General Data Protection Regulation (GDPR) is a new EU law that will come into effect on 25 May 2018, replacing the current Data Protection Act and introducing new requirements for how organisations process personal data.
This new regulation affects how Scout Units – Groups, Districts and Regions – collect and process personal data on youth members, adult volunteers and staff but data protection is not a new requirement – many of the GDPR’s main concepts and principles are based on those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR.
The Regional Executive’s Risk and Audit Committee has been reviewing the effect of the new legislation and at February’s meeting the Regional Executive agreed to the Committee’s recommendations which include updating the training provided to leaders and executive members and providing practical support to all adult members, starting with a fuller article on GDPR in next month’s newsletter.
In the meantime we would encourage all leaders and executive member to review their existing data protection practices and, to help, the committee has prepared some best practice for data protection.
Tell members what you are doing with their data
People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
Make sure your executive are aware and adequately trained
As Data Controllers, Scout Units are directly responsible for any personal data they process and must therefore ensure that they are aware of their responsibilities under the updated law.
Password protect computerised data
Particularly important if sending data to others but good practice to do anyway. All passwords should contain upper and lower case letters, a number and ideally a symbol to make them harder to crack.
Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
The DPA already requires data controllers to obtain consent for processing sensitive personal information but this is extended under GDPR. It is good practice to obtain consent when obtaining personal information either using a tick box or signed declaration.
Take Care Using Cloud Storage
When using cloud storage e.g. DropBox, iCloud, OneDrive to store documents containing personal data extreme care should be taken to ensure access is restricted to only those who need it.
Use Blind Carbon Copy (bcc) for e-mail distribution
If sending e-mails to multiple members, it is good practice to use the bcc function so that recipients cannot see other e-mail addresses.
Ensure that Data is only kept for the time it is required
Once a child or adult member leaves Scouting their record should be removed and/or destroyed.