Skip to main content

Subject Access Requests

The following is provided by way of general guidance. For more detailed explanation and guidance please refer directly to the Information Commissioner's Office (ICO) website.

When a person requests a copy of their personal data from either The Scouts UK headquarters or a Scout Group, District, County / Area / Region (Scotland), then they are in effect making a Subject Access Request (SAR) under the UK Data Protection Law, which provides rules as to how an SAR must be complied with. 

Sometimes SARs will be submitted to multiple levels of Scouting. Each Scout Group, District, County / Area / Region (Scotland) is created and operates as an independent charity in its own right and is an independent data controller for much of its data processing. This means that each Unit that receives a SAR must respond to it independently.

We refer to the person whose data is being requested as the data subject.

A request for a SAR can be made in writing or any other means the data subject chooses as their preferred communication channel, (verbally for example), within reason. The deadline for compliance is one calendar month commencing from receipt of the SAR request. This deadline can be extended if the SAR is complex or numerous to three months but the explanation for why needs to be communicated to the data subject within the first month.

When your Scout Group, District, County / Area / Region (Scotland) receives a SAR the following process can be followed:

  • Application: Data subject to provide request scope or complete SAR Request Form.
  • Identity Evidence: You must be certain you are giving the data to the correct person. The best way to do this is to ask for identification such as current passport or driving licence.
  • Request Logged: The date by which the identification checks, and the specification of the data sought should be recorded in a SAR Register.
  • Discovery: The Trustee Board discovers all instances where the data subjects' personal data is present (within the scope of the request). Having a Data Inventory will help guide this.
  • Response: Trustee Board to respond to data subject in electronic format and response logged.

A SAR only applies to 'personal data'. This is any information held about the data subject whereby the subject can be identified from the information. Names, addresses or specific roles are obvious ways of identifying individuals, but they can also be identified in photos or CCTV images.

A mere passing reference to an individual is not necessarily classed as personal data e.g. the Minutes of a meeting will not be considered personal data about those attending in general. However, if an individual was specifically discussed and is identifiable from the Minutes, then the Minutes will be 'personal data' about that individual.

It's important to note that the SARs do not cover individuals collecting information solely for their own domestic and household affairs e.g. a personal address book or images taken for family purposes. 

The rules apply particularly to computer or automated records (including email) but can also apply to manual records which enable information about a particular individual to be easily retrieved e.g. filed by the name or role. Due to the nature of Scouting, deciding what information is relevant can be tricky, however, we would suggest that the rules will apply to data regarding the data subject held by the Scout Group, District, County / Area / Region itself and also shared by the Trustee Board members either between themselves or with others.

Examples of automated records include:

  • Computer files - files stored on removable storage devices, cloud storage, CD-ROMs, DVDs, hard disks, back-up files, emails
  • Audio/Video - CCTV, webcam images
  • Digitalised images - scanned photos, digital cameras

Examples of manual records include:

  • Paper files - on volunteers, young people, employees
  • Index systems - names, addresses, other details
  • Microfiche records - containing personal data

The rules only apply to information actually held. It may be that certain information has been destroyed/deleted locally as should be normal practice when it is no longer required. However, data must not be deliberately deleted once a SAR has been received, to avoid disclose. 

You need to consider all the places that you may hold information about the individual within the scope of the request. If you have a data inventory this will be a useful place to start as it will contain details of the main places where personal data is held. Likely places to start are:

  • Email inboxes
  • Electronic folders (either locally stored or in the cloud)
  • Filing cabinets

One topic that can come up is whether there is a need to seek information that is held on personal devices. The key thing is to determine whether the data was processed for Scouting purposes. The ICO say the following:

We do not expect you to instruct staff to search their private emails, personal devices or private instant messaging applications in response to a SAR, unless you have a good reason to believe they are holding relevant personal data. 

With regards to the depth your searches should go, the ICO state:

You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.

There are exemptions to disclosure but, in the main, these are very specific and tend to apply to particular cases e.g. confidentiality of police investigation or certain HR records. It's quite rare for exemptions to apply more generally and decisions must be made on a carefully considered discretionary basis, which can be justified. Also, when they do apply this may not necessarily mean that a whole document is exempt e.g. the exemption could apply to a part or parts of a document. Please see the ICO website for further explanation and to see whether any exemptions may apply, which can be accessed here, A guide to the data protection exemptions.

The main reason that data will be redacted from documents / records is because that information could directly or indirectly identify another individual, and they have not given their permission for this to be disclosed.

In your response you should also provide the following information to the data subject:

  • what you are using their information for;
  • who you are sharing their information with;
  • how long you store their information for and why;
  • details on how they can ask if the information is correct, ask to have it amended or deleted, object to or restrict your use of it;
  • details on their right to complain to the ICO;
  • details about where you got their information from;
  • whether you use their information for profiling or automated decision-making and how you are doing this; and
  • what security measures you use if you have or will transfer their information to a country outside the UK or an international organisation.

Following the receipt of the information, a data subject may raise concerns or a formal complaint. This can include dissatisfaction with the accuracy of the information held, or concerns about the practice it highlights. In these instances, you will need to determine which process to refer them to, such exercising another data subject right (i.e. right to rectification) or the complaints process.

On some occasions data subjects will come back and express dissatisfaction with the response, for example if they believe that the information provided was incomplete or was excessively redacted. If they have not specified what data they believe has been omitted, you should ask them to confirm this and provide details.. You should then undertake further checks, including liaising with those who provided the information for the initial disclosure. This may also widen the scope of the request, meaning different search parameters.

When responding to the data subject you should remind them of their right to complain to the Information Commissioner’s Office. 


Redactions

It is really important that you do not disclose information about third parties in the course of responding to a SAR. In many cases documents will contain information about multiple people. To avoid this you need to carefully consider removing or redacting this information. 

The following is provided by way of general advice. Please also see guidance on Subject Access Requests on this page and in Step 4: Understanding data subjects.

Under the rules, an individual is entitled only to their own personal data and not to information relating to other people. Therefore, when disclosing personal data to data subjects it is important not to inadvertently disclose personal data about third parties in the process. You have be careful not to breach the data protection rights of those third parties, unless those third parties have expressly consented to their information being disclosed. You should also remember to redact your own personal data.

Once they received the data the data subject may share it, store it unsecurely or misplace it. Therefore, the documents you send to the subjects will need to be checked very carefully and any personal data relating to third parties 'redacted' i.e. deleted/crossed out - to the extent that it is not visible to the requester.

Redactions can be done electronically, using tools such as Adobe Acrobat Pro or Microsoft Word, or on paper using a pen or tape. The key thing about both methods is to ensure that it is not possible for the data subject to see any trace of what you are removing. Using electronic tools this will mean removing meta data. For paper methods this will mean not being able to see the data beneath the tape or red pen. Photocopying the redacted documents can sometimes help with this. 

Remember, to keep a copy of the original documents too, as well as records of the decision taken relating to what to remove or redact.

It's important to note that you should not generally withhold whole documents just because they contain the details of third parties. It is usually preferable to redact just the details of those third parties so as to ensure that they cannot be identified, or any information is not revealed about them. However, where even after redaction, the identification of third parties is still possible then you may be able to withhold the whole document but you will need to assess this very carefully. 

Some basic rules to apply when redacting

  1. The information disclosed should relate to the data subject making the request - do not include irrelevant information.
  2. Particular care should be taken when redacting to ensure that the personal data of other individuals is not released - that is any data which would allow you to identify the people from the data combined with other information held.
  3. The following general rules should be applied – although there may be specific incidents when they would not:
    • redact names other than that of the person making the request
    • redact job/role titles
    • redact e-mail addresses
    • redact addresses
    • redact phone numbers
    • redact references to an individual's gender if that would lead to them being identified
    • redact personal descriptions which may lead to a person being identified, for example ‘a red haired man with a beard’
    • redact any other narrative data that would lead to an individual being identified
    • think about the combination of information sets that taken together would lead to an individual being identified.
  4. Take extra care when considering young persons data, or data relating to safeguarding cases
  5. When taking out personal details from email headers, leave in the date and title line unless the title line conflicts with the above.
  6. In many cases if you find things that the data subject has already been sent or sent themselves (for examples, emails) you can often leave them unredacted. However this will not be the case for things they received or sent in their Scouting role, particularly if it involved young people, and this information may need to be redacted.