Subject Access Requests
The following is provided by way of general advice. For more detailed explanation and guidance please refer directly to the Information Commissioner's Office (ICO) website.
When a person requests a copy of all their personal data from either The Scouts UK headquarters or a Scout Group, District, County/Area/Region (Scotland), they are in effect making a Subject Access Request (SAR) under the GDPR, which provides rules as to how a SAR must be complied with. As the GDPR applies to both the Scouts UK headquarters and local Scouting (as each Scout Group, District, County/Area/Region (Scotland) is created and operates as an independent charity in its own right), both must comply with SARs.
The following is provided as guidance on how to respond to and comply with a SAR; for more detailed explanation, please refer to the ICO website. Under the GDPR, the default ability to charge a £10 Subject Access fee is removed; a fee can be charged only where the SAR is manifestly unfounded, excessive or repetitive. A SAR can be made in writing or by any other means the Data Subject chooses as their preferred communication channel (verbally, for example), within reason. The deadline for compliance is one month commencing from receipt of the SAR. This deadline can be extended to three months if the SAR is complex or numerous, but the explanation for why needs to be communicated within the first month.
(It's important to note that the GDPR rules do not apply to individuals collecting information solely for their own domestic and household affairs, e.g. an address book, or solely for research, journalistic, artistic or literary purposes. Note also that the subject will not be requesting information under the Freedom of Information Act (FOI), although they may sometimes believe they are: the FOI applies to Public Authorities and does not apply to the Scouts UK headquarters or local Scouting.)
When your Scout Group, District, County/Area/Region (Scotland) receives a SAR, the GDPR subject access request process for Executive Committees should be followed. This is part of Step 4: Understanding data subjects in the GDPR toolkit.
Compliance with SAR
For more detailed information and advice please visit the ICO website.
The ICO also operate a helpline which you can use to ask about general information/questions (you do not have to identify yourself or the organisation you are calling from). Please also let us know if you have any queries. The following is a brief guide only.
A SAR only applies to 'personal data'. This is any information held about the subject from which the subject can be identified. Names, addresses or specific roles are obvious ways of identifying individuals, but they can also be identified in photos or CCTV images.
A mere passing reference to an individual is not necessarily classed as personal data e.g. the Minutes of a meeting will not be considered personal data about those attending in general. However, if an individual was specifically discussed and is identifiable from the Minutes, then the Minutes will be 'personal data' about that individual.
The rules apply particularly to computer or automated records (including email) but can also apply to manual records which enable information about a particular individual to be easily retrieved, e.g. filed by name or role. Due to the nature of Scouting, deciding what information is relevant can be tricky; however, we would advise that the rules will apply to data regarding the subject held by the Scout Group, District, County/Area/Region itself and also shared by the Executive Committee members either between themselves or with others.
Please note, the rules only apply to information actually held: it may be that certain information has been destroyed/deleted locally, as should be normal practice when it is no longer required.
Examples of automated records include:
- Computer files - files stored on removable storage devices, CD-ROMs, DVDs, hard disks, back-up files, emails
- Audio/Video - CCTV, webcam images
- Digitalised images - scanned photos, digital camera
Examples of manual records include:
- Files - on volunteers, young people, employees
- Index systems - names, addresses, other details
- Microfiche records - containing personal data
There are exemptions to disclosure but, in the main, these are very specific and tend to apply to particular cases, e.g. confidentiality of a police investigation or certain HR records. It's quite rare for exemptions to apply more generally, and decisions must be made on a carefully considered discretionary basis which can be justified. Also, when exemptions do apply, this does not necessarily mean that a whole document is exempt: the exemption could apply to only a part or parts of a document. Please see the ICO website for further explanation and to see whether any exemptions may apply.
Redactions
Exempt or third party data should be redacted using a black pen or white corrector tape, and the subject should be sent photocopies of the redacted documents (not the originals) so that any redacted data cannot be deciphered by close inspection or by removing the corrector tape.
Where to send a Subject Access Request
All Subject Access Requests (SARs) made directly to the Scouts UK headquarters for personal data held as the Data Controller should be sent to the Legal Services Department. Please note that the Scouts UK headquarters do not process SARs made directly to Local Scout Groups, Districts, Counties/Areas/Regions (Scotland). Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) are separate charities and therefore Data Controllers in their own right. When Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) receive a SAR, they should follow the guidance in the GDPR toolkit. If required, Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) can contact the Legal Services Department for further guidance.