The Information Commissioner’s Office has warned charities to ensure they have adequate policies for data sharing and retention after it carried out a study into the practices of some charities.
The report draws on findings from voluntary visits to five VSA members and the results of a survey completed by a further 27 members.
The report says that staff generally had good awareness of the requirement to keep data safe and were keen to do so, that personal data was anonymised by these organisations when producing statistics to share with funders, or for management information, and that office premises were generally physically secure.
But the report also makes a number of recommendations for improvement. It says formal agreements should be in place for the sharing of personal information, and VSA members should be clear which party is ultimately responsible for the security of personal information when sharing between organisations.
The report says charities should consider how long they need to retain information. "All VSA organisations should review the types of records holding personal data and identify how long they need to be retained after the relationship with the client, employee, counsellor or therapist ends," the report says. "If the information is no longer required, it should be securely destroyed."
The ICO says charities "need to have a formal home and remote working policy to ensure personal information continues to be handled correctly outside of the office", and it found inadequate protection for staff using portable or mobile devices or using personal devices for work purposes. The report says organisations must make sure their IT providers can give the same level of data security the charity itself would.
Victoria Heath, good practice group manager for the criminal and justice sector at the ICO, said: "Members of the VSA face a difficult challenge when it comes to looking after personal information. They often rely on a regular stream of volunteers to provide support to the victims they care for, while handling sensitive details relating to the abuse or mistreatment of vulnerable people. This creates a unique challenge and one we are pleased to say many organisations are meeting. Nevertheless, there are still a number of areas where organisations could be doing more to keep people’s information secure."