Safeguarding Update

Safeguarding Update

Policy:

It is the policy of the Scouts to safeguard the welfare of all young people by protecting them from neglect and from physical, sexual and emotional harm. All members have a duty to report concerns or suspicions and a right to do so in confidence and free from harassment.

South East Scotland Scouts are committed to:

  • Taking the interests and well-being of young people into account, in all our considerations and activities
  • Respecting the rights, wishes and feelings of the young people with whom we work.
  • Taking all reasonable, practicable steps to protect them from neglect, physical, sexual and emotional abuse.
  • Promoting the welfare of young people and their protection within a position of trust.
  • An adult in Scouting also has a responsibility to ensure that they do not put themselves in a position where they could have an allegation made against themselves.

All adult members in Scouting who wish to work with young people, are responsible for putting the above policy into practice at all times.

Courses:

During 2019 the safeguarding team delivered 21 courses throughout the region and trained 376 adult members. The team wishes to thank all those that attended and hope that they are putting what they have learnt into practice.

One of the main topics that delegates raise during courses was related to travelling with young people. The following guidance from Gilwell that is consistent with the Yellow Card Version 7 November 2019 is as follows:

  • An adult in Scouting cannot be alone in a vehicle with any young person who they are not the parent of
  • However, any adult involved in Scouting can transport their own child to a meeting or to a Scout camp.
  • An adult involved in Scouting can also collect a friend or another Scout on the way to a meeting/camp and drop them off on the way home, as long as they won’t be alone in the vehicle at any time with the young person who isn’t their child.
  • If an adult leader needs to transport a group of young people (i.e. more than one) to a Scouting event in their own vehicle, this is also acceptable, as long their insurance allows for this. But in these circumstances, they must ensure that they are not alone in the vehicle with any one of the young people. Therefore, make sure they pick up the group together and drop them off together.
  • In relation to activities outside of Scouting, if the child is involved in Scouting, the Yellow Card rules still apply. However, if the child is not involved in Scouting, this is a private matter.

Requesting a Safeguarding Course

It is the responsibility of the District Commissioners or ADCs Adult training to request courses via the Safeguarding Awareness Coordinator as and when they are required for their districts. Please provide a couple of alternative dates and venue. The courses normally run from 7.00pm to 9.30pm, weekdays and 2.00pm to 4.30pm weekends. Once the date and venue has been agreed the course will be available on the SES Scouts website for delegates to register. It would be appreciated if a screen (or wall suitable to project onto) is available along with tea / coffee and biscuits. The Safeguarding team require access to the facility 30 minutes before the start of the course to allow for set-up time. Note, if an adult member is unable to attend a local course they may attend a course in any of the other Regions in Scotland.

Russell Shoulder
Safeguarding Awareness Coordinator
South East Scotland Scouts

GDPR advice

GDPR advice

GDPR – What should I be doing?

Advice from Martin Elliot, Deputy Regional Commissioner

In last month’s newsletter, I introduced the new General Data Protection Regulation (GDPR), a new EU law that will come into effect on 25 May 2018, and will govern how organisations, including Scout Groups, Districts and Regions, process personal data.

Since then the Scout Association has released its GDPR Toolkit, a step-by-step collection of tools that includes ‘how to’ videos and support materials prepared by Black Penny Consultancy to help local Scouting, and specifically local Executive Committees, to work towards alignment to the GDPR.

This article provides some initial guidance on how groups and districts within the Region can start working towards compliance with the GDPR requirements but for a fuller guide I would encourage all groups to make use of the Toolkit as it prepares for this new legislation.

Does GDPR apply to us?

GDPR will apply to all groups and districts within the Region, regardless of size and charitable status. This is because each group and district is a “Data Controller” and as such processes sensitive personal data.
It is important to note that groups and districts already have this Data Controller responsibility under the existing Data Protection Act, so any processes that you already have in place to meet this responsibility will provide a strong basis for your requirements under GDPR.

The owner and user of the gathered personal data. This is anybody gathering and retaining personal data.

Any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as religion, ethnicity and disabilities. May also be referred to as Personally Identifiable Information (PII).

Personal data revealing religion, ethnicity, political opinions, sexual orientation or data concerning health.

The Information Commissioner’s Office

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

What data do we process?

Groups and Districts store a large amount of information:

  • Personal Details such as names, addresses, email addresses, phone numbers, membership numbers
  • Sensitive personal details such as religion, ethnicity, sexuality and medical/health information
  • Participation, event, activity, badge and training records
  • Complaints, disputes, suspensions
  • Safeguarding information

Thus, they have to be aware of their responsibilities under GDPR.

What should we do?

It is important that trustees of groups and districts recognise that they are collectively responsible for compliance with the GDPR regulation and take time to invest time understanding the responsibilities that it places upon them.

The Information Commissioner’s Office, which regulates Data Protection in the UK, has produced a 12-step checklist for preparing for GDPR which provides a useful guide for Executive committees looking to identify what actions they need to take.

The rest of this article is based on a subset of these 12 steps and provides some more information about what each mean for your group or district.

1 Awareness

Make sure that trustees in your group and district are aware that the law is changing to the GDPR and that they need to appreciate the impact this is likely to have. This article is designed to help increase awareness among groups and district and The Scout Association has produced a What is the GDPR document as an introduction for members.

2 Identify information you hold

As highlighted above, each group and district holds an large amount of data so it is important that all personal data and sensitive personal data held relating to individuals (youth members and adults) is identified. For all data held you should also identify:

  1. How and where the data is processed. If this is delegated to a Data Processor such as Online Scout Manager, their data protection policies should be checked.

    Data Processor

    This is a company or individual who processes the information on behalf of the data controller.
  2. Why is the data processed? If you cannot answer this question then it probably means you shouldn’t be holding the data!
  3. How long the data should be held for. Data on young people or adults should not be held for longer than is required i.e. any data relating to a young person should be removed when they leave the group.

The GDPR Toolkit released by the Scout Association includes a Data Inventory which will serve as a useful starting point for any executive committees looking to carry out a Data Identification exercise.

3 Communication Privacy Information

When collecting information, we need to ensure that we are transparent about why we are collecting the data and what we are going to do with it. Any information forms that you use for collecting personal data – e.g. joining forms, event forms – should include information on the following:
a. your identity and how you intend to use their information.
b. your lawful basis for processing the data (see step 6 below)
c. your data retention periods
d. individuals right to complain to the ICO if they think there is a problem with the way you are handling their data.
GDPR requires the information to be provided in concise, easy to understand and clear language. This can be provided on the form or by referring to a published Privacy Notice.

4 Individual's Rights

GDPR provides individuals with greater rights. It recognises that using data for communication to young people, parents/guardians or adult volunteers is essential for the effective operation of groups and Districts and categorises them as necessary to fulfil your role. However, this communication should only be for the purposes of the group and district and not for further advertising e.g. fundraising events unless the person receiving the communication has specifically opted-in.

5 Subject Access Requests

These are not new as individuals have always had the right to make a Subject Access Request but GDPR reduces the time data controllers have to comply to one month and removes the £10 charge data controllers could previously levy to those making a request.

Subject Access Request

A request from an individual to the group or district to find out what information you hold on them

A process for executive committees to use when responding to Subject Access Requests can be found in The Scout Association’s  Guide to GDPR Subject Access Request process .

6 Lawful Basis

Many executive committees will have never thought about their lawful basis for processing personal data but under GDPR individuals’ rights depend on the lawful basis for processing their personal data so it is important that the lawful basis for processing data is identified. There are a number of lawful bases under which data can be used but the most relevant for Scouting are:

  1. Consent – The individual has given consent for their data to be used.
  2. Compliance with Legal Obligations – Legal obligations e.g. Disclosure Checks supersede GDPR
  3. Legitimate Interest – the use of personal data by a data controller is deemed necessary (e.g. to provide the product or service) or would reasonably be expected by a data subject

A Lawful Processing Records tool is included in The Scout Association’s GDPR Toolkit and provides a starting point for Executive Committee’s looking to establish the lawful basis for processing personal data.

7 Consent

For any data for which the Consent legal basis is used, a positive opt-in is required i.e. pre-ticked boxes, presumed consent by silence, opt-outs or any other method of default consent cannot be used.

8 Children

For the first time, the GDPR will bring in special protection for children’s personal data. GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.

9 Data Breaches

Executive committees need to put procedures in place to effectively detect, report and investigate a Personal Data Breach. GDPR brings a duty to notify the ICO when they suffer a personal data breach within 72 hours or risk a significant fine.

Personal Data Breach

A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data

Where a breach is likely to result in a high risk to the rights and freedoms of individuals – e.g. leaves them open to identity theft – groups and districts are required to notify those concerned directly.

10 Data Protection Officers

Under GDPR, it will be mandatory for organisations processing personal data on a large scale as a ‘core’ activity for systematic monitoring purpose or involving sensitive personal data to appoint a Data Protection Officer (DPO). Scout Units as smaller organisations operating locally will not be required to appoint a DPO. However, Executive Committees must ensure that they can fulfil their obligations under the GDPR and therefore it is advisable to allocate an executive member to oversee GDPR compliance wherever possible.

Working through these steps will provide Executive Committees with a clearer idea of what is required to ensure that they are compliant with GDPR.
The Risk and Audit Committee of the Regional Executive will continue to review the implementation of GDPR and provide updates where necessary. If you have any questions about GDPR you can speak to Brian Muir, Chair of the Risk and Audit Committee, or Martin Elliot, Deputy Regional Commissioner, or e-mail communication@sesscouts.org.uk .

Useful links

GDPR advice on processing data

GDPR advice on processing data

General Data Protection Regulation (GDPR) is a new EU law that will come into effect on 25 May 2018, replacing the current Data Protection Act and introducing new requirements for how organisations process personal data.

This new regulation affects how Scout Units – Groups, Districts and Regions – collect and process personal data on youth members, adult volunteers and staff but data protection is not a new requirement – many of the GDPR’s main concepts and principles are based on those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR.

The Regional Executive’s Risk and Audit Committee has been reviewing the effect of the new legislation and at February’s meeting the Regional Executive agreed to the Committee’s recommendations which include updating the training provided to leaders and executive members and providing practical support to all adult members, starting with a fuller article on GDPR in next month’s newsletter.

In the meantime we would encourage all leaders and executive member to review their existing data protection practices and, to help, the committee has prepared some best practice for data protection.

Tell members what you are doing with their data
People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.

Make sure your executive are aware and adequately trained
As Data Controllers, Scout Units are directly responsible for any personal data they process and must therefore ensure that they are aware of their responsibilities under the updated law.

Password protect computerised data
Particularly important if sending data to others but good practice to do anyway. All passwords should contain upper and lower case letters, a number and ideally a symbol to make them harder to crack.

Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

Obtain Consent
The DPA already requires data controllers to obtain consent for processing sensitive personal information but this is extended under GDPR. It is good practice to obtain consent when obtaining personal information either using a tick box or signed declaration.

Take Care Using Cloud Storage
When using cloud storage e.g. DropBox, iCloud, OneDrive to store documents containing personal data extreme care should be taken to ensure access is restricted to only those who need it.

Use Blind Carbon Copy (bcc) for e-mail distribution
If sending e-mails to multiple members, it is good practice to use the bcc function so that recipients cannot see other e-mail addresses.

Ensure that Data is only kept for the time it is required
Once a child or adult member leaves Scouting their record should be removed and/or destroyed.