Skip to main content

Volunteering at Scouts is changing to help us reach more young people

Volunteering is changing to help us reach more young people

Volunteering is changing at Scouts. Read more

Discover what this means

Data Retention Policy

December 2023

Purpose

This is the Data Retention Policy of The Scout Association, by which we mean, the Association as the national charity (306101) and all its subsidiaries and business units for which its board is responsible for. This includes Scout Stores, Scout Adventures and World Scout Shop). 

The purpose of this policy is to specify The Scout Association's (“TSA”) guidelines for retaining different types of personal data and for how long. 

For clarity, this policy does not include the movement data retention provision. This is because each Local Scout Group, District and County are their own distinct data controllers, separate to TSA.

This policy covers all data in the possession or control of TSA regardless of the medium in or on which those data are held. Where statute or regulation departs from the requirements of this policy, TSA will comply with the relevant statute or regulation. This policy may be updated from time to time.

Policy

Personal data retention is governed by current Data Protection legislation. These data must be kept accurate, up to date and retained for no longer than is necessary for the purpose for which they were obtained. Detail of retention periods can be found in Annex A – Retention periods.

Where a person has requested that we delete all data we hold about them, we may need to retain basic personal data to evidence that we have completed the request.

Personal Data can only be processed (including how it is retained) where there is a lawful basis. 

TSA relies on different lawful bases depending on what the Personal Data is being used for. In some cases, TSA has a legal need or right to keep the data, but in other cases TSA’s relies on Data subjects consenting or TSA’s legitimate interests, where this needs to be actively managed. 

Data subjects also have a number of rights that they can exercise over their Personal Data, such as to delete or rectify it.

TSA needs to communicate with these data subjects to clearly sign post them to their ability to withdraw their consent or challenge the legitimate interest that has been assessed, this is commonly known as ‘opt out’. Where appropriate the data subject should be informed every 2 years of the consent or legitimate interest being used to process their data with an option to update this preference. 

A formal retention period for data processing based on consent has not been defined in this policy and is assumed as permanent until the data subject exercises their rights to cease the processing activity.

Examples of processing covered by this statement are subscribers to newsletters, photograph consents and marketing communications.

Annex A - Retention periods

The following retention periods are analysed into the categories of data held within TSA, these are as follows:

  • Members’ and volunteers’ data
  • Donors’ data
  • Event registrants’ and participants data
  • Insurance customers’ data
  • Scout Store customers’ data
  • Scout Adventure and Scout Venues’ customer data
  • Heritage archives
  • Legal services
  • TSA staff data    
  • Complaints & Whistleblowing

The retention period is applicable at the point where the relationship has finished, for example where a member has left the organisation.

The same piece of data may be held by different teams and for different purposes. It will therefore be covered by the retention policy for each purpose, and so retained by the organisation for the longer of the stated periods.

Data Process

Data Type

Retention

Justification

Want to Join Personal data 1 year after enquiry or until member joins, whichever is shorter To keep them informed of their joining status

Joining – including the role, dates of joining and permits

Personal and Sensitive data (special category) 10 years after leaving the data will be reduced to only include name, membership number, date of birth, awards, training records, events attended, roles, permits held and any complaints in summary format. This remaining data will be retained for 100 years.  The 10-year retention of all data is required to provide tenure and service records in the event an individual wants to re-join. The 100 years retention of data is required for evidence requests from statutory agencies or internal safeguarding investigations
Youth award registrations Personal and Sensitive data (special category including citation) 6 months after the member turns 25 To retain their award registrations for the duration of the eligibility period
Youth award completions

Personal data and Sensitive data (special category including citation)

Permanent for basic data; name, county, award, membership number and completion date Historic record of award completions
Adult award registrations

Personal and Sensitive data (special category including citation)

6 months after the registration To retain their award registrations for the duration of the eligibility period
Adult award completions Personal data and Sensitive data (special category including citation) Permanent for basic data; name, county, award, membership number, completion date

Historic record of award completions

Department for Digital, Culture, Media & Sport (DCMS) Award nomination at local Scout Group Personal data and Sensitive data (special category including citation)

 

Where TSA are approached by a local group in relation to a possible national honour nomination, TSA will retain the information for two years from the initial contact

Where TSA are informed that the local group have made a submission to DCMS, TSA will retain the information for three years from the date of submission

 

To retain their award registrations for the duration of the eligibility period

Department for Digital, Culture, Media & Sport (DCMS) Award nomination direct to TSA Personal data and Sensitive data (special category including citation)

Where TSA are approached by DCMS in relation to a possible national honour nomination, TSA will retain the information for two years from the initial contact

To retain their award registrations for the duration of the eligibility period

Research surveys

Personal and Sensitive data (special category)

18 months

To keep a collation of completing members and compare answers from the previous year

Scouts Experience Survey

Personal and Sensitive data (special category)

15 Years

To keep a collation of completing members and compare answers from the previous years

Vetting

Personal Data – Disclosure Certificate

6 months after issue

In line with DBS, Access NI and Disclosure Scotland Code of Practice

Safeguarding – Adult volunteer ’person of concern’

Personal and Sensitive data (special category)

Adult – 100 years after case closure. Will include all case notes, including those of witnesses and young person along with any litigation correspondence until it is appropriate to reduce this to a detailed summary of the case. In the event that the allegation is actually disproved or is found to have been mis-recorded in the first place, the record will include a statement that the data subject has been exonerated and the data will be subject to the joining data process retention period.

Required for evidence requests from statutory agencies or internal safeguarding investigations

Safeguarding – Young person -Welfare

Personal and Sensitive data (special category)

Young Person – 7 years after last communication with the Young Person or Family. 

 

Required for evidence requests from statutory agencies or internal safeguarding investigations

Safeguarding – Young person ’person of concern’

Personal and Sensitive data (special category)

Young Person – 100 years after case closure. Will include all case notes, including those of witnesses and adult volunteers along with any litigation correspondence, until it is appropriate to reduce this to a detailed summary of the case. In the event that the allegation is actually disproved or is found to have been mis-recorded in the first place, the record will include a statement that the data subject has been exonerated and the data will be subject to the joining data process retention period.

Required for evidence requests from statutory agencies or internal safeguarding investigations

Incident – personal injury details (including sexual abuse/psychological damage)

Personal and Sensitive data (special category)

4 years after incident, or 4 years after alleged victim turns 18 if later

Fight a case – Limitation act 1980

Incident – not involving personal injury

Personal and Sensitive data (special category)

7 years after incident, or 7 years after alleged victim turns 18 if later

Fight a case – Limitation act 1980

Scout Stories

Personal data

5 years after submission

Required for the Media team to ascertain if a story is newsworthy during this period.

Data Process

Data Type

Retention

Justification

Individual Givers

Personal Data

5 years post last donation or last positive interaction with Scouts Fundraising Team, whichever is longer

To keep an individual informed of their donation and other fundraising campaigns

Gift aid declaration

6 years after the end of the year or accounting period that includes the last donation

HMRC Tax Audit

Direct debit mandate

6 years after the end of the year or accounting period that includes the last Direct Debit

As proof of Direct Debit Instruction (DDI) and to assist in claims against that DDI

Partnerships

Personal Data

3 Years

To answer queries on the donations and maintain a record of partner donors

Legacy Donors

Personal Data

In perpetuity

To maintain record of the donation

Major Donors

Personal Data

5 years post last donation or last positive interaction with Scouts Fundraising Team, whichever is longer

To keep an individual informed of their donation and other fundraising campaigns

 

Data Process

Data Type

Retention

Justification

Ad-hoc events

Personal and Sensitive data (special category)

2 months after event. Scouting Young People and adult volunteer attendance records will be retained for 100 years

Required for enquiries on the event and responding to incidents. The 100 years retention of data is required for evidence requests from statutory agencies or internal safeguarding investigations

Annual events

Personal and Sensitive data (special category)

18 months after event for personal data, 2 months after event for sensitive data (special category). Scouting Young People and adult volunteer attendance records will be retained for 100 years

To re-invite the guests to the same event in the following year. The 100 years retention of data is required for evidence requests from statutory agencies or internal safeguarding investigations

International events

Personal and Sensitive data (special category)

5 years after event for personal data, 2 months after event for sensitive data (special category). Scouting Young People and adult volunteer attendance records will be retained for 100 years 

To re-invite the guests to the same event at the next cycle, which are approximately every 4 years. The 100 years retention of data is required for evidence requests from statutory agencies or internal safeguarding investigations

Data Process

Data Type

Retention

Justification

Non-liability cover

Personal and Sensitive data (special category)

7 Years after case closure

Advisory stipulations of the regulator(s), currently the Financial Conduct Authority

Liability cover

Personal and Sensitive data (special category)

10 Years after case closure

Advisory stipulations of the regulator(s), currently the Financial Conduct Authority

Prospect customers - enquiries

Personal data

18 months after enquiry

To keep in communication with the enquirer

Data Process

Data Type

Retention

Justification

Scout Store purchase

Personal data

1 Year after account closure

Required for enquiries on purchases and account

Transaction data

6 Years after the end of the tax year for that purchase or duration of warranty period, whichever is longest

HMRC Tax Audit or warranty period

Prospect customers - enquiries

Personal data

18 months after enquiry

To keep in communication with the enquirer

Data Process

Data Type

Retention

Justification

Scout Adventure attendee

Personal data

18 months after last booking

Required for enquiries on purchases

Transaction data

6 Years after the end of the tax year for that purchase

HMRC Tax Audit

Scout Venue event attendee

Personal data

3 years after last booking or interaction with the Scout Venue team

Required for communication with active attendees

Transaction data

6 Years after the end of the tax year for that purchase

HMRC Tax Audit

Prospect customers - enquiries

Personal data

18 months after enquiry

To keep in communication with the enquirer

Data Process

Data Type

Retention

Justification

Heritage Collection (includes business archive)

Personal data

Permanent

Required for historical, research and statistical purposes

Donor (entry and accession) records/registers

Personal data

Permanent

Required for historical, research and statistical purposes

Information gathered as a result of an enquiry 

Personal data

2 years after enquiry is complete

Required to check for repeat enquiries

Object Exit Files and register

Personal data

Permanent

Required for historical, research and statistical purposes

Day books/Index Cards

Personal data

Permanent

Required for historical, research and statistical purposes

Loan In and Out files

Personal data

Permanent

Required for historical, research and statistical purposes

Data Process

Data Type

Retention

Justification

Estate deeds and associated information, including communications

Personal data

Permanent

Required for proof of ownership

Estate claims against deeds

Personal data

12 years from the breach of obligation

Fight a case – Limitation Act 1980

Various pre action and litigated actions, to include: Simple claims in contract, tort, fraud or negligence

Personal and Sensitive data (special category)

 

6 years from the closure of the case 

For pre action personal injury claims relating to a minor for 3 years beyond the date upon which the minor attains the age of 21

 

Fight a case – Limitation Act 1980

Litigation action: defamation

Personal and Sensitive data (special category)

1 year from the publication of defamatory act

Fight a case – Limitation Act 1980

Legacies

Personal and sensitive data (special category)

12 years from the administration of the estate

Fight a case – Limitation Act 1980

Subject Access Request (SAR)

Personal data

7 years after the SAR has been closed, or 7 years after the data subject turns 18 if later

Fight a case – Limitation Act 1980

Contracts

Personal data

6 years beyond the end of the contract or if externally funded the time period specified in the funding agreement which can be 10 or 12 years for some government funding.

Required as part of the Limitation Act 1980

General advice

Personal data

3 years unless required longer for TSA to defend a position where general advice has been given

Fight a case – Limitation Act 1980

Data Process

Data Type

Retention

Justification

Income tax and NI records

Personal data

3 years from the end of financial year to which they relate

The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631)

Payroll wage/salary records (also overtime, bonuses, expenses)

Personal data

6 years from the end of the tax year to which they relate

Taxes Management Act 1970

Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity

Personal data

6 years from the end of the scheme year in which the event took place

The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)

MATB1 and associated Family Leave Pay Records

Personal data

3 years after the employee has had their baby

The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended Maternity & Parental Leave Regulations 1999.

Working time records

Personal data

2 years from date on which they were made

The Working Time Regulations 1998 (SI 1998/1833)

Personnel records (full record including training)

Personal and Sensitive data (special category)

6 years after the employee has left. After this period only the name, role history and contact details are retained on our HR system for 25 years. 

The full record is retained in order to defend against tribunals or county or high court claim. The reduced record is retained for the purpose of responding to reference requests. 

Recruitment records

Personal data

6 months after the candidate has not been successful unless they opt in to join the talent pool. Data will be held on the talent pool for two years, and will be used to contact people about future vacancies that may be of interest to them.

To defend against tribunals or county or high court claim. The data is retained on the Talent Pool to contact people about future vacancies that may be of interest to them

Emails and personal data volumes

Personal and Sensitive data (special category)

6 months after the employee has left

To answer queries that are contained in these data sources

Swipe Card Data

Personal data 

Photographs will be deleted when employee has left. The data around movement around buildings will be retained for three years following the employee leaving

To address any potential legal claims or enquiries 

 

Data Process

Data Type

Retention

Justification

Complaints Process

Personal data / special category data

6 years from the final recorded communication from the complainant about the complaint.

Required as part of the Limitation Act 1980

Whistleblowing Process

Personal data / special category data

6 years from the final recorded communication from the person raising the issue about the case. Where a case is raised anonymously, 6 years from the date the case is concluded. 

Required as part of the Limitation Act 1980