Individual's Rights

One of the biggest changes brought about by GDPR is how individuals’ rights regarding their personal data will be increased. In this section, you’ll see what local Scout Groups, Districts and Counties need to do to make sure they’re aligning with the new legislation.

GDPR aims to give people more control over the ways in which organisations process their personal data. This will be achieved by granting new rights for individuals as well as enhancing and improving existing rights.

Bearing in mind the quantity and complexity of personal data that exists in the digital age, GDPR legislation covers a comprehensive range of individual rights and ensures that they’re fully addressed.

As we saw in Topic 1, all organisations including local Scout Groups, Districts and Counties should provide a clearly worded Privacy Notice, which informs individuals about how their personal data will be used.

GDPR alignment tip: Review all the forms you use to collect information to ensure they provide the necessary information or signpost individuals to where it can be found.

GDPR gives people the right to receive a copy of any information that an organisation holds on them by making a Data Subject Access Request.

GDPR alignment tip: Check to see if the information you hold can be easily provided if requested.

GDPR gives people the right to have their personal data rectified if it is inaccurate or incomplete.

GDPR alignment tip: Ask yourself if it is easy for someone to contact you and get incorrect information amended or whether you need to set up an email, telephone or other contact point to make it simpler

Subject to certain conditions, GDPR gives people the right to have their personal data erased without unnecessary delay; for example, if the processing of the data was unlawful in the first place or if it is no longer needed.

GDPR alignment tip: If you wanted to remove an individual’s details from the information you hold, could you? This may not be easily done if a number of copies of the same information are shared with a number of members in a Scout District, for example.

GDPR gives people the right to ‘block’ or suppress the processing of their personal data if, for example, they are disputing its accuracy.

This differs from the right to erasure because although the processing of the data is restricted and organisations cannot process it any further, they are still permitted to store it.

GDPR alignment tip: Make sure you have a process in place to record, consider and reach a decision for occasions when someone objects to their data being processed.

Where data is held electronically, GDPR gives people the right to obtain their personal data in a format that will enable them to move, copy or transfer this information from one IT system to another.

However, this is subject to restrictions and the right only applies where the processing is based on the individual’s consent or the performance of a contract and when processing is carried out by automated means.

GDPR alignment tip: Make sure that you can provide personal data in a structured, commonly-used and machine-readable format.

GDPR gives people the right to object to the processing of their personal data for direct marketing purposes. This means that if someone receives material via email, post or text, they can contact the organisation that sends out the material and ask them to stop, which the organisation must do immediately and free of charge.

GDPR alignment tip: If you send marketing emails, you must stop using personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds for refusal. An example could be where a local District Scout Shop sends out regular marketing communications or a Campsite sends emails advertising discounted rates.

Automated decision-making is unlikely to be used within Scouting, but may be relevant in some rare cases. If it is used, GDPR gives individuals the right not to be subject to an automated decision-making process where those decisions have ‘legal effect’ or ‘similar significant effect’ on them.

When a young person gets to a certain age, they go through the Moving On process to the next section within Scouting. In most situations, they will have a new Section Leader. The young person can also leave Scouting at any point.

This means that when data is being transferred from one person to another, care needs to be taken to protect that information. The data being transferred needs to be accurate and minimised. If at any point an individual wishes to leave Scouting, their data should be deleted fully unless required for further purposes. All personal data should only be kept for a defined time period.

GDPR has identified eight specific rights for individuals that organisations, including local Scout Groups, Districts and Counties, must align to. These give people the right to:

• be informed about how their personal data will be used.
• receive a copy of any personal data an organisation holds on them
  GDPR Training text #SkillsForLife 7.
• have their personal data rectified if it is inaccurate or incomplete.
• have their personal data erased without unnecessary delay.
•  ‘block’ or suppress the processing of their personal data.
• obtain their personal data, if held electronically, in a format that will enable them to move, copy or transfer this information from one IT system to another.
• object to certain types of processing, such as for direct marketing purposes.
• not be subject to an automated decision-making process where those decisions have ‘a legal effect’ or ‘a similar, significant effect’ on them.