
Volunteer - Data Protection Policy v5.1

This document outlines the Institution of Engineering and Technology's (IET) volunteer data protection policy. It explains that the IET needs to collect and use personal data to operate, and this policy provides guidance for volunteers on proper data handling. The policy covers who it applies to, related policies volunteers must read, an overview of relevant data protection regulations, and specifics on volunteer access to and use of personal data. Volunteers must complete training and adhere to security policies before being granted access to member data for activities like local network administration or event communications. The IET is responsible for ensuring proper data protection and can withdraw volunteer access for non-compliance.


Volunteer - Data Protection Policy

The Institution of Engineering and Technology


Futures Place
Kings Way
Stevenage
SG1 2UA
When printed this becomes an uncontrolled document and might not be at the current version

Volunteer - Data Protection Policy

1. Why we have this Policy

1.1. The Institution of Engineering and Technology (The IET) and our associated
organisations need to collect and use certain types of information about people
(personal data) with whom we deal in order to operate and carry out our legitimate
charitable and business purposes.

1.2. This policy provides information about data protection and how it applies to the IET
and its volunteers, together with providing the steps to be taken by IET volunteers
who have access to or store the personal data of individuals with whom the IET has
or may have a relationship. This could include IET members, staff, customers,
suppliers, volunteers and donors; any individual we deal with.

2. Who this Policy relates to

2.1. This policy applies to all volunteers engaged in activities supporting and delivering the
IET’s objectives. Members of staff are required to abide by an equivalent policy.

2.2. The IET is a UK-based organisation and subject to UK law; all those who work on
behalf of the IET are required to comply with the relevant standards. We work closely
with our subsidiary organisations, IET Beijing, IET India, and the Hong Kong and USA
offices to ensure that those residents’ data is processed in accordance with the data
protection laws of those countries. Where required we produce specific guidance and
procedures.

3. Other Policies, Procedures and/or Guidelines you need to read in relation to this Policy

3.1. You should also read the following IET policies available in the IET EngX Volunteering
community:

3.1.1. IT Acceptable Use Policy
3.1.2. Data Disposal Guidance
3.1.3. Information Security Facts and Guidance
3.1.4. Password Guidance
3.1.5. Volunteer Code of Conduct, and:

On the IET website:

3.1.6. Treasurers Handbook (role applicable):
3.1.7. Disciplinary regulations
3.1.8. Member Rules of Conduct

4. Overview of this Policy

4.1. The UK General Data Protection Regulation (UK GDPR) governs the collection,
storage and use of personal data by UK organisations.

4.2. This Policy is written in line with those requirements and is designed to ensure we are
all aware of and meet our responsibilities towards IET personal data.

4.3. All UK organisations must comply with the UK GDPR, and the potential impact of not
meeting these obligations is significant fines of up to 4% of global turnover.

4.4. The Data Protection principles are ‘rules’ to be followed when personal data is
processed:

Lawfulness, fairness and transparency: Whenever you collect personal data from an
individual you must provide clear information on why and how the information will be
processed along with data rights information. This is demonstrated in our general
Privacy Notice available to members, customers and staff via the IET Website and
Intranet.

Where personal data is collected indirectly or supplied via a third party the
individual must be contacted within one month and given details of the processing and
their rights as explained above.

Collecting and using personal data in new ways not highlighted in our Privacy Notices
is likely to be unfair and exceed individuals' reasonable expectation and so must be
agreed in advance with your IET staff contact or the Data Protection Officer.

For processing to be lawful one of the following lawful bases must be met (see
glossary appendix for more information):
• Consent
• Contract
• Legal obligation
• Vital interests
• Public interest
• Legitimate interests to both the IET and that individual – A three-point test is
required.

Purpose limitation: Ensure that you are clear, open and transparent about your reasons
for obtaining personal data, and that what you do with the data is in line with the
reasonable expectations of the individuals concerned and the IET procedures.

Data minimisation: Personal data shall be adequate, relevant and limited to what is
necessary for the purposes for which they are processed. So you should identify the
minimum amount of personal data you need to fulfil your purpose on behalf of the IET
and process no more than that.

Accuracy: Personal data shall be accurate and, where necessary, kept up to date; every
reasonable step must be taken to ensure that personal data that are inaccurate, having
regard to the purposes for which they are processed, are erased or rectified without
delay.

Storage limitation: Personal data shall be kept in a form which permits identification
of individuals for no longer than is necessary for the purposes for which they are
processed. So, even if you collect and use personal data fairly and lawfully, you
cannot keep it for longer than you actually need it. Personal data held for too long
will, by definition, be unnecessary. You are unlikely to have a lawful basis for
retention.

Integrity and confidentiality: Personal data shall be processed in a manner that
ensures appropriate security of the personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or
damage, using appropriate technical or organisational measures. You must ensure that
you have appropriate security measures in place to protect the personal data you
process.

Accountability: The IET (Controller) shall be responsible for and be able to
demonstrate compliance with the UK GDPR.

4.5. By following this Policy, the IET and its volunteers will be able to meet their legal and
best practice obligations and as such reduce the risk of reputational damage,
enforcement, or financial penalty by the Information Commissioner’s Office (ICO) or
other countries’ Data Protection Authorities. These are the regulatory bodies
responsible for monitoring compliance with data protection law and can impose
enforcement and financial penalties on organisations that are found to be
non-compliant.

5. The Policy itself

5.1. In UK law Controllers must comply with, and demonstrate compliance with, all the
data protection principles as well as the other UK GDPR requirements and are also
responsible for the compliance of those who process personal data on processor(s).

5.2. The Information Commissioner’s Office (ICO) and individuals may take action against
a controller regarding a breach of its obligations.

5.3. The IET is a Controller and registered with the Information Commissioner’s Office for
the processing of member, customer, volunteer and staff personal data.

5.4. The IET, as such, is responsible and accountable for the processing of personal data
which is collected and used in its name.

5.5. The IET supports the need for volunteers to have access to, and in some
circumstances store, the personal data of IET members if appropriate.

5.6. Examples of this include:

a. Process member data to enable the administration and management of a Local
Network;

b. Access to minimal member data to use to communicate event organisation,
administration, promotion and marketing.

6. Access to personal data

6.1. To ensure the IET meets its legal obligations, before sharing personal data with
volunteers for usage and communications, volunteers must adhere to the following:

6.1.1. Online data protection training must be successfully completed prior to using IET
personal data. For further information on this please contact the Volunteer Support
Unit via [email protected].

6.1.2. This Data Protection Policy, IT Acceptable Use Policy, Information Security Facts and
Guidance, and Password Guidance must be adhered to when using IET personal
data. The IET reserves the right to withdraw your access or formally notify you to stop
processing IET personal data if it finds you are not keeping to these policies.

6.1.3. You must never use the IET personal data for your own purposes. Personal data must
be processed only to meet the IET activities you volunteer to support.

6.1.4. Always follow the IET approved methods when you process personal data of IET
customers, members and volunteers. Contact your designated staff contact to check
you are following correct procedures.

6.1.5. Events, marketing and promotional activities should be conducted using the IET
applications. You must obtain approval from your staff contact or Local Network
(whichever is applicable) before conducting an event. The Treasurers Handbook (if
an applicable Local Network role undertaken) must be followed for charged for events
and only via IET approved methods and payment applications.

6.1.6. Always use corporate branding when you are conducting voluntary activity on behalf
of the IET, to demonstrate that the email is legitimately from the IET, in agreement
with your designated support staff. If you have been provided an IET Email address
you must use this to conduct your volunteer role.

6.1.7. Always send messages individually, or use BCC option, taking care to ensure that
email addresses are not inadvertently shared without prior agreement.

6.1.8. Volunteers can communicate directly with IET members who respond to requests for
support in relation to an event or activity, and retain the email contact data in Outlook,
or a chosen email platform e.g. Office 365.

6.1.9. Volunteers are not required to purge email addresses which are stored in Outlook or
the chosen email platform each and every time they have satisfied the purpose,
although they are asked to manage their contact data appropriately.

6.1.10. Volunteers should not retain lists of IET member contact data nor retain
communications or correspondence of IET members once the purpose for which it
was originally shared has been satisfied.

• This helps us meet the requirement to always know where IET personal data
resides and allows us to respond to data subject rights requests.

6.1.11. Members can change contact information or opt out of further communications by
either contacting the IET directly by post, following the link on a received email or
amending communication preferences, if they have a MyIET online account. If a
volunteer receives a data subject rights request directly they should inform the Data
Protection Officer immediately on [email protected]

6.1.12. The IET may wish to oversee marketing campaigns and to support marketing
communications compliance with the Privacy and Electronic Communications
Regulations. Please contact your IET staff contact for approval before progressing
marketing activity.

6.1.13. Alternatively, an initial email message can be sent by your designated IET staff
contact. Text for the message should be agreed between yourself and your contact
who will send the message and marketing responses to the email will be directed to
the appropriate IET staff member.

7. Storage of personal data

7.1. Personal data storage, which may be necessary to carry out administration of Local
Networks, must also comply with the current IET methods and the following storage
requirements:

7.1.1. Volunteers should ensure the personal data retained is accurate, relevant and kept
up to date. Out of date personal data should be removed. For example, Local
Network members who have left the network should be removed from contact lists.

7.1.2. Personal data should not be held which is not required but may be ‘nice to have’. For
example, attendee lists for events.

7.1.3. Critically, the personal data can only be used for a purpose that is consistent with an
individual’s expectations – typically what they were told by the volunteer representing
the IET when they initially provided their personal data.

7.1.4. Whilst retaining the personal data it must be stored securely according to the IET’s IT
Acceptable Use Policy.

7.1.5. Always inform IET staff if you are notified of any personal data updates or
modifications such as change of email address or change of postal address.

7.1.6. Whilst retaining the personal data for the above activities, its use should be strictly
limited to IET staff and volunteers who have a valid business need to access the
data.

8. Personal data collection

8.1. Any personal data collected whilst acting as an IET volunteer from individuals should
immediately be passed to your IET staff contact unless you are using an IET
Volunteer Office 365 account. Personal data collected from those who are not already
engaged with the IET should be immediately passed to your staff contact. This
supports our requirement to inform individuals we have their data as per our Privacy
Notice.

9. Definitions

9.1. Data Controller

Controller: the organisation (or individual) which, either alone or jointly with another
organisation (or individual) decides why and how to process personal data. The
Controller is responsible for compliance with the DPA and GDPR. A contract or
agreement between the Controller and Processor must be in writing and the UK
GDPR sets out what information must be included in that agreement.

Joint Controller: Two or more Controllers jointly determining the purposes and
means of the processing of the same personal data.

Processor: A Processor is an organisation or individual (such as a consultant but not
an employee of the Controller) that processes data on behalf of a Controller. A
Processor can only act in line with the instructions of the Controller.

9.2. Personal Data

9.2.1. Personal data means any information relating to an identified or identifiable natural
person.

9.2.2. An identifiable person is one who can be identified, directly or indirectly, by reference
to an identifier such as a name, an identification number, location data, online
identifier or to one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that person.

9.2.3. Personal data can also include items such as name, email address, home telephone
number, mobile number, IP Addresses, film footage and photographs.

9.2.4. As a matter of practice, it is best to treat any information about an individual as
personal data.

9.3. Processing of Personal Data

9.3.1. In relation to personal data, the definition of processing includes the collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction of personal
data.

9.3.2. Personal data may be held electronically, digitally or in hard copy as CCTV
recordings, video and photographs.

9.3.3. If a volunteer captures personal data on behalf of the IET, such as at an event or in
the course of their activities, they must forward the personal data onto their staff
contact so it can be centrally held.

10. What happens if you do not follow this Policy

10.1. By following this Policy, the IET, its volunteers and staff, will be able to meet their
legal and best practice obligations and as such reduce the risk of reputational
damage or financial penalty by the Information Commissioner’s Office (ICO). The
ICO is the UK body responsible for monitoring compliance with data protection law
and can impose penalties on organisations that are found to be non-compliant.

10.2. The charity sector is always under scrutiny. For example, the Information
Commissioner ordered a well-known charity to take action after discovering that
volunteers were using personal email addresses to receive and share information
about people who use the charity, storing unencrypted data on their home computers
and failing to keep paper records locked away. In addition, volunteers were not
trained in data protection, and the charity’s policies and procedures were not
explained to them and they had little supervision from staff.

10.3. More recently, in their finding on a case involving another large charity organisation,
the Information Commissioner stated “the fact that it is a charity is not an excuse. In
fact, the public is arguably entitled to expect charities to be especially vigilant in
complying with its legal obligations”.

10.4. If you do not follow this Policy, the risks to the IET are breach of data protection law,
which could result in reputational damage, fines, and court proceedings.

10.5. If you do not follow this Policy, the IET may take appropriate action which could
include referral to the Disciplinary Board or removal from the role.

11. Incidents and Data Breaches

11.1. An incident or data breach is when data is lost, stolen, inadvertently shared or
damaged. These can happen in many ways. The most common involve human
error, equipment failure or criminal activity. However they occur, all incidents and
data breaches must be reported immediately to your designated staff contact at the
IET, even if the full facts have not yet been collected.

11.2. Incidents and data breaches should also be reported to the Data Protection Officer as
soon as possible via [email protected] or call +44 (0)7808 102171.

11.3. The IET will follow an agreed process on dealing with the incident and may be
obliged to report it to the Information Commissioner’s Office or applicable Data
Protection Authority and those individuals whose personal data has been breached, if
the breach is likely to result in a high risk of adversely affecting individuals’ rights and
freedoms. The incident may also be reportable to the UK Charity Commission.

11.4. We strongly encourage volunteers to report potential incidents so that we can act to
mitigate risks to individuals.

12. Queries and Comments

12.1. Your staff contact will be able to assist you with any queries you have about data
protection or obtaining access to IET data. Please contact the Privacy Office if you
have any concerns or questions about how personal data is processed by the IET
and its members and volunteers.

12.2. An online data protection training module is also available through our e-learning
environment, InfoAware. If you would like to undertake this training to support your
understanding of Data Protection, please contact the Volunteer Support Unit via
[email protected].

12.3. If you have any queries regarding how this Policy works in practice, or comments or
suggestions as to how it could be improved, please contact [email protected].

Appendix

Control Sheet

Volunteer – Data Protection Policy

Document owner: Data Protection Officer
Document reviewer: Data Protection Officer
Document adopted on: 1 January 2018
Next review date: 1 February 2024

Review/change history

Date of Review/Change (Version no.): Summary of changes

January 2018 (Version 1.0): First volunteer-specific Data Protection Policy published
in line with new EU General Data Protection Regulations coming into force May 2018.
(Data Protection was previously presented to volunteers in a combined staff/volunteer
policy, version 4.1)

May 2019 (Version 2.0): Updated to incorporate further guidance on sharing, storing
and collecting data.

July 2020 (Version 3.0): Review but no updates

May 2021 (Version 4.0): Replaced GDPR and DPA with UK GDPR and changed contact to
privacy office mailbox.

December 2022 (Version 5.0): Full review and update

February 2023 (Version 5.1): Other policy location references changed to IET EngX
‘Volunteering’ community.
