FAQ Group: Data Protection Policy

  • Introduction – Privacy and data protection as a key policy for Scouting

    The Scout Association’s commitment to protecting privacy and data protection has been adopted as a key policy for Scouting. This key policy underpins both this Data Protection Policy and other associated policies used by The Scout Association, local Scouting and its membership. It is important to note that as Data Controllers, local Scout Groups, Districts, Counties/Areas/Regions and Countries are directly responsible for any personal data they process and must therefore ensure that they are aware of their responsibilities under the law.

  • 1. Purpose of this Data Protection policy and what it covers

    This policy sets out 10th Leicester (Syston) Scout Group’s approach to protecting personal data and explains your rights in relation to how we may process personal data. More detail in respect of how we process and protect your data is provided below, in particular in section 5.

    The Scout Association is registered with the Information Commissioner’s Office at the following address: Gilwell Park, Chingford, London E4 7QW. If you have any queries about anything set out in this policy or about your own rights, please write to the Data Protection Officer (Black Penny Consulting) at the above address or via email at Enquiries.dpo@scouts.org.uk.

    We may update this policy from time to time in minor respects, although we will make sure that any substantial or significant changes will be notified to you directly.

  • 2. Some Important Definitions

    ‘We’ means 10th Leicester (Syston) Scout Group

    ‘ICO’ is the Information Commissioner’s Office, the body responsible for enforcing data protection legislation within the UK and the regulatory authority for the purposes of the GDPR

    ‘Local Scouting’ and ‘Scout unit’ mean Scout Groups, Districts, Counties, Areas, Regions (Scotland) or Countries.

    ‘Personal Data’ is defined in section 3

    ‘Processing’ means all aspects of handling personal data, for example collecting, recording, keeping, storing, sharing, archiving, deleting and destroying it.

    ‘Data Controller’ means anyone (a person, people, public authority, agency or any other body) which, on its own or with others, decides the purposes and methods of processing personal data. We are a data controller insofar as we process personal data in the ways described in this policy.

    ‘Data processor’ means anyone who processes personal data under the data controller’s instructions, for example a service provider. We act as a data processor in certain circumstances.

    ‘Subject Access Request’ is a request for personal data that an organisation may hold about an individual. This request can be extended to include the deletion, rectification and restriction of processing.

    ‘Compass’ Compass is The Scout Association’s web-based membership system. Local Scouting must comply with the Data Protection Act 1998 and the GDPR when using The Scout Association’s Membership System Compass.

    ‘OSM’ Online Scout Manager (OSM) is a third party data processor used by 10th Leicester (Syston) Scout Group and our leaders.

    ‘Microsoft 365’ Microsoft 365 is third-party software that is used for secure storage and email.

  • 3. What is personal data?

    Personal data means any information about an identified or identifiable person. For example, an individual’s home address, personal (home and mobile) phone numbers and email addresses, occupation, and so on can all be defined as personal data.

    Some categories of personal data are recognised as being particularly sensitive (“sensitive personal data”). These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic and biometric information, and data concerning a person’s sex life or sexual orientation.

  • 4. How does data protection apply to local Scouting?

    Data protection legislation applies to all data controllers regardless of whether they are charities or small organisations. It applies to local Scouting in the same way as it does to other organisations. Scout units are created and run as independent charities and insofar as they collect and store personal data about

  • 5. What type of personal data do we collect, and why?

    5.1 Members and Volunteers 

    We benefit from the service of a large number of members giving their time to Scouting at both UKHQ and local Scouting levels. We may hold personal data (including sensitive personal data) about members and volunteers on our membership database. We believe it is important to be open and transparent about how we will use your personal data. Information we may hold about you includes the following: 

    • name and contact details 
    • length and periods of service (and absence from service) 
    • details of training you receive 
    • details of your experience, qualifications, occupation, skills and any awards you have received 
    • details of Scouting events and activities you have taken part in 
    • details of next of kin 
    • age/date of birth 
    • details of any health conditions 
    • details of disclosure checks 
    • any complaints we have received about the member 
    • race or ethnic background and native languages 
    • religion 
    • nationality 

    We need this information to communicate with you and to carry out any necessary checks to make sure that you can work with young people. We also have a responsibility to keep information about you, both during your membership and afterwards (due to our safeguarding responsibilities and also to help us if you leave or re-join). 

    Much of this information is collected from the member joining forms and waiting list forms found on our website. 

    5.2 Employees (past, present and future) 

    This part, 5.2, does not apply to 10th Leicester (Syston) Scout Group. 

    5.3 Trustees and members of the governance structure 

    For the members of The Scout Association’s Board of Trustees and its subcommittees, other committees and working groups, we may hold the type of information as set out in 5.1 and also including the following: 

    • CVs 
    • Related party information 

    5.4 Donors 

    We benefit from donations from members of the public who support our work, and we hold personal data about these donors so that we can process donations and orders and tell donors about our work and campaigns and how they can support us further. We may hold the type of information as set out in 5.1. 

    5.5 Customers and visitors (External HQ Bookings & Online Shop Orders) 

    We also hold personal data from customers and visitors to our Scout HQ, as well as on our Online Shop that is used occasionally for various events. We may hold the type of information as set out in 5.1 and also including the following: 

    • purchase history 
    • taxpayer and payment details 

    Much of this information is taken from online registration forms located on our website. 

    5.6 CCTV 

    Our Headquarters operates a CCTV network to help prevent and detect crime and safeguard (protect) young people and others. If we can identify somebody from a CCTV image, the image must be processed as personal data. 

  • 6. Conditions for collecting personal data

    6.1 Keeping to the law 

    We must keep to the law when processing personal data. To achieve this, we have to meet at least one of the following conditions: 

    • you have to give (or have given) your permission for us to use your information for one or more specific purposes 
    • we need to process the information to meet the terms of any contract you have entered into 
    • processing the information is necessary to keep to our legal obligations as data controller 
    • processing the information is necessary to protect your vital interests 
    • processing the information is necessary for tasks in the public interest or for us as the data controller to carry out our responsibilities 
    • processing the information is necessary for our legitimate interests (see below)

    Also, information must be:

    • processed fairly and lawfully
    • collected for specified, clear and legitimate purposes
    • adequate, relevant and limited to what is necessary
    • accurate and, where necessary, kept up to date
    • kept for no longer than is necessary
    • processed securely

    1. Information that we share

    We may have to share your personal data within appropriate levels of the Association and with local Scouting, as long as this is necessary and directly related to your role within Scouting. We do not share personal data with companies, organisations and people outside the Association, unless one of the following applies:

    6.2 All data subjects 

    • We have clear permission from you to do so. 
    • If we have to supply information to others (for example payroll providers) for processing on our behalf. We do this if we are asked and to make sure that they are keeping to the GDPR and have appropriate confidentiality and security measures in place. 
    • For safeguarding young people or for other legal reasons. 
    • We will share the personal data of youth members and their parents/guardians with The Scout Association Headquarters including for the following purposes:
        • managing safeguarding cases
        • anonymous data for reporting including census information
    • The privacy and security notice for The Scout Association can be found here: https://www.scouts.org.uk/DPPolicy. The sharing of this data will be via the Online Scout Manager platform which is used by 10th Leicester (Syston) Scout Group to manage adult and youth membership. The privacy and security notice for OSM can be found here: https://www.onlinescoutmanager.co.uk/security.html 
    • We will however share your personal information with others outside of 10th Leicester (Syston) Scout Group where we need to meet a legal obligation. This may include The Scout Association and its insurance subsidiary (Unity Insurance Services), local authority services and law enforcement.  We will only share your personal information to the extent needed for those purposes. 
    • We will only share your data with third parties outside of the organisation where there is a legitimate reason to do so. 
    • We will never sell your personal information to any third party. 
    • Sometimes we may nominate a member for national / county or district awards (such as Scouting awards or Duke of Edinburgh awards); such nominations would require us to provide contact details to that organisation.
    • Where personal data is shared with third parties, we will seek assurances that your personal data will be kept confidential and that the third party fully complies with the GDPR and DPA 2018.

    A list of the most common third parties we share personal data with can be found below: 

    3rd Party                      | Data Category        | Purpose
    Atlantic Data                  | Personal and Special | Disclosure management services
    Disclosure and Barring Service | Personal and Special | Criminal records check (England and Wales)
    Police                         | Personal and Special | Police information requests
    Online Scout Manager (OSM)     | Personal and Special | Member management system
    Microsoft                      | Personal and Special | Data storage and email. Teams, SharePoint, Exchange etc

  • 7. Keeping personal data secure

    Everyone who handles personal data (including members and volunteers) must make sure it is held securely to protect against unlawful or unauthorised processing and accidental loss or damage. We take appropriate steps to make sure we keep all personal data secure, and we make all of our staff aware of these steps, including keeping to our internal information and computing technology (ICT) policy. In most cases, personal data must be stored in appropriate systems and encrypted when taken off-site. The following is general guidance for everyone working within Scouting, including staff, members and volunteers in local Scouting. 

    • You must only store personal data on OSM or Microsoft 365. 
    • You should have proper entry-control systems in place, and you should report any stranger seen in entry-controlled areas. 
    • You should keep paper records containing personal data secure. If you need to move paper records, you should do this strictly in line with data protection rules and procedures. 
    • You must not download personal data to mobile devices such as laptops and USB sticks unless absolutely necessary. Access to this information must be password protected and the information should be deleted immediately after use. 
    • You must keep all personal data secure when travelling. 
    • Personal data relating to members and volunteers should usually only be stored on the membership database or other specific databases which have appropriate security in place, such as Microsoft 365 services and OSM.
    • When sending larger amounts of personal data by post, you should use registered mail or a courier. Memory sticks should be encrypted. 
    • When sending personal data by email, this must be appropriately authenticated and password-protected. Do not send financial or sensitive information by email unless it is encrypted.
    • Emails to multiple recipients outside of 10th Leicester (Syston) Scout Group must use the BCC feature to protect the recipients’ data.
    • You must not share any passwords with anyone. 
    • Third-party apps, such as WhatsApp, that allow the sharing of recipients’ personal data must not be used for external communications to parents or members.
    • You must not let others use any of your accounts such as OSM or Microsoft 365 on your behalf. 
    • Different rights of access should be allocated to users depending on their need to access personal or confidential information. You should not have access to personal or confidential information unless you need it to carry out your role. 
    • Before sharing personal data with other people or organisations, you must ensure that they are GDPR compliant and only share data if absolutely necessary. 
    • In the event that you detect or suspect a breach you should follow your defined breach response process. 

    All members and volunteers undertake regular training to ensure that they are aware of the above rules and have to complete the Scouts GDPR training. 

  • 8. Responsibilities

    We expect our staff, managers, trustees, volunteers, members and any providers we use (for example payroll or pension providers) to keep to the guidelines as set out in our Data Policy and under ICO and GDPR guidance when they are using or processing personal data and other confidential or sensitive information. This is set out more clearly below. 

    8.1 Board of Trustees (Executive Committee) 

    Our Board of Trustees (Executive Committee) has overall responsibility for 10th Leicester (Syston) Scout Group and for making sure that we keep to legal requirements, including data protection legislation. Our Chair and Executive Committee are responsible for making sure we keep to these requirements across 10th Leicester (Syston) Scout Group. 

    8.2 Data protection officer (DPO) or equivalent role holder 

    TSA has externally appointed a DPO to ensure the organisation is monitoring compliance with GDPR and other Data Protection laws, our data protection policies, awareness-raising, training, and audits. Local Scouting Units should consider appointing their own DPO. The data protection officer is responsible for:

    • making sure that this data protection policy is up to date 
    • advising you on data protection issues 
    • dealing with complaints about how we use personal and sensitive personal data 
    • reporting to the ICO if we do not keep to any regulations or legislation 

    8.3 Staff 

    This part, 8.3, is not applicable for 10th Leicester (Syston) Scout Group at this time. 

    8.4 Volunteers, members and local Scouting 

    We expect you to keep to data protection legislation and this data protection policy, and to follow the relevant rules set out in our Policy, Organisation and Rules (POR). 

    The executive committee of 10th Leicester (Syston) Scout Group has overall responsibility for keeping to data protection regulations.

    As part of your data protection duties, you should report urgently (to your local manager or the executive committee) any instance where the rules on how we handle personal data are broken (or might be broken). 

  • 9. Data Retention

    We may keep information for different periods of time for different purposes as required by law or best practice. Individual departments include these time periods in their processes. We make sure we store this in line with our Data Retention Policy.

    As far as membership information is concerned, to make sure of continuity (for example if you leave and then re-join) and to carry out our legal responsibilities relating to safeguarding young people, we keep your membership information throughout your membership and after it ends, and we make sure we store it securely.

    Only those volunteers who need membership information to carry out their role have access to that information.