will state clearly who your group is and why you are asking someone for their personal data. It should set out enough information for the individual to make an informed choice as to whether or not they give their permission or consent for their details to be used.

Your data protection statement can take the form of a short statement on your forms or letters, a standard paragraph in letters welcoming new members or a notice in your waiting room. If possible, it is a good idea to use the Information Commissioner's 'padlock' logo.

State clearly who you are and why you are asking for their personal details. If your group intends to share the personal data in any way, make that clear. Where relevant, offer the individual the chance to opt out of disclosure to third parties and/or direct marketing.

Website Data Protection Statements

If your group has a website, you should add an online Data Protection and Privacy Statement.

This should include:-

  • why you are asking for the personal data
  • who you are 
  • how long you will keep the personal data
  • where the data might be transferred to
  • what rights the individual has with respect to the data and how they can be exercised
  • how an individual can decline email advertising
  • who to contact for more information
  • what security is in place
  • whether anonymous browsing is possible
  • the policy on IP addresses and cookies. 

The Information Commissioner's Office (ICO) has published guidance for UK website owners, setting out specific examples of what cookie compliance looks like. You will find a link to the guidance at the bottom of this page.

Your online Data Protection Statement should be followed by an option for the individual to give their consent for you to use their personal data for the purpose you have stated.

This statement should be positioned prominently and linked to all pages that gather information. It should be reviewed and updated regularly, and complied with.


The Community Toolkit is owned and maintained by Skye and Lochalsh CVO.
Last Updated 26/03/2013 08:41