Data Retention Policy
Purpose
This is the Data Retention Policy of The Scout Association, by which we mean the Association as the national charity (306101) and all its subsidiaries and business units for which its board is responsible. This includes Scout Stores, Scout Adventures and World Scout Shop.
The purpose of this policy is to specify The Scout Association's (“TSA”) guidelines for retaining different types of personal data and for how long.
For clarity, this policy does not include the movement data retention provision. This is because each Local Scout Group, District and County is its own distinct data controller, separate to TSA.
Scope
This policy covers all data in the possession or control of TSA regardless of the medium in or on which those data are held. Where statute or regulation departs from the requirements of this policy, TSA will comply with the relevant statute or regulation. This policy may be updated from time to time.
Policy
Personal data
Personal data retention is governed by current Data Protection legislation. These data must be kept accurate, up to date and retained for no longer than is necessary for the purpose for which they were obtained. Details of retention periods can be found in Annex A – Retention periods.
Where a person has requested that we delete all data we hold about them, we may need to retain basic personal data to evidence that we have completed the request.
Lawful purpose for processing
Personal Data can only be processed (including how it is retained) where there is a lawful basis.
TSA relies on different lawful bases depending on what the Personal Data is being used for. In some cases, TSA has a legal need or right to keep the data, but in other cases TSA relies on Data subjects consenting or on TSA’s legitimate interests, where this needs to be actively managed.
Data subjects also have a number of rights that they can exercise over their Personal Data, such as to delete or rectify it.
Maintaining consent or legitimate reasons for retention
TSA needs to communicate with these data subjects to clearly signpost their ability to withdraw their consent or challenge the legitimate interest that has been assessed; this is commonly known as ‘opt out’. Where appropriate, the data subject should be informed every 2 years of the consent or legitimate interest being used to process their data, with an option to update this preference.
A formal retention period for data processing based on consent has not been defined in this policy and is assumed to be permanent until the data subject exercises their rights to cease the processing activity. Examples of processing covered by this statement are subscribers to newsletters, photograph consents and marketing communications.
Annex A - Retention periods
The retention periods below are organised by the categories of data held within TSA, which are as follows:
- Members’ and volunteers’ data
- Donors’ data
- Event registrants’ and participants’ data
- Insurance customers’ data
- Scout Store customers’ data
- Scout Adventure and Scout Venues’ customer data
- Heritage archives
- Legal services
- TSA staff data
- Complaints, Customer Service & Communication & Whistleblowing
The retention period is applicable at the point where the relationship has finished, for example where a member has left the organisation.
The same piece of data may be held by different teams and for different purposes. It will therefore be covered by the retention policy for each purpose, and so retained by the organisation for the longer of the stated periods.
Members’ and volunteers’ data
Data Process | Data Type | Retention | Justification |
Want to Join | Personal data | 1 year after enquiry or until member joins, whichever is shorter. | To keep them informed of their joining status. |
Joining – including the role, dates of joining and permits | Personal and Sensitive data (special category) | 10 years after leaving, the data will be reduced to only include name, membership number, date of birth, awards, training records, events attended, roles, permits held and any complaints in summary format. This remaining data will be retained for 100 years. | The 10-year retention of all data is required to provide tenure and service records in the event an individual wants to re-join. The 100 years retention of data is required for evidence requests from statutory agencies or internal safeguarding investigations. |
Youth Top Award registrations | Personal and Sensitive data | 6 months after the member turns 25. | To retain their award registrations for the duration of the eligibility period. |
Youth Top Award completions | Personal data and Sensitive data | Permanent for basic data: name, location, award, membership number, HQ approval date and Windsor attendance status (where relevant). For KSA and Explorer Belt data: other data is deleted three years after the award completion date. For SOWA data: other data is deleted one year after the award completion date. | Historic record of award completions. |
Youth MC/G/CSB/CSPA award nominations | Personal and Sensitive data (special category including citation) | Successful awards: Permanent. Unsuccessful awards: One year after decision by HQ. | To retain their award nominations/locally made decisions for the purpose of processing awards. Successful awards: Historic record of awards. |
Adult GS/MC/G/CSB/CSPA award nominations made locally | Personal and Sensitive data (special category including citation) | Successful awards: Permanent. Unsuccessful awards: One year after decision by HQ. | To retain their award nominations/locally made decisions for the purpose of processing awards. Successful awards: Historic record of awards. |
Department for Digital, Culture, Media & Sport (DCMS) Award nomination at local Scout Group | Personal data and Sensitive data (special category including citation) | Where TSA are approached by a local group in relation to a possible national honour nomination, TSA will retain the information for two years from the initial contact. Where TSA are informed that the local group have made a submission to DCMS, TSA will retain the information for three years from the date of submission. | To assist with progressing award nominations. |
Department for Digital, Culture, Media & Sport (DCMS) Award nomination direct to TSA | Personal data and Sensitive data (special category including citation) | Where TSA are approached by DCMS in relation to a possible national honour nomination, TSA will retain the information for two years from the initial contact. | To retain their award registrations for the duration of the eligibility period. |
Research - surveys and other methodologies | Personal and Sensitive data (special category) | 18 months (This is a guide only and may differ for specific research. Retention periods will be stated at the point of collection). | To allow sufficient time for data analysis and challenge. Anonymised data may be retained for longer. |
Scouts Experience Survey | Personal and Sensitive data (special category) | 15 Years | To keep a collation of completing members and compare answers from the previous years. |
Vetting | Personal Data – Disclosure Certificate | 6 months after issue. Details of any offences and alleged offences may be retained in order to support ongoing suitability risk assessments. | 6 months after issue. Details of any offences and alleged offences may be retained in order to support ongoing suitability risk assessments. |
Safeguarding – Adult volunteer ‘person of concern’ | Personal and Sensitive data (special category) | Adult – 100 years after case closure. Will include all case notes, including those of witnesses and young person along with any litigation correspondence until it is appropriate to reduce this to a detailed summary of the case. In the event that the allegation is actually disproved or is found to have been mis-recorded in the first place, the record will include a statement that the data subject has been exonerated and the data will be subject to the joining data process retention period. | Required for evidence requests from statutory agencies or internal safeguarding investigations. |
Safeguarding – Young person – Welfare | Personal and Sensitive data (special category) | Young Person – 7 years after last communication with the Young Person or Family. | Required for evidence requests from statutory agencies or internal safeguarding investigations. |
Safeguarding – Young person ‘person of concern’ | Personal and Sensitive data (special category) | Young Person – 100 years after case closure. Will include all case notes, including those of witnesses and adult volunteers along with any litigation correspondence, until it is appropriate to reduce this to a detailed summary of the case. In the event that the allegation is actually disproved or is found to have been mis-recorded in the first place, the record will include a statement that the data subject has been exonerated and the data will be subject to the joining data process retention period. | Required for evidence requests from statutory agencies or internal safeguarding investigations. |
Safety Incident (Adult) – including personal injury details (covering sexual abuse/psychological damage) and cases with no personal injury identified | Personal and Sensitive data (special category) | 20 Years after the incident. | To address a legal claim, offer support and identify trends. |
Safety Incident (Young Person) – including personal injury details (covering sexual abuse/psychological damage) and cases with no personal injury identified | Personal and Sensitive data (special category) | 20 Years after the young person turns 18. | To address a legal claim, offer support and identify trends. |
Scout Stories | Personal data | 5 years after submission | Required for the Media team to ascertain if a story is newsworthy during this period. |
Donors' data
Data Process | Data Type | Retention | Justification |
Individual Givers | Personal Data | 5 years post last donation or last positive interaction with Scouts Fundraising Team, whichever is longer. | To keep an individual informed of their donation and other fundraising campaigns. |
Direct debit mandate | 6 years after the end of the year or accounting period that includes the last Direct Debit. | As proof of Direct Debit Instruction (DDI) and to assist in claims against that DDI. | |
Partnerships | Personal Data | 3 Years | To answer queries on the donations and maintain a record of partner donors. |
Legacy Donors | Personal Data | In perpetuity. | To maintain record of the donation. |
Major Donors | Personal Data | 5 years post last donation or last positive interaction with Scouts Fundraising Team, whichever is longer. | To keep an individual informed of their donation and other fundraising campaigns. |
All donations – transaction information (including Gift aid declaration) | Personal Data | 6 years after the end of the year or accounting period. | For audit purposes (including HMRC Tax Audit). |
Event registrants’ and participants’ data
Data Process | Data Type | Retention | Justification |
Ad-hoc events | Personal and Sensitive data (special category) | 2 months after event. Scouting Young People and adult volunteer attendance records will be retained for 100 years. | Required for enquiries on the event and responding to incidents. The 100 years retention of data is required for evidence requests from statutory agencies or internal safeguarding investigations. |
Annual events | Personal and Sensitive data (special category) | 18 months after event for personal data, 2 months after event for sensitive data (special category). Scouting Young People and adult volunteer attendance records will be retained for 100 years. | To re-invite the guests to the same event in the following year. The 100 years retention of data is required for evidence requests from statutory agencies or internal safeguarding investigations. |
International events | Personal and Sensitive data (special category) | 5 years after event for personal data, 2 months after event for sensitive data (special category). Scouting Young People and adult volunteer attendance records will be retained for 100 years. | To re-invite the guests to the same event at the next cycle, which is approximately every 4 years. The 100 years retention of data is required for evidence requests from statutory agencies or internal safeguarding investigations. |
Insurance customers’ data
Data Process | Data Type | Retention | Justification |
Non-liability cover | Personal and Sensitive data (special category) | 7 Years after case closure. | Advisory stipulations of the regulator(s), currently the Financial Conduct Authority. |
Liability cover | Personal and Sensitive data (special category) | 10 Years after case closure. | Advisory stipulations of the regulator(s), currently the Financial Conduct Authority. |
Prospect customers - enquiries | Personal data | 18 months after enquiry. | To keep in communication with the enquirer. |
Scout Store customers’ data
Data Process | Data Type | Retention | Justification |
Scout Store purchase | Personal data | 1 Year after account closure. | Required for enquiries on purchases and account. |
Transaction data | 6 Years after the end of the tax year for that purchase or duration of warranty period, whichever is longest. | HMRC Tax Audit or warranty period. | |
Prospect customers - enquiries | Personal data | 18 months after enquiry. | To keep in communication with the enquirer. |
Scout Adventure and Scout Venues’ customer data
Data Process | Data Type | Retention | Justification |
Scout Adventure attendee | Personal data | 18 months after last booking. | Required for enquiries on purchases. |
Transaction data | 6 Years after the end of the tax year for that purchase. | HMRC Tax Audit. | |
Scout Venue event attendee | Personal data | 3 years after last booking or interaction with the Scout Venue team. | Required for communication with active attendees. |
Transaction data | 6 Years after the end of the tax year for that purchase. | HMRC Tax Audit. | |
Prospect customers - enquiries | Personal data | 18 months after enquiry. | To keep in communication with the enquirer. |
Heritage archives
Data Process | Data Type | Retention | Justification |
Heritage Collection (includes business archive) | Personal data | Permanent | Required for historical, research and statistical purposes. |
Donor (entry and accession) records/registers | Personal data | Permanent | Required for historical, research and statistical purposes. |
Information gathered as a result of an enquiry | Personal data | 2 years after enquiry is complete | Required to check for repeat enquiries. |
Object Exit Files and register | Personal data | Permanent | Required for historical, research and statistical purposes. |
Day books/Index Cards | Personal data | Permanent | Required for historical, research and statistical purposes. |
Loan In and Out files | Personal data | Permanent | Required for historical, research and statistical purposes. |
Legal services
Data Process | Data Type | Retention | Justification |
Estate deeds and associated information, including communications | Personal data | Permanent | Required for proof of ownership. |
Estate claims against deeds | Personal data | 12 years from the breach of obligation | Fight a case – Limitation Act 1980. |
Various pre action and litigated actions, to include: Simple claims in contract, tort, fraud or negligence | Personal and Sensitive data (special category) | 6 years from the closure of the case. For pre action personal injury claims relating to a minor for 3 years beyond the date upon which the minor attains the age of 21 | Fight a case – Limitation Act 1980. |
Litigation action: defamation | Personal and Sensitive data (special category) | 1 year from the publication of defamatory act | Fight a case – Limitation Act 1980. |
Legacies | Personal and sensitive data (special category) | 12 years from the administration of the estate | Fight a case – Limitation Act 1980. |
Subject Access Request (SAR) | Personal data | 7 years after the SAR has been closed, or 7 years after the data subject turns 18 if later | Fight a case – Limitation Act 1980. |
Contracts | Personal data | 6 years beyond the end of the contract or if externally funded the time period specified in the funding agreement which can be 10 or 12 years for some government funding. | Required as part of the Limitation Act 1980. |
General advice | Personal data | 3 years unless required longer for TSA to defend a position where general advice has been given | Fight a case – Limitation Act 1980. |
TSA staff data
Data Process | Data Type | Retention | Justification |
Income tax and NI records | Personal data | 3 years from the end of financial year to which they relate. | The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631). |
Payroll wage/salary records (also overtime, bonuses, expenses) | Personal data | 6 years from the end of the tax year to which they relate. | Taxes Management Act 1970. |
Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity | Personal data | 6 years from the end of the scheme year in which the event took place. | The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103). |
MATB1 and associated Family Leave Pay Records | Personal data | 3 years after the employee has had their baby. | The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended Maternity & Parental Leave Regulations 1999. |
Working time records | Personal data | 2 years from date on which they were made. | The Working Time Regulations 1998 (SI 1998/1833). |
Personnel records (full record including training) | Personal and Sensitive data (special category) | 6 years after the employee has left. After this period only the name, role history and contact details are retained on our HR system for 25 years. | The full record is retained in order to defend against tribunals or county or high court claim. The reduced record is retained for the purpose of responding to reference requests. |
Recruitment records | Personal data | 6 months after the candidate has not been successful unless they opt in to join the talent pool. Data will be held on the talent pool for two years, and will be used to contact people about future vacancies that may be of interest to them. | To defend against tribunals or county or high court claim. The data is retained on the Talent Pool to contact people about future vacancies that may be of interest to them. |
Emails and personal data volumes | Personal and Sensitive data (special category) | 6 months after the employee has left. | To answer queries that are contained in these data sources. |
Swipe Card Data | Personal data | Photographs will be deleted when the employee has left. The data on movement around buildings will be retained for three years following the employee leaving. | To address any potential legal claims or enquiries. |
Complaints, communication & customer service
Data Process | Data Type | Retention | Justification |
Complaints Process | Personal and Sensitive data (special category) | 6 years from the final recorded communication from the complainant about the complaint. | Required as part of the Limitation Act 1980. |
Whistleblowing Process | Personal and Sensitive data (special category) | 6 years from the final recorded communication from the person raising the issue about the case. Where a case is raised anonymously, 6 years from the date the case is concluded. | Required as part of the Limitation Act 1980. |
Records of outbound bulk emails (including membership emails) and relevant metadata | Personal data | 10 years after the sent date. | For the purpose of evidencing communication and successful delivery. |
Customer Contact Information (Support Centre) | Personal and Sensitive data (special category) | Records of contacts are retained for 5 years. | To retain accurate business records and assist with further enquiries. |
Policy owner: Data Protection Officer / Information Governance Manager
Policy approver(s): Information Governance Group
Effective date: November 24
Next review date: November 25
Version: 3.4