GDPR Top Tips – dos and don’ts

Presentation transcript:

Slide 1: GDPR Top Tips – dos and don’ts
Today’s trainer: Insert your name here!
Trainer instruction: Talk through the content below. These GDPR top tips have been created for trainers to use as appropriate, so please select the slides relevant to the training you are doing. Trainers may wish to use them along with another GDPR activity, such as the activity in Creating a Net Oo Protection Activity Plan GDPR 001, or within a training they are delivering, such as 1st Response or A Safe Space.

Slide 2: GDPR – Top tips
1. Use official Girlguiding forms and add data to the membership system (GO) as soon as you can.
2. Always keep member information up to date.
3. Only use personal data to support guiding activities.
4. Only download or print personal information when absolutely necessary, using the minimum amount of information required.
5. Destroy/delete personal data as soon as you have finished with it.
6. Keep downloaded data on a device that is password protected.
Trainer instruction: Talk through the content below.
1. Use official Girlguiding forms and add data to the membership system (GO) as soon as you can. (Note: you can still accept care forms from parents/carers if they have these already.)
2. Always keep member information up to date.
3. Only use personal information to support guiding activities.
4. Only download or print personal information when absolutely necessary, and use the minimum amount of information required.
5. Destroy/delete personal information as soon as you have finished with it.
6. Keep downloaded information on a device that is password protected.

Slide 3: GDPR – Top tips
7. Keep printed information in a secure place.
8. Don’t share personal data unless you have consent.
9. Follow Girlguiding’s rules for keeping and sharing data safely.
10. If you lose any personal data or share it by mistake, report it to Girlguiding HQ straight away.
For more guidance, see the GDPR webpages at www.girlguiding.org.uk. For help, or to report lost data, call Data Protection on 020 7834 6242 extension 3060.
Trainer instruction: Talk through the content below.
7. Keep printed information in a secure place, for example zipped up in your bag out of sight, or in a cupboard at home.
8. Do not share personal information unless you have the person’s consent. If needed, use the consent form to gather consent.
9. Follow Girlguiding’s rules for keeping and sharing information safely.
10. If you lose any personal information, or share it by mistake, report it to Girlguiding HQ straight away. If in doubt, report it.

Slide 4: GDPR top tips – Collecting and sharing data via email
• Always explain who you are and why you’re collecting the information.
• Collect and record only what you need for your purpose.
• Make sure the information is accurate.
• Keep personal information in a secure place.
• Where possible, transfer the information into GO as soon as you can.
Trainer instruction: Talk through the content below.

Slide 5: GDPR top tips – Collecting and sharing data via email
• GO information should be sent via an encrypted zip file using 256-bit AES encryption.
• Never use a shared email account to collect data.
• If sending email messages that include fundraising or marketing content, ensure you have opt-in consent to do this.
• If sending emails, use the BCC field so individual email addresses are not shared.
Trainer instruction: Talk through the content below. If you need to send GO information by email, you need to do so in a secure way using an encrypted zip file (256-bit AES encryption). When sharing the password to open the document, send it through a different channel (for example, SMS or phone). Never use a shared email account. If sending email messages for guiding purposes which include fundraising or marketing content (marketing refers to things like promotion of discounts or non-essential guiding events), make sure you have opt-in consent to do this. For more information on this, please see the GDPR webpages on the Girlguiding website. If sending emails for Girlguiding purposes, use the BCC field so that individual email addresses are not shared.
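A pre-send check for the three email rules on this slide (recipients in BCC, an AES-256 encrypted zip, password sent by another channel), written as an added example and not Girlguiding's own tooling. It verifies the attachment by reading the zip's local file header and WinZip AES extra field rather than by decrypting it; the message, the addresses and the zip bytes are constructed for the demonstration.

```python
"""Pre-send checks for an email carrying GO membership data, per the slide:
recipients in BCC, an AES-256 encrypted zip, password sent another way.
Added example, not Girlguiding's tooling; the message, addresses and zip
bytes are constructed here for demonstration."""
import struct
from email.message import EmailMessage

# Zip local file header (PKWARE APPNOTE 4.3.7): sig, version, flags, method,
# time, date, crc32, comp size, uncomp size, name length, extra length.
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")
WINZIP_AES_EXTRA_ID = 0x9901   # WinZip AE-x extra field id
AES_METHOD = 99                # compression method marking an AES entry
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def attachment_encryption(zip_bytes):
    """Classify a zip's first entry from its header alone: 'none',
    'zipcrypto' (legacy, weak), 'aes-128/192/256', 'unknown' or 'not-a-zip'."""
    if len(zip_bytes) < LOCAL_HEADER.size or zip_bytes[:4] != b"PK\x03\x04":
        return "not-a-zip"
    f = LOCAL_HEADER.unpack_from(zip_bytes)
    flags, method, name_len, extra_len = f[2], f[3], f[9], f[10]
    if not flags & 0x1:                       # bit 0: entry is encrypted
        return "none"
    if method != AES_METHOD:
        return "zipcrypto"
    start = LOCAL_HEADER.size + name_len
    extra, pos = zip_bytes[start:start + extra_len], 0
    while pos + 4 <= len(extra):              # walk id(2) size(2) data blocks
        field_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if field_id == WINZIP_AES_EXTRA_ID and len(data) >= 7:
            return AES_STRENGTH.get(data[4], "unknown")   # byte 4: strength
        pos += 4 + size
    return "unknown"


def check_outgoing(msg, zip_password):
    """Return the list of policy problems; empty means the draft can go."""
    problems = []
    visible = [a for h in ("To", "Cc") for a in (msg.get(h) or "").split(",") if a.strip()]
    if len(visible) > 1:
        problems.append("%d addresses visible in To/Cc: use Bcc" % len(visible))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and zip_password in body.get_content():
        problems.append("zip password is in the email body: send it by SMS or phone")
    for part in msg.iter_attachments():
        enc = attachment_encryption(part.get_payload(decode=True))
        if enc != "aes-256":
            problems.append("%s: encryption is %s, need aes-256" % (part.get_filename(), enc))
    return problems


def constructed_zip(flags, method, strength=None):
    """Local file header of a one-entry zip (constructed test input; the entry
    data is omitted because only the header is inspected)."""
    name, extra = b"go-export.csv", b""
    if strength is not None:   # AE-2 extra field: version, "AE", strength, real method
        extra = struct.pack("<HHH2sBH", WINZIP_AES_EXTRA_ID, 7, 2, b"AE", strength, 8)
    header = LOCAL_HEADER.pack(0x04034B50, 51, flags, method, 0, 0, 0, 0, 0, len(name), len(extra))
    return header + name + extra


def build_message(zip_bytes, recipients, use_bcc=True):
    """Draft the email as a leader would (constructed addresses)."""
    msg = EmailMessage()
    msg["Bcc" if use_bcc else "To"] = ", ".join(recipients)
    msg.set_content("GO export attached. The password will follow by text message.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="go-export.zip")
    return msg
```

`check_outgoing(build_message(constructed_zip(1, AES_METHOD, 3), [...]), "pw")` returns an empty list for a compliant draft; a draft with addresses in To and an unencrypted zip gets one problem for each.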

Slide 6: GDPR top tips – Collecting and sharing data via phone
• Find a private place to talk.
• Explain who you are and why you’re collecting data.
• Only ask for, and record, data you need.
• Make sure information is accurate.
• Keep personal information securely.
• Transfer data into GO as soon as you can.
• Securely destroy data once in GO.
Trainer instruction: Talk through the content below. Make sure no one can overhear you on the phone. Always explain who you are and why you’re collecting the information. Only ask for and record the information you really need. Make sure you’ve collected information accurately. Keep any personal information you collect in a secure place. Where possible, transfer the information into GO as soon as you can. Securely destroy information once transferred to GO.

Slide 7: GDPR top tips – Collecting and sharing data via forms
• Always use up-to-date official Girlguiding forms.
• Keep completed forms securely.
• Transfer information into GO as soon as you can.
• When the form is no longer needed, destroy it securely.
• Copies of official forms and further guidance are on the Girlguiding website.
Trainer instruction: Talk through the content below.
• These include new starter, activity consent and health information forms. Always use the official forms on the Girlguiding website, as these are designed to comply with the law. Note: you may still accept ‘care plans’ from parents/carers who already have these to share.
• Keep completed forms in a secure place.
• Where possible, transfer the information on the form into GO as soon as you can.
• When the form is no longer needed, destroy it (shred it, or tear it up so it can’t be put back together).
• Copies of official forms and further guidance on using them are on the membership section of the Girlguiding website.

Slide 8: GDPR top tips – Printing and downloading data
• Don’t include more personal data than needed.
• Keep printouts and electronic devices in a secure place.
• Password protect electronic devices.
• Encrypt electronic documents containing personal data.
• Avoid downloading data onto shared/work PCs or public PCs (in a library, say).
• Delete/destroy information once no longer needed.
• Don’t use old lists, which may be out of date.
Trainer instruction: Talk through the content below. Sometimes you may need to download or print out personal information (for example, for an activity or trip). Only print or download information you absolutely need and, before you do, think carefully about how you can reduce the risks of losing personal data or sharing it with people you shouldn’t.
• If you have to print or download data, don’t include more personal details than you need. (For example, for an emergency contact list, just use first names and contact numbers.)
• Keep printouts and electronic devices in a secure place and don’t carry them around if you don’t need to.
• Make sure all electronic devices are password protected. Encrypt electronic documents containing personal data.
• Avoid downloading data onto shared computers or work computers, as other people could access the information.
• Delete/destroy the information once you have finished using it, and don’t use old lists as they quickly become out of date.

Slide 9: GDPR top tips – Collecting and sharing data via post
• When sending personal data, don’t use the ordinary post; use ‘signed for’ delivery.
• If you need to send special category data (for example, health information) or personal data for more than ten people, use a ‘tracked and signed for’ service.
• If sending special category or personal data for 100+ people, contact the Data Protection team to discuss.
Trainer instruction: Talk through the content below. When sending personal information, don’t use the ordinary post; use ‘signed for’ delivery. If you need to send special category data (for example, health information) or personal information for more than ten people, this needs to be more secure: use a ‘tracked and signed for’ service. If sending special category or personal data for 100+ people, contact the Data Protection team to discuss this by emailing them at dataprotection@girlguiding.org.uk. Note: costs associated with this can be considered legitimate costs.

Slide 10: GDPR top tips – Using multi-media data (video/photo/audio)
• Don’t photograph or video anyone who has not given permission (consent).
• Only use content collected for the purpose you stated when gathering consent.
• Record where you have used photos, so if someone retracts their consent you can easily delete them.
• Delete photos/video/audio and any back-ups when you’ve finished with them.
Trainer instruction: Talk through the content below. Photos and video are personal information too. That’s why we ask for permission to capture and use media content such as photographs or video of members/volunteers. We do this through such things as the new starter form. Don’t photograph or video anyone who has not given permission (consent). Only use content collected for the purpose you stated when gathering consent. Know where you have used a photo, so you can easily delete it if consent is withdrawn. Remember to delete photos/video/audio and any back-ups when you’ve finished with them.

Slide 11: GDPR top tips – Using social media
• Ensure consent is in place before posting on social media.
• Don’t accidentally share data with others.
• Remove members who have left groups.
• Ensure groups are ‘interest/closed’ and not public.
• Delete the data as soon as you can, or when out of date.
• Ensure social media platforms have more than one administrator.
• Contact members under 14 via their parents/carers.
Trainer instruction: Talk through the content below. Make sure you have the necessary levels of consent before posting on social media. Make sure you don’t accidentally share data with others. Remove members who have left. Ensure groups are ‘interest/closed’ and not public. Use of ‘secret’ groups is allowed. Delete the data from your social media account when you’ve finished with it or it becomes out of date. Make sure any social media platforms in use have more than one administrator to manage content. Note: if you want to contact members under the age of 14, this must be done via their parents/carers.

Slide 12: GDPR top tips – Stop and think before sharing
Trainer instruction: Talk through the content below. Data protection legislation doesn’t mean you can’t share personal information, but you have to do it in the right way. The following guidelines will help you share information within the law:
• Remember to only share personal information when it is needed to administer a member’s participation in guiding activities. For example, you can share personal data when you book a young member on an activity or trip, or share personal details when a member is moving section or relocating. If you need to share data for a different reason, you must get the person’s consent.
OR
• You can share personal information in an emergency situation without consent if there is a legitimate reason, for example sharing health information with the emergency services in the event of an accident. However, you can’t share the same health information with a girl’s family member unless that person is recorded on GO as a named primary contact.

Slide 13: GDPR top tips – Retention of data
• Keep data only for as long as it is needed.
• Be aware of the set retention times for data in Girlguiding.
• Ensure data is securely and comprehensively destroyed.
Trainer instruction: Talk through the content below. Personal data should only be kept for as long as it is needed. Be aware of the retention times for data in Girlguiding and follow them. Some data may be needed for much longer (for example, safeguarding and financial data). Ensure data is securely and comprehensively destroyed in all formats (for example, in any places it has been electronically backed up).

Slide 14: GDPR top tips – Data breaches
• Work to minimise the chance of breaches happening.
• Identify a breach and report it as soon as possible. (It must be within 48 hours.)
• Contact the Data Protection team at Girlguiding HQ: dataprotection@girlguiding.org.uk, 020 7834 6242, extension 3060.
• If you’re unsure if something is a breach – report it.
Trainer instruction: Talk through the content below. Explain that breaches can lead to personal data being used maliciously and therefore could create big issues. We want as much as possible to follow good practice and minimise the likelihood of any breaches taking place. Explain that the key message from this is to identify a breach and report it (as soon as possible, but no longer than 48 hours after the breach). If unsure whether something is a breach, you need to err on the side of caution and report it as soon as possible to the data protection officer at Girlguiding HQ by email or phone. They will tell you if there is anything else you need to do.

Slide 15: GDPR top tips – Safeguarding
When submitting notes on a disclosure:
• Scan notes, password protect and email safeguarding@girlguiding.org.uk, or
• Copy and securely post to Girlguiding HQ (with notification form).
• When HQ confirms receipt, securely destroy your copies.
Trainer instruction: Talk through the content below. The following guidelines should be adhered to: Scan (and password protect) or copy the notes. (If you cannot scan, try to scan through your CR office. If this is not possible, post the originals securely (for example, ‘signed for’) to Girlguiding HQ, along with a completed notification form.) Send the documents by email to safeguarding@girlguiding.org.uk. Girlguiding HQ will confirm receipt of the notes. Once you have confirmation, securely destroy the copies/electronic version you have. Note: Explain that ‘destroy’ means to shred or tear up, so that it won’t be possible to reassemble the information. This is a data security requirement, as well as preventing the retention of duplicated information.

Slide 16: GDPR top tips – Safeguarding
• If in doubt, don’t give out personal information.
• You have a duty to share personal data when it is in the public interest or for the purposes of detecting or preventing a crime.
• Know what to do if you are stepping down from a role in terms of handing over information.
Trainer instruction: Talk through the content below. If in doubt, don’t give out personal information. Do not share personal information with anyone who is not a named primary contact on GO. Do not give in to pressure and, if unsure, speak to a data protection officer at Girlguiding HQ. We at Girlguiding state in our Privacy notice (on the website): ‘We will share personal data when it is in the public’s interest to do so. A safeguarding investigation/case is a situation in which, if doing so has the purpose of protecting a child or vulnerable person, or is for the purposes of detecting or preventing a crime, Girlguiding can and will share personal data.’ Know what to do if you are stepping down from a role in terms of handing over information in regard to a safeguarding case. If the safeguarding case is still active, you will need to make sure that you provide all the necessary information to allow the new volunteer to carry on in the role/case. In other words, you should notify the Safeguarding, Complaints and Compliance teams of the change and agree the handover of information and notes. If the case is closed and there is a restriction on a member of the unit/region, etc., this information will need to be passed on to the new volunteer. If the case is closed and no action was taken or was necessary, the case details do not need to be passed on, as there is no purpose for sharing this information. However, we ask you not to destroy the material until you have checked with the Safeguarding team, in case they do not have a copy.

Slide 17: GDPR top tips – Events/trips
• Health and consent forms are to be securely destroyed.
• If an accident has occurred, make a copy of the accident/incident form and health form and send the originals to Girlguiding HQ.
• Securely destroy the copy once Girlguiding HQ has confirmed receipt of the form.
• Ensure no data remains at the venue or in transit.
• Securely destroy all other personal data not needed after an event.
Trainer instruction: Talk through the content below. Once the event/activity that the form was used for is over, it can then be securely destroyed. However, if someone had an accident, please send the form to insurancesupport@girlguiding.org.uk at Girlguiding HQ. Ensure you make a copy before sending it in, just in case we don't receive it. We'll then let you know when we receive it, so you can securely destroy the copy.

Slide 18: GDPR top tips – 1st Response
• If an accident has occurred, send the accident/incident form, the information and consent event/activity form, the health form and the risk assessment to Girlguiding HQ.
• Once sent to Girlguiding HQ, you do not need to keep copies locally at the unit.
• If a first aider from an external agency is supplying first aid, it is OK to share the injured individual’s personal health details.
Trainer instruction: Talk through the content below. Once the event/activity that the form was used for is over, it can then be securely destroyed. However, if someone had an accident, please send the form to insurancesupport@girlguiding.org.uk at Girlguiding HQ. It's always a good idea to take a copy before sending it in, just in case we don't receive it. We'll then let you know when we receive it, so you can securely destroy the copy. If a first aider from an external agency is supplying first aid, it is OK to share the injured individual’s personal health details, for example if they are allergic to a medicine, have diabetes, etc.

Slide 19: GDPR top tips – For commissioners
• Commissioners are vital for getting these important messages to units.
• Commissioners are likely to be seen as a key person to go to for initial advice.
• Commissioners may be asked to follow up on a query or a request that has been sent to a unit.
• Commissioners may need to help a unit make changes to their internal processes to keep data safe.
Trainer instruction: Talk through the content below.

Slide 20: If in doubt…
Contact the Data Protection team at Girlguiding HQ: dataprotection@girlguiding.org.uk, 020 7834 6242, extension 3060.