GDPR

What is GDPR (General Data Protection Regulation)?

Twenty years ago the world was a very different place. The reach of technology was limited, and the way organisations used and processed your personal data was very different to how they use it today.

The changes that have happened over the last two decades have forced the European Union (EU) to review the old legislation and bring it up to speed with the modern era. The EU’s General Data Protection Regulation (GDPR) raises the standards for processing personal data, to strengthen and unify protection for individuals across the EU. The new legislation comes into force in the UK on 25 May 2018 and will exist post-Brexit.

Scout Groups, Districts, Counties/Areas/Regions, Countries and The Scout Association Headquarters collect and process lots of personal data on the young people, adult volunteers and staff. This could be anything from names, addresses, telephone numbers right through to more sensitive data such as religion, ethnicity and disabilities. As a result, it’s important that all Scout Groups, Districts, Counties/Areas/Regions and Countries are aware of the new legislation and comply with it.

This page is an introduction to the GDPR and offers insight into how the changes may affect your local Scouting practices. Scroll down to find some practical examples that may need to be considered within local Scout Groups, Districts, Counties/Areas/Regions or Countries. An e-learning module is also available to support members with guidance for Training Advisers here.

There are many key terms that are in the GDPR and used throughout this document. These are listed and explained below:

• Personally Identifiable Information (PII) or personal data – Any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as religion, ethnicity and disabilities.

• Data subject – This is an individual. For Scout Groups, Districts, Counties/Areas/Regions and Countries this could be young people, adult volunteers, parents and guardians and any staff employed locally.

• Data controller – This is the owner and user of the gathered personal data. This is anybody gathering and retaining PII data, such as the Scout Group, District, County/Area/Region or Country.

• Data processor – This is a company or individual who processes the information on behalf of the controller. This could be The Scout Association UK Headquarters, Compass or your choice of online third party system and even the Scout Groups, Districts, Counties/Areas/Regions and Countries themselves.

• Lawful processing – The legitimate reason for holding and processing PII data, such as it being necessary to protect the vital interests of the young person.

• Subject Access Request (SAR) – This is a request from an individual to the Scout Group, District, County/Area/Region or Country to find out what information you hold on them. They also have the right to request that you change or permanently remove any details that you hold on them.

• Breach – This is the loss of information. This could come from a hacker or physically losing files/folders.

• Data Protection Officer (DPO) – Representative for data protection duties.

 

Marketing

Example
Advertising for new members could include: events, email campaigns, canvassing.

What does this mean for GDPR?
It needs to be clear who you are marketing to and the lawful processing you are using as grounds to contact them. This needs to be evidenced as either:
• consent – they opted-in
• non-digital – physical event/canvassing
• legitimate interest – your use of the data is necessary and is not overridden by their interests or fundamental rights. On balance, it’s more positive for them than negative.

 

Want to join

Example
Potential new members and/or their parents or guardians communicate with you via:
• email or other electronic means
• face-to-face
• Young Person/Adult Information Form

What does this mean for GDPR?
When communicating with a potential member, parent or guardian, they are consenting to the communications but care needs to be taken to keep these communications private, especially when PII is shared, such as in the Young Person/Adult Information Form, where some parts will be classed as sensitive data.

 

Information Forms

Example
The Young Person/Adult Information Form is used to capture information about a young person or potential volunteer in order to begin the joining/appointment process. This could be via:
• email
• web form
• paper form

What does this mean for GDPR?
The Young Person/Adult Information Form may be the first data capture exercise for a new member. The form must state:
• purpose – what you are going to do with the form and the data
• timeframe – how long you will hold onto the data (delete or securely destroy when no longer required)

The data collected must be:
• limited – it only includes what you need
• kept secure – special care taken in storing

Please note: UK Headquarters are working to update the forms available for Local Scouting to use. When they have been updated, members will be informed.

 

Active

Example
The young person, parent/guardian or adult volunteer is now active within the Scout Group, District, County/Area/Region or Country.

What does this mean for GDPR?
The young person, parent/guardian or volunteer’s data will be stored in a filing system such as Excel sheets on local laptops, online record keeping systems and/or paper-based records.

During this period you need to consider:
• third party processors that are holding data on your behalf, such as online record keeping systems or cloud storage systems
• accuracy of data – is it kept up-to-date?
• data flows, i.e. where, how and to whom the data is passed

 

Events

Example
Scouting events are held frequently involving young people and adult volunteers.

These can be:
• sectional activities in a meeting place
• events or nights away

These events can require further data gathering, such as activity or nights away information and health forms completed by parents/guardians and adult volunteers.

What does this mean for GDPR?
When further data gathering is being completed you need to consider:
• purpose – what are you going to do with it
• limit – it only includes what you need
• retention – delete when no longer required
• secure – special care taken in storing

This activity should consider what data you already have on file and only capture what is necessary.

 

Collection of sensitive data

Example
Young person and adult volunteer information is presented to The Scout Association periodically to allow for statistical analysis. This may include:
• religion
• ethnicity

What does this mean for GDPR?
Transfer of personal data of any kind needs to be handled with care, especially with details considered sensitive, such as ethnicity and religion. In all cases the purpose of the transfer should be well understood and documented, with techniques such as anonymising the data being used.

 

Register

Example
At every meeting or event, the leader in charge is obliged for safety reasons to take a register of those attending the session.

What does this mean for GDPR?
Registration of those attending each meeting is good practice from a safety perspective. What this highlights is the importance of the following:
• accurate data on members
• maintaining a log of attendees but retaining a high level of data protection, such as the use of digital data as opposed to paper records and minimised data purely for attendance.

 

Communications

Example
A requirement of being an adult volunteer in Scouting is to keep young people, parents/guardians and other adult volunteers updated.
These are updates about weekly meetings, upcoming events and general Scout Group, District, County/Area/Region or Country news.

What does this mean for GDPR?
Communication to the young people, parents/guardians or adult volunteers is essential for the effective operation of a Scout Group, District, County/Area/Region or Country. The GDPR recognises these types of communications and categorises them as necessary to fulfil your role. However, this communication should only be for the purposes of the Scout Group, District, County/Area/Region or Country and not for further advertising, unless the person receiving the communication has specifically opted-in.

 

Moving on

Example
When a young person gets to a certain age, they go through the Moving On process to the next section. In most situations, they will have a new section leader. The young person can also leave Scouting at any point.

What does this mean for GDPR?
When data is being transferred from one person (a Section leader) to another, care needs to be taken in the transfer and receipt. In addition, the data being transferred needs to be accurate and minimised. If at any time a young person wishes to leave Scouting, their data should be deleted fully if not required for further purposes. All personal data should have a defined and appropriate retention period.

 

Data breach

Example
It may occur that personal data is disclosed externally accidentally or removed from the Scout Group, District, County/Area/Region or Country via malicious means. Members and parents/guardians may exercise the rights they have over their data.

What does this mean for GDPR?
In the event of a breach, via malicious means or through accidental disclosure, the data controller is obligated to do the following:
• report the breach to the DPO
• complete an ICO data protection breach notification form

In the event that a member or parent/guardian asks for their data to be deleted, updated or disclosed, the data controller has 30 days to complete the request if it is not deemed excessive.

 

The GDPR toolkit

Duty of care for the security of data lies with everybody that gathers, handles or receives personal data. The Scout Group, District, County/Area/Region or Country Executive Committee has overall responsibility for making sure that they comply with legal requirements, including data protection legislation.

The Scout Association is working with a consulting partner, Black Penny Consulting. Together we have issued a GDPR toolkit which will give your Scout Group, District, County/Area/Region or Country an easy-to-follow guide on documentation, processes and best practices to follow. This GDPR toolkit will help guide adult volunteers on how to handle the data of the young people they are responsible for, and the adult volunteers in their Scout Group, District, County/Area/Region or Country.

In addition to this website page, the GDPR toolkit includes:
• a FAQ page 
• a step-by-step guide on how to fill out the documentation
• a GDPR framework register documenting the data types and lawful processes for collection, storage and use of data
• guides on how to handle data subject access requests and data breaches
• a guide on how to maintain alignment with GDPR

 

Compass

For guidance relating to the Compass membership system, please take a look at the Frequently Asked Questions on the Compass Support website.


This information is provided as guidance only and is not exhaustive. It does not supersede, amend or negate the provisions of the GDPR or any other applicable data protection legislation. For more detailed or specific guidance please go to: https://ico.org.uk/for-organisations/