
Data protection and Scouting

For information about the new General Data Protection Regulations 'GDPR' coming into force on 25 May 2018. 

Over the coming months, we will produce further communications, advice and guidance. In March 2017 an overview was shared, followed by some frequent questions in September, with information on the areas in which the Association is considering signposting further information to help you comply with GDPR.

The Data Protection Act 1998 governs the collection, recording, storage, use and disclosure of personal data, whether such data is held electronically or in manual form. Young people have the same rights as adults under the Act, and the impact on Scouting is addressed in the factsheet below.

This page provides a general overview of the main ways in which data protection may be relevant to Scouting. It is not intended as a detailed account, and more information can be obtained from the Information Commissioner's Office (ICO), the independent governmental authority responsible for overseeing and regulating data protection. Further explanation/assistance can also be obtained by contacting the Legal Service Department at The Scout Association (TSA) Headquarters.


1. What is 'Data Protection'?
2. What is 'Personal Data'?
3. What are the rules?
4. How does Data Protection apply to Scouting?
5. How Personal Data must be processed
6. Dealing with Subject Access Requests (SARs)

1. What is data protection?

Data protection aims to protect an individual's rights to privacy by regulating how organisations obtain, store and use their personal data. So, data protection rules provide individuals with certain rights whilst also imposing certain duties and obligations on organisations. Young people and adults have the same data protection rights under the law.

a) The Law and regulation

Data protection is governed by the Data Protection Act 1998 ('DPA') which is overseen and regulated by the ICO. Amongst other matters, the ICO:
I) keeps a central record of those organisations that are formally registered with it;
II) provides further guidance regarding particular issues e.g. marketing, fundraising etc. Interpretations and summaries of the law as well as downloadable which can all be found on the ICO website www.ico.gov.uk; and
III) enforces the law through fines and prosecutions where applicable.

b) What records are subject to data protection?

The rules apply particularly to computer or automated records (including email) but also apply to manual records kept in such a way that specific information about a particular individual can easily be retrieved e.g. manual records filed by the name or role etc.

Examples of automated records include:

Examples of manual records include:

A mere passing reference to an individual is not necessarily classed as personal data e.g. the Minutes of a meeting will not be considered personal data about those attending in general. However, if an individual was specifically discussed and is identifiable from such discussion in the Minutes, then the Minutes will be personal data about that individual.

2. What is personal data?

This is any information held about a living individual who can be identified from the information itself or other information also held. Names, addresses or specific roles are obvious ways of identifying individuals but they can also be identified in photos or CCTV images.

There are special rules applying to 'Sensitive Personal Data' where extra care must be taken when handling or disclosing it to third parties (see further under Part II).

Sensitive personal data

Personal data becomes sensitive if it includes information about:

a) Racial or ethnic origin;
b) Political opinions;
c) Religious beliefs;
d) Trade union membership;
e) Physical or mental health;
f) Sexual life; or
g) Commission of offences or alleged offences.

3. What are the rules?

The law states that when processing any personal data the Data Controller must apply 8 basic Data Protection Principles.

a) What is 'Processing'?

Processing has a wide meaning and includes all aspects of handling personal data e.g. from obtaining, recording, retaining (incl. editing and revising), storing and sharing it to archiving and destroying it.

b) What is a Data Controller?

A Data Controller can be an individual, an organisation or another incorporated or unincorporated body of persons that determines what personal data is held, why it is held and how it is processed.

Data Controllers are responsible for ensuring compliance with data protection. An organisation can also designate a Data Protection Officer ('DPO') to ensure compliance on its behalf but the Data Controller remains ultimately responsible.

The DPA also refers to a data processor who processes personal data on behalf of the Data Controller e.g. usually an external company or business. Scout Units are unlikely to use a data processor. However, if and when they do, it is important to ensure a proper agreement is in place specifying the Data Controller's instructions and that the processing complies with the DPA. This is because the Data Controller remains ultimately responsible for what the data processor does with the data.

c) What are the 8 basic principles?

The 8 basic principles address fairness, lawfulness, relevance, excessiveness, accuracy, up-to-datedness and security. Thus, when processing personal data, the Data Controller must ensure that the data is:

For a more detailed explanation of these principles please see the ICO website.

4. How does data protection apply to Scouting?

4.1. Does data protection apply to all Groups, Districts and Counties ('Scout Units')?

Data protection law applies in full to all Scout Units as it does to any form of organisation including public authorities, companies, businesses and other charities. Scout Units are created and operate as independent charities and are likely to collect and store personal data about members and, in many cases, other individuals involved with the unit. Scout Units must adhere to the DPA when using the Association's Membership System 'Compass'. Please see POR, Chapter 14.

The rules do not apply to individuals collecting information solely for their domestic and household affairs e.g. address book or solely for research, journalistic, artistic or literary purposes.

a) Do Scout Units have to register with the ICO?

As smaller 'not-for-profit' organisations, Scout Units do not have to register provided they do not hold personal data about anyone other than members or potential beneficiaries. However, they are still subject to the rules of the DPA. As a larger organisation, TSA Headquarters is registered as a Data Controller with the ICO.

b) Who within Scout Units is responsible for Data Protection?

Each Scout Unit is a Data Controller and, therefore, overall responsibility for compliance with data protection will lie with the Executive Committees of each Unit who, as the Managing/Charity Trustees, are jointly responsible for all the affairs of the Unit.

c) How does data protection usually arise within Scout Units?

As Scout Units are subject to data protection rules in full, the issue could arise in many different ways. However, it usually arises in two main ways which are:

(I) How personal data must be 'processed' in general; and
(II) When individuals make a 'Subject Access Request' ('SAR') i.e. a request for disclosure of all their personal data.

These two areas are explained further:

4.2. How personal data must be processed

Scout Units must apply the 8 basic Data Protection Principles when processing Personal Data and the following are some basic essentials to be applied:

(a) When obtaining personal data

(b) When retaining personal data

(c) When storing personal data

(d) When sharing personal data

  • It is reasonable for members to expect their data to be shared within their particular sections for practical, legitimate purposes and on a need-to-know basis.
  • Email communication - Please note that extra care should be taken when using email which, once sent, can easily be shared beyond your control. Therefore, you should always consider the contents of email communications carefully to ensure that if they contain personal data, especially of a confidential or sensitive nature (whether your own or another's), they are sent with caution and to only those who will safeguard that personal data and not share it with anyone without legitimate reasons. It is good practice to make your intentions clear in the email itself and, where necessary, mark clearly as 'Strictly Confidential' or 'Sensitive' or 'Intended for recipient/s only and not to be shared' etc.
  • Sensitive personal data - You must also ensure that extra special care is taken with this which, as highlighted earlier, requires the explicit consent of the individual for you to obtain it. You should therefore check whether such consent has been obtained from the subject, e.g. through the AA Form or directly from the subject by some other means.

(e) When deleting, destroying or archiving personal data

  • Delete or destroy securely when no longer required
  • Archive securely where retention is justified

(f) What are the special rules for processing 'sensitive personal data'?

4.3. Data controllers must not:

  • Use personal data in ways which have an unjustifiable adverse effect on the individual
  • Transfer personal data to a country or territory outside the European Economic Area (EEA) unless first ensuring that country or territory also ensures a like level of protection for the processing of personal data.

5. How to deal with subject access requests (SARs)

(a) What is an SAR?

One of the main rights which the Data Protection Act gives to individuals is the right to access their personal information. An individual can make a request in writing to an organisation for a copy of any personal information held about them. This is known as a Subject Access Request (SAR).

Following a request, a data subject is entitled to a copy of personal data being held or being processed about them (with only a few exemptions possible). The data controller may charge a standard fee to the data subject (a maximum of £10). As the Association is a charitable organisation, in order to cover some of its administrative costs, Headquarters charges £10 for providing a SAR. It is recommended that Scout Units, which all also operate as charities, also charge the £10 fee in order to assist towards their administrative costs.

You must comply with the SAR within 40 calendar days of receiving the said cheque. Remember that the 40 days start ticking on receipt of the cheque (and not when it is cleared by the bank).

(b) What can the Subject do following receipt of their personal data?

Subjects can:

For a more detailed account, check out how to respond to Subject Access Requests and also the ICO website.


© Copyright The Scout Association 2018. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW