Step 1: What do I need to know about data protection?

Thirty years ago, the world was a very different place. The reach of technology was limited, and the way organisations used and processed your personal data was very different to how they use it today.

The changes that have happened over the last two decades forced the European Union (EU) to review the old data legislation and bring it up to speed with the modern era. The EU’s General Data Protection Regulation (GDPR) raised the standards for processing personal data, to strengthen and unify protection for individuals across the EU. The new legislation came into force in the UK on 25 May 2018.

Since this date the UK has left the European Union as a Member State but has effectively adopted the GDPR as part of UK law. This has meant that the UK was subject to an adequacy review with the European Union to ensure that the residual Data Protection Act 2018 met the requirements of the GDPR. This was completed and the UK was granted Adequacy, meaning that the Data Protection Act 2018 was seen as adequate legislation for EU data protection and the principles of the GDPR.

Scout Groups, Districts, Counties/Areas/Regions (Scotland), Countries (each known as ‘Scout Units’) and the Scouts UK Headquarters (‘UK HQ’) collect and process lots of personal data on the young people, adult volunteers and staff. This could be anything from names, addresses, telephone numbers right through to more sensitive data such as religion, ethnicity and disabilities. As a result, it’s important that all Scout Units and UK HQ are aware of the legislation and comply with it.

The Scout Unit Trustee Boards have responsibility for making sure that they comply with legal requirements, including data protection legislation.

Local Scout Units are generally exempt from having to register and pay for the ICO Data Protection Fee, because each is a not-for-profit. However, if the local Scout Unit is using CCTV for crime prevention purposes, or is involved with personal data from outside the Scout Unit, the registration and fee are applicable. Check out the assessment for measuring these criteria.

There are many key terms that are in the GDPR and used throughout this guidance:

Personal data – Any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as religion, ethnicity and disabilities.

Data subject – This is an individual. For Scout Units this could be young people, adult volunteers, parents and guardians and any staff employed locally.

Data controller – This is the entity that determines the means and purpose of processing personal data. This is an organisation gathering, processing and retaining personal data, such as the local Scout Unit.

Data processor – This is an organisation that processes the information on behalf of the data controller. This could be the provider of a membership platform, cloud service provider or event organiser.

Lawful basis – The legally justified reason for processing personal data, such as it being necessary to contact members about Scout affairs.

Processing activity – Anything that you do with personal data, which may include the capture, storage, access, use, sharing and destruction.

Subject Rights Request (SRR) – This is a request from an individual to the Scout Unit or UK HQ to find out what information you hold on them. They also have the right to request that you change or permanently remove any details that you hold on them.

Breach – This is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This could come from a hacker or physically losing files/folders.

Data Lead – Accredited representative within a Scout Unit for data protection duties.

An eLearning module is also available to support members.

In addition to the terms above, the GDPR has a series of guiding principles at its core. These are as follows:

  • Lawful – the data processing is aligned to a lawful basis, such as legitimate interest, consent, performance of a contract etc.
  • Fairness – would the data subject consider this processing activity fair?
  • Transparency – is it clear to the data subject what is happening with their personal data?
  • Purpose – can you explain the processing activity and is it justified?
  • Minimisation – the data being processed is kept to the minimum required for the purpose
  • Storage limitation – how long is the personal data required and can you justify this?
  • Accuracy – is the data accurate and up to date? Can it be updated going forward?
  • Secure – is the data secure in use, storage and transfer?
  • Accountability – the organisation that is subject to the GDPR needs to have systems in place to ensure compliance and be able to evidence it.

The examples below are scenarios that may exist at local Scouting level. They have been used to demonstrate some of the key terms in action:

Advertising for new members could include: events, email campaigns, canvassing.

What does this mean for GDPR?

It needs to be clear who you are marketing to and the lawful basis you are using as grounds to contact them. This needs to be evidenced as either:

  • Consent – they opted-in
  • Non-digital – physical event/canvassing
  • Legitimate interest – your use of the data is necessary and is not overridden by their interests or fundamental rights. On balance, it’s more positive for them than negative.
  • It is important that the individual being contacted has an ability to opt out of the communication

Potential new members and/or their parents or guardians communicate with you via:

  • Email or other electronic means
  • Face-to-face

What does this mean for GDPR?

When communicating with a potential member, parent or guardian, they have usually enquired with you already, giving you legitimate interest for the communications. Care needs to be taken to keep these communications private, especially when personal data is shared amongst groups.

The Young Person/Adult Information Form is used to capture information about a young person or adult volunteer in order to begin the joining/appointment process. This could be via:

  • Email
  • Web form
  • Paper form

What does this mean for GDPR?

The Young Person/Adult Information Form may be the first data capture exercise for a new member.

The form must state:

  • The purpose - What you are going to do with the form and the data.
  • Timeframe - How long you will hold onto the data (delete or securely destroy when no longer required).

The data collected must be:

  • Minimised - It only includes what you need.
  • Kept secure - Special care taken in storing.

The young person, parent/guardian or adult volunteer is now active within the Scout Unit.

What does this mean for GDPR?

The young person, parent/guardian or volunteer’s data will be stored in a filing system such as Excel sheets on local laptops, online record keeping systems and/or paper-based records.

During this period you need to consider:

  • Third parties that are holding data on your behalf, such as online record keeping systems or cloud storage systems.
  • Accuracy of data. Is it kept up-to-date?
  • Data flows i.e. where is the data stored, how is it accessed and by whom, and is the data shared?

Scouting events are held frequently involving young people and adult volunteers.

These can be:

  • Sectional activities in a meeting place
  • Events or nights away

These events can require further data gathering, such as activity or nights away information and health forms completed by parents/guardians and adult volunteers.

What does this mean for GDPR?

When further data gathering is being completed you need to consider:

  • Purpose – what are you going to do with it
  • Minimisation – it only includes what you need
  • Retention – delete when no longer required
  • Secure – special care taken in storing, and access only given to those who need it

This activity should consider what data you already have on file and only capture what is necessary.

Young person and adult volunteer information may be collected as part of the joiners process. This may include:

  • Religion
  • Ethnicity
  • Disabilities

What does this mean for GDPR?

Capturing and processing of personal data of any kind needs to be handled with care, especially with details considered sensitive, such as ethnicity, religion and disabilities.

In all cases the purpose of the processing should be well understood and documented. The lawful bases required for processing special category data are different. Please view our guide to Lawful Basis.

At every meeting or event, the leader in charge is obliged, for safety reasons, to take a register of those attending the session.

What does this mean for GDPR?

Registration of those attending each meeting is good practice from a safety perspective.

What this highlights is the importance of the following:

  • Accurate data on members
  • Maintaining a log of attendees but retaining a high level of data protection, such as the use of digital data as opposed to paper records and minimised data purely for attendance.

A requirement of being an adult volunteer in Scouting is to keep young people, parents/guardians and other adult volunteers updated.

These are updates about weekly meetings, upcoming events and general Scout Unit news.

What does this mean for GDPR?

Communication to the young people, parents/guardians or adult volunteers is essential for the effective operation of a Scout Unit. The GDPR recognises these types of communications and categorises them as necessary to fulfil your role.

However, this communication should only be for the purposes of the Scout Unit and not for further advertising, unless the person receiving the communication has specifically opted-in.

When a young person gets to a certain age, they go through the Moving On process to the next section. In most situations, they will have a new section leader. The young person can also leave Scouting at any point.

What does this mean for GDPR?

When data is being transferred from one person (a Section Leader) to another, care needs to be taken in the transfer and receipt. In addition, the data being transferred needs to be accurate and minimised.

If at any time a young person wishes to leave Scouting, their data may need to be deleted fully if not required for further purposes.

All personal data should have a defined and appropriate retention period.

It may occur that personal data is disclosed externally accidentally or removed from the Scout Unit via malicious means.

What does this mean for GDPR?

In the event of a breach, via malicious means or through accidental disclosure/loss etc., the data controller (the Scout Unit) is obligated to do the following:

  • Remediate the breach
  • Report the breach to the data subject if deemed severe enough
  • Report the breach to the ICO if deemed serious enough and within 72 hours of becoming aware of the breach

For more information see Step 12: Responding to a breach.

In the event that a member or parent/guardian asks for their data to be deleted, updated or provided to them as a copy, the data controller has 30 days to respond to the request unless there are justified grounds to extend by a further 30 days or an exemption applies.

This is covered further in Step 4: Understanding data subjects’ rights