General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

1st Washington Scouts

Data Policy (revised in light of GDPR regulations) – May 2018

From 25th May 2018 new legislation is in place regarding management of personal data. 1st Washington Scouts are committed to working within this legislation and managing and using the data of all those within the Group correctly.

This relates to the data held for Group purposes, specifically:

  • Enrolment forms (paper)
  • Activity permissions forms (paper)
  • Electronic registers (principally the Group management googledoc and any googledoc or similar document produced for specific events).

This also includes the Online Scout Manager system. While this principally only contains badge records it also holds names, emergency telephone numbers and dates of birth which are be deemed to fall under the legislation. As a matter of policy as from May 2018 no further items of personal information will be held on this system.

This does not explicitly cover the Compass system used to manage Leaders records. Responsibility for managing Compass is deemed to rest with the Scout Association, and management of it locally is deemed to rest with Houghton-le-Spring Scout District. The Compass system is not used for data for those under the age of 18 and is for Leaders records only.

Increased rights under the legislation and how to exercise them

  • Individuals have the right to access their data and request a copy of their personal data via a “Data Subject Access Request”.
  • Individuals have a right to be forgotten and personal data corrected or deleted.
  • Individuals must give consent to an organisation to process personal data. This is given by the parent in the case of those Group members under the age of 13, and by the Group member in conjunction with the parent in the case of those aged between 13 and 18.

Nominated individuals

Information set out under the terms of the legislation:

Every member of the Group is deemed to be a “data subject”, irrespective of age.

The data subject is determined to be the member of the Group rather than the parent/guardian of that Group member but since we will be holding some measure of personal data for the parent (name and telephone number) we undertake to hold that data in the same secure manner and us this data only in the same manner as outlined within this document.

The “data controller” for the Group is deemed to be the Group Scout Leader, Paul Hillman.

The “data processor” for each section is as set out below. Under the legislation, the data processors are responsible for the use, retention and disposal of data.

  • Beavers: Benn Wearmouth-Stephenson
  • Cubs: Thomas Harrison
  • Scouts: Andy Gray
  • Explorers: Robin Kennedy
  • Adults: Paul Hillman

Data Subject Access Requests

Requests to review the personal data held by the Group within the records described within this document must be made to the Data Controller: Paul Hillman, Group Scout Leader.

These will be dealt with as quickly as possible and within a target of 1 week. Nominated Data Processors will not normally be able to deal with such requests.

Those wishing to exercise their right to have their data corrected should follow the same procedures. It should be noted that the only data held by the Group has been provided by data subjects, or by their parents on their behalf. We do not hold any personal data from any other source.

Those wishing to exercise their right to be forgotten and have their data deleted should contact the Data Processor as above and requests will be dealt with in the same manner.

Data Breaches

All data breaches, or suspected data breaches, must be reported immediately to the Data Controller (Paul Hillman) for investigation.

Under 18’s data

  • Under the legislation, only those over the age of 13 are deemed to be data subjects.
  • However, we treat the personal data of all young people (under the age of 18) in the same manner within the Group.
  • Parental permissions are always sought at the point of joining the Group.
  • For those who join the Group before the age of 13, permissions given by the parent is deemed to continue as from their 13th birthday but the data subject (young person) then acquires the same rights as all other data subjects set out above.
  • For those who join the Group aged 13 or over, a signature box is now included on the enrolment form for signature giving the Group to use your data in the specified manner.

Adult data

The Group only holds personal data for adults within the Group electronically within the main Group googledoc or for specific events. The same data rights, retention and use policies and security measures apply to this data as for under 18 members of the Group.

What data do we hold?

Personal information provided via the Group enrolment form, completed on first entry to the Group and when moving sections:

  • Name
  • Address
  • Contact information (both standard and emergency)
  • Date of birth
  • Medical information
  • Permissions & signatures

From May 2018 a new standardised enrolment form will be used across the Group.

From time to time activity permissions forms will be used with reference to specific events. These may be paper forms or electronic googledoc forms designed to capture and manage specific items of data ahead of events. These capture the same information as outlined above.

With relation to events organised by Houghton-le-Spring Scout District or Durham Scout County, a standard format paper form is used to gather the same information outlined above. This form is provided by and managed by the District or County. These forms remains in the possession of a group Leader during the event and only used in the case of emergency.

We do not hold banking information as subs payments to us are made by standing order and are dealt with by your bank. Our bank statement does not detail account information for those making payments to us.

What do we use this data for?

Standard enrolment information is transferred into a Group googledoc which is used as a register of all those within the Group. This is then used as a reference guide for Leaders, and in case of emergency. Key information such as name, date of birth, date of enrolment and emergency telephone numbers are also entered into the Online Scout Manager (OSM) system.

This is information is not shared with any 3rd party and is used for reference and in case of emergency only.

The original paper forms are retained for reference by those Leaders responsible for records keeping in each section and are kept secure in a locked section cupboard.

Activity forms are taken to the event and used for registration and in case of emergency only.

As a Group we never pass data onto any 3rd parties and have no reason to do so. Data will never be sold.

Access to systems

Access to the Group googledoc has been reviewed and is restricted to members of the Leadership team with a need to access personal data, primarily those set out below as data processors.

Access to OSM is restricted to members of the Leadership team only. This is used a quick reference point for emergency telephone numbers so access is granted to a wider set of individual Leaders but the breadth information held within the system is restricted.

Googledocs created by Leaders for individual events are managed by those Leaders and access restricted to those Leaders who require this information for the event.

As a volunteer organisation it must be recognised that electronic records are accessed via machines not owned or controlled by the Group and which are the personal property of adults within the Group. All adults within the Group who have been granted access to these electronic records are regularly reminded about the need for system security, the use of strong and secure passwords, and ensuring that access is not possible by anyone else using their machine.

Data retention and disposal policy

Data held electronically within OSM and the Group googledoc will be maintained only for the period during which the young person is an active member of the Scout Group. Once they leave the Group this will be deleted.

On moving between sections, this data will be transferred electronically between sections records. This is a secure movement within a single googledoc or across sections within OSM.

On transferring to other Groups this data will be deleted and new records will be need to be created by the receiving Scout Group. The exception to this are badge records which can be printed out of OSM and taken as a paper copy to the new Group. The only personal information held on this print out will be the young person’s name.

On receiving transfers from other Groups a new electronic record will be created and no electronic data will be received by our systems.

Paper enrolment forms will be kept securely for 6 months following the last active involvement in Scouting. They will then be destroyed in a secure manner.

This also applies to those young people moving between sections where a new enrolment form is created. The form held by the previous section will be destroyed after 6 months.

Activity permissions forms will be retained for 1 month following the event and then destroyed in a secure manner.

Registers for events created electronically through googleforms or in any other electronic format will be retained for 1 month following the event and then deleted.

Communications

Communication with parents is on an information basis governed by permissions granted via the enrolment form with no marketing or sales implications. Therefore standard marketing preferences and permissions governed by GDPR regulations in the commercial world do not apply.

Historic records

All current adult members of the Group have been instructed to identify any records containing personal data which they may hold electronically or in paper format and report these to the Group Scout Leader as part of a pre-GDPR audit. These records will then be deleted and destroyed if they fall outside of those systems or constraints outlined above.