5th Douglas Scout Group Data Protection Policy
As a large organisation, The Scout Association is registered with the Information Commissioners Office (ICO) as a data controller. However, data protection law applies to all data controllers (whether registered with the ICO or not) and therefore applies to each local Scouting Group or Unit. All adults in the 5th Douglas Scout Group have a responsibility to comply with data protection law, which includes EU General Data Protection Regulation (GDPR), when handling or dealing with any personal data. The Scout Group Executive Committee have responsibility for ensuring that adequate data protection systems are in place. The units within the Group hold a variety of personal data on members and their families to ensure efficient administration and running of the group. This data is described below:
Data Type |
Description |
Held By |
Access |
---|---|---|---|
Membership Records | Name, address, date of birth, telephone, email, parents | Group Leader and Section Leaders | Leaders of the unit of the individual. May include District leaders if attending large event. |
Medical Data | Medical conditions, allergies and ailments that potentially impact on Scouting activities | Group Leader and Section Leaders | Leaders, plus medical practitioners if necessary. May include District leaders if attending large event. |
Progress Records | Meetings, activities and camps attended, badges and awards gained and similar data | Section Leaders | Leaders. Summary information e.g. specific awards may be shared with Scouting District |
Financial Records | Subs, membership fees, gift aid, camp fees, group accounts and other monies | Group Treasurer and Section Leaders | Leaders and group executive. Summary information (e.g.awards) passed to Scout District and HMRC |
Photographic Data | Photographs and video clips of members and other participants taken during Group activities | Section Leaders | Selected items – made available to public for publicity, see notes below |
- Scouting photographs and video clips may be used on the Group’s website, social media pages and local press. These will only be used with Parental / Carer consent. Full names and addresses of individuals are not shown.
- Scouting photographs may be used in posters displayed in public places to promote the Group, to advertise events or recruit members. These will only be used with Parental / Carer consent. Full names and addresses of the individuals are not shown.
- Scouting photographs may be sent to local newspapers for promotional purposes or newspaper reporters may visit the Group to take photographs. These will only be used with Parental / Carer consent. The Group does not hold photographs taken by newspaper reporters. Newspaper policies usually involve the publication of the individuals’ names but not their addresses.
- The Group will not take part in direct marketing and will not use or share details for this purposes
- The Group will send out newsletter and updates on fundraising activities as part of the Group’s legitimate interest. If you do not wish to receive such information, please contact your Leader.
- Personal Data will only be used for the purpose in which it was requested as detailed in our Privacy Notice
- The Executive Committee and Leaders are instructed: –
- – to ensure all Personal data is secure.
- – to ensure they only collect and use data if it is necessary for the legitimate interests of running the unit with the Group and the Association as long as its use is fair and does not adversely impact the rights of the individual.
- – that they do not share or sell personal data to third party organisations for marketing, fundraising or campaigning purposes.
- – to securely destroy personal data in accordance with our Privacy Notice
Use of Cookies
Please see our separate Cookie Policy
Data Protection Officer
Under the GDPR, a DPO must be appointed if:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
The Executive Committee have agreed that as a local Scout group, this small organisation is not required to appoint a Data Protection Officer
Data Breaches
The Executive Committee is responsible for the security, integrity and confidentiality of all the data it holds. The Executive Committee is also obliged under GDPR to keep personal data safe and secure and respond promptly and appropriately to any data security breaches. Although all adult volunteers have a responsibility for the information they generate, manage, transmit and use in line with GDPR, it is the Executive Committee’s legal duty to secure personal and confidential data at all times. A personal data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the Scout, District, County/Area/Region in any format. Any person who knows or suspects that a breach of data security has occurred should report the breach immediately. For a breach in Scouting this will be reported according to the Data Breach Response Plan.. Ideally a breach will reported straight away but no longer than 48 hours after the breach.
The Data Protection Principles
Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime Article 5(1) requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’); (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Further Information
Scout Association Data Protection Policy http://scouts.org.uk/media/927472/SCOUTS-data-protection.pdf Scout Association Privacy policy http://scouts.org.uk/privacy-policy/ Policy agreed by 5th Douglasl Executive Committee Appendix 1 Privacy Notice Under data protection law, individuals have a right to be informed about how the Scout Group uses any personal data that we hold about them. We comply with this right by providing a ‘privacy notice’ (sometimes called ‘fair processing notice’) to individuals where we are processing their personal data. This privacy notice explains how we collect, store and use personal data about children, teenagers and adults in the Scout Group. The Executive Committee of the Scout Group is the ‘data controller’ for the purposes of data protection law.
The personal data we hold
Personal data that we may collect, use, store and share (when appropriate) about children, parents and carers includes, but is not restricted to:
- Contact details, contact preferences, date of birth,
- Details of any medical conditions, including physical and mental health
- Details of any Special Educational Needs and Care Plans
- Photographs
Why we use this data
We use this data to:
- To register the children with the Scout Association
- To administer waiting lists
- To be able to contact parents / carers in emergency situations
- To be able to administer emergency medical treatment if necessary
- To provide appropriate care for the children
- To produce attendance registers
- To administer gift aid claims
- To produce event contact lists and event co-ordination
- To produce health care plans
- For the day to day running of the units
- To deal with enquires from our website
Our legal basis for using this data
We only collect and use children’s and parents’ / carers’ personal data when the law allows us to, most commonly, we process it where:
- We need to comply with a legal obligation, for example Gift Aid claims, DBS checks for adult members
- We only collect personal data that is necessary for the purpose of its legitimate interests as a membership organisation. We need this information to contact you regarding meetings, events, membership fees, fundraising and the day to day running of the Group.
- It is fair to use the personal data in our interests, where there is no disadvantage to you – this can include where it is in our interests to contact you about products or services within Scouting.
Collecting this information
The majority of the personal data we hold is provided to us directly by the parent or carer on completion of a joining form. Online membership systems are used to manage personal data. Event consent forms are completed prior to a trip / event. The online membership system for Scouting can be accessed by parents / carers to check and update personal information.
How we store this data
We are committed to the protection of your personal data. We generally store personal data in securely held paper form and a secure online membership system. Online Scout Manager run by Online Youth Manager Ltd, are secure membership databases where personal data of adults and children members are stored for the day to day running of the Group. Event consent forms are stored securely prior to the event. In order to fulfil our legal obligations, we will be required to potentially have a less secure means of accessing personal data such as emergency contact and medical details taken off the premises during the event. We will minimise the risk by ensuring the data is secure and is securely destroyed after the event using either a cross shredding machine or securely burned. If personal data is transferred from one leader to another, we will audit that they return them when the event is complete.
When we destroy the data
We will retain personal data, through the time individuals are in the Scout Group. When a member leaves a unit, their details are removed from the online database (OSM) unless a member is waiting to join another unit and their details are kept on the online database. Emergency contact details, consent and health forms are destroyed after the event. If medical treatment has been administered, these are sent to Group Scout Leader. The Scouts keep personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purpose of satisfying any legal, accounting or reporting requirements. Consideration is given to the amount, nature and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure; the purposes for which it is processed, whether this can be achieved through other means and the legal requirements.
Data sharing
We do not share information about children or parents / carers with any third party without consent unless the law and our policies allow us to do so. Where it is legally required, or necessary (and it complies with data protection law) we may share personal information with:
- Scouts
- Duke of Edinburgh Award
- Online Management system run by Online Youth Manager
- Insurance
- Other Scout Groups if a child transfers to another unit
- Emergency services
We will never sell personal data to any third party for the purposes of marketing. Your personal data will be treated in the strictest confidence and we will only share your data with third parties where there is a legitimate reason to do so. If identifiable data is to be shared where there is not legitimate reason, we will seek your consent.
Third Party Data Processors
Scouts – via its membership system “Compass” which is used to record the personal data of leaders, adults and parents / carers who have undergone a Disclosure and Barring Service check. Outside the UK – if an event is taking place outside of the UK, it will be necessary to provide personal data to comply with our legal obligations. Generally, such an event will have its own data collection form which will be securely held and disposed of after the event.
Photography and Social Media
Promoting Scouting is important to the Group, as such it is in the interest of all members to advertise the Group through the use of appropriate positive images. Social media is used as a means of promoting our brand, fundraising and our activities. Our Public Facebook Page, Twitter and Website allows us to quickly share news and photos that we think are appropriate to a wider audience. As these are used as promotional tools neither is restricted or “closed” in any way. When we are away at events, and at our weekly meetings, photos may be taken and published on social media sites and website. These photos are stored securely on the unit leader’s computer or in paper form in a locked cupboard. If photos need to be shared with children or parents, consent will be obtained prior to distribution. We will:
- Seek consent before using photo / image / video that identify the individual (consent required from parent / carer if under the age of 18)
- Consider the content of all photo/image/video for good taste before publication
- Only publish photos/images relating to Scouting
- Not publish a child’s full name or address with a photograph
- Remove any photo/image/video that breaches these guidelines or remove if requested by the individual, parent / carer as quickly as possible after it is brought to our attention
- Not hold photo / image / video for longer than is necessary. When they are no longer required, they will be securely destroyed
- Endeavour to keep to the above guidelines, we cannot control the legal right of third party photographers to take pictures taken in a public place and publish them to websites and other publications that are outside of our control. At large scale events (over 100 people) photo permissions do not apply as it is recognised that it is not possible for a leader to control photographs that are taken by others
Some units may have a separate social media site. The individual unit will monitor and seek separate consent for use of photo / image / video on these sites.
Parent / carer and child rights regarding personal data
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the Group holds about them. Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent. If you make a subject access request, and if we do hold information about you or your child, we will:
- Give you a description of it
- Tell you why we are holding and processing it, and how long we will keep it for
- Explain where we got it from, if not from you or your child
- Tell you who it has been, or will be, shared with
- Let you know whether any automated decision-making is being applied to the data, and any consequences of this
- Give you a copy of the information in an intelligible form
Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances. If you would like to make a request please contact the Group’s Chairperson as detailed on our website.
Other rights
Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe, including the right to:
- Object to the use of personal data if it would cause, or is causing, damage or distress
- Prevent it being used to send direct marketing
- Object to decisions being taken by automated means (by a computer or machine, rather than by a person)
- In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
To exercise any of these rights, please contact your leader in the first instance and then Group Chairperson.
Breach Notification
We will notify our users of any breach of data via email within 72 hours of identifying the breach.
Complaints
We take any complaints about our collection and use of personal information very seriously. If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance. To make a complaint, please contact our Executive Committee using the contact details via the Groups website. Alternatively, you can make a complaint to the Information Commissioner’s Office: online at https://ico.org.uk/concerns/ , call 0303 123 1113, or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF