Why This Matters

As a volunteer for IWA, you may handle personal information about individuals. The UK GDPR (General Data Protection Regulation) sets rules for how organisations must protect people’s information. So, what is personal data? How can we protect it and still fulfil our duties? Here are some guidelines

What Is Personal Data?

Personal data means any information that can identify a living person, directly or indirectly. If you can figure out who someone is from the information – on its own or combined with other data – then it’s personal data.

Common Examples

• Names (full name, first name + context)
• Postal addresses
• Email addresses (personal or work if tied to an individual)
• Phone numbers
• Photos or video of a person
• Date of birth
• Membership or donor IDs
• IP addresses, device identifiers
• Location data
• Login details
• Bank details

Special Category Personal Data (extra protection)

This type of data is more sensitive. Volunteers should be especially careful with it:

• Health information (allergies, disabilities, medical conditions)
• Religious or philosophical beliefs
• Racial or ethnic origin
• Political opinions
• Sexual orientation
• Biometric data (face scans, fingerprints)
• Genetic data

If you handle special category data, only do so if your role explicitly requires it.

What Isn’t Personal Data?

Information is not personal data if it cannot identify a person, even indirectly.

• Completely anonymous data
  (e.g., “120 people attended the event” with no way to trace individuals)
• Information about organisations, not people
  (e.g., “The Greenway Canal Trust”)
• Organisation email addresses [email protected] or [email protected].
• Data of someone who is no longer alive
  (UK GDPR applies only to living individuals)
• Fictional or invented characters
• Aggregated statistics
  (e.g., “70% of visitors were first-time attendees”)

But be careful:

If data is supposed to be anonymous but could be combined with other info to identify someone (e.g., “The only 92-year-old volunteer”), it is still personal data.

Common volunteer situations

Sign-up sheets

• Names + contact info = personal data
  ✔ Keep secure.
  ✔ Don’t leave visible for others to read.

Emails

• Email addresses of individuals = personal data
  ✔ Be very careful when using BCC to email small groups.

✔ Always use your waterways.org.uk account, never your personal e-mail.

✔ Mailings to large groups should always go via IWA’s membership system.

✔ Be careful not to inadvertently divulge other people’s private e-mail addresses by listing them as a cc addressee.

Newsletters

• Personal email addresses of individuals appearing in newsletters
  ✔ You can only publish personal email addresses if you have their permission.

Photos from events

• Faces = personal data
  ✔ Always follow consent rules.
  ✔ Check IWA social media policy before sharing.

Health or accessibility notes

• Highly sensitive
  ✔ Only collect or share if necessary and authorised. Keep very secure.

Conversation notes

If you write down things someone told you (name, concerns, situations, etc.), it can easily be personal data. Treat it carefully.

Volunteer Responsibilities (Simple Rules)

You should:

• Only collect or use personal data you genuinely need for your role.
• Keep information secure (locked away, password-protected).
• Report lost papers or data breaches immediately.
• Follow organisational guidance on consent and retention.

You should NOT:

• Share personal data unless authorised and necessary.
• Leave lists, forms, or screens with personal data unattended.
• Store IWA-related personal data on your personal device unless permitted.
• Post identifiable photos without permission.

When in Doubt

A helpful question:

“Could someone be identified from this information?”
If yes – or even maybe – treat it as personal data.

If you’re unsure, contact the IWA Data Protection Officer [email protected]

Last Updated: December 2025