Data Protection

What is data protection?

The Data Protection Act determines how personal information is used by organisations including charities, businesses and government bodies. The regulator is the Information Commissioner’s Office (ICO) and they provide a wealth of guidance on compliance.

What does data protection have to do with open data?

In general, open data should not contain personal or sensitive personal data that could allow a living person to be identified. Data published to the 360Giving standard should be anonymised to protect privacy as outlined in the ICO’s anonymisation code of practice. There are cases where publishing personal data is in the public interest or where data can be published with the consent of the individual. We explore those cases below.

Publishing personal data with 360Giving

We encourage publishers to carefully consider the value of sharing any personal data as part of their 360Giving publication and discourage sharing of sensitive personal data (including racial or ethnic origin, medical information).

Before making a decision on including personal data:

  1. Review the ICO’s Key definitions of the data protection act to understand the difference between non-personal data, personal data and sensitive personal data;
  2. Review the ICO’s Guide to data protection to understand your organisation’s obligations;
  3. Ensure your organisation has the power to share the data;

Once you’ve decided to include personal data in your publication:

  1. Restrict personal data to names used in official capacity, for example the contact names at the funding and recipient organisations, names of recipients of funds e.g. scholarships and identifiers that are open or in the public domain, for example orcid;
  2. Ensure individuals formally consent to share their data, for example as part of grant, sponsorship or employee contracts. Be aware that consent can be withdrawn at any time;
  3. Ensure individuals are informed of the scope of personal data to be shared as open data.