Data protection policy for membership data processing

August 2020

The Scout Association (TSA) is incorporated by Royal Charter under registration no RC000547 and is a charity registered in England and Wales under registration no 306101 and in Scotland under registration no SC038437, registered at Gilwell Park, Chingford, London, E7 7QW, whose aims are to engage and support young people in their personal development and to empower them to make a positive contribution

Purpose

This data protection policy has been provided to define the purpose and lawful basis for the processing of Scout Members' (adult and youth members) data, the obligations of both TSA and the local Scout Groups (collectively known as The Scouts) for this processing and the data processed between them. TSA and the local Scout Groups operate as joint data controllers for the data held on our membership databases (Online Scout Manager and Compass). Both TSA and the local Scout Groups have a legal obligation to process personal data in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) (Data Privacy Legislation) independently and jointly as part of this Policy. This document describes the processing activities that are carried out by each party with Scout Members' data on the common membership databases.

Personal data to be processed

The Scouts process Scout Members data (including special category data) about adult and youth members and volunteers on our membership databases. This data is processed between the local Scout Groups and TSA. Information the Scouts hold about Scout Members may include the following:

  • name and contact details
  • length and periods of membership and volunteer service (and absence from membership and service)
  • details of training you receive
  • details of any youth badges and awards
  • details of your experience, qualifications, occupation, skills and any awards you have received
  • details of Scouting events and activities you have taken part in
  • details of next of kin or parents (in the case of youth members)
  • age/date of birth
  • details of any health conditions
  • details of disclosure checks
  • any complaints we have received about the member
  • details about your role(s) in Scouting
  • details about your membership status
  • race or ethnic background and native languages
  • religion
  • nationality

Processing Activities

The following is a list of common data processing activities for Scout Member data on The Scouts membership systems. This includes an indication of which entity carries out this activity.

| Processing Activity | Description | Processing entity |
|---|---|---|
| Scout Member capture | Initial data load of a new Scout Member onto the membership database | Local Scout Group |
| Scout Member disclosure check | Disclosure checks for any adult Scout Members that require them | Local Scout Group initiate; TSA complete the check |
| Scout Member operational administration | This may include: Scout Member data updates; Maintaining training record; Events attended; Permits approved; Badges awarded | Local Scout Group and TSA |
| Scout Member disciplinary | Scout Member disciplinary detail capturing where a Scout Member has breached POR or any other Scout policy | Local Scout Group initiate; TSA involved if severity meets a policy threshold |
| Scout Member leaving | The updating of an individual’s membership status post leaving the association. | Local Scout Group |
| Scout Member data reporting | Reporting on trends and monitoring data to be able to demonstrate The Scouts impact and to attract funding (this may include optional special category data of the Scout Members) | TSA; Local Scout Group may access special category data for Census and local Scouting delivery |
| Scout Member Training | The addition of mandatory training for Scout Members, where applicable | TSA |
| Scout Member roles definition | The definition of Scout Member roles on the membership databases | TSA |

Where the personal data of Scout Members is to be copied from the membership database to other data systems, it will be completed in line with TSA and/or the local Scout Groups' data protection policies. All data processing by TSA will be in accordance with its own Data Protection Policy, which can be found here www.scouts.org.uk/DPPolicy, this Data Protection Policy for Membership Data Processing and the applicable Data Privacy Legislation.

Basis for processing

The local Scout Group and TSA are joint data controllers for the personal data within the membership databases for the defined processing activities above. The requirements to process data between them include:

  • To complete full disclosure checks on adult Scout Members
  • To provide evidence of training, permits and awards
  • To monitor the membership
  • To safeguard youth members
  • To maintain full records of current and past members

In most cases the lawful basis for processing will be through the performance of a contract for personal data of our adult volunteers and legitimate interest for personal data of our youth members. Sensitive (special category) data for both adult volunteers and our youth members will mostly align to the lawful basis of legitimate activities of an association.

 

Third parties

In compliance with statutory or regulatory responsibilities TSA or the Local Scout Groups may be required to share personal data with other third parties including but not limited to the Police, Local Authorities, and other statutory or regulatory bodies.

Where special category data is to be shared outside of The Scouts for its own purposes, this will be done with the explicit consent of the data subject or the parent. Examples may be the use of third party Evaluation Partners to assist with the analysis of Scout Members' data.

Obligations

TSA and the local Scout Groups shall be responsible for ensuring that the relevant data subjects have been provided with all necessary information in respect of this Data Protection Policy for Membership Data Processing between the Scout Group and TSA for Scout Members data.

In processing the personal data TSA and the local Scout Groups shall:

  • take appropriate steps to ensure the reliability of TSA staff, volunteers and any third parties who have access to the personal data and use all reasonable endeavours to ensure that such persons have sufficient skills and training in the handling of personal data and comply with the Data Protection Legislation;
  • implement technical and organisational security measures appropriate to the volume and sensitivity of the personal data;
  • comply with all applicable laws including the Data Protection Legislation in relation to all processing of the personal data;
  • not process the personal data for any purposes other than defined in this Policy, TSA Data Protection Policy and local Scout Group privacy policy unless it has any other legal basis to do so;
  • not disclose the personal data to any third parties other than as specified above and where they are subject to obligations equivalent to those of TSA and the local Scout Group under this agreement; and

TSA and the Local Scout Group each warrants and undertakes that in carrying out its obligations under this agreement it will not breach the Data Protection Legislation or do or omit to do anything that might cause the other party to be in breach of the Data Protection Legislation.

Duration and destruction

TSA and the local Scout Groups shall only retain the personal data for as long as is necessary for the defined purposes in accordance with their data retention policies. TSA Data Retention Policy can be found here: 

All local Scout Groups must have and maintain data in line with their own data retention policy.

All data that is no longer needed or meets the defined retention period will be securely destroyed.

Data security

TSA and the Local Scout Groups undertake to implement the appropriate organisational and technological measures in such a manner that meets the requirements of applicable Data Privacy Legislation, in order to protect the Scout Members' data in their possession against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and to ensure the protection of the rights of the data subjects.

Data breaches

TSA and the Local Scout Groups are under a strict obligation to notify any potential or actual losses of the Scout Member data to the other party as soon as reasonably practical and, in any event, within 1 business day of identification of any potential or actual loss to enable the party to consider what action is required in order to resolve the issue in accordance with the Data Privacy Legislation.