Step 6: Data discovery
Contents
- Introduction
- Step 1: What do I need to know about data protection?
- Step 2: Who is responsible for what?
- Step 3: Appointing a Data Lead
- Step 4: Understanding data subjects' rights
- Step 5: Gathering data
- Step 6: Data discovery
- Step 7: Keep a record
- Step 8: Check your security
- Step 9: Third parties
- Step 10: Publish your privacy stance
- Step 11: Delete and destroy
- Step 12: Responding to a breach
Step 6: Data discovery
When it comes to the protection of data you first need to understand what data you have and where it is.
As part of local Scouting, sensitive personal data (also known as special category data) is gathered, processed and transferred frequently. For example:
- New joiner details for either an adult volunteer or a young person
- Processing of this data for the purposes of events, awards, moving on
- Annual reviews of this data through Census (even though this is provided to UK HQ anonymously) or further data gathering to update medical records
- Management of safeguarding incidents where data needs to be transferred to UK HQ for assistance
Consideration needs to be made when collecting, managing and transferring the data required to operate Scouting locally.
This can be broken down into simple questions to ask yourself:
What?
What data am I collecting on the adult volunteers and youth members? Do I know the details I am asking the individuals to give me? This could be details such as:
- Name
- Address
- Email address
- Date of birth
These data types are known as personal data, this becomes sensitive personal data when you add information such as:
- Race
- Ethnic origin
- Religion
- Health conditions
The data being gathered and processed should only be the data necessary and be as minimal as possible. Asking for something you don’t need is not justified.
Why?
Why am I collecting the data? Can I determine a reason for this data collection and use, and does that align with the lawful purposes as defined by the GDPR? For example:
- The collection of young people’s medical records is necessary for the protection of that young person whilst in the care of the Scout Group giving a legitimate reason to do so, but medical records are sensitive personal data (special category) and if they are required to be passed to a third party then they should only be gathered using consent, or if someone’s life is at risk.
- The collection of young people’s religion may be necessary to respect their beliefs in regard to activities, food and holidays, but ethnicity and religious records are sensitive personal data (special category).
- The collection of adult volunteers’ personal data is necessary for the purposes of disclosure checks and safeguarding.
If you can’t justify the reason behind the gathering or use of a certain type of personal or sensitive personal data (special category), then you shouldn’t. This guidance will come from your Trustee Board.
How?
There are many means by which you can gather and use data, this is explored further in Step 7: Keep a record. However the key question is; how am I collecting the data and how am I using it?
The consideration needs to be whether you can demonstrate that you have thought the process through and used all means available to collect, process and store data in the most appropriate way.
When?
When should I delete the data I hold? Whilst the use of the data is required for the provision of local Scouting operations, the longer-term retention needs to be justified. For example:
- The young person’s awards records are retained for a defined period when they leave in case they wanted to return and continue.
- Adult volunteer data is retained for a defined period post leaving for the purposes of ongoing handover of the appointment.
- Gift Aid data needs to be retained for seven years to meet audit requirements by HMRC.
If justification cannot be made for the retention of data, then it should be securely deleted at the point it is no longer required. More information on this can be found in Step 11: Delete and destroy, which provides further guidance on retention periods and the secure destruction of data.
Who?
Who can access the data? This access could be via memberships systems, paper records or via email. In all cases the access to this data needs to be minimised to only who needs it and, if possible, only the subset of data they need, for example:
- The Group Scout Leader and Section Leader will require access to data for the young people and adult volunteers in their Group.
- Adult volunteers may require access to the data of the young people but potentially not to the other adult volunteers in their Scout Group.
If any of the above are in doubt, then please refer to your Trustee Board for guidance. The questions above should be asked to assist in the protection of personal and sensitive personal data, in the case of local Scouting, this is young people’s data and duty of care should be considered.
Where?
There are many places this data can be stored, and these will normally be chosen based on ease of use or what you are used to using. Where do you store the data you have for local Scouting? Consideration needs to be made as to where the data is stored such as:
- Is the storage system secure and safe?
- Who needs access to the system and can we easily collaborate?
- Can I trace access to the storage location and minimise where necessary?
- Is there a reputable system available today that I can use, such as secure cloud storage or an online membership system?
All of the above questions help in constructing an appropriate Privacy Notice where you are capturing data. Step 10: Publish your privacy stance explores this further.