We suggest you allocate responsibility for managing the equality data you collect to one person within your organisation. This could be someone who works in the office or a member of your management committee. Ideally the person should not be someone who has any authority for taking decisions about who can and cannot take part in your project activities or services.
If any data you collect is linked to an individual (so that someone looking at the data could identify the individual) it becomes personal data and is subject to the requirements of the Data Protection Act.
If you do collect personal data you should comply with the eight Data Protection Act principles.
1. Personal data must be fairly and lawfully processed. Individuals must be told that their data is being collected, who holds their information, what their data will be used for, how long the data will be kept and who will have access to it.
2. Personal data must be processed for limited purposes. Your organisation must know why the data is being collected and must not use the data for any other purposes.
3. Personal data must be adequate, relevant and not excessive. Your organisation must satisfy itself that the data collected is adequate and relevant to fulfil the purpose for which it is collected.
4. Personal data must be accurate and up to date. The purpose for which the data is used will determine whether there is any need to update the data collected.
5. Personal data must not be kept longer than necessary. The data must only be kept as long as is necessary to fulfil the purpose it was intended for.
6. Personal data must be processed in accordance with the individual’s rights. The Act grants certain rights to individuals, including the right to know what information is held about them and the right to correct information that is wrong.
7. Personal data must be kept secure. Whatever approach you take to data collection, it is likely that you will want to store this information on a computerised database. You should store the personal data in such a way that someone looking at the data isn’t able to identify any individuals from it. This means keeping any personal identifiers (such as the individual’s name) in a separate place. You must also take appropriate measures to prevent unauthorised or unlawful access to personal data and against accidental loss or destruction of personal data. So you should make sure that only staff who need to view this information are given access to it.
8. Personal data must not be transferred to countries outside the European Economic area. Unless the country has adequate protection for the individual.
If you ask a child to provide personal information you need consent from a parent or guardian, unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision. The Act doesn’t state a precise age at which a child can act in their own right. But as a general rule we suggest not collecting information from children under 12 without first obtaining the permission of a parent or guardian.
Bear in mind that if you don’t comply with the Data Protection Act your organisation could face a claim for compensation from individuals who have suffered damage or distress, or you could receive a fine from the Information Commissioner.
For more information about the Data Protection Act visit the Information Commissioner’s Office website.