Complaints and handling personal data
The purpose of this document is to give guidance to Managers and Supporters who are required to deal with complaints which have been received about The Scouts.
The Scouts recognises its responsibility to deal fairly, constructively and consistently with the expressions of concern or dissatisfaction from members and non members including parents and carers on behalf of themselves or their children in line with its values.
As Scouts we are guided by the values of Integrity, Respect, Care, Belief and Co-operation. When applying this policy these values should be at the forefront of every interaction and decision that is made, and all involved should be regularly reminded of them.
Focusing on the values of Respect and Care, the wellbeing and mental health of all involved in the complaints process should be considered throughout. 'The Supporting the Wellbeing and Mental Health during a Complaint', webpage.
Data Protection Act 2018 (DPA) and the General Data Protection Regulations GDPR
The DPA and GDPR set out the UK data protection regime. Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.
Under the GDPR and the DPA, individuals have a right to access information about themselves. This is commonly known as subject access. It does not give an individual the right of access to information about another person – unless they are acting on behalf of someone else, for example a parent acting on behalf of a child. The GDPR and the DPA apply to all organisations that process personal data including The Scout Association (TSA). Personal data is anything that identifies an individual such as name, contact details or details of their complaint where applicable. Under our current federated model, individual charities have a responsibility to ensure adherence to the DPA and the GDPR. You should have appropriate local data protection policies in place for your charity.
Creating and compiling accurate complaint records
Complaint files act as an important record of the issues raised, the actions taken and other background issues. Principle D of the GDPR requires that personal data must be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)’.
It is important to ensure that full and accurate records are created and stored securely, to ensure that all the information is easily accessible in the event it is required for responding to a Subject Access Request (SAR). It also acts as an audit trail for reference should any further challenges be received upon conclusion of a complaint.
Complaint files can be complex, often consisting of various elements:
- the complainant’s personal data;
- third party personal data;
- a mix of the complainant’s data and the third-party data which is inextricably linked and cannot be separated; and
- information that is not personal data at all.
As a member or volunteer in Scouting, it is always important to remember to conduct ourselves in a manner which represents our brand and values. All communication from our members and volunteers represents TSA and as such we should be respectful and mindful of reputational impact when communicating both internally with other members and volunteers, and externally with stakeholders. It is recognised that dealing with complaints is not always a positive experience for those involved. Nevertheless, we must be aware that we represent a professional organisation with the purpose to actively engage and support young people in their personal development, empowering them to make a positive contribution to society. To do this we must lead by example and this is especially true when things go wrong.
It is important to note that when an individual connected to a complaint makes a SAR for their personal data, all written records relating to the individual will need to be provided to the person responsible for handling the SAR. This person will then decide on what constitutes personal information of the requestor. As such it vital that all communication should be objective and where applicable, opinions should not be based on emotional responses when handling complaints. Decision making and other records that are generated thorough the life of a complaint should all be stored in one central place in accordance with the local data retention policies and/or for six years in line with the Limitations Act. Personal information will be contained within these records and as such the records should all be stored in accordance with DPA requirements and treated with sensitivity.
Verbal conversations with parties to a complaint, for example a witness, should be followed up in writing to ensure there is an accurate record of the information gathered. This also acts as an opportunity for the person the data is about, in this example a witness, to correct any misunderstandings or errors.
The complaints process emphasises informal resolution in the first instance to resolve as many complaints as possible. Even where informal resolution is utilised to address a complaint, written records should be kept of the interactions to ensure there is an audit trail for this should the matter formalise later down the line.
Openness and transparency are key to effective complaints handling but this must be balanced with respecting an individual’s personal data. When a complaint is concluded, a written report detailing the complaint(s) raised, how the complaint was investigated, the outcomes reached, and next steps will be communicated to relevant parties to a complaint. Relevant parties will differ from case to case. For example, if a Group Scout Leader raises a complaint about another Group Scout Leader, the relevant parties to the complaint may be both Group Scout Leaders. It is therefore important to write the outcome report in a manner which addresses all relevant parties to the complaint, where they will be shared the full outcome report. There are templates available for use in both a complaint investigation and an appeal investigation.
Careful consideration should be given to the contents of any outcome reports communicated and shared with relevant parties to a complaint. Any personal data which is unknown to other relevant parties to a complaint, shared within the outcome report must only be shared where the individual concerned is aware that this information will be contained within the outcome report. It is advisable to ensure that anyone providing information which assists an investigation and forms part of the outcome report, is asked for their permission to use the information they provide for the purposes of the complaint’s investigation and outcome report. It is advisable to ask witnesses and other relevant parties that provide information which will be contained within an outcome report to complete this form. All parties to a complaint should be made aware that the legitimate purpose of a complaint investigation is to raise the matter with the appropriate individuals to sufficiently look into the issue, providing a right of response with the end goal of producing an outcome report which will be shared with the relevant parties.
It will not always be possible in some instances to anonymise complaints, such as a complainant wanting a complaint to be investigated and reported back on, without disclosing any personal information such as their name and contact details. Whilst action can often be taken to investigate the complaint, it will not be possible to report back to a person anonymously raising a complaint.
When considering anonymising personal data within outcome reports that will be shared with relevant parties to a complaint, you should think about whether anonymising for example, a person’s name, will be an effective measure to take. There may be instances where the relevant parties to a complaint may be able to work out who the anonymised information relates to or who it is from based on the context and their knowledge of the matter. Where there are concerns around anonymising personal data within complaints reports, the data subject (the individual the personal data is about) should be advised of the concerns and consideration given to excluding the personal data within the outcome report. The data subject may be willing to accept that their personal data is needed within the outcome report to provide sufficient context and details to any matters being raised.
Storage of complaints files
Once a complaint is concluded and the outcomes communicated to the relevant parties, all written documentation should be gathered together and stored in a central location in accordance with local data retention policies. This should be on shared drive with limited access to only individuals who may need to have access in case of any future enquiries. Local policies may require that this type of record is stored at your local Executive Committee level with shared access being granted to the relevant Commissioner. Complaints that involve aspects of Safeguarding should always be sent to the Safeguarding Team at headquarters in line with Yellow Card guidance.
Dealing with a Subject Access Request (SAR)
When Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) receive a SAR, they should follow the guidance in the GDPR toolkit. Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) are separate charities and therefore Data Controllers in their own right. Guidance on responding to a SAR. The Executive Committee is responsible for reviewing all provided documents to identify whether any third parties are identified in it and for either omitting or redacting identifying third party information from the documentation and ensuring lawful processing of data.
The Information Commissioners Office (ICO) have also developed guidance specifically related to complaint files: Access to information held in complaint files. If a SAR is submitted by a relevant party to a complaint, this may slow the progress of a complaint or appeal as it may provide more evidence or use resources to process the SAR, if this is the case it should be clearly communicated with those involved with the complaint. In some cases, it may be necessary to pause the complaint/appeal investigation until the outcome of the SAR is provided to the requestor and any reasonable time given so they can decide on how to proceed with the complaint/appeal.