Skip to main content

Step 2: Who is responsible for what?

Step 2: Who is responsible for what?

Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries are separate charities and The Scouts, as a national charity, is not accountable for the respective alignment of the GDPR of each individual charity.
Responsibility to be aligned with the GDPR rests with the respective Executive Committee, and it’s the Scouts’ intention to sign-post appropriate resources to support local Scout Groups, Districts, Counties/Area/Regions (Scotland) in fulfilling this important responsibility.
Each adult Member and Associate Member must also ensure that they comply with data protection law when handling any personal data.

Data Controllers

The data controller within the Movement is the Executive Committee. The data controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

This means if you decide what personal data it is you require to carry out local Scouting and determine how this data is used and protected, you are the data controller.

With regard to personal data stored on Compass, The Scout Association is a Data Controller in Common with Groups, Districts, Counties/Areas/Regions (Scotland) and Countries. Data Controllers in Common may each use and access a shared database but each remains responsible for the personal data within its own control and capacity. Accordingly, Scout Groups, Districts, Counties/Areas/Regions (Scotland) or Countries remain responsible for ensuring that their handling of personal data locally is in compliance with the GDPR and Policy, Organisation & Rules (POR) (which includes uploading and maintaining such data onto Compass) and the Scouts remains responsible for ensuring that its handling of personal data nationally is also in compliance with the GDPR and POR (including its particular responsibilities for data held on Compass).

Data Processors

It's likely that Sections Leaders and Group Scout Leaders will be the main data processor within local Scout Groups. A data processor is defined as a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. This means if you have access to the personal data and you do something with it, such as host it in your system, or provide services to the data subject from this data set, you are the data processor. This data processor could also be a third-party system used for data storage, such as Online Scout Manager.

In summary a Data Processor is responsible for processing personal data on behalf of a controller.