We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Disclosures Compass POL Print Centre

Subject Access Requests

The new General Data Protection Regulations (GDPR) came into force on 25 May 2018.

Please see further guidance on GDPR here.

The following is provided by way of general advice.

For more detailed explanation and guidance please refer directly to the Information Commissioner's Office (ICO) website.

Subject Access Request (SAR)
When a person requests a copy of all their personal data from either The Scout Association UK Headquarters or a Scout Group, District, County/Area/Region, then they are in effect making a Subject Access Request (SAR) under the GDPR, which provides rules as to how an SAR must be complied with. As the GDPR applies to both The Scout Association UK Headquarters as well as local Scouting (as each Scout Group, District, County/Area/Region is created and operates as an independent charity in its own right) both must comply with SAR's.

The following is provided as guidance on how to respond and comply with a SAR and for more detailed explanation, please refer to the ICO website. The GDPR reverses the ability to charge a £10 Subject Access fee as a default unless the SAR is manifestly unfounded, excessive or repetitive. A request for a SAR can be made in writing or any other means the Data Subject choses as their preferred communication channel, (verbally for example), within reason. The deadline for compliance is one month commencing from receipt of the SAR request. This deadline can be extended if the SAR is complex or numerous to three months but the explanation for why needs to be communicated within the first month.

(It is important to note that the GDPR rules do not apply to individuals collecting information solely for their own domestic and household affairs e.g. an address book or solely for research, journalistic, artistic or literary purposes and also that the subject will not be requesting information under the Freedom of Information Act (FOI) (which they may sometimes believe): the FOI applies to Public Authorities and does not apply to The Scout Association UK Headquarters or local Scouting).
When your Scout Group, District, County/Area/Region receives a SAR the GDPR subject access request process for Executive Committees should be followed, this is part of the GDPR toolkit and can be found here.

Compliance with SAR
For more detailed information and advice please visit the ICO website.
The ICO also operate a helpline which you can use to ask about general information/questions (you do not have to identify yourself or the organisation you are calling from). Please also let us know if you have any queries. The following is a brief guide only.

a) What is personal data?
A SAR only applies to 'personal data'. This is any information held about the subject whereby the subject can be identified from the information. Names, addresses or specific roles are obvious ways of identifying individuals, but they can also be identified in photos or CCTV images.
A mere passing reference to an individual is not necessarily classed as personal data e.g. the Minutes of a meeting will not be considered personal data about those attending in general. However, if an individual was specifically discussed and is identifiable from the Minutes, then the Minutes will be 'personal data' about that individual.

b) What kind of records does data protection apply to?
The rules apply particularly to computer or automated records (including email) but can also apply to manual records which enable information about a particular individual to be easily retrieved e.g. filed by the name or role. Due to the nature of Scouting, deciding what information is relevant can be tricky, however, we would advise that the rules will apply to data regarding the subject held by the Scout Group, District, County/Area/Region itself and also shared by the Executive Committee members either between themselves or with others.

Please note, the rules only apply to information actually held: it may be that certain information has been destroyed/deleted locally as should be normal practice when it is no longer required. Examples of automated records include:
• Computer files - files stored on removable storage devises, CD-Roms, DVDs, hard disks, back-up files, emails
• Audio/Video - CCTV, webcam images,
• Digitalised images - scanned photos, digital camera
Examples of manual records include:
• Files - on volunteers, young people, employees
• Index systems - names, addresses, other details
• Microfiche records - containing personal data

c) What data can be withdrawn or redacted (i.e. deleted) when disclosing the SAR to the subject and how?
There are exemptions to disclosure but, in the main, these are very specific and tend to apply to particular cases e.g. confidentiality of police investigation or certain HR records. It is quite rare for exemptions to apply more generally and decisions must be made on a carefully considered discretionary basis, which can be justified. Also, when they do apply this does not necessarily mean that a whole document is exempt e.g. the exemption could apply to a part or parts of a document too. Please see the ICO website for further explanation and to see whether any exemptions may apply.


Redactions/deletions of exempt or third party data should be deleted using a black pen or white corrector tape and the subject should be sent photocopies of the redacted documents (not the originals) so that any redaction data cannot be deciphered by close inspection or by removing the corrector tape.
Practical guidance on redacting information in documents can be found here.

 

CEOP
© Copyright The Scout Association 2018. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW