7. Keeping personal data secure

Everyone who handles personal data (including members and volunteers) must make sure it is held securely to protect against unlawful or unauthorised processing and accidental loss or damage. We take appropriate steps to make sure we keep all personal data secure, and we make all of our staff aware of these steps, including keeping to our internal information and computing technology (ICT) policy. In most cases, personal data must be stored in appropriate systems and encrypted when taken off-site. The following is general guidance for everyone working within Scouting, including staff, members and volunteers in local Scouting. 

  • You must only store personal data on OSM or Microsoft 365. 
  • You should have proper entry-control systems in place, and you should report any stranger seen in entry-controlled areas. 
  • You should keep paper records containing personal data secure. If you need to move paper records, you should do this strictly in line with data protection rules and procedures. 
  • You must not download personal data to mobile devices such as laptops and USB sticks unless absolutely necessary. Access to this information must be password protected and the information should be deleted immediately after use. 
  • You must keep all personal data secure when travelling. 
  • Personal data relating to members and volunteers should usually only be stored on the membership database or other specific databases which have appropriate security in place, such as Microsoft 365 services and OSM. 
  • When sending larger amounts of personal data by post, you should use registered mail or a courier. Memory sticks should be encrypted. 
  • When sending personal data by email, this must be appropriately authenticated and password-protected. Do not send financial or sensitive information by email unless it is encrypted. 
  • Emails to multiple recipients outside of 10th Leicester (Syston) Scout Group must use the BCC feature to protect the recipients' data. 
  • You must not share any passwords with anyone. 
  • Third-party apps, such as WhatsApp, that allow the sharing of recipients' personal data must not be used for external communications to parents or members. 
  • You must not let others use any of your accounts such as OSM or Microsoft 365 on your behalf. 
  • Different rights of access should be allocated to users depending on their need to access personal or confidential information. You should not have access to personal or confidential information unless you need it to carry out your role. 
  • Before sharing personal data with other people or organisations, you must ensure that they are GDPR compliant and only share data if absolutely necessary. 
  • In the event that you detect or suspect a breach, you should follow your defined breach response process. 

All members and volunteers undertake regular training to ensure that they are aware of the above rules and have to complete the Scouts GDPR training.