
Accountability and governance


Check the measures local Scout Groups, Districts and Counties need to take to effectively align with GDPR. (5 min)

Accountability and governance have always been implicit requirements of data protection law and GDPR has increased their significance even further. In this section, you’ll find out about the measures local Scout Groups, Districts and Counties need to take to be effectively aligned with GDPR.

What do you think your local Scout Group, District or County needs to do to show accountability for their data processing activities? At an Executive Committee level, it means having clear documentation and recording procedures, which prove that required standards are being met. It also involves implementing measures to prepare and maintain records of your Group’s, District’s or County’s processing activities.

GDPR refers to this as the ‘accountability principle’, which means the expectation that organisations – in this case all local Scout Groups, Districts and Counties – will put comprehensive measures in place to minimise the risk of breaches and uphold the protection of personal data.

Before processing anyone’s data, you will need to think about protecting it. One way of doing this is by completing a Privacy Impact Assessment (PIA).

Some scenarios where PIAs should be undertaken immediately include:

  • changing from paper records to an online processing system
  • building new or developing existing IT systems for storing or accessing personal data
  • developing policies, processes or strategies that have privacy implications
  • passing information to other members within or outside your Scout Group, District or County
  • using personal data for purposes other than those for which the data was originally collected

PIAs are often mandatory when introducing new technologies or dealing with large volumes of personal data. This particularly applies when an organisation is processing sensitive information, such as personal data revealing racial or ethnic origin, religious or philosophical beliefs, health or sexual orientation.

GDPR has put some new measures in place to help organisations ensure the protection of personal data.

Under GDPR, it is mandatory for certain controllers to designate a Data Protection Officer. This will be the case for all public authorities and bodies. It will also apply to organisations that monitor individuals systematically or process special categories of personal data on a large scale.

While Groups, Districts or Counties will not need a designated Data Protection Officer, the same duties will need to be covered. For example, the Executive Committee needs to make decisions about Data Subject Access Requests and breaches, and pass information on to leaders or managers as appropriate.

Under GDPR, personal data breaches should be reported to the Information Commissioner’s Office, unless the breach is unlikely to result in a risk for the rights and freedoms of individuals.

Breaches that will usually require reporting to the ICO include those that may result in discrimination, identity theft or fraud, financial loss, breach of disguised identity, damage to reputation, loss of confidentiality or any other significant economic or social disadvantage. For example, names and addresses of parents/carers or adult volunteers or any credit card or bank account collected for making payments (e.g. activity/membership fees).

The local Executive Committee must, where required, notify the Information Commissioner’s Office within 72 hours of the breach. If they cannot do this, they need to explain the reasons for the delay.

You can find out more information, including processes the Executive Committee should follow, on our website.

Download the PDF

The GDPR workbook is available to download and print.
