Data Security
Forums should take data security seriously to protect all the personal data they collect; doing so is a requirement of the conditions of grant. The Information Commissioner's Office (ICO) has data storage advice for small organisations.
- Make sure digital data is, at a minimum, protected by a strong password, and preferably encrypted.
- It is best practice to use multi-factor authentication (MFA) on every account that can reach forum data, to minimise the risk of unauthorised access.
- Don't keep passwords written down or saved in plain text (a note, a document or an unlocked browser) on a phone or laptop; if they must be stored, use a reputable password manager.
- Keep anti-malware software enabled and up to date on all devices (the built-in Microsoft Defender, or products such as McAfee or Norton) to protect data from malware and viruses.
- Keep all software updated on all devices, including the operating system and browser.
- Change shared passwords whenever someone who knew them leaves or hands over responsibility for the laptop or membership database, and immediately if you suspect a password has been exposed.
- Never keep the membership list on removable media such as a USB drive, or on any device that is not encrypted and could be lost or stolen. Ensure steering group members, staff or volunteers keep forum laptops in locked cabinets when not in use.
- Some forums have support from an IT provider to make sure the forums data is secure.
- If you store personal data online, for example in Google Drive, Dropbox or Mailchimp, or attached to emails, check that the company storing the data complies with UK GDPR and that the data is not transferred outside the UK without appropriate safeguards (for example, to a country covered by UK adequacy regulations or under the ICO's international data transfer agreement). Most big companies publish privacy policies and notices confirming this.
- Everyone in the forum needs to understand the importance of protecting people's data and how to keep it secure.
- Keep the number of places you store data to a minimum.
- Have one central list of contacts stored electronically
- Have a named person responsible for managing the list – sometimes the forum secretary or administrator.
- Don’t refer to the person who looks after the forums data as the data protection officer (DPO) – this has a specific meaning in law and organisations with a DPO have additional obligations.
- If you're emailing more than one person at a time, put all the addresses in the BCC box, which hides each recipient's address from the others; putting them in To or CC discloses personal data and could be a breach of UK GDPR.
- All forum devices should be password protected
- Forum equipment should not be used for any other purpose
- Never use someone's name in an email together with information they haven't agreed can be shared with others, unless it relates to safeguarding. See the Safeguarding section in policies and procedures.
- Remember that people can request copies of all the personal data the forum holds about them, including in emails, databases, Teams, WhatsApp etc. There is more information about this in 'Responding to Subject Access Requests (SAR) or Freedom of Information (FOI) requests'.
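The BCC point above is the one most often got wrong, so here is an added example (not from the handbook, the ICO or any forum) of how a script that sends a newsletter can keep member addresses out of the visible headers and refuse to send if any have crept in. The forum address and member list are constructed sample data, and the SMTP relay on localhost is an assumption.

```python
"""Send a bulk mailing without exposing members' addresses to each other.

Added example for this handbook, not forum code. Assumes the forum sends
from a shared mailbox over a local SMTP relay (an assumption); the
addresses below are constructed sample data, not real members.
"""
import smtplib
from email.message import EmailMessage

FORUM_ADDRESS = "forum@example.org"  # constructed
MEMBERS = [                          # constructed sample list
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]


def build_newsletter(sender: str, subject: str, body: str) -> EmailMessage:
    """Build a message whose visible headers name only the forum.

    Members are deliberately absent from To and Cc. They are supplied as
    envelope recipients at send time (see send_newsletter), which is what
    the BCC box in a mail client does: the mail server delivers to them,
    but their addresses never appear in the message anyone receives.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # recipients see the forum's own address here, not each other
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_newsletter_wrong(sender: str, members: list[str], subject: str, body: str) -> EmailMessage:
    """The common mistake: every member listed in To, visible to all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def leaked_addresses(msg: EmailMessage, members: list[str]) -> list[str]:
    """Pre-send check: member addresses found in any header recipients would see."""
    visible = " ".join(str(msg.get(header, "")) for header in ("To", "Cc")).lower()
    return [m for m in members if m.lower() in visible]


def send_newsletter(msg: EmailMessage, members: list[str],
                    smtp_host: str = "localhost", smtp_port: int = 25) -> int:
    """Refuse to send if any member address is visible; otherwise deliver
    with members as envelope recipients only. Returns the recipient count."""
    leaked = leaked_addresses(msg, members)
    if leaked:
        raise ValueError(f"member addresses would be visible to all recipients: {leaked}")
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        # send_message also strips any Bcc header from the copy it transmits,
        # so a Bcc line cannot leak even if one was set on the message.
        smtp.send_message(msg, from_addr=msg["From"], to_addrs=members)
    return len(members)


if __name__ == "__main__":
    newsletter = build_newsletter(FORUM_ADDRESS, "Forum newsletter", "Hello members")
    print("visible member addresses:", leaked_addresses(newsletter, MEMBERS))
    wrong = build_newsletter_wrong(FORUM_ADDRESS, MEMBERS, "Forum newsletter", "Hello members")
    print("visible member addresses (mistake):", leaked_addresses(wrong, MEMBERS))
    # send_newsletter(newsletter, MEMBERS) would deliver via the relay.
```

The check is deliberately done before any connection to the mail server, so a list accidentally pasted into the To field is caught rather than sent. Mail-merge tools that send one message per member achieve the same outcome and also avoid a single message with a very long envelope.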
Do forums legally require a Data Protection Officer (DPO)?
Under the UK General Data Protection Regulation (UK GDPR), a Data Protection Officer (DPO) must be appointed if an organisation:
- Is a public authority or body, or
- Has core activities that require it to:
  - Carry out regular and systematic monitoring of individuals on a large scale, or
  - Process special category data (e.g. health, disability, ethnicity information), or data relating to criminal convictions and offences, on a large scale.
Most PCFs will not meet these thresholds. However, many forums handle sensitive data and may engage in activities that bring them close to, or across, the legal threshold.
Recommendation: Appoint a Person Responsible for Data Protection
Whether or not a DPO is legally required, all PCFs should appoint someone to be responsible for data protection. This does not need to be a formally designated DPO but should be a trusted individual who:
- Understands basic UK GDPR requirements,
- Oversees data collection, use, and storage,
- Ensures policies are followed,
- Acts as a contact point for data protection queries or concerns.
This individual could be a member of the steering group or a trained volunteer.
Best Practice Principles for forums
To remain compliant and build trust with families, PCFs should implement the following safeguards:
- Data audit: Know what personal and sensitive data is collected, why, and where it is stored.
- Minimisation: Only collect the data needed for your purposes.
- Transparency: Provide clear privacy information to members.
- Security: Store data securely and limit access to authorised individuals.
- Retention: Have clear timelines for data deletion and review.
- Training: Ensure all volunteers and staff handling data receive basic data protection training.
Information forums might collect
Forums need to consider the kind of information they want to collect and hold about members. Forums should only collect data that is necessary (data minimisation).
Some forums don't collect any personal data and use their social media group to reach parent carers; others collect only parents' names and email addresses; and others gather more information such as:
- Contact details such as name, address, email and phone number.
- Details of their child’s age, condition and education type.
- How parents prefer to receive communications. It is much more cost-effective to communicate electronically, but not all parents will have an email address.
- Information about parents’ ethnicity/geographical area. This helps ensure that the forum membership is representative of the local community and if not, get to know which groups you need to target.
- Local support and campaign groups contact details
- Practitioners and organisations
Some forums carry out an annual survey to collect anonymised data about their members along with details of what’s working well for families and what the challenges are – this is a useful way of collecting non personalised data to share with partners and parents and to guide the forums work. See our communication and gathering parent voice sections
Some data that forums collect may be considered special category data under GDPR, for example data on ethnicity or health (including child disability or condition). You may decide that you need to collect this data, for example to ensure that you are representative of the families you support, or to communicate with specific groups of families. However, you need to ensure that you meet the conditions for processing this special category data, and ensure it is stored securely.
Forums should store this data on a secure database with access restricted on a strict need-to-know basis, protected by multi-factor authentication (MFA) and encrypted at rest (MFA is an access control, not a form of encryption; both are needed). Alternatively, if it won't adversely affect the way the forum reports on its impact, the forum could anonymise the data so it can still be reported on but can't be traced back to individual forum members.
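Removing names is not on its own anonymisation: a rare condition combined with a postcode area can still single out one family. The example below, added here and not taken from the handbook or any forum's systems, shows one way to produce the kind of anonymised reporting described above: it strips the direct identifiers from a constructed membership export, checks how small the smallest group is for a combination of fields, and only reports counts once small groups are merged. The column names and the minimum group size of 3 are assumptions for the illustration.

```python
"""Anonymised reporting from a membership list.

Added example for this handbook, not forum code. The CSV below is a
constructed sample export (no real people); the column names and the
minimum group size are assumptions for the illustration.
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = """name,email,postcode_area,child_condition
A Parent,a@example.com,SW1,autism
B Parent,b@example.com,SW1,autism
C Parent,c@example.com,SW1,ADHD
D Parent,d@example.com,SW2,autism
E Parent,e@example.com,SW2,autism
F Parent,f@example.com,SW2,autism
G Parent,g@example.com,SW2,ADHD
H Parent,h@example.com,SW3,cerebral palsy
"""

# Columns that directly identify a person and must never appear in a report.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}
# Smallest group size we are willing to publish a count for (assumption).
MIN_GROUP = 3
OTHER = "Other (small groups combined)"


def load_rows(text: str) -> list[dict]:
    """Parse a CSV export into one dict per member."""
    return list(csv.DictReader(io.StringIO(text)))


def strip_identifiers(rows: list[dict]) -> list[dict]:
    """Remove direct identifiers. This is pseudonymisation at best: the
    remaining columns can still single people out, so check before release."""
    return [{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS} for row in rows]


def smallest_group(rows: list[dict], fields: tuple[str, ...]) -> int:
    """Size of the smallest group sharing the same values for `fields`.
    If this is 1, at least one family is uniquely identifiable from those
    fields alone, even with names removed."""
    groups = Counter(tuple(row[f] for f in fields) for row in rows)
    return min(groups.values()) if groups else 0


def safe_to_release(rows: list[dict], fields: tuple[str, ...], k: int = MIN_GROUP) -> bool:
    """True only if every combination of `fields` is shared by at least k members."""
    return smallest_group(rows, fields) >= k


def summarise(rows: list[dict], field: str, min_group: int = MIN_GROUP) -> dict:
    """Counts per value of one field, with values seen fewer than
    `min_group` times merged into a single bucket."""
    summary: dict = {}
    for value, n in Counter(row[field] for row in rows).items():
        if n >= min_group:
            summary[value] = n
        else:
            summary[OTHER] = summary.get(OTHER, 0) + n
    return summary


if __name__ == "__main__":
    members = strip_identifiers(load_rows(SAMPLE_CSV))
    print("condition counts:", summarise(members, "child_condition"))
    print("area counts:", summarise(members, "postcode_area"))
    fields = ("postcode_area", "child_condition")
    print("row-level data by area and condition safe to share?",
          safe_to_release(members, fields), "(smallest group:", smallest_group(members, fields), ")")
```

Two caveats a forum should keep in mind: the combined bucket can itself be smaller than the threshold, and a partner who knows the total membership can subtract the published counts to recover a suppressed one. If totals are published alongside the breakdown, drop or widen any bucket below the threshold rather than reporting it, and share row-level data only when safe_to_release is true for every combination of fields a recipient could cross-reference.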
There are also specific rules around collecting data about children. There is more information here: Children and the UK GDPR | ICO
- In deciding what information the forum wants to hold about members, it needs to consider the rules that apply, such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- The Information Commissioner's Office has a website with the latest guidance, which you can find here: Information Commissioner's Office (ICO).
- The ICO has specific information for small organisations here: Advice for small organisations | ICO
Purpose for collecting and storing data
- Communicate directly with parent carers about forum activity and how parent carers can become involved further
- Inform and empower parent carers
- Share feedback from the forums’ strategic work to show members the impact of sharing their views.
- Provide evidence to local authority and other partners of the collective key issues impacting on families and give them statistical information about who the forum is reaching.
- Build credibility with the forum's strategic partners
- Identify gaps in the forum's membership, whether by geographical area, ethnicity, gender, child's disability or additional need etc.
- Hear the views and experiences of a wide range of families to build a picture of what's working well and the issues that need work.
- Keep members informed about forum events and training opportunities
- Let members know about strategic work the forum is involved in and how members can share their views.
- Send out surveys to collect information from members about their experiences
- Inform members about services/events from other organisations
- Keep a mailing list so that the forum can send newsletters
Forums should only collect, store or use personal data if there is a clear purpose for doing so. If there is no longer a purpose for holding someone’s data then it shouldn’t be kept.
Lawful bases for handling personal data
Forums must have a lawful basis to collect and use personal data. The most appropriate basis depends on the purpose of the processing. Here's how the different lawful bases apply in the context of forums:
Consent
Use consent when the individual is genuinely free to choose whether or not to provide their data, and when no other lawful basis is more appropriate, for example for:
- Signing up to receive a newsletter
- Sharing photos publicly
- Collecting sensitive (“special category”) data such as health or ethnicity (this will require additional safeguards so please do seek appropriate advice before collecting this data)
Key rules for consent:
- Consent must be freely given, specific, informed and unambiguous
- It must be an active choice (e.g. ticking a box; a pre-ticked box does not count)
- Forums must keep clear records of who gave consent, when, and for what purpose
- Data must only be used for the purpose consent was given for
- Forums must explain how people can withdraw consent at any time
You can use verbal consent (e.g. at an event), but you must still record who consented, what they were told, and what they agreed to.
If a person doesn't really have a choice, for example because they must provide their data to access a service, then consent is not valid. In such cases another lawful basis (such as contract or legitimate interests) is more suitable.
Legitimate Interests
This is often the most flexible lawful basis. It applies where processing is necessary for the forum's reasonable activities and the forum's interests are not overridden by the individual's interests, rights and freedoms.
Examples:
- Contacting members about forum-related matters
- Managing mailing lists for core communication (excluding marketing without consent)
- Collecting basic data to understand engagement
Key points:
- You must conduct a legitimate interests assessment (LIA) to weigh the forum’s interest against the individual’s rights
- Be transparent about what data is collected and why
- Allow individuals to object and respect their preferences
Performance of a Contract
Use this basis when you need to process personal data to fulfil a contract or agreement with the individual.
Examples:
- If someone must become a member to attend an event, and their personal data is required to deliver that event
- Registering attendees for workshops or training sessions
- Providing access to resources or services that require sign-up
Key points:
- The processing must be necessary to perform the contract
- Individuals must understand what they are signing up for
- You can only process data directly related to delivering the agreed service
Privacy notices
Privacy notices give people information about the data you hold, how you use it and how you store it. They are a way of being clear with people about why you have their data, what you're using it for and what their rights are.
If forums are collecting and using data on the basis of consent, they should provide a privacy notice at the point consent is requested.
If forums are collecting data on another lawful basis, they should be clear about what that basis is and provide a privacy notice when the data is collected or, at the latest, the first time the person is contacted.
The Information Commissioner's Office website has an online tool that forums can use to create their own privacy notice. It can be found here: privacy notice
You can also download an adaptable template on our ‘policies and procedures’ page.
Different ways to manage a membership list
Whatever system the forum uses, it needs to ensure that it is GDPR compliant: the information must be password protected and kept securely. If the forum uses paper forms, these must be stored in a locked cabinet or cupboard.
Most forums choose one person to be responsible for managing their data. A forum would only need to appoint a Data Protection Officer if its core activities involved large-scale monitoring of individuals, or large-scale processing of special category data or data relating to criminal convictions and offences; this is not the case for the majority of forums.
All the methods listed will be subject to GDPR:
- A paper form where the information is later typed into a digital system, such as a spreadsheet or a database. While a spreadsheet may be a new forum's first choice, spreadsheets are not ideal for managing personal data long term: rows are easily overwritten by accident, access controls are limited, and data security is weaker. If a spreadsheet is used, it should be encrypted with a password (in Excel, "Encrypt with Password" rather than only "Protect Sheet", which does not encrypt the file), stored securely, and access restricted to those who need it.
- An email list held on the forum's email system
- An email list kept on another system such as Mailchimp
- A customer relationship management system (CRM or database) that collects more data. These systems use an electronic form whose responses are added automatically to the forum's database, e.g. Lamplight
- You can find an online tool to help you consider the most appropriate type of database for your forum via the National Council for Voluntary Organisations (NCVO) web page which is connected to the Datawise London guidance: Choosing and implementing a database – Datawise London
Let’s get digital
See how some forums have used databases to store their data.
Registering with the Information Commissioners Office (ICO)
Most small forums must register with the Information Commissioners Office and pay a data protection fee. The ICO has a self assessment tool which you can work through to see if you must register. You can also choose to register to show your members that you take the security of their data and privacy seriously.
The fee for small forums will be approximately £40. You can find the self-assessment tool here: self-assessment tool.
Please see our guidance for forums on AI notetakers here.