We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Disclosures Compass POL Print Centre

Data protection and Subject Access Requests (part one)

For information about the new General Data Protection Regulations 'GDPR' coming into force on 25th May 2018 please see here .

The following is provided by way of general advice

For more detailed explanation and guidance please refer directly to the Information Commissioner's Office website at: ico.gov.uk.

Please also see Data protection and Scouting.

Subject Access Request (SAR)

When a person requests a copy of all their personal data from either TSA Headquarters or a Scout Unit, then they are in effect making a Subject Access Request (SAR) under the Data Protection Act (DPA), which provides rules as to how an SAR must be complied with. As the DPA applies to both TSA Headquarters as well as Scout Units(as each is created and operates as an independent charity in its own right) both must comply with SAR's.

The following is provided as guidance on how to respond and comply with an SAR and for more detailed explanation, please refer to the ICO website.
The DPA allows an organisation to charge a maximum £10 Subject Access Fee to process an SAR request. As the Association is a charitable organisation and thus in order to cover some of the administrative costs, this is the fee which Headquarters charges. It is recommended that scout units, which all also operate as individual and separate charities in their own right, also charge the maximum £10 fee in order to assist towards their administrative costs.

A request for an SAR should be made in writing wherever possible and the deadline for compliance is 40 days commencing from receipt of an SAR or, where charged, receipt of the Subject Access Fee.

(It is important to note that the DPA rules do not apply to individuals collecting information solely for their own domestic and household affairs eg an address book or solely for research, journalistic, artistic or literary purposes and also that the subject will not be requesting information under the Freedom of Information Act (FOI) (which they may sometimes believe): the FOI applies to Public Authorities and does not apply to TSA Headquarters or Scout Units).

The steps to take are below.

1. Have you requested the SAR in writing and the fee?

If a verbal request for an SAR is received, you should request that the request be put in writing to you (email will suffice) and for the subject to provide any other information you may need in order to verify their identity.

You should also request the Subject Access Fee (maximum £10), if this is being charged. We suggest that responses to initial requests are dealt with as soon as possible and within five days of receiving the initial query.

The following example letter can be used in order to respond to a request and which can be amended according to what is required in your circumstances:

Dear xx

Re: Subject Access Request (SAR)

Further to your request under the Data Protection Act regarding personal data about you held by the 'xx' Scout Unit, can you please send us the following (delete from list as appropriate):

  1. Your request in writing
  2. Copies of your XX and XX in order to verify your identity;
  3. The £10 Subject Access Fee (Please make cheques payable to 'xx' and send to the address provided below).

By way of reassurance, once we have received the fee, we will endeavour to process your request as soon as we are able but, in any event, within 40 days thereafter in accordance with statutory period. We look forward to receiving the said fee and progressing the matter.

Yours sincerely

xx

On behalf of the xx (Scout Unit)

(provide an address also)

2. Wait for the cheque to arrive

On date of arrival, check the 40 day period - including weekends - starting from the date cheque was received (i.e. do not wait for the cheque to clear). The final day of the 40 day period represents the deadline by which time the SAR must be received by the requester (not sent by the Scout Unit - so take account of postage time and any double-checking time). We advise, sending the SAR by Special Delivery 'next day'.

3. Compliance with SAR

For more detailed information/Advice please visit the ICO website.

The ICO also operate a helpline which you can use to ask about general information/questions (you do not have to identify yourself or the Scout Unit). Please also let us know if you have any queries. The following is a brief guide only.

a) What is personal data?

A SAR only applies to 'personal data'. This is any information held about the subject whereby the subject can be identified from the information. Names, addresses or specific roles are obvious ways of identifying individuals but they can also be identified in photos or CCTV images.

A mere passing reference to an individual is not necessarily classed as personal data e.g. the Minutes of a meeting will not be considered personal data about those attending in general. However, if an individual was specifically discussed and is identifiable from the Minutes, then the Minutes will be 'personal data' about that individual.

b) What kind of records does data protection apply to?

The rules apply particularly to computer or automated records (including email) but can also apply to manual records which enable information about a particular individual to be easily be retrieved e.g. filed by the name or role. Due the nature of scouting, deciding what information is relevant can be tricky, however, we would advise that the rules will apply to data regarding the subject held by the scout unit itself and also shared by the Executive officials either between themselves or with others.

Please note, the rules only apply to information actually held: it may be that certain information has been destroyed/deleted locally as should be normal practice. Examples of automated records include:

Examples of manual records include: Data protection and subject access requests (part two)

 

CEOP
© Copyright The Scout Association 2017. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW