We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Disclosures Compass POL Print Centre

Data protection, GDPR and Scouting

The new General Data Protection Regulations (GDPR) come into force on 25 May 2018.

Please see further guidance on GDPR here.

The Data Protection Act 1998 governs the collection, recording, storage, use and disclosure of personal data, whether such data is held electronically or in manual form. Young people have the same rights as adults under the Act, and the impact on Scouting is addressed below.

This page provides a general overview of the main ways in which data protection may be relevant to scouting. It is not intended as a detailed account and more information can be found from the Information Commission's Office (ICO) the independent governmental authority responsible for overseeing and regulating data protection. Further explanation/assistance can also be obtained by contacting the Legal Service Department at The Scout Association UK Headquarters.

Contents
1. What is 'Data Protection'?
2. What is 'Personal Data'?
3. What are the rules?
4. How does Data Protection apply to Scouting?
5. How Personal Data must be processed
6. Dealing with Subject Access Requests (SARs)

1. What is data protection?

Data protection aims to protect an individual's rights to privacy by regulating how organisations obtain, store and use their personal data. So, data protection rules provide individuals with certain rights whilst also imposing certain duties and obligations on organisations. Young people and adults have the same data protection rights under the law.

a) The Law and regulation
Data protection is governed by the Data Protection Act 1998 which is overseen and regulated by the ICO. Amongst other matters, the ICO:
• keeps a central record of those organisations that are formally registered with it;
• provides further guidance regarding particular issues e.g. marketing, fundraising etc. Interpretations and summaries of the law can all be found on the ICO website; and
• enforces the law through fines and prosecutions where applicable.

b) What records are subject to data protection?

The rules apply particularly to computer or automated records (including email) but also apply to manual records kept in such a way that specific information about a particular individual can easily be retrieved e.g. manual records filed by the name or role etc.

Examples of automated records include:
• Computer files- files stored on hard file or floppy discs, CD Roms, DVD's, hard disks, back-up files
• Audio/Video-CCTV, webcam images,
• Digitalised images- scanned photos, digital camera

Examples of manual records include:
• Files on employees, volunteers, young people
• Index systems names, addresses, other details
• Microfiche records- containing personal data

A mere passing reference to an individual is not necessarily classed as personal data e.g. the Minutes of a meeting will not be considered personal data about those attending in general. However, if an individual was specifically discussed and is identifiable from such discussion in the Minutes, then the Minutes will be personal data about that individual.

2. What is personal data?

This is any information held about a living individual who can be identified from the information itself or other information also held. Names, addresses or specific roles are obvious ways of identifying individuals but they can also be identified in photos or CCTV images.

There are special rules applying to 'Sensitive Personal Data' where extra care must be taken when handling or disclosing it to third parties.

Sensitive personal data
Personal data becomes sensitive if it includes information about:
a) Racial or ethnic origin;
b) Political opinions;
c) Religious beliefs;
d) Trade union membership;
e) Physical of mental health; or
f) Sexual life;
g) Commission of offences or alleged offences.

3. What are the rules?

The law states that when processing any personal data the Data Controller must apply 8 basic Data Protection Principles.

a) What is 'Processing'?

Processing has a wide meaning and includes all aspects of handling personal data e.g. from obtaining, recording, retaining (incl. editing and revising it), storing, sharing it to archiving and destroying it.

b) What is a Data Controller?
A Data Controller can be either individuals, organisations or other incorporated or unincorporated bodies of persons who determine what personal data is held, why it is held and how it is processed.

Data Controllers are responsible for ensuring compliance with data protection. An organisation can also designate a Data Protection Officer (DPO) to ensure compliance on its behalf but the Data Controller remains ultimately responsible.

The Data Protection Act 1998 also refers to a data processor who processes personal data on behalf of the data controller e.g. usually an external company or business. Although local Scout Groups, Districts, Counties/Areas/Regions are unlikely to use a data processor, however, if and when they do it is important to ensure a proper agreement is in place specifying the Data Controller's instructions and that the processing complies with the Data Protection Act 1998. This is because the Data Controller remains ultimately responsible for what the data processer does with the data.

c) What are the 8 basic principles?
The 8 basic principles address fairness, lawfulness, relevance, excessiveness, accuracy, up-to-datedness and security. Thus, when processing personal data, the Data Controller must ensure that the data is:
• Processed fairly and lawfully;
• Obtained for a specified and lawful purpose;
• Adequate, relevant and not excessive for purpose;
• Accurate and up-to-date;
• Kept only for as long as required;
• Processed in accordance with the data subjects rights;
• Be kept secure proportionately to the level of harm that could result if unauthorised access occurs;
• Not transmitted outside the European Economic Area (EEA) without consent from the data subject.

For a more detailed explanation of these principles please see the ICO website.

4. How does data protection apply to Scouting?

4.1. Does data protection apply to all local Scout Groups, Districts and Counties/Areas/Regions (Local Scouting)?
Data protection law applies in full to all local Scouting as it does to any form of organisation including public authorities, companies, businesses and other charities. Each Scout Group, District, County/Area/Region are created and operate as independent charities and are likely to collect and store personal data about members and, in many cases, other individuals involved with local Scouting. Local Scouting must adhere to the Data Protection Act 1998 when using the Association's Membership System 'Compass'. Please see POR, Chapter 14.

The rules do not apply to individuals collecting information solely for their domestic and household affairs e.g. address book or solely for research, journalistic, artistic or literary purposes.

a) Do Scout Groups, Districts, Counties/Areas/Regions have to register with the ICO?

As smaller 'not-for-profit'; organisations, Scout Groups, Districts, Counties/Areas/Regions do not have to register provided they do not hold personal data about anyone other than members or potential beneficiaries. However, they are still subject to the rules of the Data Protection Act 1998. As a larger organisation, The Scout Association UK Headquarters is registered as a Data Controller with the ICO.

b) Who within Scout Groups, Districts, Counties/Areas/Regions is responsible for Data Protection?
Each Scout Group, District, County/Area/Region is a Data Controller and, therefore, overall responsibility for compliance with data protection will lie with the Executive Committee of each Group, District, County/Area/Region who, as the Charity Trustees, are jointly responsible for the governance of local Scouting.

c) How does data protection usually arise within local Scouting?
As Scout Groups, Districts, Counties/Areas/Regions are subject to data protection rules in full, the issue could arise in many different ways. However, it usually arises in two main ways which are:
• How personal data must be 'processed' in general; and
• When individuals make a 'Subject Access Request' ('SAR') i.e. a request for disclosure of all their personal data.

These two areas are explained further:

4.2. How personal data must be processed
Local Scouting must apply the 8 basic Data Protection Principles when processing Personal Data and the following are some basic essentials to be applied:

(a) When obtaining personal data

• have legitimate grounds for collecting and using it in the first place.
• be transparent about the purpose for which it is collected and who it will or may be shared with by providing privacy notices when collecting it.
• ensure you have consent from the individual. For many immediate purposes, consent can be implied as the individual will know why they are providing it. However, you need to explain what else you might use the information
• ensure that the source is clear.

(b) When retaining personal data
• only hold and retain data sufficient for the intended purpose.
• take reasonable steps to ensure accuracy as to facts and consider any challenges to this (personal data is not 'inaccurate' if it faithfully represents someone's opinion. In these circumstances, if challenged, the data would not have to be 'corrected'; but a note added to it recording that the data subject disagrees).
• update, edit and revise it regularly in accordance with the purpose it was collected. eg. changes to names, addresses, contact details, medical needs etc.
• review how long it should be retained in accordance with the purpose it was collected.
• give individuals access to their personal data.

(c) When storing personal data
• ensure secure system policies of storage, including encryption where necessary, and access in order to prevent accidental loss, alteration or breaches of security.
• be clear about who is responsible for ensuring information security .
• swiftly and effectively respond to any breach of security including reporting this to the ICO.

(d) When sharing personal data
• Personal data must always be processed fairly, handled for intended purpose and only in ways that an individual would reasonably expect. This means that a data controller should not share personal data without legitimate reason.
• Sharing personal data within scouting.
• It is reasonable for members to expect their data to be shared within their particular sections for practical, legitimate purpose and on a need-to-know basis.
• Email communication - Please note that extra care should be taken when using email which, once sent, can easily be shared beyond your control. Therefore, you should always consider the contents of email communications carefully to ensure that if they contain personal data, especially of a confidential or sensitive nature (whether your own or another's), they are sent with caution and to only those who will safeguard that personal data and not share it with anyone without legitimate reasons. It is good practice to make your intentions clear in the email itself and, where necessary, mark clearly as 'Strictly Confidential' or 'Sensitive' or 'Intended for recipient/s only and not to be shared' etc.
• Sensitive personal data - You must also ensure that extra special care is taken with this which, as highlighted earlier, requires explicit consent of the individual for you to obtain it and therefore whether such consent has been obtained from the subject should be checked e.g. through the Adult Information Form or directly from the subject by some other means.

(e) When deleting, destroying or archiving personal data
• Delete or destroy when no longer required securely
• Archive securely where retention is justified

(f) What are the special rules for processing 'sensitive personal data'?

• All the above rules are also applicable when processing sensitive personal data but an additional rule applies to sensitive personal data which may only be held with the explicit consent of the data subject i.e. where sensitive personal data is to be processed, you must ensure that individuals have given explicit consent for this to happen. The Data Protection Act 1998 does not define the method of obtaining explicit consent, however, the best method is to obtain such consent in writing requiring the individual to e.g. tick a box or sign a declaration etc, agreeing that their sensitive personal data may be processed.
• In order to ensure consistency The Scout Association’s Membership System 'Compass' requires users to confirm that permission has been given to hold the information. This confirmation is given via a pop-up box within Compass itself.

4.3 Data controllers must not:

• Use personal data in ways which have an unjustifiable adverse effect on the individual
• Transfer personal data to a country or territory outside the European Economic Area (EEA) unless first ensuring that country or territory also ensures a like level of protection for the processing of personal data.

5. How to deal with subject access requests (SARs)

(a) What is an SAR?
One of the main rights which the Data Protection Act 1998 gives to individuals is the right to access their personal information. An individual can make a request in writing to an organisation for a copy of any personal information held about them. This is known as a Subject Access Request (SAR).

Following a request, a data subject is entitled to a copy of personal data being held or being processed about them (with only a few exemptions possible). The data controller may charge a standard fee to the data subject (a maximum of £10) As The Scout Association is a charitable organisation, in order to cover some of its administrative costs, UK Headquarters charges £10 for providing a SAR. It is recommended that local Scouting, which all also operate as individual charities, also charge the £10 fee in order to assist towards their administrative costs.

You must comply with the SAR within 40 calendar days of receiving the said cheque. The 40 days starts ticking on receipt of the cheque (and not when it is cleared by the bank)

(b) What can the Subject do following receipt of their personal data?
Subjects can:
• ask to have inaccurate data rectified, erased or destroyed.
• ask that data be stopped from being processed if it is unnecessary or causing unjustified damage or distress.
• ask the ICO whether the Data Protection Act 1998 has been contravened.
• If necessary, apply to court to exercise their rights and may receive compensation if damages are suffered due to any contravention of the Data Protection Act 1998.

More detailed information on how to respond to Subject Access Requests can be found here and also on the ICO website.

 

CEOP
© Copyright The Scout Association 2018. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW