Complaints and handling personal data
The purpose of this document is to give guidance to Managers and Supporters who are required to deal with complaints which have been received about The Scouts.
The Scouts recognises its responsibility to deal fairly, constructively and consistently with the expressions of concern or dissatisfaction from members and non members including parents and carers on behalf of themselves or their children in line with its values.
As Scouts we are guided by the values of Integrity, Respect, Care, Belief and Co-operation. When applying this policy these values should be at the forefront of every interaction and decision that is made, and all involved should be regularly reminded of them.
Focusing on the values of Respect and Care, the wellbeing and mental health of all involved in the complaints process should be considered throughout. 'The Supporting the Wellbeing and Mental Health during a Complaint', webpage.
Data Protection Act 2018 (DPA) and the General Data Protection Regulations GDPR
The DPA and GDPR set out the UK data protection regime. Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.
Under the GDPR and the DPA, individuals have a right to access information about themselves. This is commonly known as subject access. It does not give an individual the right of access to information about another person – unless they are acting on behalf of someone else, for example a parent acting on behalf of a child. The GDPR and the DPA apply to all organisations that process personal data including The Scout Association (TSA). Personal data is anything that identifies an individual such as name, contact details or details of their complaint where applicable. Under our current federated model, individual charities have a responsibility to ensure adherence to the DPA and the GDPR. You should have appropriate local data protection policies in place for your charity.
Creating and compiling accurate complaint records
Complaint files act as an important record of the issues raised, the actions taken and other background issues. Principle D of the GDPR requires that personal data must be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)’.
It is important to ensure that full and accurate records are created and stored securely, to ensure that all the information is easily accessible in the event it is required for responding to a Subject Access Request (SAR). It also acts as an audit trail for reference should any further challenges be received upon conclusion of a complaint.
Storage of complaints files
Once a complaint is concluded and the outcomes communicated to the relevant parties, all written documentation should be gathered together and stored in a central location in accordance with local data retention policies. This should be on shared drive with limited access to only individuals who may need to have access in case of any future enquiries. Local policies may require that this type of record is stored at your local Executive Committee level with shared access being granted to the relevant Commissioner. Complaints that involve aspects of Safeguarding should always be sent to the Safeguarding Team at headquarters in line with Yellow Card guidance.
Dealing with a Subject Access Request (SAR)
When Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) receive a SAR, they should follow the guidance in the GDPR toolkit. Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) are separate charities and therefore Data Controllers in their own right. Guidance on responding to a SAR. The Executive Committee is responsible for reviewing all provided documents to identify whether any third parties are identified in it and for either omitting or redacting identifying third party information from the documentation and ensuring lawful processing of data.
The Information Commissioners Office (ICO) have also developed guidance specifically related to complaint files: Access to information held in complaint files. If a SAR is submitted by a relevant party to a complaint, this may slow the progress of a complaint or appeal as it may provide more evidence or use resources to process the SAR, if this is the case it should be clearly communicated with those involved with the complaint. In some cases, it may be necessary to pause the complaint/appeal investigation until the outcome of the SAR is provided to the requestor and any reasonable time given so they can decide on how to proceed with the complaint/appeal.