Keeping and Using Personal Data

Personal Data 

Personal data is any information about individual, identifiable, living people. It includes things like names, addresses, phone numbers, email addresses.

Your community group will typically be handling personal data as part of volunteer and/or staff records, membership lists, mailing lists or lists of donors. You may be gathering and storing this data on a spreadsheet or database on a computer or as a paper filing system.

The protection of personal data is regulated under the Data Protection Act 1998. With this legislation, people have a right to prevent you from processing information about them.

If your community group or organisation processes personal data, your group’s committee (board) is responsible for ensuring that you comply with the Data Protection Act 1998.  

Sensitive Personal Data

Sensitive Personal Data is information about a person’s physical or mental health, political opinions, religious beliefs, racial or ethnic origins, sexual life or offences/alleged offences. 

The Data Protection Act 1998 includes special regulations governing the use of sensitive personal data.

Processing Personal Data

The definition of ‘processing’ in the context of personal data refers to the gathering, exchanging, storage or handling of information, whether on computer databases or paper. If your group processes personal data they are defined under the Data Protection Act 1998 as a ‘data controller’.

Under Data Protection legislation individuals have a right to prevent you from processing information about them, especially for direct marketing.  Unless they are exempt, every organisation processing personal data must notify the Information Commissioner. Failure to do so is a criminal offence.

Is my group exempt? 

Exemption from mandatory notification to the Information Commissioner extends to some community groups/organisations. Your group may be exempt if you only process personal data for the purpose of:-

  • establishing or maintaining a membership database
  • and/or providing or administering activities for existing, past or prospective members or people who have regular contact with the organisation

Although some 'data controllers' are exempt from notification, your group (its trustees or board of directors) will still need to comply with other aspects of the Data Protection Act including the eight Data Protection principles.

Other Community Toolkit Topics to look at:



Further sources of information

We are always interested in your views and experience of using the Community Toolkit. If you have any feedback or questions please complete our Feedback Form

The Community Toolkit is owned and maintained by Skye and Lochalsh CVO Conditions of Use
Last Updated 26/03/2013 08:40