This is a question that arose through a Facebook contact of one of our team that we thought was interesting:
“We all expect businesses to protect our personal information, so why is it that some community led groups who expect this, have started processing personal data themselves without giving due consideration to the same protection?”
This is actually a really good question.
Those with a little knowledge might believe that because this is being done by members of the public, that it's exempt from data protection law as there is a specific exemption for processing personal data in the context of our personal lives. This is so we don't all have to have formal policies and data privacy notices to keep our friends and families information for our own personal use.
When a community group forms, through Facebook or otherwise, they are effectively forming an "organisation" providing a function, be that a shoulder to cry on, support and advice, help with shopping or anything else. COVID-19 did see a vast number of people step up to help those in need, which must be applauded, but they must also realise that data protection law still applies to them.
We don't really know how many groups have been set up, you only need to read this article as one example to see how there could be thousands. Think about it;
- There are 49,000+ cities, towns and villages in the UK, and many cities or towns are split into districts (like Northampton has Duston, Hunsbury, Collingtree and many more).
- Even if we said only 1 in 100 towns, villages or districts have set up a group, that's still 4,900 new groups across the UK.
- If each group has an average of say 50 vulnerable people in each group, nearly a quarter of a million peoples details, not an insignificant number, and each group might have several people using or accessing that information without the controls around it that a business might have.
Why is this important? Well, the UK regulator has like us welcomed the efforts to help in the pandemic, but also stressed that the law does apply. This is not least because those with less honest intent, are taking advantage of this current COVID-19 pandemic to undertake scams, and prey on the fear and desperation of others. If someone knows you're collecting information about lovely old ladies living alone, with nice antiques and needing help, you make yourself a target. What stops them becoming a 'volunteer' and gaining access to a goldmine of information they can use after this is all finished! Be vigilant and suspicious of everyone!
What do you need to do?
We're not going to repeat what the ICO have already said and, Ian Hulme (Director for Regulatory Assurance at the ICO) wrote a really good blog about community groups and data protection, which you can read here.
We will however urge you to please reach out to us at email@example.com or by phone on 01604 807120 if you are at all uncertain about your legal obligations or simply keeping that information safe and secure. We are only happy to help in these difficult times and would rather help you ensure what you do is lawful, than see someone penalised for trying to do good!