We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Disclosures Compass POL Print Centre

Subject Access Requests

The new General Data Protection Regulations (GDPR) coming into force on 25th May 2018.

Please see further guidance on GDPR here.

The following is provided by way of general advice.

For more detailed explanation and guidance please refer directly to the Information Commissioner's Office (ICO) website.

Subject Access Request (SAR)

When a person requests a copy of all their personal data from either The Scout Association UK Headquarters or a Scout Group, District, County/Area/Region, then they are in effect making a Subject Access Request (SAR) under the Data Protection Act 1998, which provides rules as to how an SAR must be complied with. As the Data Protection Act 1998 applies to both The Scout Association UK Headquarters as well as local Scouting (as each Scout Group, District, County/Area/Region is created and operates as an independent charity in its own right) both must comply with SAR's.

The following is provided as guidance on how to respond and comply with an SAR and for more detailed explanation, please refer to the ICO website.

The Data Protection Act 1998 allows an organisation to charge a maximum £10 Subject Access Fee to process a SAR request. As The Scout Association is a charitable organisation, in order to cover some of its administrative costs, UK Headquarters charges £10 for providing a SAR. It is recommended that local Scouting, which all also operate as individual charities, also charge the £10 fee in order to assist towards their administrative costs.

A request for a SAR should be made in writing and the deadline for compliance is 40 days commencing from receipt of any SAR Fee applicable.
(It is important to note that the Data Protection Act 1998 rules do not apply to individuals collecting information solely for their own domestic and household affairs eg an address book or solely for research, journalistic, artistic or literary purposes and also that the subject will not be requesting information under the Freedom of Information Act (FOI) (which they may sometimes believe): the FOI applies to Public Authorities and does not apply to The Scout Association UK Headquarters or local Scouting).

When your Scout Group, District, County/Area/Region receives a SAR these are the steps to take.

1. Has the request for the SAR been made in writing and the procedure been sent to the subject?

If a verbal request for an SAR is received, you should request that the request is put in writing to you to keep an audit trail (email is acceptable) and you should also request the subject to provide any other information you may need in order to verify their identity e.g. copy passport, driving licence, utility bill. You need to ensure that the person making the request is the correct person.

You should also request the Subject Access Fee (maximum £10), if this is being charged. We suggest that responses to initial requests are dealt with as soon as possible and within five days of receiving the initial query.

The following example letter can be used in order to respond to a request and which can be amended according to what is required in your circumstances:

Dear xx

Re: Subject Access Request (SAR)

Further to your request under the Data Protection Act regarding personal data about you held by the 'xx' Scout Group/District/County/Area/Region (delete as appropriate), can you please send us the following (delete from list as appropriate):

  1. Your request in writing
  2. Copies of your XX and XX in order to verify your identity;
  3. The £10 Subject Access Fee (Please make cheques payable to 'xx' and send to the address provided below).

By way of reassurance, once we have received the fee, we will endeavour to process your request as soon as we are able but, in any event, within 40 days thereafter in accordance with statutory period. We look forward to receiving the said fee and progressing the matter.

Yours sincerely

xx

On behalf of the xx (Scout Group/District/County/Area/Region)
(provide an address also)


2. Wait for the Subject Access Fee to arrive

On the date of arrival, check the 40 day period - including weekends - starting from the date the Subject Access Fee has been received (i.e. do not wait for a cheque to clear). The final day of the 40 day period represents the deadline by which time the SAR must be received by the subject (not sent by the Scout Group, District, County/Area/Region - so take account of postage time and any double-checking time). To ensure delivery and security as much as possible, SAR disclosures should be sent by Special Delivery 'next day' and the receipt retained`.


3. Compliance with SAR

For more detailed information and advice please visit the ICO website.

The ICO also operate a helpline which you can use to ask about general information/questions (you do not have to identify yourself or the organisation you are calling from). Please also let us know if you have any queries. The following is a brief guide only.

a) What is personal data?

A SAR only applies to 'personal data'. This is any information held about the subject whereby the subject can be identified from the information. Names, addresses or specific roles are obvious ways of identifying individuals but they can also be identified in photos or CCTV images.

A mere passing reference to an individual is not necessarily classed as personal data e.g. the Minutes of a meeting will not be considered personal data about those attending in general. However, if an individual was specifically discussed and is identifiable from the Minutes, then the Minutes will be 'personal data' about that individual.

b) What kind of records does data protection apply to?

The rules apply particularly to computer or automated records (including email) but can also apply to manual records which enable information about a particular individual to be easily retrieved e.g. filed by the name or role. Due to the nature of Scouting, deciding what information is relevant can be tricky, however, we would advise that the rules will apply to data regarding the subject held by the Scout Group, District, County/Area/Region itself and also shared by the Executive Committee members either between themselves or with others.

Please note, the rules only apply to information actually held: it may be that certain information has been destroyed/deleted locally as should be normal practice when it is no longer required. Examples of automated records include:
• Computer files - files stored on removable storage devises, CD-Roms, DVDs, hard disks, back-up files, emails
• Audio/Video - CCTV, webcam images,
• Digitalised images - scanned photos, digital camera
Examples of manual records include:
• Files - on volunteers, young people, employees
• Index systems - names, addresses, other details
• Microfiche records - containing personal data

c) What data can be withdrawn or redacted (i.e. deleted) when disclosing the SAR to the subject and how?

There are exemptions to disclosure but, in the main, these are very specific and tend to apply to particular cases e.g. confidentiality of police investigation or certain HR records. It is quite rare for exemptions to apply more generally and decisions must be made on a carefully considered discretionary basis, which can be justified. Also, when they do apply this does not necessarily mean that a whole document is exempt eg the exemption could apply to a part or parts of a document too. Please see the ICO website for further explanation and to see whether any exemptions may apply.

Redactions/deletions of exempt or third party data should be deleted using a black pen or white corrector tape and the subject should be sent photocopies of the redacted documents (not the originals) so that any redaction data cannot be deciphered by close inspection or by removing the corrector tape.

Practical guidance on redacting information in documents can be found here.

 

CEOP
© Copyright The Scout Association 2018. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW