This policy is directly cascaded down from that of the Scout Association nationally, and is modified appropriately for local use at District level.
Introduction – Privacy and data protection as a key policy for Scouting
The Scout Association’s commitment to protecting privacy and data protection has been adopted as a key policy for Scouting. This key policy underpins both this Data Protection Policy and other associated policies used by The Scout Association, local Scouting and its membership. It is important to note that as Data Controllers, local Scout Groups, Districts, Counties/Areas/Regions and Countries are directly responsible for any personal data they process and must therefore ensure that they are aware of their responsibilities under the law.
Purpose of this Data Protection policy and what it covers
This policy sets out East Surrey District’s approach to protecting personal data and explains your rights in relation to how we may process personal data. More detail in respect of how TSA and local Groups may process and protect your data is provided below.
If you have any queries about anything set out in this policy or about your own rights, please write to the Data Protection Officer (Black Penny Consulting) at Gilwell Park, Chingford, London E4 7QW or via email at Enquiries.firstname.lastname@example.org.
The Scout Association may require that we update this policy from time to time in minor respects, although we will make sure that any substantial or significant changes will be notified to you directly.
Some Important Definitions
‘We’ means East Surrey District Scouts.
‘TSA’ means The Scout Association.
‘ICO’ is the Information Commissioner’s Office, the body responsible for enforcing data protection legislation within the UK and the regulatory authority for the purposes of the GDPR.
‘Local Scouting’ and ‘Scout unit’ mean Scout Groups, Districts, Counties, Areas, Regions (Scotland) or Countries.
‘Processing’ means all aspects of handling personal data, for example collecting, recording, keeping, storing, sharing, archiving, deleting and destroying it.
‘Data Controller’ means anyone (a person, people, public authority, agency or any other body) which, on its own or with others, decides the purposes and methods of processing personal data. We are a data controller insofar as we process personal data in the ways described in this policy.
‘Data processor’ means anyone who processes personal data under the data controller’s instructions, for example a service provider. We as a District act as a data processor in certain circumstances.
‘Subject Access Request’ is a request for personal data that an organisation may hold about an individual. This request can be extended to include the deletion, rectification and restriction of processing.
‘Compass’ is The Scout Association’s web-based membership system. Local Scouting must comply with the Data Protection Act 1998 and the GDPR when using The Scout Association’s Membership System Compass.
What is personal data?
Personal data means any information about an identified or identifiable person. For example, an individual’s home address, personal (home and mobile) phone numbers and email addresses, occupation, and so on can all be defined as personal data.
Some categories of personal data are recognised as being particularly sensitive (“sensitive personal data”). These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic and biometric information, and data concerning a person’s sex life or sexual orientation.
How does data protection apply to local Scouting?
Data protection legislation applies to all data controllers regardless of whether they are charities or small organisations. It applies to local Scouting in the same way as it does to other organisations. Scout units are created and run as independent charities and insofar as they collect and store personal data about members and young people, for example, they are data controllers and must adhere to the law.
Each Scout Group should have its own data protection policy and is expected to state that it adheres to this policy.
What type of personal data do Scout Groups and the District collect and why?
Members and volunteers
The District and its Groups benefit from the service of a large number of members giving their time to Scouting. TSA may hold personal data (including sensitive personal data) about members and volunteers on the COMPASS membership database. It is important to be open and transparent about how this personal data may be used. Information TSA may hold includes the following:
- name and contact details
- length and periods of service (and absence from service)
- details of training you receive
- details of your experience, qualifications, occupation, skills and any awards you have received
- details of Scouting events and activities you have taken part in
- details of next of kin
- age/date of birth
- details of any health conditions
- details of disclosure checks
- any complaints we have received about the member
- race or ethnic background and native languages
TSA and East Surrey District need this information to communicate with you and to carry out any necessary checks to make sure that you can work with young people. We also have a responsibility to keep information about you, both during your membership and afterwards (due to our safeguarding responsibilities and also to help us if you leave or re-join).
NB this information will be held for uniformed young people (that is, persons under 18) by the individual Scout Groups within the District. Only in the context of District level residential events will this information for young people (under 18) fall under the responsibility of East Surrey District.
Conditions for collecting personal data
Keeping to the law
We must keep to the law when processing personal data. To achieve this, we have to meet at least one of the following conditions:
- you have to give (or have given) your permission for us to use your information for one or more specific purposes
- we need to process the information to meet the terms of any contract you have entered into
- processing the information is necessary to keep to our legal obligations as data controller
- processing the information is necessary to protect your vital interests
- processing the information is necessary for tasks in the public interest or for us as the data controller to carry out our responsibilities
- processing the information is necessary for our legitimate interests (see below)
Also, information must be:
- processed fairly and lawfully
- collected for specified, clear and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- processed securely
Information that we share
We may have to share your personal data within appropriate levels of the Association and with local Scouting, as long as this is necessary and directly related to your role within Scouting. TSA and we in East Surrey do not share personal data with companies, organisations and people outside the Association, unless one of the following applies:
- We have clear permission from you to do so.
- If we have to supply information to others (for example payroll providers) for processing on our behalf. We do this if we are asked, and we make sure that they are keeping to the GDPR and have appropriate confidentiality and security measures in place.
- For safeguarding young people or for other legal reasons.
Keeping personal data secure
Everyone who handles personal data should make sure it is held securely to protect against unlawful or unauthorised processing and accidental loss or damage. TSA and local Scouters will take appropriate steps to make sure we keep all personal data secure, and we make sure all of our uniformed leaders are aware of these steps, including keeping to our internal information and computing technology (ICT) policy. In most cases, personal data must be stored in appropriate systems and encrypted when taken off-site. The following is general guidance for everyone working within Scouting, including staff, members and volunteers in local Scouting.
- You must only store personal data on networks, drives or files that are password protected and regularly backed up.
- You should have proper entry-control systems in place, and you should report any stranger seen in entry-controlled areas.
- You should keep paper records containing personal data secure. If you need to move paper records, you should do this strictly in line with data protection rules and procedures.
- You should not download personal data to mobile devices such as laptops and USB sticks unless absolutely necessary. Access to this information must be password protected and the information should be deleted immediately after use.
- You must keep all personal data secure when travelling.
- Personal data relating to members and volunteers should usually only be stored on the membership database or other specific databases which have appropriate security in place.
- When sending larger amounts of personal data by post, you should use registered mail or a courier. Memory sticks should be encrypted.
- When sending personal data by email this must be appropriately authenticated and password-protected. Do not send financial or sensitive information by email unless it is encrypted.
- You should not share your passwords with anyone.
- Different rights of access should be allocated to users depending on their need to access personal or confidential information. You should not have access to personal or confidential information unless you need it to carry out your role.
- Before sharing personal data with other people or organisations, you must ensure that they are GDPR compliant.
- In the event that you detect or suspect a breach you should follow your defined breach response process.
All Scout Association adult members undertake regular training to ensure that they are aware of the above rules.
We expect our trustees, volunteers, members and any providers we may use to keep to the guidelines as set out in our Data Policy and under ICO and GDPR guidance when they are using or processing personal data and other confidential or sensitive information. This is set out more clearly below.
Volunteers, members and local Scouting
We expect volunteers to keep to data protection legislation and this data protection policy, and to follow the relevant rules set out in the Scout Association’s Policy, Organisation and Rules (POR).
The District Executive committee and local Group Executive Committees have overall responsibility for keeping to data protection regulations.
As part of your data protection duties, you should report to the appropriate executive committee any instance where the rules are broken (or might be broken) on how personal data is handled.
TSA may keep information for different periods of time for different purposes as required by law or best practice.
As far as membership information is concerned, to make sure of continuity (for example if you leave and then re-join) and to carry out our legal responsibilities relating to safeguarding young people, we keep your membership information throughout your membership and after it ends, and we make sure we store it securely.
Only those volunteers who need membership information (the DC and above, the ADCs, the Appointments Secretary and the Local Training Manager and Administrators) have access to that information to carry out their role.
Rights to accessing and updating personal data
Under data protection law, individuals have a number of rights in relation to their personal data.
- The right to information: As a data controller, we must give you a certain amount of information about how we collect and process information about you. This information needs to be concise, transparent, understandable and accessible.
- The right of subject access: If you want a copy of the personal data we hold about you, you have the right to make a subject access request (SAR) and get a copy of that information within 30 days.
- The right to rectification: You have the right to ask us, as data controller, to correct mistakes in the personal data we hold about you.
- The right to erasure (right to be forgotten): You can ask us to delete your personal data if it is no longer needed for its original purpose, or if you have given us permission to process it and you withdraw that permission (or where there is no other lawful basis for processing it).
- The right to restrict processing: In certain circumstances where, for lawful or legitimate purposes, we cannot delete your relevant personal information, or if you do not want us to delete it, we can continue to store it for restricted purposes. This is an absolute right unless we have a lawful purpose to have it that overrides your rights.
- The obligation to notify relevant third parties: If we have shared information with other people or organisations, and you then ask us to rectify it, erase it or restrict its processing (the three rights listed immediately above), as data controller we must tell the other person or organisation (unless this is impossible or involves effort that is out of proportion to the matter).
- The right to data portability: This allows you to transfer your personal data from one data controller to another.
- The right to object: You have a right to object to us processing your personal data for certain reasons, as well as the right to object to processing carried out for profiling or direct marketing.
- The right to not be evaluated on the basis of automatic processing: You have the right not to be affected by decisions based only on automated processing which may significantly affect you.
- The right to bring class actions: You have the right to be collectively represented by not-for-profit organisations.
Subject access requests
You are entitled to ask us, in writing, for a copy of the personal data we hold about you. This is known as a subject access request (SAR). In line with legislation, we will not charge a fee for this information and will respond to your request within one month. The exception is where this is not possible or the request is deemed excessive, in which case we will contact you within the month of your making the SAR.
Our members or anyone else we hold personal data about can also ask for information from local Scouting. The relevant Scout unit, as data controller in their own right, must answer these requests. The Association nationally is not legally responsible for these local SARs but advises Scout units to respond to them in line with the law (that is, within the specified one-month time frame and without asking for a fee).
Further information and contacts
Subject access requests
Subject access requests for data held by East Surrey Scouts – as clearly distinct from data held by the Scout Association in the COMPASS database – can be made by writing to the District Commissioner.
Subject access requests for data held by individual Groups within East Surrey District should be made to the GSL or the group contact at each Group.
Contact details for the DC and the GSLs and group contacts can be found elsewhere on the District website.