Data Protection Policies

By Paul Ticher

When organisations become aware of their responsibilities under the 1998 Data Protection Act, they often ask if there is a standard or model policy they can adopt. Unfortunately, there isn't.

Data Protection is not about following a fixed set of rules, which are the same for everyone; it's about complying with Principles.  These Principles are very general.  In any given situation there are probably several courses of action that would be equally compliant.  Which one you choose depends on how your organisation works, what kind of clients you work with, and so on.

So instead of providing a model policy, this article looks at the sort of things a Data Protection policy might need to cover, and gives some suggestions for how you might work out for your organisation what needs to be in it. Links to some background resources are also provided.

Why have a Data Protection Policy?

A Data Protection policy is not about explaining Data Protection; there are plenty of places you can find more information.  It is about setting down the decisions your organisation has made about how it will comply with its legal responsibilities, and about making sure that everyone in the organisation knows what their individual responsibilities are.

Data Protection is important, not because it is about protecting data, but because it is about protecting people.  People can be harmed if their data is misused, or if it gets into the wrong hands, through poor security or through careless disclosures.  They can also be harmed if their data is inaccurate or insufficient and decisions are made about them, or about what services to provide them with.

Being unclear about Data Protection also runs the risk that people misunderstand it and possibly over-react, becoming obstructive when there is no need to be, causing hassle for individuals and other organisations.

If you harm someone through a breach of Data Protection, your organisation may well have to pay them compensation.  But it's not really about protecting your organisation from financial harm; it's about making sure that everyone in your organisation is able to treat people properly because they know what they are supposed to do.

Framework for policies

The Data Protection Policy Framework Document (152 Kb RTF) contains suggested headings, topics and sample text which will be applicable for a typical Data Protection Policy for a voluntary sector organisation.

The framework has attempted to cover most of the areas which will be required for a Data Protection Policy, but not all need be adopted.  For example, if you don't fundraise from individuals or try to sell them products or services, you will not need to address the issue of direct marketing. Of course, should the organisation change its activities then the policy may need to be revised: we suggest that it is reviewed every three years or so.

You may also find areas where Data Protection overlaps with other issues, such as Confidentiality, and these will need to be examined to ensure compatibility between policy documents.

For convenience, the framework is split into 10 main areas which are then subdivided.  These areas are:

  • Introduction
  • Responsibilities
  • Confidentiality
  • Security
  • Data recording and storage
  • Subject access
  • Transparency
  • Consent
  • Direct marketing
  • Staff training & acceptance of responsibilities

Data Protection Policy implementation process

The following is a suggested process for initiating and implementing a Data Protection Policy.  This will differ depending on the size and nature of the organisation.

  1. Initiate - discuss in team/staff/volunteer/management committee meetings etc.
  2. Form working group (if appropriate)
  3. Consult departments, teams or individuals to check what purposes they hold personal data for and what policies they already have
  4. Draft policy and circulate amongst working group for comment
  5. Write up final policy
  6. Publish and distribute
  7. Publicise to people in organisation
  8. Monitor and review


An article explaining in depth the rules and regulations relating to the Data Protection Act.

The Office of the Information Commissioner has useful guidance notes, and can also be consulted directly with specific questions  (Helpline 01625 545700).

See also: Data Protection for Voluntary Organisations, Paul Ticher, 2002 (Second edition) and Lasa’s Computanews Guide to Data Protection (209 kb PDF document).

Copyright © 2006 Paul Ticher

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.0 UK: England & Wales License.