GDPR FAQs

The General Data Protection Regulation is a new, European-wide regulation that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It came into effect on 25 May 2018. It has been confirmed that the GDPR will still be in force after Brexit.

Local Trustee Boards, as Charity Trustees, have overall responsibility for ensuring their Scout Group, Scout District or Scout County/Area/Region (Scotland) is meeting the GDPR requirement. However, all adult members will also have a responsibility to safeguard personal data and follow the processes that are agreed by their relevant Trustee Board.

The GDPR is an EU-wide legislation that will be in effect before and after Brexit as a result of the UK continuing to do business with EU member states. In addition, the UK government has used the GDPR legislation to draft the UK national laws, which is the UK Data Protection Act 2018*.

* In Jersey the laws that encompasses the GDPR are the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018.  In Guernsey the law is the Data Protection (Bailiwick of Guernsey) Law, 2017. In the Isle of Man the law is the Data Protection Act 2018.

The GDPR applies to personal data, which means any information relating to an identifiable person (data subject) who can be directly or indirectly identified. This includes name, address, email, and date of birth.

In addition, personal data can be classified as sensitive personal data if it contains further data, such as religion, ethnicity or health data.

1. The data controller within the Movement is the Trustee Board. The data controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This means if you decide what personal data it is you require to carry out local Scouting and determine how this data is used and protected, you are the data controller.

The Scout Association is a data controller in common with the Trustee Boards for adult volunteer data which is collected on the Compass membership system.

2. There could be a number of data processors (also known as third party processors) that assist you in operating local scouting, see the question "What is a Third Party Processor?" below for further details.

A third party processor an entity that processes personal data on behalf of a data controller. It's the Trustee Board's responsibility to measure whether third party processors are compliant with the GDPR.

Online event registration services, survey tools and office based tools such as Microsoft Office 365 act as third party processors as they are systems operated by organisations for the purposes of holding and processing personal data. There are obligations that third party processors need to adhere to, to demonstrate their compliance with the GDPR, such as being able to delete all of a young person's personal data if requested to do so by their parent.

A third party processor register and checklist has been provided as part of the GDPR toolkit which has been distributed to all Trustee Boards.

The Scouts UK headquarters have had Compass assessed against the GDPR for its alignment to the controls appropriate for the data it holds. The result is that the controls in place are well aligned to the GDPR for the personal and sensitive data it holds, these controls include:

• Data encryption at rest
• Data encryption in transit
• UK hosted
• GDPR aligned service provider
• Data privacy impact assessment for any Compass changes

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just losing personal data. Examples could be an email sent to the wrong recipient or the loss of a paper folder, both with personal data contained within them.

The first step is to make sure that the breach has been isolated. Then you should make sure that you document the breach. The document you need to complete is in the GDPR toolkit and is called the Breach Notification Form. This should be completed and passed to the relevant Trustee Board.

In the case of a serious breach the Information Commissioner's Office (ICO), the UKs governing body, must be informed within 72 hours so this process must be completed expediently. The Trustee Board will manage any form of data breach.

• concise, transparent, intelligible and easily accessible,
• written in clear and plain language, particularly if addressed to a child, and
• free of charge.

Guidance to help create a privacy statement for locally produced forms can be found in Step 5: Gathering data.

• Limitation - reduced the question base to only what is required
• Transparency - added further statements on the data processing and links to appropriate policies
• Consent - updated consent options to be granular and to require an affirmative action.

Information about what a privacy statement needs to include can be found on the Information Commissioner’s Office (ICO) website. The Scouts UK headquarters are not able to produce a standard statement for all local Scouting to copy and paste as privacy statements need to be specific to the data being gathered at that time; however The Scouts have produced detailed guidance to help with the creation of a privacy statement for locally made forms.

An example of a retention policy can be found on Step 11: Delete and destroy.

Data subject access requests (DSARs) are when a data subject requests you as the data controller to do something with the data you hold on them. This could be a request to identify:

• the reason why you have the data and what you are doing with it
• the type of data you hold on them,
• the third parties you have disclosed the data to,
• the period you will be keeping the data for and why.

In addition, they can ask you to:

• delete or modify the data you have on them,
• transfer this data to a third party of their choice,
• gain a copy of the data you hold on them.

In all cases the action they are requesting should not have a material impact on you fulfilling your obligations to the data subject. For example, if a parent requests that you delete all personal data held on their child, whilst they are still a member of the Scouts, you would not be able to fulfil your duties to that member, such as maintenance of their badges and awards or even length of service.

The GDPR toolkit, which has been distributed to all Scout Group, District and County/Area/Region (Scotland) Trustee Boards, contains a step-by-step guide on how to deal with individuals requesting, deletion, modifications, and information you hold on them.
 

The ICO website is the best place to find out more information about the GDPR.

Take a look at our GDPR training.

The Data Protection Officer is a nominated individual(s) who are the channel between the organisation they work for and the ICO. The Trustee Board is the responsible authority albeit not named Data Protection Officer.

The role of the DPO is to:

• inform and advise the organisation and its volunteers about their obligations to comply with the GDPR and other data protection laws,
• monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train volunteers and staff and conduct internal audits,
• be the first point of contact for supervisory authorities and for individuals whose data is processed (members, customers etc) these include:
• Breach Impact Assessments,
• Data Subject Access Requests, and
• Breach Responses, internally, externally (data subjects) and the ICO.

Under the current law, each local Scout Group, District, County/Area/Region (Scotland) and Country will still be a Data Controller in its own right and overall responsibility for compliance with data protection will continue to lie with the relevant Trustee Board as Charity Trustees.

At present, under the GDPR, it will be mandatory for public authorities or those organisations processing personal data on a large scale as a core activity for systematic monitoring purpose or involving sensitive (special category) personal data, to appoint a DPO. Therefore, under the GDPR, local Scouting as smaller organisations operating will not be required to appoint a DPO.

However, Trustee Boards must nevertheless still make sure that they can fulfil their obligations under the GDPR and it is advisable to allocate an equivalent/appropriate senior individual locally to oversee GDPR alignment wherever possible.

Following feedback an additional paid for service is now available from Black Penny Consulting, creators of our Scout GDPR support materials. Groups can additionally pay for the Data Protection Support Service if you wish, but there is no obligation for you to do so. This service includes a Data Protection Officer backed service desk, online GDPR Framework and tooling and 24-hour breach response assistance.

Please view more information on Black Penny’s support services website.

The Scouts supports members by providing general advice and guidance about data protection on its website.

The Scouts will continue to update this information with regard to GDPR. Together with Black Penny Consulting The Scouts have issued a GDPR toolkit that will give Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries an easy-to-follow guide on how to document processes and the best practices to follow. This GDPR toolkit will help guide adult volunteers through how to handle the data of the young people and the adult volunteers they are responsible for in their Scout Group, District, County/Area/Region (Scotland) or Country.

The GDPR toolkit was delivered to all members in March 2018 and includes:

• a step-by-step guide on how to fill out the documentation
• a GDPR framework register documenting the data types and lawful processes for collection, storage and use of data
• guides on how to handle subjects access requests and breaches
• a guide on how to maintain compliance
  
  However, it is important to note that as Data Controllers, local Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries are directly responsible for any personal data they process and must make sure they are aware of their responsibilities under the law. Each adult member must also make sure that they comply with data protection law when handling any personal data. Data protection is a wide-ranging subject and is regulated by the ICO which produces a large amount of relevant guidance. Therefore for queries generally or if in any doubt, members should check the guidance provided by the ICO on its website as this is the best and most direct source of relevant information on data protection.

The Scouts and Black Penny Consulting have been reviewing the feedback provided by local Scouting. Together, the toolkit has been updated and made into 12 steps which will help step members through their GDPR alignment work. These FAQs have also been updated based on questions received by the Scout Support Centre.

Online Scout Manager, along with any other online membership or data systems, are third party organisations/companies. The use of any online system other than Compass will have been initiated by local volunteers and/or local Scout Groups, Districts, Counties/Areas/Regions (Scotland) as individual charities. The use and checking of third party systems used by local Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries is the responsibility of the local Data Controller (i.e. the person using the system and the relevant local Trustee Board).

Atlantic Data are a third party who manage the process for the Disclosure and Barring Service in the UK on behalf of The Scout Association. This relationship exists between UK headquarters and Atlantic Data directly where UK headquarters act as a data controller and Atlantic Data also as a data controller. This relationship and the process for data transfers has been assessed against the criteria stipulated in the GDPR/DPA 2018 and is aligned. This means that the requirement to assess Atlantic Data at local level does not exist.

There are potential costs to consider when using the best practice approaches to data privacy. For example, when using services such as Office 365 you may have a subscription to pay. But these expenses should be reviewed against the risk of not using them in conjunction with any efficiencies you may gain by using this technology. This is also applicable for any member database systems that are available.

Yes, we have made the how-to videos downloadable via the links below as well as available on YouTube. These can be viewed on each of the framework pages.

Download: Video 1 | Video 2 | Video 3 | Video 4 | Video 5 | Video 6

We have had a number of queries on the toolkit framework and the use of consent as a catch-all for various examples, such as Young Members joining, to assess the use of consent here we need to consider the following:

• What type of data is it, personal data (name, DOB etc.) or sensitive data (special category personal data – health, disability records etc.) in some cases this may be a mix of the two if the form captures both types of data.
• If the form is a mixture of data types (personal and sensitive) then the process should be aligned to two different lawful purposes and separated onto two lines in the toolkit framework.
• Is consent appropriate? Consent is a good mechanism for providing evidence for the processing you are doing, however, it can be revoked at anytime and there may be a better lawful purpose.
• In the example of the Young Persons joining process, the following could be used as an example:
• Personal data gathered as part of the process is necessary for the new member joining, as such, it is required and aligns to the lawful purpose as show under 6(1)(f) of the GDPR framework – legitimate interest of the group. This means that the group's requirement for this data does not override the rights and freedoms of the Young Person.
• Sensitive data (special category personal data – health, disability) may also be required to deliver local scouting safely, however, as it is sensitive it will need to align to another lawful purpose, such as 9(2)(d) of the GDPR framework - processing carried out by a not-for-profit.
• When using 9(2)(d) for sensitive (special category) data it must only be done so if the data is not passed to a third party and the collecting form should state clearly what it is for.
• If passing sensitive (special category) data to a third party, such as an event organiser, it can only be done so with explicit consent.

Black Penny Consulting have reviewed the toolkit framework and have delivered a revision of the GDPR toolkit framework to demonstrate how this process should be split across the two types of data.

While registering with the Information Commissioner’s Office (ICO) is not mandatory for local Scouting generally, there may be circumstances where registration with the ICO is required if CCTV is used in a certain way.  Please use the ICO Registration self-assessment tool to check if you do need to register when CCTV is used.

Yes, Compass has undergone a Data Privacy Impact Assessment to ascertain its alignment to the controls appropriate for such a system as specified by the GDPR/DPA 2018.  Further detail on the alignment can be found on the Compass Support Site.

Please take a look at the Frequently Asked Questions on the Compass Support Site.

Any aggregated source of personal data needs to be assessed against necessity for the data and the security of the data when held. In addition the access to this data needs to be limited to only who needs it.

Incidents resulting in the need to report to UKHQ (as per POR 7.4).

If the incident has been reported to UKHQ as part of the incident reporting process (POR Rule 7.4 Accident Reporting) then UKHQ will be sent the relevant details through the reporting procedure.

Incidents not resulting in the need to report to UKHQ.

If the incident has not required UKHQ notification then details of the incident and treatment given should be recorded locally. Local first aid books and records need to be kept for an appropriate period. The completed incident form should be kept secure by the local Trustee Board.

For the purposes of a claim against an accident the Group/District/County should retain the accident book details for a maximum of 3 years after the young person’s 18th birthday.

The details of the incident can be kept, without the details of the casualty and first aider after this period as long as no personal data remains. This will allow the Trustee Board to identify trends in incidents or locations which may identify where remedial work or changes in methods can be considered. For example, if a particular game keeps causing injuries, or people are hurting themselves on the stairs; should the game be played or changed and are the stairs poorly lit or defective?

• Maintain a record of what personal/sensitive (special category) data is in the artefacts.
• What lawful process are you relying on for the storage of the artefacts, make sure this is documented.
• Maintain an up-to-date asset register of all artefacts in the collection.
• If the data subject is deceased, maintain a record of this.
• Maintain proof of title.
• Always be aware that duty of care for the personal data in these items is you responsibility, this means:
  • Store them securely.
  • Maintain robust records for any artefacts that are loaned or transferred to any others.
  • If the assets are digital, secure access to them to only who needs to see them.
  • If the artefacts are no longer required then securely destroy them.

Scout Groups/Districts/Counties are generally exempt from having to register and pay for the ICO Data Protection Fee, this is due to each being a not-for-profit. However if the Scout Group, District, County are using CCTV for crime prevention purposes this supersedes the exemption and the registration and fee are applicable. The assessment for measuring these criteria can be found here.