Following the introduction of the General Data Protection Regulation (GDPR), introduced in the UK through the Data Protection Act 2018 earlier this year, the Regional Executive tasked its Risk and Audit Committee to establish an updated Data Protection Policy to ensure that the Region was compliant with the updated regulation and to set good practice for how the Region should handle the personal data that it holds. This policy had a number of aims including:
To document what personal data the Region holds
To document the processes in place to ensure that the Region handles the personal data it holds in a safe and secure manner
To document the procedures to be followed in the event that individuals make use of their expanded rights under GDPR such as their Right to Be Forgotten or their Right to Access through a Subject Access Request
At its September meeting the Regional Executive agreed to adopt the Data Protection Policy and also agreed that this should be made available through the Regional Website.
The Regional Executive would encourage all members to review the policy at https://sesscouts.org.uk/privacy/. In addition, for those districts and groups which don’t currently have their own policy, the Regional Executive would encourage the relevant executive committees to use this as a template to adapt for your own policy documents.
If you have any questions about the policy or GDPR you can speak to Martin Elliot, Deputy Regional Commissioner, or e-mail firstname.lastname@example.org.
By the time that you read this, the new General Data Protection Regulation (GDPR) will have come into effect and now governs how all Scout Groups, Districts and Regions process personal data.
Hopefully this will not come as a surprise to you and you will have read the GDPR Advice we previously produced in preparation for the new regulation, as well as made use of the GDPR Toolkit, and your Group and/or District is ready, or at least taking steps to ensure readiness, for the new rules. If not, then now is a great time to review these resources to identify what steps, if any, your Group/District needs to take to adhere to the regulations.
In this article, we cover a few GDPR topics which have arisen since we published our previous articles.
GDPR Training Module
You may have noticed from other communications that a new eLearning module has been released focusing on GDPR. This is mandatory learning for all adult members, including members of Executive Committees. The eLearning takes about 25 minutes to complete and can be found on the Scouts UK website.
Being able to demonstrate that adult volunteers within Scout Groups, Districts or Regions have been made aware of their responsibilities through this training is an important part of being able to demonstrate GDPR alignment. A record that this training has been completed should be kept and it can now be added as a module on Compass.
Like other modules, the LOVE (Learning Optional, Validation Essential) principle applies, so as well as completing the eLearning, you should meet with your Training Advisor (TA) to review the validation criteria to ensure that you meet them. If you do not have a Training Advisor, then any current TA can validate it, so please check with your line manager about who in your group or district may be able to validate the module. If appropriate, the module can be validated for small groups of adults together, providing the TA is satisfied that they all meet the validation criteria.
Do I need to ask for Consent?
There is a common misperception amongst some leaders that under GDPR we now have to ask for a member’s consent every time that we store or use their personal data and, as a result, I have seen personal details forms which state that we require the member’s consent to retain the data.
Under GDPR there are a number of justifications that can be used for holding someone’s data. Consent is one of them, but if you are using consent as the justification then it means that if the data subject (in this case the member) chooses not to give their consent, or later withdraws it, then we are no longer able to hold their data. To avoid this issue, in most cases Legitimate Interest can be used as the justification for storing the data, and these requests for consent can be removed.
Communications about the member’s involvement in Scouting are a legitimate interest for all members of Scouting. They count as legitimate interest because, in some way, they support the individual in their Scouting role.
However, for marketing communications, e.g. providing offers, discounts, partnerships or promoted competitions, we do require the member’s consent.
One of the common questions being asked about GDPR is whether different Data Processors meet the GDPR requirements. Particular Data Processors which Leaders have asked about include:
Online Scout Manager
At present, it appears that all of the above meet the GDPR requirements. Further information on each of them can be found at the relevant links below:
Another common misperception is that under GDPR all data must be stored within the EU, which would cause a problem for the latter two Data Processors referred to above as they can store the data in the United States. However, the GDPR permits the transfer of personal data to non-EU countries in line with a number of recognised methods. Under GDPR, data can be hosted and processed in non-EU countries as long as the data processor can demonstrate that they have one of the necessary transfer mechanisms in place, which both Google and Dropbox do.
If you have any questions about GDPR you can speak to Brian Muir, Chair of the Risk and Audit Committee, or Martin Elliot, Deputy Regional Commissioner, or e-mail email@example.com.
Since then the Scout Association has released its GDPR Toolkit, a step-by-step collection of tools that includes ‘how to’ videos and support materials prepared by Black Penny Consultancy to help local Scouting, and specifically local Executive Committees, to work towards alignment to the GDPR.
This article provides some initial guidance on how groups and districts within the Region can start working towards compliance with the GDPR requirements, but for a fuller guide I would encourage all groups to make use of the Toolkit as they prepare for this new legislation.
Does GDPR apply to us?
GDPR will apply to all groups and districts within the Region, regardless of size and charitable status. This is because each group and district is a “Data Controller” and as such processes sensitive personal data.
It is important to note that groups and districts already have this Data Controller responsibility under the existing Data Protection Act, so any processes that you already have in place to meet this responsibility will provide a strong basis for your requirements under GDPR.
The owner and user of the gathered personal data. This is anybody gathering and retaining personal data.
Any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as religion, ethnicity and disabilities. May also be referred to as Personally Identifiable Information (PII).
Personal data revealing religion, ethnicity, political opinions, sexual orientation or data concerning health.
The Information Commissioner’s Office
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
What data do we process?
Groups and Districts store a large amount of information:
Personal Details such as names, addresses, email addresses, phone numbers, membership numbers
Sensitive personal details such as religion, ethnicity, sexuality and medical/health information
Participation, event, activity, badge and training records
Complaints, disputes, suspensions
Thus, they have to be aware of their responsibilities under GDPR.
What should we do?
It is important that trustees of groups and districts recognise that they are collectively responsible for compliance with the GDPR and take time to understand the responsibilities that it places upon them.
The Information Commissioner’s Office, which regulates Data Protection in the UK, has produced a 12-step checklist for preparing for GDPR which provides a useful guide for Executive committees looking to identify what actions they need to take.
The rest of this article is based on a subset of these 12 steps and provides some more information about what each means for your group or district.
Make sure that trustees in your group and district are aware that the law is changing to the GDPR and that they need to appreciate the impact this is likely to have. This article is designed to help increase awareness among groups and districts, and The Scout Association has produced a What is the GDPR document as an introduction for members.
2 Identify information you hold
As highlighted above, each group and district holds a large amount of data, so it is important that all personal data and sensitive personal data held relating to individuals (youth members and adults) is identified. For all data held you should also identify:
How and where the data is processed. If this is delegated to a Data Processor such as Online Scout Manager, their data protection policies should be checked.
This is a company or individual who processes the information on behalf of the data controller.
Why is the data processed? If you cannot answer this question then it probably means you shouldn’t be holding the data!
How long the data should be held for. Data on young people or adults should not be held for longer than is required i.e. any data relating to a young person should be removed when they leave the group.
The GDPR Toolkit released by the Scout Association includes a Data Inventory which will serve as a useful starting point for any executive committees looking to carry out a Data Identification exercise.
3 Communicating Privacy Information
When collecting information, we need to ensure that we are transparent about why we are collecting the data and what we are going to do with it. Any information forms that you use for collecting personal data – e.g. joining forms, event forms – should include information on the following:
a. your identity and how you intend to use their information.
b. your lawful basis for processing the data (see step 6 below)
c. your data retention periods
d. individuals’ right to complain to the ICO if they think there is a problem with the way you are handling their data.
GDPR requires the information to be provided in concise, easy to understand and clear language. This can be provided on the form or by referring to a published Privacy Notice.
4 Individual's Rights
GDPR provides individuals with greater rights. It recognises that using data for communication to young people, parents/guardians or adult volunteers is essential for the effective operation of groups and Districts and categorises them as necessary to fulfil your role. However, this communication should only be for the purposes of the group and district and not for further advertising e.g. fundraising events unless the person receiving the communication has specifically opted-in.
5 Subject Access Requests
These are not new, as individuals have always had the right to make a Subject Access Request, but GDPR reduces the time data controllers have to comply to one month and removes the £10 charge data controllers could previously levy on those making a request.
Subject Access Request
A request from an individual to the group or district to find out what information you hold on them
Many executive committees will have never thought about their lawful basis for processing personal data but under GDPR individuals’ rights depend on the lawful basis for processing their personal data so it is important that the lawful basis for processing data is identified. There are a number of lawful bases under which data can be used but the most relevant for Scouting are:
Consent – The individual has given consent for their data to be used.
Compliance with Legal Obligations – Legal obligations e.g. Disclosure Checks supersede GDPR
Legitimate Interest – the use of personal data by a data controller is deemed necessary (e.g. to provide the product or service) or would reasonably be expected by a data subject
A Lawful Processing Records tool is included in The Scout Association’s GDPR Toolkit and provides a starting point for Executive Committees looking to establish the lawful basis for processing personal data.
For any data for which the Consent legal basis is used, a positive opt-in is required i.e. pre-ticked boxes, presumed consent by silence, opt-outs or any other method of default consent cannot be used.
For the first time, the GDPR will bring in special protection for children’s personal data. GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
9 Data Breaches
Executive committees need to put procedures in place to effectively detect, report and investigate a Personal Data Breach. GDPR brings a duty to notify the ICO within 72 hours when they suffer a personal data breach, or risk a significant fine.
Personal Data Breach
A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
Where a breach is likely to result in a high risk to the rights and freedoms of individuals – e.g. leaves them open to identity theft – groups and districts are required to notify those concerned directly.
10 Data Protection Officers
Under GDPR, it will be mandatory for organisations processing personal data on a large scale as a ‘core’ activity for systematic monitoring purposes or involving sensitive personal data to appoint a Data Protection Officer (DPO). Scout Units, as smaller organisations operating locally, will not be required to appoint a DPO. However, Executive Committees must ensure that they can fulfil their obligations under the GDPR and therefore it is advisable to allocate an executive member to oversee GDPR compliance wherever possible.
Working through these steps will provide Executive Committees with a clearer idea of what is required to ensure that they are compliant with GDPR.
The Risk and Audit Committee of the Regional Executive will continue to review the implementation of GDPR and provide updates where necessary. If you have any questions about GDPR you can speak to Brian Muir, Chair of the Risk and Audit Committee, or Martin Elliot, Deputy Regional Commissioner, or e-mail firstname.lastname@example.org.
General Data Protection Regulation (GDPR) is a new EU law that will come into effect on 25 May 2018, replacing the current Data Protection Act and introducing new requirements for how organisations process personal data.
This new regulation affects how Scout Units – Groups, Districts and Regions – collect and process personal data on youth members, adult volunteers and staff but data protection is not a new requirement – many of the GDPR’s main concepts and principles are based on those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR.
The Regional Executive’s Risk and Audit Committee has been reviewing the effect of the new legislation and at February’s meeting the Regional Executive agreed to the Committee’s recommendations which include updating the training provided to leaders and executive members and providing practical support to all adult members, starting with a fuller article on GDPR in next month’s newsletter.
In the meantime we would encourage all leaders and executive members to review their existing data protection practices and, to help, the committee has prepared some best practice for data protection.
Tell members what you are doing with their data
People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
Make sure your executive are aware and adequately trained
As Data Controllers, Scout Units are directly responsible for any personal data they process and must therefore ensure that they are aware of their responsibilities under the updated law.
Password protect computerised data
Particularly important if sending data to others but good practice to do anyway. All passwords should contain upper and lower case letters, a number and ideally a symbol to make them harder to crack.
Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
Obtain Consent
The DPA already requires data controllers to obtain consent for processing sensitive personal information but this is extended under GDPR. It is good practice to obtain consent when obtaining personal information, either using a tick box or signed declaration.
Take Care Using Cloud Storage
When using cloud storage, e.g. Dropbox, iCloud, OneDrive, to store documents containing personal data, extreme care should be taken to ensure access is restricted to only those who need it.
Use Blind Carbon Copy (bcc) for e-mail distribution
If sending e-mails to multiple members, it is good practice to use the bcc function so that recipients cannot see other e-mail addresses.
Ensure that Data is only kept for the time it is required
Once a child or adult member leaves Scouting, their record should be removed and/or destroyed.