
Data Protection and Compass

For information about the new General Data Protection Regulations 'GDPR' coming into force on 25th May 2018 please see here.

Reference to a County also refers to an Area in Wales and a Region in Scotland.

1. What is Data Protection and why is it relevant to Scouting?

Data protection aims to protect an individual's rights to privacy by regulating how organisations obtain, store and use their personal data. So, data protection rules provide individuals with certain rights whilst also imposing certain duties and obligations on organisations. Young people and adults have the same data protection rights under the law. Data protection is governed by the Data Protection Act 1998 ('DPA'), which is overseen and regulated by the Information Commissioner's Office (ICO).

Data protection law applies to The Scout Association as well as all Scout Units (i.e. Groups, Districts, Counties or Countries) which are each created and operate as independent charities and are likely to collect and store personal data about members and perhaps other individuals involved with the unit. Scout Units must comply with the DPA when using the Association's Membership System 'Compass'. Please see POR Chapter 14 Rules 14(11) and (12).

The Scout Association provides guidance and best practice to help members meet their data protection obligations.

The Information Commissioner also provides general guidance on how to comply.

2. What is a Data Controller and how is this relevant to Scouting?

Please also refer to Question 1.

The Scout Association and Scout Units (i.e. Groups, Districts, Counties or Countries), as separate charities/organisations, are each Data Controllers under the Data Protection Act (DPA). Each is responsible for the personal data it handles. Scout Executive Committees, as the charity trustees, are responsible for ensuring that proper systems are in place locally for their relevant Group, District, County or Country and that any personal data is collected, managed, shared, kept and generally handled locally in compliance with the DPA.

The same applies to The Scout Association's Board of Trustees who, as charity trustees, are responsible for ensuring that proper systems are in place for The Scout Association. Scout Units must comply with the DPA when using The Scout Association's Membership System 'Compass'.

Please see Question 1 above for links to the POR and the guidance available to Scout Units.

3. Who is the Data Controller for data for Compass?

With regard to personal data stored on Compass, The Scout Association is a Data Controller in Common with Groups, Districts, Counties and Countries. Data Controllers in Common may each use and access a shared database but each remains responsible for the personal data within its own control and capacity. Accordingly, Scout Units (Groups, Districts, Counties or Countries) remain responsible for ensuring that their handling of personal data locally is in compliance with the DPA and POR (which includes uploading and maintaining such data onto Compass) and The Scout Association remains responsible for ensuring that its handling of personal data nationally is also in compliance with the DPA and POR (including its particular responsibilities for data held on Compass).

Whilst the general data protection responsibilities of both parties towards the data it handles are similar in nature, there are differences according to the level of control each has over the data e.g. whilst The Scout Association will not be responsible for how personal data is handled locally, likewise, Groups, Districts, Counties or Countries will not be responsible for the technical or security aspects of Compass which are not within their control.

4. Does the Group need to register as a Data Controller with the Information Commissioner's Office (ICO)?

As smaller 'not-for-profit' organisations, Groups, Districts and Counties do not have to register provided they do not hold personal data about anyone other than members or others directly connected to the Group, District or County.

However, they are still subject to the rules of the DPA. As a larger organisation, The Scout Association Headquarters is registered as a Data Controller with the ICO.

Please see Question 1 above for links to the relevant sections of POR and the guidance available to Scout Units.

5. What will the data held on Compass be used for?

The data held on Compass will be used for Scouting membership purposes only. It will enable the local Scout Units (Groups, Districts, Counties) to manage scouting and will also enable an annual census to be undertaken, which can be used both locally by Groups, Districts, Counties/Areas/Regions and nationally to look at trends and to identify areas for development locally and nationally.

Compass has been developed to save you time and help make all your Scout administration easier to manage. It has also been developed to help you keep your Scout records and data held on young people, parents and adults safe, and is compliant with the Data Protection Act.

6. How can Members manage the marketing and communications they receive?

Members can manage how their personal information is used for certain communications from The Scout Association. They can control what communications content they receive by logging into their account via the Compass website and selecting the Communications Preferences section on their Profile.

This ability to manage how their personal information is used only applies to marketing-led content. The Scout Association and a Member's local Scout unit will send Members communications about Scouting relevant to their role or association with Scouting. The communication will contain essential information and will not contain marketing content.

7. Who is responsible for the accuracy of information held on Compass?

Adult members are responsible for maintaining their own data e.g. name, address, contact details either directly or via a nominated individual. Certain other data may only be updated/maintained by authorised persons e.g. roles, training records, permits etc. All membership data should be checked as regularly as possible to ensure it is correct and factually accurate and must, in any event, be checked on an annual basis.

Guidance about the Data Protection Act (DPA) from the Information Commissioner's Office (ICO) states that it may be impractical to check the accuracy of personal data someone else provides. In recognition of this, the DPA says that even if you are holding inaccurate personal data, you will not be considered in breach as long as:

When assessing what might be 'reasonable steps' the ICO notes that this will depend on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort you should put into ensuring its accuracy.

Therefore the DPA recognises that a risk-based approach to ensuring the accuracy of personal data should be adopted, and this is reflected in the POR requirements.

8. Will The Scout Association perform data quality cleansing on Compass at HQ?

In addition to a Member's responsibility to keep their own data for which they are responsible up-to-date, The Scout Association will annually run a set of general data cleansing routines dealing with issues such as duplication, addressing search returns which indicate that a member is 'no longer at' or has 'gone away' from the recorded address etc.

9. Does the Adult Information Form need to be signed before we can upload that information on Compass?

There are two methods of uploading the information onto Compass: directly online with the applicant present or by transferring information from the paper form onto Compass. The paper forms should be filled out with the applicant present. Whilst these paper forms are not intended to be retained, the member's signature provides surety to the person inputting the information onto Compass (who may be a different person from the member who helped the new adult complete the form) that the information has been provided by the new adult and of their understanding that the information will be uploaded onto Compass. In all cases, the person uploading the information onto Compass must make sure the applicant understands everything on the Form and what is being asked.

11. Do we need to keep the Information Forms after the information has been uploaded onto Compass?

No, the forms are not intended to be retained. They should be kept securely at all times whilst being used and also securely disposed of/destroyed after use.

12. Is there any data protection training available for leaders before they have to use Compass?

Compass has been designed to provide technical controls in line with the requirements of the Data Protection Act, and all users are provided with guidance on how to use the controls and functionality of Compass, which also deliver data protection compliance. Further guidance is also being developed based on the questions frequently being asked. The Scout Association regularly reviews member needs, and will continue to do so, and provides necessary further guidance. One area that is currently being assessed is the need for, and development of, a suitable toolkit for local Scout Units to help them self-assess their current approach. These measures are in addition to the general data protection training covered as part of the administration training, along with the many other administrative matters.

Additional specific, stand-alone, data protection training is not therefore necessary in order to use Compass.

Executive Committees have always been and will remain responsible for ensuring that proper systems are in place locally for DPA compliance, which includes ensuring that their personnel are reliable in handling personal data and are aware of their responsibilities.

Members should be directed to POR Chapter 14 Rules 14 (11) and (12). Please see Question 1 above for links to the POR and the guidance available to Scout Units.

13. Who has access to view or download a Group's data once loaded onto Compass?

Only members with suitable authorisation have access to member data which is relevant to their role in Scouting. For example, a Section leader only sees the data for the adults in their section and a District Commissioner will only see the data for adults within the District etc. At HQ, only authorised staff have access to membership data as required by their role for HQ administration purposes.

14. Are there any special circumstances where access to Member data can be restricted e.g. vulnerable adults, or those who may be involved in cases of domestic violence or others who have good reason to keep their details private?

Compass allows for exceptions to be made e.g. adult members who are suspended, in which case their personal details will be visible only to a very small select group of people with special roles, e.g. the safeguarding team. Other exceptions may also be possible dependent on the circumstances. These restrictions can be set by speaking with The Scout Association HQ to discuss the situation.

15. Am I allowed to download the personal details of members for taking to a camp or for any other purpose and what should I do to comply with data protection requirements?

Provided you have the relevant authorisation, you can download details of members for taking to camp etc.

You must then follow any data protection requirements, guidance or processes established by your Scout Unit to handle the downloaded information in accordance with the Data Protection Act. For example, the information should only be kept for the required purpose and time, after which it must be securely destroyed i.e. after the end of the camp or event.

16. Can a Member's data be shared with third parties in an emergency such as a doctor or hospital i.e. providing address, date of birth, GP's name and any medical information?

The Data Protection Act enables the sharing of sensitive personal information in the event of an emergency - i.e. where the sharing is necessary in order to protect the 'vital interests' of the person.

You must follow any data protection requirements, guidance or processes established by your Scout Unit to ensure such sharing is done in accordance with the Data Protection Act. For example, the sharing must be done securely, and only the information required to assist with the emergency should be shared.

17. Where is the data held?

The data is held in the UK.

18. Is data on Compass secure?

The Scout Association treats the safety and security of its member data as a main priority. For these reasons The Scout Association has spent considerable time and funds designing and testing Compass to ensure that data is held securely in accordance with the Data Protection Act and industry standards. The two external companies contracted to host Compass both comply with international data security standards and, where applicable, are certified by the BSI (British Standards Institute) and have all achieved International Organization for Standardisation (ISO) certification status. The Scout Association has also employed highly regarded contractors to ensure compliance with data protection legislation, and also ensures that the system undergoes regular security testing.

The system has been designed to restrict access at different levels of the database to those that have authorisation to use it. The hierarchy of Scouting is reflected in the authorisation matrix and we have an inbuilt audit trail for all transactions so that users and their use can be identified. Every adult with a leadership role, and hence with access authorisation rights within Compass, would have gone through a stringent appointment process and will be subject to the Policy, Organisation and Rules (POR) of the organisation, which lay down strict guidelines in respect of their use of the system and their duty to ensure compliance with data protection.


19. What precautions should I take when using Compass in different places e.g. in a public place, the office, at home or at a campsite?

Compass is a web-based membership system. It is therefore possible to access the system at any location with an internet connection. The following guidance highlights some simple security points that must be followed when accessing Compass:

1. In public places

For example, an internet café or on public transport and at the campsite.

  • Avoid accessing Compass in a public place if possible.
  • If you have to access Compass, always consider the volume and sensitivity of personal information you will be accessing.
  • Do not access sensitive personal information in a public place.
  • Always try and position yourself where you cannot be overlooked by other people.
  • Always log out and lock the screen if you leave your device unattended for any period of time.
  • Use a privacy screen to reduce the likelihood of someone being able to view your screen.

2. In the office/your place of work

  • Consider the office layout. Ensure you cannot be overlooked by colleagues or guests from a public reception area, walkways or areas where staff congregate, such as a canteen or water cooler.
  • Always lock the screen if you leave your device unattended for any period of time.

3. At home

  • Always try and position yourself where you cannot be overlooked by family members or visitors.
  • Ideally you should access Compass when in a room or area of the house that is not in use by family or guests at the time.
  • Always log out and lock the screen if you leave your device unattended for any period of time.

20. What if there's a data breach?

The Information Commissioner's Office (ICO), which regulates data protection in the UK, provides guidance as to the procedures in the event of a security breach which will be followed by The Scout Association.

This guidance should also be followed by Scout Units (Groups, Districts, Counties and Countries) who, as part of their responsibilities for data protection awareness, should incorporate these into their general handling of the personal data they are responsible for. The guidance deals with the 4 main elements of a security breach i.e.:

1. Containment and recovery

2. Assessment of ongoing risk

3. Notification of breach (e.g. informing people and/or organisations including, where necessary, the ICO)

4. Evaluation and response

View this guidance online.

To ensure consistency, any actual or potential data breach concerning the use of Compass should be reported to The Scout Association HQ.

21. How long is personal data to be retained?

In line with Data Protection requirements, The Scout Association will only retain personal data for as long as it is required for membership purposes. The retention period will need to take into consideration any official statutory guideline/requirements deemed applicable.

At present and especially in light of general safeguarding concerns, The Scout Association is in the process of consulting with a number of agencies with regard to the relevant guidelines in order to finalise its retention policy in this regard. However, it is important to note that when a person's membership ends, their role will be closed on Compass and their data archived so that it will no longer be accessible online. This data will only be accessible by a few authorised members of staff.

If a person re-joins Scouting in the future, their membership data will be reactivated and again be accessible in accordance with the hierarchy settings set on Compass.

22. Can a Group keep historical Member data locally for archive or statistical purposes?

Whilst personal data should only be retained until no longer required and also kept up-to-date, the Data Protection Act (DPA) does enable the retention and use of personal information for statistical and research purposes if certain criteria and rules are followed.

Compass can produce certain statistical data. Scout units may retain records simply for statistical/archive purposes and the Data Protection Act (DPA) states that personal data held for these purposes may be kept indefinitely as long as it is not used in connection with decisions affecting particular individuals or in a way that is likely to cause damage or distress. This does not mean that the information may be kept forever as it should be securely and safely deleted/destroyed when it is no longer needed for those historical, statistical or research purposes. If you are retaining records for archive or statistical purposes you must ensure that the data is kept very securely.

23. Who is responsible for responding to Subject Access Requests?

A Subject Access Request (SAR) is when a person requests a copy of all their personal data from either The Scout Association Headquarters or a Scout Unit (i.e. Group, District, County or Country), under the Data Protection Act (DPA). As the DPA applies to both The Scout Association Headquarters as well as Scout Units (as each is created and operates as an independent charity in its own right), each must comply with any SAR it receives.

Of course, whilst the data held on Compass will be the same for both HQ and the Scout Unit, each may also hold certain other information which may also need to be disclosed e.g. emails, letters, reports etc. Guidance about how to respond to an SAR can be found online.

 

© Copyright The Scout Association 2017. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW