Skip to main content

Data Protection

2a.3.1 Data Protection Policy Statement

2a.3.1.1 Policy statement
To deliver programmes for young people and manage Scouts effectively, Scouts collect and store a significant amount of data, including personal data. This applies to both members and non-members, and data may be stored digitally or on paper.

All personal data must be handled and stored in compliance with data protection laws, including the UK General Data Protection Regulation (UK GDPR).  The responsibility for ensuring this compliance falls to each member within the Federation.

These are the seven core principles of the UK GDPR – they form the foundation for UK GDPR compliance and influence how Scout units manage and protect personal data:

  1. Lawfulness, Fairness, and Transparency 
    Data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. 
  2. Purpose Limitation 
    Data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. 
  3. Data Minimisation 
    Only the data that is necessary for the intended purpose should be collected and processed. 
  4. Accuracy 
    Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be erased or corrected without delay. 
  5. Storage Limitation 
    Data should not be kept longer than necessary for the purposes for which it is processed. 
  6. Integrity and Confidentiality (Security) 
    Data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage. 
  7. Accountability 
    Records should be kept in order to demonstrate compliance. The Data Lead is the responsible person within a Scout Unit for managing data protection duties and will support the Trustee Board. 

Further guidance is available in step 1 of the Scout Unit Data Protection Toolkit

2a.3.2 Responsibilities within Data Protection

2a.3.2.1 Responsibilities for Trustee Boards
As part of the management of personal data collected and used by their charity, the Trustee Board of each Scout unit within the Federation (whether or not a charity in law) must ensure that their Group, District, County, Country Headquarters or UK Headquarters:

  1. has a Data Lead – either the Lead Volunteer, or another volunteer with the Data Lead accreditation
  2. publishes and maintains a data protection policy. For Groups, Districts and Counties, details can be seen in step 10 of the Scout Unit Data Protection Toolkit which includes a guidance template. For the Nation and UK charities, they must develop, publish and maintain a data protection policy. 
  3. publishes and maintains a data retention policy. For Groups, Districts and Counties, details can be seen in step 11 of the Scout Unit Data Protection Toolkit which includes a guidance template.
  4. ensures that appropriate records are kept to demonstrate compliance.
  5. is able to demonstrate data protection compliance when requested. 

2a.3.2.2 Responsibilities for Leadership Teams
With leadership by the Scout Unit’s Data Lead, each Group, District, County, Country Headquarters or UK Headquarters Leadership Team must ensure that the members of their charity are compliant with:

  1. UK Data Protection Law  
  2. their published data protection policy and data retention policy  

The Leadership Team must ensure that  

  1. Data protection documentation such as polices and records are maintained and kept up-to-date 
  2. They know how any subject rights requests, data breaches and data Protection complaints will be managed. Guidance for subject rights request registers, together with a subject access request form, is included in step 4 of the Scout Unit Data Protection Toolkit 

2a.3.2.3 Responsibilities for all adults
All members aged 18 or over must ensure that they are compliant with their Group, District or County data protection and data retention policies. This means that each adult operating within Scouts, whether as staff or as a volunteer, is also responsible for ensuring that they handle all personal data in compliance with those policies and the law. 

Use of the membership system must be in line with our Acceptable Usage Policy.  

All members and non-members have rights listed in step 4 of the Scout Unit Data Protection Toolkit