DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Volunteer Management: What Charities and Organisations Need to Know

Volunteers are not employees. They are not paid, they do not have employment contracts, and they sit in a different legal category for employment law purposes. But GDPR does not distinguish between employees and volunteers when it comes to personal data. If you collect, store, or use personal information about a volunteer, the same data protection rules apply.

This creates a compliance gap that affects tens of thousands of charities, sports clubs, community groups, faith organisations, and social enterprises across the UK and EU. Most volunteer coordinators have never thought about GDPR in relation to the people they rely on — and most have not established the lawful bases, privacy notices, or retention policies that the law requires.

Why Volunteer Management Involves Significant Personal Data Obligations

When you recruit, manage, and retain volunteers, you collect personal data at every stage:

  • Application forms with names, addresses, contact details, and background
  • Availability and scheduling information
  • Skills assessments and role suitability notes
  • References and referee contact details
  • DBS (Disclosure and Barring Service) check results
  • Training records and qualifications
  • Health information for reasonable adjustments
  • Emergency contact details (family members or next of kin)
  • Photographs used in newsletters, social media, or annual reports
  • Expense claims with bank details

Each of these data types has different handling requirements under GDPR. Some are standard personal data (Article 4). Some — DBS results and health information — are special category or criminal conviction data requiring additional legal protections. And some, like emergency contact details, belong to third parties who have not interacted with your organisation at all.

Types of Volunteer Data and Their Lawful Bases

GDPR requires you to identify a lawful basis for every processing activity. For volunteer management, the most relevant are:

Contract or pre-contract steps (Article 6(1)(b)): Although volunteers are not employees, many organisations use written volunteer agreements. Where processing is necessary to enter into or perform that agreement — collecting name, contact details, role information — this basis may apply.

Legitimate interests (Article 6(1)(f)): For operational communications, scheduling, and maintaining volunteer records while the relationship is active, legitimate interests can be a defensible basis — provided you conduct a Legitimate Interests Assessment (LIA) and document it.

Legal obligation (Article 6(1)(c)): Some processing is required by law. Charities working with children or vulnerable adults must conduct DBS checks — the legal framework mandating this check provides part of the lawful basis.

Consent (Article 6(1)(a)): For processing that is genuinely optional — sending the volunteer your fundraising newsletter, sharing their photo on social media, adding them to an alumni contact list after they leave — explicit consent is appropriate.

DBS Checks: Criminal Conviction Data Under Article 10

The Disclosure and Barring Service check is one of the most sensitive data types in volunteer management. DBS results contain information about criminal convictions, cautions, and — for enhanced checks — information held by police forces. This falls under Article 10 of GDPR, which restricts processing of criminal conviction data to specific circumstances.

In the UK, the Data Protection Act 2018 (DPA 2018) implements Article 10. Processing DBS data is only lawful if it is authorised by law or if you are acting under the control of official authority. For charities, this means:

  • You must have a legal obligation or power requiring or enabling the check
  • You should only obtain DBS certificates for roles where they are legally required or explicitly permitted
  • You must not make blanket DBS requests for roles that do not meet the eligibility criteria

Once you receive a DBS certificate, handling requirements are strict:

  • Do not photocopy DBS certificates (in most cases)
  • Do not store DBS certificate numbers unnecessarily — record the date, the type of check, and the outcome only
  • Delete records of DBS results when no longer required — typically when the volunteer leaves, unless legal obligations require longer retention

Health and Disability Data: Article 9 Special Category

Health information — including disability status, medical conditions, or information about mental health — is special category data under Article 9 of GDPR. This means it receives the highest level of protection, and processing it requires both a standard lawful basis (Article 6) and one of the specific conditions in Article 9(2).

In volunteer management, health information typically arises in two contexts:

Reasonable adjustments: If a volunteer discloses a disability or health condition to request adjustments to their role or working environment, you may need to record this to ensure appropriate support is provided.

Emergency health information: Some organisations ask volunteers to disclose medical conditions that might be relevant in an emergency (severe allergies, epilepsy, diabetes requiring insulin). This falls under Article 9 and requires explicit consent.

Practical requirements:

  • Collect health information separately from general volunteer records
  • Restrict access to those who need to know (role coordinators, first aiders, safeguarding leads)
  • Do not retain health information longer than necessary
  • Provide a clear mechanism for volunteers to withdraw consent or update their information
  • Never make volunteering conditional on disclosing non-essential health information

Emergency Contact Data: Third-Party Data and the Consent Gap

Emergency contact information — a partner's name and mobile number, a parent's details — is personal data about a third party. The volunteer has provided it, but the person it describes has not consented to being in your database.

The ICO's guidance acknowledges the practical difficulty and permits an indirect approach: state in the volunteer's own privacy notice that the emergency contact's details will be held, and ask the volunteer to inform their emergency contact.

Key rules:

  • Emergency contact data should be used only for emergencies — never for marketing or other communications
  • When a volunteer leaves, emergency contact data should be deleted promptly

Volunteer Management Platforms as Data Processors

Many charities use digital platforms to manage scheduling, communications, training, and records. Common tools include Better Impact, VolunteerHub, Galaxy Digital, Rosterfy, and Assemble. When you use these platforms, the provider becomes a data processor under GDPR.

This means you must:

  • Have a written Data Processing Agreement (DPA) with every platform you use
  • Confirm that the platform processes data only on your instructions
  • Check where data is stored — US-based storage requires additional safeguards (Standard Contractual Clauses)
  • Include the platform in your Record of Processing Activities

Photography and Social Media: Consent Requirements

Photographs of volunteers are personal data. You cannot publish photographs of volunteers without their consent:

  • Obtain explicit written consent before taking or using photographs for publications or social media
  • Be specific about how photos will be used — consent for an internal newsletter does not extend to public Instagram posts
  • Allow volunteers to withdraw consent at any time
  • Children volunteering or attending events require parental consent for any photography

Data Retention After Volunteering Ends

GDPR's storage limitation principle requires that personal data is not kept longer than necessary. A proportionate retention framework:

| Data Type | Suggested Retention Period |
|---|---|
| Basic contact details | 6–12 months after leaving |
| Training records | 3–6 years |
| DBS check records | 6 months after leaving (date & outcome only) |
| Health information | Delete on leaving |
| Emergency contact details | Delete on leaving |
| Expense claim records | 6 years (HMRC) |
| Safeguarding incident records | As required by law |

Compliance Checklist

Small volunteer-run groups:

  • [ ] Privacy notice available to all volunteers before collecting data
  • [ ] Lawful basis documented for each category of data
  • [ ] Volunteer data stored securely
  • [ ] Emergency contact data used only for emergencies and deleted on leaving
  • [ ] No DBS checks for ineligible roles
  • [ ] Photographs only published with explicit consent
  • [ ] Process in place for data subject access requests within 30 days

Larger charities (all of the above, plus):

  • [ ] Formal RoPA documenting all volunteer data processing
  • [ ] DPAs in place with all volunteer management platforms
  • [ ] Designated Data Protection Lead aware of volunteer data obligations
  • [ ] Privacy Impact Assessment for DBS processing and health data
  • [ ] Staff trained on GDPR responsibilities
  • [ ] Formal data retention schedule implemented and enforced
  • [ ] Annual compliance review of volunteer data practices

Getting Started

One of the most common compliance failures is organisations not knowing what data they actually hold or where it lives. Before you can build a compliant volunteer data programme, you need visibility.

Custodia's free website scanner gives charities and community organisations an immediate view of what personal data their website is collecting and processing — a useful starting point for any compliance review. No account required.


This guide is for informational purposes only and does not constitute legal advice. Consult a qualified privacy lawyer for advice specific to your situation.
