
GDPR Step 1: What do I need to know about GDPR?

Version 4, September 2018

Twenty years ago, the world was a very different place. The reach of technology was limited, and the way organisations used and processed your personal data was very different to how they use it today.

The changes that have happened over the last two decades have forced the European Union (EU) to review the old data legislation and bring it up to speed with the modern era. The EU’s General Data Protection Regulation (GDPR) raises the standards for processing personal data, to strengthen and unify protection for individuals across the EU. The new legislation came into force in the UK on 25 May 2018 and will exist post-Brexit. In addition, the regulation has been nationalised into UK law and is known as the Data Protection Act 2018.

Scout Groups, Districts, Counties/Areas/Regions (Scotland), Countries and the Scouts UK headquarters collect and process lots of personal data on the young people, adult volunteers and staff. This could be anything from names, addresses, telephone numbers right through to more sensitive data such as religion, ethnicity and disabilities. As a result, it’s important that all Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries are aware of the new legislation and comply with it.

Duty of care for the security of data lies with everybody that gathers, handles or receives personal data. The Scout Group, District, County/Area/Region (Scotland) or Country Executive Committee has overall responsibility for making sure that they comply with legal requirements, including data protection legislation.

There are many key terms that are in the GDPR and used throughout this guidance:

Personal data – Any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as religion, ethnicity and disabilities.

Data subject – This is an individual. For Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries this could be young people, adult volunteers, parents and guardians and any staff employed locally.

Data controller – This is the owner and user of the gathered personal data. This is anybody gathering and retaining personal data, such as the Scout Group, District, County/Area/Region (Scotland) or Country.

Data processor – This is a company or individual who processes the information on behalf of the data controller. This could be the provider of a membership platform, cloud service provider or event organiser.

Lawful processing – The justified reason for holding and processing personal data, such as it being necessary to contact members about Scout affairs.

Subject Access Request (SAR) – This is a request from an individual to the Scout Group, District, County/Area/Region (Scotland) or Country to find out what information you hold on them. They also have the right to request that you change or permanently remove any details that you hold on them.

Breach – This is the loss of information. This could come from a hacker or physically losing files/folders.

Data Protection Officer (DPO) – Representative for data protection duties.
An e-learning module is also available to support members. This can be found online here.

The examples below are scenarios that may exist at local Scouting level. They have been used to demonstrate some of the key terms in action:


Marketing

Advertising for new members could include: events, email campaigns, canvassing.

What does this mean for GDPR?
It needs to be clear who you are marketing to and the lawful processing you are using as grounds to contact them. This needs to be evidenced as either:
• consent – they opted-in
• non-digital – physical event/canvassing
• legitimate interest – your use of the data is necessary and is not overridden by their interests or fundamental rights. On balance, it’s more positive for them than negative.


Want to join

Potential new members and/or their parents or guardians communicate with you via:
• email or other electronic means
• face-to-face

What does this mean for GDPR?
When communicating with a potential member, parent or guardian, they have usually enquired with you already, giving you legitimate interest for the communications. Care needs to be taken to keep these communications private, especially when personal data is shared amongst groups.


Information Forms

The Young Person/Adult Information Form is used to capture information about a young person or adult volunteer in order to begin the joining/appointment process. This could be via:
• email
• web form
• paper form

What does this mean for GDPR?
The Young Person/Adult Information Form may be the first data capture exercise for a new member. The form must state:
• The purpose – What you are going to do with the form and the data.
• Timeframe – How long you will hold onto the data (delete or securely destroy when no longer required).

The data collected must be:
• Limited – It only includes what you need
• Kept secure – Special care taken in storing

Please note: UK headquarters are working to update the forms available for Local Scouting to use. When they have been updated, members will be informed. 


Active

The young person, parent/guardian or adult volunteer is now active within the Scout Group, District, County/Area/Region (Scotland) or Country.

What does this mean for GDPR?
The young person, parent/guardian or volunteer’s data will be stored in a filing system such as Excel sheets on local laptops, online record keeping systems and/or paper-based records.

During this period you need to consider:
• Third party processors that are holding data on your behalf, such as online record keeping systems or cloud storage systems.
• Accuracy of data. Is it kept up-to-date?
• Data flows, i.e. where, how and to whom the data is passed.


Events

Scouting events are held frequently involving young people and adult volunteers.
These can be:
• sectional activities in a meeting place
• events or nights away

These events can require further data gathering, such as activity or nights away information and health forms completed by parents/guardians and adult volunteers.

What does this mean for GDPR?
When further data gathering is being completed you need to consider:
• purpose – what are you going to do with it
• limit – it only includes what you need
• retention – delete when no longer required
• secure – special care taken in storing

This activity should consider what data you already have on file and only capture what is necessary.


Collection of sensitive (special category) data

Young person and adult volunteer information may be collected as part of the joiners process. This may include:
• religion
• ethnicity

What does this mean for GDPR?
Capturing and processing of personal data of any kind needs to be handled with care, especially with details considered sensitive, such as ethnicity and religion. In all cases the purpose of the processing should be well understood and documented.


Register

At every meeting or event, the leader in charge is obliged for safety reasons to take a register of those attending the session.

What does this mean for GDPR?
Registration of those attending each meeting is good practice from a safety perspective. What this highlights is the importance of the following:
• accurate data on members
• maintaining a log of attendees but retaining a high level of data protection, such as the use of digital data as opposed to paper records and minimised data purely for attendance.


Communications

A requirement of being an adult volunteer in Scouting is to keep young people, parents/guardians and other adult volunteers updated.

These are updates about weekly meetings, upcoming events and general Scout Group, District, County/Area/Region (Scotland) or Country news.

What does this mean for GDPR?
Communication to the young people, parents/guardians or adult volunteers is essential for the effective operation of a Scout Group, District, County/Area/Region (Scotland) or Country. The GDPR recognises these types of communications and categorises them as necessary to fulfil your role. However, this communication should only be for the purposes of the Scout Group, District, County/Area/Region (Scotland) or Country and not for further advertising, unless the person receiving the communication has specifically opted-in.


Moving on

When a young person gets to a certain age, they go through the Moving On process to the next section. In most situations, they will have a new section leader. The young person can also leave Scouting at any point.

What does this mean for GDPR?
When data is being transferred from one person (a Section leader) to another, care needs to be taken in the transfer and receipt. In addition, the data being transferred needs to be accurate and minimised. If at any time a young person wishes to leave Scouting, their data should be deleted fully if not required for further purposes. All personal data should have a defined and appropriate retention period.


Data breach

It may occur that personal data is disclosed externally accidentally or removed from the Scout Group, District, County/Area/Region (Scotland) or Country via malicious means. Members and parents/guardians may exercise the rights they have over their data.

What does this mean for GDPR?
In the event of a breach, via malicious means or through accidental disclosure, the data controller is obligated to do the following:
• remediate the breach
• report the breach to the data subject if deemed severe enough
• report the breach to the ICO if deemed serious enough and within 72 hours of becoming aware of the breach


Subject Access Request

In the event that a member or parent/guardian asks for their data to be deleted, updated or disclosed, the data controller has 30 days to complete the request if it is not deemed excessive.

This is covered further in Step 4: Understanding data subjects’ rights.

 

© Copyright The Scout Association 2018. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW