Data Protection Policy
Issue 1 – September 2018
About this procedure
This Data Protection policy applies to all operations of South East Scotland Regional Scout Council, including those at Bonaly Scout Centre and Longcraig Water Sports Centre. It does not cover the operations of Districts and Groups, who should have their own policies.
This policy is designed to ensure that South East Scotland Regional Scout Council complies with its obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA 2018”) and conforms to the following eight data protection principles:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
- at least one of the conditions in Schedule 2 of GDPR is met, and
- in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This policy has been approved by the Regional Executive Committee. The Chair of the Risk and Audit Committee is the owner of this policy and responsible for its regular review (at least yearly) and update as necessary. The Chair of the Risk and Audit Committee acts as our Data Protection Officer.
The personal data we hold
|Data description||Personal data included||Stored using||Retention policy||Responsible officer|
|Information about our members||Contact information, appointments, training records, activity permits and awards.||For adult members – Compass membership management system, provided
by UK Scout Association
|Retained whilst a current member. A subset of data is retained
when a membership ceases in order to support the vetting policy should the person reapply for membership
|Chair of the Risk and Audit Committee|
|Details of criminal convictions||Paper copy in secure cabinet||10 years from date of background check||Regional Appointments Secretary|
|Information about Safeguarding incidents||Contact information and information regarding the nature of any allegation, the status and outcome of the investigation||Paper, email and electronic Files||Indefinitely||Regional Commissioner|
|Information about our employees||Applications of jobs where candidate is unsuccessful||6 months after notifying candidate||Regional Chair|
|Start dates, annual leave, contract, references, copy of other relevant documentation (e.g. disciplinary letters)||Electronic files||5 years following the employee leaving employment||Regional Chair|
|Contact details, salary and pension contribution information||Electronic files||Indefinitely||Regional Chair|
|Payroll information, including salary and other allowances, P60, P45, P11D and P6 notices.||Payroll system||7 years||Regional Chair|
|Information about accidents and near misses||Contact details and nature of accident||Paper form stored in Regional Office||3 years after end of investigation||Regional Operations Manager|
|Information about general enquirers||Contact information and nature of enquiry, which may contain personal data||Regional email system||1 year after enquiry||Regional Operations Manager|
|Information about our customers||Contact information||Paper forms stored in filing cabinet, Electronic Files||1 year after booking occurs||Regional Operations Manager|
|Information about people registered to our mailing lists||Contact information||Mailchimp (3rd party system)||Indefinitely, unless the individual
|Assistant Regional Commissioner (Communications)|
|Credit card and bank details of customers and suppliers||PAN number, expiry date, CCV number, sort-code and account number||Not stored, other than by 3rd party merchant||As per merchant’s policy||Regional Operations Manager|
For completeness, we also hold the following information which is not categorised as Personal Data but has the following retention policies applied:
|Data description||Retention policy||Responsible officer|
|Finance – purchase ledgers, record of payments made, invoices, bank paying in counterfoils, bank statements, remittance advices, correspondence regarding donations, bank reconciliation.||7 years||Regional Treasurer|
|Finance – Receipt cash book and sales ledger||10 years||Regional Treasurer|
|Finance – Fixed assets register||Indefinitely||Regional Treasurer|
|Finance – Deed of covenant/Gift aid declaration and legacies||6 years after last payment made||Regional Treasurer|
|Buildings – Deeds of title||Indefinitely||Regional Secretary|
|Buildings – records of major refurbishments, warranties, planning consent, health & safety files.||13 years after completion of project||Chair of Estates Committee|
|Trustee’s minutes||Indefinitely||Regional Secretary|
|Annual accounts and annual reports||Indefinitely||Regional Secretary|
|Investment and insurance policy records||7 years after disposal||Regional Secretary|
|Insurance policies||Indefinitely||Regional Treasurer|
|Employer’s Liability insurance certificate||40 years||Regional Operations Manager|
|Health and safety records||3 years||Regional Operations Manager|
Our Security Policies
The following security policies will apply to the storing of personal data as outlined in this policy. These security policies are mandatory.
- Need to know – We only give people access to the data that they need to carry out their role. If people change roles, we review access accordingly.
- Passwords – We use systems that force complex passwords. Changed regularly or set once and keep until you think the password has been compromised.
- Employment – We ensure our employees are made aware of their data protection obligations through clauses in their contracts and details contained in the staff handbook.
- Transporting data – We only transport data using physical media if absolutely necessary and then using encrypted media only.
- Education – Training will be made available for all staff and Regional volunteers about their obligations under this policy.
- We keep people informed – We tell people why we are collecting their data and how we use it, at the point in time we collect it.
- Limiting storage – We limit the amount of personal data we physical store to the absolute minimum. Only those with a need to know will have access to the data.
- Locked – Physical documents with personal data will be store in a locked cabinet.
Corporate email (for employees)
- Restriction – Our employees should only use the Regional email system for receiving, storing and sending of emails.
- Virus, Malware and Phishing protection – All emails will be scanned for virus, malware and phishing.
- Acceptable use – Our staff handbook outlines how employees should use the corporate email system.
Credit card information
- PCI regulations – We do not store payment card information on any of our systems or paper forms. If customers call to pay using a payment card, the details are directly entered into the PDQ machine and not written down.
- Third party processing – Other than the Scout Association, we limit the use of third parties to process personal data collected by South East Scotland Regional Scout Council and only do so where we have the express permission of the Regional Chair.
- Third party compliance – We ensure third parties we contract with to store personal data comply with the principles of this policy, have an information security policy in place and ideally hold an information security standard (such as ISO 27001).
- Limiting exports – When exporting data from third party systems (e.g. Compass), we only export the data we need for the purpose we need it for.
Where we do not have a lawful basis to hold or process data, we will seek the express consent of individuals to hold data about them. This will be by specific and unambiguous statements that must be opted-into on any forms (electronic or otherwise) and systems. In some circumstances due to the organisation of the Scouts, we ask our members to ensure they have express consent for the data they are submitting to us.
Data Subject Access Requests
Should a member of South East Scotland Scouts or a member of the public request a copy of any personal information which South East Scotland Regional Scout Council holds, then the following process should be followed:
- The individual should write to the Regional Secretary (firstname.lastname@example.org) outlining the personal data they are seeking to obtain.
- The Regional Secretary shall acknowledge the request by email.
- The Regional Secretary shall seek to verify the identity of the individual and that they are lawfully entitled to request a copy of the personal data. This may involve asking for information such as a membership number, date of birth, address, or documentary evidence.
- The Regional Secretary will collate the data requested, noting that we cannot provide data held by other organisations such as the Scout Association, Districts or Groups. The data should be carefully analysed to ensure it does not refer to any other individuals, in which case it should be redacted.
- Within 30 days of the receiving the request, the Regional Secretary will provide the data to the individual. This will normally be by email.
- There will be no charge.
For more information about our legal obligations, refer to the ICO website.
Right to erasure (Right to be forgotten)
Should a member of South East Scotland Scouts or a member of the public wish for their personal information to be erased, then the following process should be followed:
- The individual should write to the Regional Secretary (email@example.com) outlining the personal data they are seeking to erase.
- The Regional Secretary shall consult the Regional Chair and Regional Commissioner to make a decision as to whether the request should be processed. Guidance from the ICO should be followed. Whilst South East Scouts will not seek to refuse the request unreasonably, it has a number of statutory obligations to comply with and uses personal data as part of its vetting and safeguarding procedures.
- If it is deemed that the data shall be deleted, then the Regional Secretary will confirm to the individual the timescales involved and instruct the necessary responsible officer to delete it.
Correcting inaccurate personal data
Should a member of South East Scotland Scouts or a member of the public believe that information that we hold about them is inaccurate, they should write to the Regional Secretary (firstname.lastname@example.org) outlining the inaccuracy. The Regional Secretary will then seek to correct the data and confirm back to the individual.
Reporting a breach
A breach is defined as any event which “leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. If a breach occurs, the Regional Secretary should be immediately informed (email@example.com).
The Regional Secretary (in consultation with the Regional Chair and Regional Commissioner) will need to consider if the breach is likely to “result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage”. If it does, the ICO should be informed within 72 hours of the breach occurring.
If the breach results in a high risk to the rights of the individuals involved, they should also be informed directly.
The Region shares a summary about the data it holds and how it processes it on its Regional website at https://sesscouts.org.uk/privacy/. The website also provides information on how to submit a data subject access request and right to be forgotten request.
Our site use some cookies and we have links to other sites which do. Cookies are small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at About Cookies website which offers guidance.