November 2022
This is the Data Retention Policy of The Scout Association, by which we mean, the Association is the national charity (306101) and its subsidiary companies. This includes all operations (e.g. Scout Shops, Scout Adventure Centres etc.) for which the Board is directly responsible. For clarity, this policy does not include the movement data retention provision.
The purpose of this policy is to specify The Scout Association's (“TSA”) guidelines for retaining different types of data and for how long. TSA includes the subsidiaries of Scout Store, Scout Adventures, World Scout Shop, Scout Insurance Guernsey and Unity Insurance Services.
This policy covers all data in the possession or control of TSA regardless of the medium in or on which those data are held. Where statute or regulation departs from the requirements of this policy, TSA will comply with the relevant statute or regulation. This policy may be updated from time to time.
Personal data retention is governed by current Data Protection legislation. These data must be kept accurate, up to date and retained for no longer than is necessary for the purpose for which they were obtained. Detail of retention periods can be found in Annex A – Retention periods.
Where personal data is processed using the lawful basis of legitimate interest or consent, the data subject has a number of rights that they can exercise over this data, such as delete or rectify. Communications with these data subjects will need to clearly sign post them to their ability to withdraw this consent or challenge the legitimate interest that has been assessed, this is commonly known as ‘opt out’. Where appropriate the data subject should be informed every 2 years of the consent or legitimate interest being used to process their data with an option to update this preference. A formal retention period for data processing based on consent has not been defined in this policy and is assumed as permanent until the data subject exercises their rights to cease the processing activity.
Examples of processing covered by this statement are subscribers to newsletters, photograph consents and marketing communications.
The following retention periods are analysed into the categories of data held within TSA,
these are as follows:
|
Data Process |
Data Type |
Retention |
Justification |
| Want to Join | Personal data | 1 year after enquiry or until member joins, whichever is shorter | To keep them informed of their joining status |
|
Joining – |
Personal and Sensitive data (special category) | 10 years after leaving the data will be reduced to only include name, date of birth, awards, training records, events attended, roles and permits held and any complaints in summary format. This remaining data will be retained for 100 years. | The 10-year retention of all data is required to provide tenure and service records in the event an individual wants to rejoin. The 100 years retention of data is required for evidence requests from statutory agencies |
| Youth award registrations | Personal and Sensitive data (special category including citation) |
6 months after the member turns 25 | To retain their award registrations for the duration of the eligibility period |
| Youth award completions |
Personal data and Sensitive data (special category including citation) |
Permanent for basic data; name, county, award, membership number,completion date | Historic record of award completions |
| Adult award registrations |
Personal and Sensitive data (special category including citation) |
12 months after the registration unless successful | To retain their award registrations for the duration of the eligibility period |
| Adult award completions | Personal data and Sensitive data (special category including citation) | Permanent for basic data; name, county, award, membership number, completion date |
Historic record of award completions |
| Department for Digital, Culture, Media & Sport (DCMS) Award nomination at local Scout Group | Personal data and Sensitive data (special category including citation) |
Where TSA are approached by a local group in relation to a possible national honour nomination, TSA will retain the information for two years from the initial contact Where TSA are informed that the local group have made a submission to DCMS, TSA will retain the information for three years from the date of submission |
To retain their award registrations for the duration of the eligibility period |
| Department for Digital, Culture, Media & Sport (DCMS) Award nomination direct to TSA | Personal data and Sensitive data (special category including citation) |
Where TSA are approached by DCMS in relation to a possible national honour nomination, TSA will retain the information for two years from the initial contact |
To retain their award registrations for the duration of the eligibility period |
|
Research surveys |
Personal and Sensitive data (special category) |
18 months |
To keep a collation of completing members and compare answers from the previous year |
|
Scouts Experience Survey |
Personal and Sensitive data (special category) |
15 Years |
To keep a collation of completing members and compare answers from the previous years |
|
Vetting |
Personal Data – Disclosure Certificate |
6 months after issue |
In line with DBS, Access NI and Disclosure Scotland Code of Practice |
|
Safeguarding – Adult volunteer perpetrator |
Personal and Sensitive data (special category) |
Adult – 100 years after case closure. Will include all case notes, including those of witnesses and young person along with any litigation correspondence until it is appropriate to reduce this to a detailed summary of the case. In the event that the allegation is actually disproved or is found to have been mis-recorded in the first place, the record will include a statement that the data subject has been exonerated and the data will be subject to the joining data process retention period. |
Required for required for evidence requests from statutory agencies |
|
Safeguarding – Young person -Welfare |
Personal and Sensitive data (special category) |
Young Person – 7 years after last communication with the Young Person or Family.
|
Required for evidence requests from statutory agencies |
|
Safeguarding – Young person perpetrator |
Personal and Sensitive data (special category) |
Young Person – 100 years after case closure. Will include all case notes, including those of witnesses and adult volunteers along with any litigation correspondence, until it is appropriate to reduce this to a detailed summary of the case. In the event that the allegation is actually disproved or is found to have been mis-recorded in the first place, the record will include a statement that the data subject has been exonerated and the data will be subject to the joining data process retention period. |
Required for evidence requests from statutory agencies |
|
Incident – personal injury (including sexual abuse/psychological damage) |
Personal and Sensitive data (special category) |
4 years after incident, or 4 years after alleged victim turns 18 if later |
Fight a case – Limitation act 1980 |
|
Incident – not involving personal injury |
Personal and Sensitive data (special category) |
7 years after incident, or 7 years after alleged victim turns 18 if later |
Fight a case – Limitation act 1980 |
|
Permit Assessments |
Personal data |
6 months after the permit expires |
Required for permit renewals and queries |
|
Scout Stories |
Personal data |
5 years after submission |
Required for the Media team to ascertain if a story is news worthy during this period |
|
Data Process |
Data Type |
Retention |
Justification |
|
Individual Givers |
Personal Data |
5 years post last donation or last positive interaction with Scouts Fundraising Team, whichever is longer |
To keep an individual informed of their donation and other fundraising campaigns |
|
Gift aid declaration |
6 years after the end of the year or accounting period that includes the last donation |
HMRC Tax Audit |
|
|
Direct debit mandate |
6 years after the end of the year or accounting period that includes the last Direct Debit |
As proof of Direct Debit Instruction (DDI) and to assist in claims against that DDI |
|
|
Partnerships |
Personal Data |
3 Years |
To answer queries on the donations and maintain a record of partner donors |
|
Legacy Donors |
Personal Data |
In perpetuity |
To maintain record of the donation |
|
Major Donors |
Personal Data |
5 years post last donation or last positive interaction with Scouts Fundraising Team, whichever is longer |
To keep an individual informed of their donation and other fundraising campaigns |
|
Data Process |
Data Type |
Retention |
Justification |
|
Ad-hoc events |
Personal and Sensitive data (special category) |
2 months after event. Scouting Young People attendance records will be retained for 100 years |
Required for enquiries on the event and responding to incidents. The 100 years retention of data is required for evidence requests from statutory agencies |
|
Annual events |
Personal and Sensitive data (special category) |
18 months after event for personal data, 2 months after event for sensitive data (special category). Scouting Young People attendance records will be retained for 100 years |
To re-invite the guests to the same event in the following year. The 100 years retention of data is required for evidence requests from statutory agencies |
|
International events |
Personal and Sensitive data (special category) |
5 years after event for personal data, 2 months after event for sensitive data (special category). Scouting Young People attendance records will be retained for 100 years |
To re-invite the guests to the same event at the next cycle, which are every 4 years. The 100 years retention of data is required for evidence requests from statutory agencies |
|
Event Permits and licenses |
Personal data |
6 months after the permit expires |
To retain a record of permits and licenses held |
|
Data Process |
Data Type |
Retention |
Justification |
|
Non-liability cover |
Personal and Sensitive data (special category) |
7 Years after case closure |
Advisory stipulations of the regulator(s), currently the Financial Conduct Authority |
|
Liability cover |
Personal and Sensitive data (special category) |
10 Years after case closure |
Advisory stipulations of the regulator(s), currently the Financial Conduct Authority |
|
Prospect customers - enquiries |
Personal data |
18 months after enquiry |
To keep in communication with the enquirer |
|
Data Process |
Data Type |
Retention |
Justification |
|
Scout Store purchase |
Personal data |
1 Year after account closure |
Required for enquiries on purchases and account |
|
Transaction data |
6 Years after the end of the tax year for that purchase or duration of warranty period, whichever is longest |
HMRC Tax Audit or warranty period |
|
|
Prospect customers - enquiries |
Personal data |
18 months after enquiry |
To keep in communication with the enquirer |
|
Data Process |
Data Type |
Retention |
Justification |
|
Scout Adventure attendee |
Personal data |
18 months after last booking |
Required for enquiries on purchases |
|
Transaction data |
6 Years after the end of the tax year for that purchase |
HMRC Tax Audit |
|
|
Scout Venue event attendee |
Personal data |
3 years after last booking or interaction with the Scout Venue team |
Required for communication with active attendees |
|
Transaction data |
6 Years after the end of the tax year for that purchase |
HMRC Tax Audit |
|
|
Prospect customers - enquiries |
Personal data |
18 months after enquiry |
To keep in communication with the enquirer |
|
Data Process |
Data Type |
Retention |
Justification |
|
Heritage Collection (includes business archive) |
Personal data |
Permanent |
Required for historical, research and statistical purposes |
|
Donor (entry and accession) records/registers |
Personal data |
Permanent |
Required for historical, research and statistical purposes |
| Information gathered as a result of an enquiry |
Personal data |
2 years after enquiry is complete |
Required to check for repeat enquiries |
| Object Exit Files and register |
Personal data |
Permanent |
Required for historical, research and statistical purposes |
| Day books/Index Cards |
Personal data |
Permanent |
Required for historical, research and statistical purposes |
| Loan In and Out files |
Personal data |
Permanent |
Required for historical, research and statistical purposes |
|
Data Process |
Data Type |
Retention |
Justification |
|
|
Estate deeds and associated information, including communications |
Personal data |
Permanent |
Required for proof of ownership |
|
|
Estate claims against deeds |
Personal data |
12 years from the breach of obligation |
Fight a case – Limitation Act 1980 |
|
|
Various pre action and litigated actions, to include: Simple claims in contract, tort, fraud or negligence |
Personal and Sensitive data (special category) |
6 years from the closure of the case
For pre action personal injury claims relating to a minor for 3 years beyond the date upon which the minor attains the age of 21 |
Fight a case – Limitation Act 1980 |
|
|
Litigation action: defamation |
Personal and Sensitive data (special category) |
1 year from the publication of defamatory act |
Fight a case – Limitation Act 1980 |
|
|
Legacies |
Personal and sensitive data (special category) |
1 year from the administration of the estate |
Fight a case – Limitation Act 1980 |
|
|
Subject Access Request (SAR) |
Personal data |
7 years after the SAR has been closed, or 7 years after the data subject turns 18 if later |
Fight a case – Limitation Act 1980 |
|
|
Contracts |
Personal data |
6 years beyond the end of the contract or if externally funded the time period specified in the funding agreement which can be 10 or 12 years for some government funding. |
Required as part of the Limitation Act 1980 |
|
|
General advice |
Personal data |
3 years unless required longer for TSA to defend a position where general advice has been given |
Fight a case – Limitation Act 1980 |
|
|
Data Process |
Data Type |
Retention |
Justification |
|
Income tax and NI records |
Personal data |
3 years from the end of financial year to which they relate |
The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631) |
|
Payroll wage/salary records (also overtime, bonuses, expenses) |
Personal data |
6 years from the end of the tax year to which they relate |
Taxes Management Act 1970 |
|
Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity |
Personal data |
6 years from the end of the scheme year in which the event took place |
The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103) |
|
Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence |
Personal data |
3 years after the end of the tax year in which the maternity period ends |
The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended |
|
Working time records |
Personal data |
2 years from date on which they were made |
The Working Time Regulations 1998 (SI 1998/1833) |
|
Personnel records, including training |
Personal and Sensitive data (special category) |
6 years after the employee has left |
To defend against tribunals or county or high court claim |
|
Recruitment records |
Personal data |
6 months after the candidate has not been successful |
To defend against tribunals or county or high court claim |
|
Emails and personal data volumes |
Personal and Sensitive data (special category) |
6 months after the employee has left |
To answer queries that are contained in these data sources |
The retention period is applicable at the point where the relationship has finished, for example where a member has left the organisation.