
Data Protection Policy

July 2025

Introduction

The Scout Association’s commitment to protecting privacy and data forms a key policy for Scouting. This policy underpins both this Data Protection Policy and other associated policies used by The Scout Association, local Scouting and its membership.

Each Local Scout Group, District and County is its own distinct data controller for much of its data processing, separate from The Scout Association (TSA), and is a separate legal entity. This means they are directly responsible for any personal data they process and must ensure that they are aware of their responsibilities under the law. We provide general guidance and signposting to local Scouting, including online resources such as our Scout Unit Data Protection Toolkit.

This policy sets out The Scout Association’s approach to protecting personal data and explains individuals’ rights in relation to how we process personal data. We provide more detail in respect of how we process and protect personal data below, particularly in section 5. 

The Scout Association (“We” in this document) is registered with the Information Commissioner’s Office at the following address: Gilwell Park, Chingford, London E4 7QW. If you have any queries about anything set out in this policy or about your own rights, please write to the Data Protection Officer (Black Penny Consulting) at the above address or via email at [email protected].

We may from time to time make minor changes to this policy. We will notify our members when we make any substantial or significant changes to the policy.

‘We’ means The Scout Association and The Scout Association Trust Corporation.

‘ICO’ is the Information Commissioner’s Office, the body responsible for enforcing data protection legislation within the UK and the regulatory authority for the purposes of the GDPR.

‘Local Scouting’ and ‘Scout unit’ mean Scout Groups, Districts, Counties, Areas (Wales), Regions (Scotland) or Countries.

‘Personal Data’ is defined in section 3.

‘Processing’ means all aspects of handling personal data, for example collecting, recording, keeping, storing, sharing, archiving, deleting and destroying it.

‘Data Controller’ means anyone (a person, people, public authority, agency or any other body) which, on its own or with others, decides the purposes and methods of processing personal data. We are a data controller insofar as we process personal data in the ways described in this policy.

‘Data processor’ means anyone who processes personal data under the data controller’s instructions, for example a service provider. We act as a data processor in certain circumstances.

‘Subject Access Request’ is a request for personal data that an organisation may hold about an individual. This request can be extended to include the deletion, rectification and restriction of processing.

‘Membership System’ refers to the Microsoft Dynamics-based system we use to store membership information. This database is used both by The Scout Association and by local Scouting. It integrates with our Learning Management System.

Personal data means any information about an identified or identifiable person. For example, an individual’s home address, personal (home and mobile) phone numbers and email addresses, occupation, and so on can all be defined as personal data.

Some categories of personal data are recognised as being particularly sensitive (“special category data”). These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic and biometric information, and data concerning a person’s sex life or sexual orientation.

Data protection legislation applies to all data controllers regardless of whether they are charities or small organisations. It applies to local Scouting in the same way as it does to other organisations. Scout units are created and run as independent charities and insofar as they collect and store personal data about members and young people, they are data controllers and must adhere to the law.

For the purpose of our Membership System both The Scout Association and local Scout units act as independent data controllers. This relates to:

  • Maintenance of local Scouting’s primary records, such as name, address and leadership details of the local Group, District, County, Area (Wales), Region (Scotland) or Country.
  • Local Scouting roles, such as creation, management and deletion of role and any reasons for leaving local Scouting. This includes ID checking.
  • Direct messaging in the platform.
  • Training, learning and permit management.

Each Scout unit will have its own data protection policy. In case of any doubt or questions you are advised to contact the Scout unit directly or to write to our Data Protection Officer at the above address who may be able to help.

5.1 Members and volunteers

We benefit from the service of a large number of members giving their time to Scouting at both UKHQ and local Scouting levels. We hold personal data (including special category data) about adult members and volunteers on our membership database. We believe it is important to be open and transparent about how we use personal data. Information we hold about members may include the following:

  • name and contact details
  • length and periods of membership and volunteer service (and absence from membership and volunteer service)
  • details of training received
  • details of experience, qualifications, occupation, skills and awards received
  • details of Scouting events and activities members have taken part in
  • details of next of kin
  • age/date of birth
  • legal sex
  • details of any health conditions
  • details of disclosure checks
  • any complaints we have received about the member
  • details of any safeguarding concerns raised about or by the member
  • details about role(s) in Scouting
  • details about membership status
  • diversity and inclusion data (including nationality, ethnicity, religion / belief, health information, gender, and sexual orientation)

We need this information to communicate with members and to carry out any necessary checks to make sure that members can work with young people. The diversity and inclusion information is collected to help us understand the diversity of Scouts and the growing needs of our movement. 

Much of this information is collected from the member joining forms or is input directly into the system by members themselves.

5.2 Young People

We do not centrally hold a youth membership database. The responsibility for managing youth membership sits locally. However, we do process some personal data about Young People.

For Young People, we hold information where there has been a safeguarding or safety case raised; this may include basic personal identifiers along with the details of the case. We may capture information on Young People who attend events managed by The Scout Association; this may include details on dietary and accessibility requirements. We process data about Young People where they have been put forward for an award, entered a competition run by TSA or partaken in research undertaken by TSA. We also process data on Young People where they are part of a legal claim; the data we capture may include the detail of the claim itself.

5.3 Trustees and members of the governance structure

For the members of The Scout Association’s Board of Trustees and its subcommittees, other committees and working groups, we may hold the types of information set out in 5.1, as well as the following:

  • CVs
  • Related party information

5.4 Donors

We benefit from donations from members of the public who support our work. We hold personal data about these donors so that we can process donations and tell donors about our work, campaigns and how they can support us further. This may include details of donors that wish to leave a legacy in their will. 

We hold the following types of information:

  • name and contact details
  • address
  • details of donations and interactions, such as communications and events

Where The Scout Association has assessed an individual as a major donor (based on donations of £10,000 and above), we may hold publicly available details that assist us in assessing:

  • capacity to give
  • propensity to give
  • closeness to the Scouts

5.5 Customers and visitors

We also hold personal data for visitors to our sites. This can include guests, suppliers, tradespeople and contractors. We may hold the types of information set out in 5.1. Much of this information is taken from online registration forms and sign-in mechanisms.

5.6 Employees and contractors (past, present and future)

As an employer, we need to keep information relating to each member of staff and contractors who have a contract with us. This will include the pre-employment stage, references, and records relating to the time they worked for us including probationary, appraisal and disciplinary information.

We have a separate Employee Privacy Notice which provides more detail to staff members about how we process their data. 

5.7 CCTV

Our sites operate CCTV networks to help prevent and detect crime and to safeguard (protect) Young People and others. If an individual can be identified from a CCTV image, that image must be treated as personal data and processed accordingly. This is governed by our CCTV Policy.

5.8 Scout Association Trust Corporation (SATC)

The Scout Association Trust Corporation (SATC) holds title deeds to property on behalf of Scout units. As part of the services that SATC provides, we are required to receive and send both hard copy and electronic documents. In many cases, we need limited personal information, typically a name and contact details (including a postal address), to deliver these services. We may also use contact information held in the membership system to manage SATC-related matters.

6.1 Keeping to the law

We must comply with the law when processing personal data. To do this, we must meet at least one of the following conditions:

  • Consent - the individual gives (or has given) permission for us to use their information for one or more specific purposes.
  • Performance of a contract - we need to process the information to meet the terms of any contract we have entered into (for example, when we process personal data as part of a volunteer’s membership application or to provide goods or services they have purchased).
  • Legal obligation - processing the information is necessary for us to comply with our legal obligations as a data controller.
  • Vital interests - processing the information is necessary to protect someone’s life.
  • Public task - processing the information is necessary for us to carry out a task in the public interest or to exercise official authority as a data controller. 
  • Legitimate interests - processing the information is necessary for our legitimate interests as an organisation (see below examples).

Lawful basis and data processing examples

Consent

  • Sending marketing information not deemed part of legitimate interest
  • The use of photography captured by UKHQ
  • Managing TSA HQ grant applications and provisions

Performance of a contract

  • Volunteer membership application
  • Supply of goods or services purchased

Legal obligation

  • Disclosure and Barring Service referral
  • Insurance underwriting referrals
  • Submitting tax records to HMRC

Vital interests

  • Medical history disclosure to a medical professional to protect the health of the data subject 

Public task

  • Sharing information with statutory bodies such as the Police (including the Hydrant Programme) or Local Authorities

Legitimate interest

  • Photography at UKHQ organised events where consent is not appropriate (could include the publishing of the photography in TSA media channels including printed format)
  • The passing of personal data to local Scout Groups as part of the ‘Find a local group’ service online.
  • Displaying the contact details of local leaders as part of the ‘Find a local group’ service online
  • Nominations for Meritorious Conduct & Gallantry Awards, The Cornwell Scout Badge, Chief Scout’s Personal Awards and Good Service Awards
  • Informational/operational communications directly to volunteers.
  • The use of membership data for the recruitment of HQ roles
  • The passing of volunteer and Young Person data to TSA’s outside legal counsel in defence of cases
  • Scout Stories that are submitted to Scouts HQ and may be published online

Also, information must be:

  • processed fairly, lawfully and in a transparent manner
  • collected for specified, clear and legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • processed securely

6.2 Information that we share

We may need to share personal data within appropriate levels of the Association and with local Scouting, provided this is necessary and directly related to a member’s role within Scouting. This is subject to data sharing agreements entered into with each Trustee Board. 

TSA may also share personal data with its partners, companies and organisations and individuals who help us to fund, organise and operate events, projects, programmes and other activities. Our legal basis for this is the pursuit of our legitimate interest in working collaboratively with other organisations to operate and administer the event, project, programme or activity. 

Some of these organisations may process information in countries outside the UK / EEA, such as the United States, where data protection laws differ from those in the UK / EEA. TSA ensures that any such transfers are subject to appropriate security measures to safeguard personal data. Where transfers are necessary to countries where data protection has not yet been declared to be adequate, we rely on appropriate safeguards, as defined in the UK GDPR for these transfers.

TSA may also share information within the TSA group of companies for the purposes of managing particular events, projects, programmes, or other activities. TSA currently provides support and services to its subsidiary companies. Therefore, our legal basis for sharing information is to pursue the legitimate interests of shared resources and management reporting between the companies within the group. 

We do not share personal data with companies, organisations or people outside the Association unless we have a lawful basis for doing so and one of the following applies:

  • We have entered into a data sharing or data processing agreement with them
  • We are legally required to share the information
  • Sharing the information helps safeguard Young People 

You can view a list of the most common third parties we share personal data with. This is not exhaustive and acts as an example. Where appropriate we ensure that where data processing may include a third party, the data subject is informed. This is usually at the point data is captured.  

We use technical and organisational safeguards to protect your data and prevent the loss, misuse or alteration of your personal information. Everyone who handles personal data makes sure it is held securely to protect against unlawful or unauthorised processing and accidental loss or damage. We take appropriate steps to make sure we keep all personal data secure, and we make all our staff aware of these steps, including keeping to our internal information and computing technology (ICT) policy framework.

All staff undertake regular training to ensure that they are aware of the above rules, and work to our agreed Acceptable Usage Policy when using our equipment or systems.

The Scout Association holds ISO27001 accreditation.  

We expect our staff, managers, trustees, volunteers, members and any providers we use to adhere to data protection legislation. More details are set out below. 

8.1 Board of Trustees

Our Board of Trustees holds overall responsibility for the governance of the Association, including ensuring compliance with all legal and regulatory obligations; this includes adherence to data protection legislation. Operational responsibility for implementing and maintaining compliance across UK Headquarters rests with our CEO and Senior Leadership Team, who are accountable for ensuring that appropriate systems, processes, and controls are in place and effectively managed.

8.2 Data protection officer (DPO) or equivalent role holder

TSA has externally appointed a DPO to ensure the organisation is monitoring compliance with data protection legislation and our data protection policies. The Data Protection Officer is responsible for:

  • making sure that this data protection policy is up to date
  • advising on data protection issues
  • dealing with complaints about how we use personal and sensitive personal data
  • reporting to the ICO if we do not keep to any regulations or legislation
  • raising awareness of data protection and training
  • undertaking internal audits

8.3 Staff

All staff have a responsibility to keep to the requirements of this data protection policy and our related procedures and processes, including our Internal Data Protection Compliance Framework. Managers are responsible for making sure that staff within their teams are aware of and keep to this.

If staff do not adhere to this data protection policy and its associated policies and procedures, we may take disciplinary action against them.

8.4 Volunteers, members and local Scouting

We expect all volunteers to keep to data protection legislation and to follow the relevant rules set out in our Policy, Organisation and Rules (POR). We provide general guidance and signposting to local Scouting, including online resources such as our Scout Unit Data Protection Toolkit.

The local Trustee Boards (trustees of local Groups, Districts, Areas, Counties, Countries and so on) have overall responsibility for adhering to data protection legislation.

We may keep information for different periods of time for different purposes as required by law or business requirements. Individual departments include these time periods in their processes.

As far as membership information is concerned, to make sure of continuity (for example if someone leaves and then re-joins) and to carry out our legal responsibilities relating to safeguarding Young People, we keep membership information after it ends, and we make sure we store it securely. Only those staff who need membership information to carry out their role have access to that information.

For more information see our Data Retention Policy.

Under data protection law, individuals have a number of rights in relation to their personal data.

  1. The right to information: As a data controller, we must give you a certain amount of information about how we collect and process information about you. This information needs to be concise, transparent, understandable and accessible.
  2. The right of subject access: If you want a copy of the personal data we hold about you, you have the right to make a Subject Access Request (SAR) and get a copy of that information.
  3. The right to rectification: You have the right to ask us, as data controller, to correct mistakes in the personal data we hold about you.
  4. The right to erasure (right to be forgotten): You can ask us to delete your personal data if it is no longer needed for its original purpose, or if you have given us permission to process it and you withdraw that permission (or where there is no other lawful basis for processing it).
  5. The right to restrict processing: In certain circumstances where, for lawful or legitimate purposes, we cannot delete your relevant personal information or if you do not want us to delete it, we can continue to store it for restricted purposes. This is an absolute right unless we have a lawful purpose to have it that overrides your rights.
  6. The obligation to notify relevant third parties: If we have shared information with other people or organisations, and you then ask us to do either 3, 4 or 5 above, as data controller we must tell the other person or organisation (unless this is impossible or involves effort that is out of proportion to the matter).
  7. The right to data portability: This allows you to transfer your personal data from one data controller to another.
  8. The right to object: You have a right to object to us processing your personal data for certain reasons, as well as the right to object to processing carried out for profiling or direct marketing.
  9. The right to not be evaluated on the basis of automatic processing: You have the right not to be affected by decisions based only on automated processing which may significantly affect you.
  10. The right to bring class actions: You have the right to be collectively represented by not-for-profit organisations.

If you wish to exercise any of your data subject rights, you should contact UKHQ legal department at [email protected] or by writing to:

The Scout Association
Legal Services
Gilwell Park
Chingford
London
E4 7QW

Please note, subject rights requests for data held by Local Scouting should be made directly to the relevant Scout unit as each Scout unit operates as a separate charity and each is a Data Controller in its own right.

The most commonly exercised data subject right is the right to access. More information is provided on this below. 

You are entitled to ask us, in writing, for a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). In line with legislation, we will not charge a fee for this information and will respond to your request within one calendar month, though if the request is deemed to be complex, we may take up to three months. If the request is deemed excessive, we will contact you within the month of making the SAR to state the reason and discuss how we will proceed which may include making a charge. 

Our members or anyone else can also ask for information from local Scouting. The relevant Scout unit, as data controller in their own right, must answer these requests. UKHQ is not legally responsible for these local SARs but we advise Scout units to respond to them in line with the law, and we provide guidance at Subject Access Requests.

When making a request we recommend that you are as specific as possible in relation to what you are looking for. This will help us ensure we provide you with what you want. 

If you are unhappy with the way your data has been processed, you have the right to raise a complaint with us. Complaints will be investigated by our Information Governance Team and will be responded to within one month. If the matter is deemed to be complex, we may take up to three months but will acknowledge the complaint within the first month.

To raise a complaint, you should email [email protected]

In situations where you feel The Scout Association has not handled your personal data complaint appropriately, you have the right to raise the matter with the Information Commissioner’s Office, though you may contact them at any time.

Contact the Information Commissioner’s Office.

Data Protection Officer contact details: [email protected]