Step 5: Gathering data
Contents
- Introduction
- Step 1: What do I need to know about data protection?
- Step 2: Who is responsible for what?
- Step 3: Appointing a Data Lead
- Step 4: Understanding data subjects' rights
- Step 5: Gathering data
- Step 6: Data discovery
- Step 7: Keep a record
- Step 8: Check your security
- Step 9: Third parties
- Step 10: Publish your privacy stance
- Step 11: Delete and destroy
- Step 12: Responding to a breach
Step 5: Gathering data
In Scouting, there will be occasions where information from young people and their parents/guardians and adult volunteers will be required. Usually these will be ahead of events, camps or day trips or when a new member joins the Scouts. This page aims to provide you with some good practice guidance if you need to gather information.
Why do we need additional information?
Before collecting any data on an individual, we need to remember the principles of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA):
- Lawful – the data processing is aligned to a lawful basis, such as legitimate interest, consent, performance of a contract etc.
- Fairness – would the data subject consider this processing activity fair?
- Transparency – is it clear to the data subject what is happening with their personal data?
- Purpose – can you explain the processing activity and is it justified?
- Minimisation – the data being processed is kept to the minimum required for the purpose
- Storage limitation - how long is the personal data required and can you justify this?
- Accurate - is the data accurate and up to date? Can it be updated going forward?
- Secure - is the data secure in use, storage and transfer?
- Accountability – the organisation that is subject to the GDPR needs to have systems in place to ensure compliance and be able to evidence it.
As part of the principles of purpose and minimisation, it’s good to think about the information you may have already collected before asking for more. It’s likely that you’ll already hold a lot of information from when the young person or adult volunteer joined Scouting and therefore there is no requirement to gather it again. You’ll then only be asking for limited information for each event.
That said, you have a valid reason for asking for some information again as it is an obligation of your Trustee Board that the data held is accurate and it may have changed, or be very specific for that event, for example an emergency contact may be a grandparent rather than the parent because the parents may be going away at the same time as your week-long summer camp.
Keep things to a minimum
When designing your form, try to avoid collecting unnecessary data. For example you do not need to know if the young person can swim, if your event will not include any water activities in its programme. This can usually be a symptom of reusing forms and each form should be considered against its own purpose.
Layout of the form
Often forms will be designed based on the need of the event or as you think of things to include on the form. It’s worth taking a moment to think about the information you are collecting so that you can order it and maybe batch different kinds of information together.
For example, keeping names and contact details together. Keeping sensitive (special category) data together, such as medical details, will help the individual competing the form to follow its logic and for you to provide them with further description on the sections, if required. Where sensitive data is being gathered it is good practice to include a brief section explainer text so it’s clear on the specific purpose for gathering it.
Where a form is capturing personal and/or sensitive personal data, you should include a Privacy Statement to assist in providing transparency for the individual completing the form. This should ideally be positioned at the top or bottom or top of a form so it’s visible and read.
Privacy Statement
A Privacy Statement is required to provide the necessary transparency to the data subject and must include some basic detail, such as;
- The type of data being collected
- Why the information is being collected
- Where the information will be stored
- Details of who will have access to the information
- A time period for when you will destroy the information
You should also include a link to the Scout Unit's agreed and published Data Protection/Privacy Policy.
The statement must be written in clear and simple language so that it is easy to understand by the individual completing your form.
Check out our tool to help you create your privacy statement.
Consent
Consent is a lawful basis for processing data and can only be presented as a choice, yes or no. This means that consent should only be used where necessary and where another lawful basis for processing does not exist.
There will be certain information, or conditions which require specific consent to be given. This will include, but is not limited to:
- Sensitive personal data where it is to be passed to a third party, such as when capturing registrations for an event and passing this data to an organisation assisting with that event
- Asking to use an image or video of someone
- Using data for a different reason than the initial purpose it was collected
The data subject will need to tick a box or sign their name to provide their consent. Implied or pre-filled boxes are not allowed, you need to be able to evidence that the data subject affirmatively gave their consent. Asking for consent for other information does come with the risk that consent can be retracted at any point, possibly making the organisation of an event harder.
Take a look at an example of seeking consent:
Adult and young people data – is there any difference?
Fundamentally, there is no difference between adult and young people data. The processing of young people data should come with an extra layer of due diligence to ensure its processing is absolutely necessary and that the security of that data is appropriate.
While a data breach or loss of any data is serious, a breach or loss of young people’s data comes with a potential for greater reputational damage which could jeopardise the future of scouting not just locally, but nationally as well.
The ICO have produced specific guidance on Young Person’s data.
What you do with the information when collected?
When your completed form is returned you need to think about where the information is stored and who will have access to it.
If your form is on paper, you will usually need to transfer the information to a spreadsheet or other digital system. Make sure you transfer the data accurately. Think where this electronic record is then saved and if you need to password protect it. You may be required to print off the spreadsheet to take with you on an event. You’ll need to consider how many copies you print off and who will have access to them – keep this to a minimum where possible. If you’re sharing the sheets with other Leaders, ensure you know how many copies you have made and that you are able to collect these back in at the end of the event.
If you’re using an electronic collection method, where will the data actually be stored? Is this within the UK or within Europe? If not, you may wish to think about the provider you are using, as data stored outside of Europe will require an appropriate safeguard for that data transfer. You can check out a list of countries currently considered adequate for data transfer, without additional safeguards, on the ICO website. Most service providers will publish this information on their websites, such as Google and Microsoft, however you may need to look or actually contact the company to ask them before using their service.
Like the paper copies, you’ll also need to ensure there’s a privacy statement on the form and that you are able to delete the data when it’s no longer required. Paper forms will need to be securely destroyed when not needed any more. One way would be to shred the paper forms.
Retention Period
The period of time that you will need to keep the information following an event will vary depending on the type of data you have collected, and the possible reasons for keeping it. You will also need to refer back to any retention policy set by your Trustee Board.
It's good practice to delete data when not required any further, even if this falls inside your retention period set. In some cases, data may need to be kept longer than the retention period for analytical or statistical purposes, in most cases this won’t require the personal data to be present and should be anonymised as soon as possible.
We've created a Template Data Retention Policy, which contains real Scouting examples. This has been created using a combination of the UK HQ Data Retention Policy and examples from local Scouting. This template can be used by a local Scout Unit but may need tailoring to suit local processing activities.
Useful resources for Step 5