A website or social media account is an essential channel for the promotion of your organisation’s aims and activities.
Whatever the aims, if you are sharing personal data online, you need to comply with data protection laws. This guidance takes you through the things you need to consider.
Are you posting ‘personal data’?
Personal data is defined in data protection law as “information relating to an identified or identifiable living natural person.” Beyond obvious identifiers such as a name or contact details, you may hold other information that could identify an individual on its own or in combination with other data. Some examples would be:
- Photographic image
- Biographic information (date and place of birth, school or occupation)
- Postal / Email address
- Car registration
- Bank / Credit Card details
- Passport or Driving Licence
- Completed membership form
- Record of donations
If you are posting personal data online you are, in data protection terms, ‘processing personal data.’ ‘Processing’ covers any activity you carry out on personal data, from collection through storage, use and analysis to deletion.
Are you a ‘data controller’?
If your organisation decides why and how personal data is processed, for example to manage staff, work with volunteers or support individuals, then it is a ‘data controller’ under data protection law, with a range of defined legal responsibilities.
A data controller:
- decides what personal data they are collecting (e.g. name, email address or bank details and home address)
- decides what purposes they are going to use the personal data for (e.g. keeping supporters updated with regular newsletters or paying staff salaries)
- is responsible for managing the personal data in compliance with the law (e.g. keeping it secure, publishing a privacy notice)
In most cases you will need to register with the Information Commissioner’s Office (ICO) and pay the data protection fee. You can check whether this applies to you using the self-assessment on the ICO website: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
Are you posting ‘special category’ or ‘criminal convictions’ data?
Certain types of personal data are considered more sensitive and carry greater risk. If you are posting data about individuals relating to any of the following areas, defined in law as ‘special category data’, then extra consideration is required.
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- data concerning health
- data concerning a person’s sex life or sexual orientation
- genetic data or biometric data
Data relating to criminal convictions and offences is treated separately but attracts similar extra requirements. We look at both special category and criminal convictions data later in this guidance.
What is our legal basis for processing personal data?
If you are processing any personal data, you need a lawful reason for doing so. In data protection law there are six legal bases for processing:
- The individual has consented to the processing
- The processing is necessary for a contract to which the individual is a party
- Your organisation has a legal obligation to process the data, perhaps under charity law or the National Heritage Act 1983
- Your organisation needs to process data to protect the vital interests of an individual
- Your organisation is a public authority and needs to process the data to carry out a task or exercise powers set out in law (the ‘public task’ basis)
- Your organisation has a legitimate interest in processing the data, balanced against the rights and freedoms of the individual
What are the most appropriate legal bases for posting information online?
Legal obligation or public task
There may be certain information about trustees or senior staff in your organisation that needs to be added to a website or published in an annual report. Depending on the nature of your heritage or charitable organisation, this is likely to fall under ‘legal obligation’ or ‘public task’ as the legal basis.
Consent
If your reason for posting data online is that an individual has said “yes, you can post this online,” then you are using consent as your legal basis. There are, however, several conditions that must be met for the consent to be valid.
The ICO states that “genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.” In order to make that consent valid, it needs to be:
- a clear affirmative action: an “opt-in” rather than an “opt-out” (pre-ticked boxes or silence do not count)
- fully informed: people need to know what they are opting into, who will be holding their data and how it will be used
- freely given: there should be no power imbalance or implied pressure to give consent, and it should be as easy to withdraw as it was to give
- recorded: the organisation should keep a record of who consented, when, and to what
Legitimate interests
For some online posts, ‘legitimate interests’ may be the correct legal basis. If you are taking group photos of an event or a wide shot of a busy museum to publish online, obtaining consent from everyone pictured will not be practical. The legitimate interests of your organisation, such as promoting its collections or encouraging donations, always need to be balanced against the rights and freedoms of the individuals, and you should record that balancing exercise. The less privacy intrusive the photo or video, the more the balance favours the legitimate interest; a recognisable close-up of one person is far harder to justify on this basis than a crowd scene.
What about ‘special category’ or criminal convictions data?
We have seen that certain types of data are defined in data protection law as high risk. In many cases you will not be considering posting this information online. If, in exceptional circumstances, you need to, you will require an additional condition for processing on top of your legal basis. In some cases the data may have been manifestly made public by the data subject, such as a politician with well known views and allegiances, or a campaigner for prison reform who spent time in prison and commonly draws on that experience. For most organisations, however, the condition most likely to apply to special category or criminal convictions data is explicit consent.
The threshold for consent is already high in any context, but for this data the ICO requires ‘explicit consent’: it must be confirmed in a clear statement (rather than inferred from an action), it must specify the nature of the special category or criminal convictions data being processed, and it must be sought separately from any other consents you are asking for.
Are we only using the data for its agreed purpose?
Data collected for an online post should only be used for the purpose that was agreed. If you are planning to re-use or re-post the data, you must tell the individual this at the point of collection.
If you are reusing their data to post other information online and individuals are not aware of this, you may need to contact them for the following:
- if consent was your legal basis, re-obtain their consent,
- if public task, legal obligation or legitimate interests was your legal basis, notify them of what you are intending to do, for example through an updated privacy notice.
Is the data we are collecting relevant to the purpose?
Posting data online needs careful consideration and you should avoid posting more than is necessary for the purpose, since every extra detail increases the impact on the individual’s privacy. If you are taking a photo of a participant or volunteer for online publication, for example, avoid a background that shows the individual’s home or other family members.
Is the data accurate?
If your organisation is posting personal information online there is an obligation to ensure it is accurate and, where necessary, kept up to date. The impact of inaccurate posts can range from simple annoyance to demonstrable damage and distress. Any inaccuracies should be rectified as soon as possible once you become aware of them.
How long do I keep the information posted online?
A social media or website post containing personal information does not need to remain publicly available forever. You may wish to limit the amount of personal data held on your website or periodically tidy your social media posts. Some information has a legal retention period, such as the annual report or accounts, or may be kept permanently, such as an entry in a collection catalogue. For other data, such as promotional posts containing personal data, you should decide on a reasonable period after which it will be removed from your site or feed, and record that period in your privacy notice.
Example – storage limitation
The National Museum of Dance website displays accounts and photos only from events held in the past two years. All pages are periodically reviewed and older posts are deleted. This retention approach is stated in its privacy notice.
How do I keep the data secure?
When managing personal information on your website or social media feed you must ensure that the data is kept secure. Websites should have appropriate technical protections, such as firewalls, regular penetration testing and promptly applied software updates. Organisational social media accounts should use strong, unique passwords, with multi-factor authentication enabled where the platform offers it, and posting access should be limited to the staff who need it, with access removed when they leave. Staff who access personal data and post it online should be trained in data protection and IT security principles. Further guidance from the ICO can be found at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/
How do I demonstrate we are compliant?
If there is a complaint or a data breach and the ICO decides to investigate, you need to be able to document your legal basis and the decisions you made about the personal data, such as your consent records and any legitimate interests balancing exercise. See the ICO accountability framework at https://ico.org.uk/for-organisations/accountability-framework/ for further information.
How do I let people know how we process their data?
Organisations are required to be transparent about how they process the personal data they collect. This is most commonly achieved by publishing a privacy notice. A privacy notice explains who the ‘data controller’ is, what data is collected and for what purpose, what the legal basis is, how long the data is kept, who it might be shared with, and how to contact you to find out more or exercise your rights. Your organisation may find it easier to separate the notice into categories, such as staff, volunteers, or individuals featured in online posts and publications. You can find further ICO guidance at the following link: https://ico.org.uk/for-organisations/accountability-framework/transparency/
How do I ensure I respect the rights of individuals?
Individuals have a number of rights under data protection law to find out about, and have control over, how their personal data is processed. These rights have particular relevance for personal information posted online, and your organisation needs to be able to recognise a rights request, however it arrives (email, social media message or in person), and act on it, in most cases, within one calendar month. The key rights for information posted online are:
- Right of access (or “Subject Access Request,” “SAR” or “DSAR”)
- Right to rectification
- Right to erasure (or “right to be forgotten”)
- Right to object
For further information, see the ICO’s website at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
This guidance is a summary and based on the full texts of the UK GDPR and the Data Protection Act 2018. The Information Commissioner’s Office website www.ico.org.uk contains extensive guidance on all aspects of data protection law.
Please attribute as: "Is the content I’m sharing online data protection compliant? (2022) by Dr Kit Good, Naomi Korn Associates, supported by The National Lottery Heritage Fund, licensed under CC BY 4.0"