What is GDPR and why do we need it?
As technology develops and our private data is being used and shared in countless new ways, people are understandably becoming increasingly worried about security.
There are two key reasons why GDPR is being introduced: to bring all EU member states under one common regulation and to update regulations to reflect our new digital age.
In the UK, charities such as the 11th/9th Cambridge Scout Group are still following Scout policy: our organisation's rules ensure the safety of people’s data. Technology and data sharing have developed a lot since 1998, when the Data Protection Act was introduced: those rules may not be entirely suitable for the needs of scouting and the types of technology we’re seeing today. GDPR has replaced the Data Protection Act to better protect our data from breaches and hacks.
However, GDPR also gives a number of ‘rights’ to people regarding their own data, including:
- The right to be informed – you have a right to know how your data will be used by our group.
- The right to access your personal data – you can ask any scout group to share with you the data they have about you and your young person/s!
- The right to rectification – this just means you can update your data if it’s inaccurate or if something is missing.
- The right to erasure – this means that you have the right to request that a scout group deletes any personal data they have about you or your young person. There are some exceptions, for example, some information can be held by a group after an incident requiring first-aid treatment.
- The right to restrict processing – if you think there’s something wrong with the data being held or you aren’t sure we are complying with the rules, you can restrict any further use of data until the problem is resolved.
How we gather personal information
The majority of the personal information we hold on our members is provided to us directly by parents / guardians in either paper form or via our online membership systems. In the case of an adult member or helper, data may also be provided by third party reference agencies, such as the Disclosure and Barring Service (DBS).
Where a member is under the age of 13, this information will be obtained from a parent / guardian but we may accept (and potentially record) pertinent personal information, such as about any ongoing medical treatment, from any member no matter their age.
How we use personal information
We collect personal and medical information for the protection and identification of that person whilst in the care of the Scout Group.
We aim to respect the beliefs (religious or otherwise) of all our members. We will only hold information about a person's religion in order to accommodate those beliefs in activities, food and holidays.
We use contact information to inform the young person, parents and guardians of meetings and events that the group itself may be running or attending. We use medical information where that is in the interest of the person concerned (e.g. notes on allergies or medications).
Sharing and transferring personal information
We will normally only share personal information among the 11th/9th Scout Group leaders and administrative supporters.
We may also share a member’s personal details with The Scout Association and its insurance subsidiary “Unity”, local authority services and law enforcement: we will only share personal information to the extent needed for those purposes.
If a youth member of the group moves to another scout group (or explorer section), we will transfer their personal information to that new section if requested by the parents/guardians of the young person.
We will never sell your personal information to any third party for the purposes of marketing.
Sometimes we may nominate a member for a county or national award, such as a Duke of Edinburgh award. Such nominations would require us to provide contact details to that organisation.
Third Party Data Processors
The 11th/9th Cambridge Scout Group employs the services of the following third-party data processors:
- The Scout Association via its membership system “Compass” which is used to record the personal information of leaders, adults and parents who have undergone a Disclosure and Barring Service (DBS) check.
- Unity Insurance (The Scout Association Insurance company)
- Online Youth Manager Ltd (Online Scout Manager) which is used to record the personal information, badge records, event and attendance records etc. We have a data processing agreement in place with Online Youth Manager Ltd; more information is available at https://www.onlinescoutmanager.co.uk/security.php.
- Google, occasionally used for secure transfer of limited personal information for events.
How long we keep personal information for
We will retain personal information of a young person throughout the time that person is a member of the Scout Group. We will retain personal information of the parents / guardians of a young person throughout the time that the young person is a member of the group.
We will retain full personal information of a youth member for a period of six months after the member has left the group, and in a much more limited form (name, date of birth, badge and attendance records, and any first aid incidents) for a period of up to 15 years (until age 21) to fulfil our legal obligations for insurance and legal claims. Personal records of parents/guardians who have no further connection with the group will be destroyed six months after a youth member has left the group.
We will also keep any Gift Aid Claim information for the statutory 7 years as required by HMRC (which may be beyond age 21).
Automated decision making
The 11th/9th Cambridge Scout Group does not have any automated decision-making systems.
Transfers outside the UK
The 11th/9th Cambridge Scout Group will not transfer your personal information outside of the UK. Events taking place outside the UK (such as the World Jamboree) will have their own data collection form which will be securely held and disposed of as appropriate.
The 11th/9th Cambridge Scout Group is committed to the protection of your personal information.
We generally store personal information in one of two digital online database systems, where access to that data is restricted and controlled.
Compass is the online membership system of The Scout Association; this system is used for the collection and storage of Adult personal data.
Online Scout Manager is an online membership system run by Online Youth Manager Ltd; this is a secure membership database where we store the personal information of Adults and Youth members for the day to day running of the group.
Printed records and Event data
Paper is still used within the group to capture and retain some data, for example, Gift Aid Collection forms.
Any forms providing information which is transferred to digital systems (personal details for youth members and their parents, for example) are securely held by the leader and transferred to the digital systems as soon as possible; the paper form is subsequently destroyed.
Gift Aid collection forms will be securely held by the Group's Treasurer to aid in the collection of Gift Aid: we have a legal obligation to retain this information for seven years after our last claim.
It is not always possible to guarantee access to digital storage while on events such as camps and trips. To ensure that necessary details are available, some personal details (e.g. emergency contact details, food allergies) may be printed for use on the event.
We will ensure:
- Transfer of printed documents is secure, such as physical hand-to-hand transfer.
- Paper forms are securely destroyed by burning or shredding after use.
- Paper documents will be kept secure at the event and in transit.
Sometimes we may nominate a member for a national award (such as the Queen's Scout or Duke of Edinburgh award). Such nominations would require us to provide contact details to the awarding organisation; this is most often done on paper via registered post.
The law on image use and GDPR needs further clarification; the position of the 11th/9th Cambridge Scout Group is:
Photographs/images (which can be classed as personal information) of yourself or your son/daughter may be taken during activities and be used within a Scouting context and in particular publicity material, for example, Scouting publications and the media. Images may be published to official Scout websites and scouting affiliated social media and our public display boards in the centre (but will never identify individuals in line with Scout Association guidelines). We ask for consent to take such photographs and are diligent in avoiding taking photographs of any individual where the consent of a parent/guardian has not been given.
Under GDPR, storing data by consent is only permitted if people can easily and effectively withdraw consent. If we publish a photograph or image in any public forum (such as a website) we no longer have control over that photograph in so far as it can be downloaded and reproduced elsewhere, so a withdrawal of consent once a picture has been published cannot be effective.
In the event that consent for photographs to be taken is withdrawn, the Group will undertake to publish no further photographs of the youth members concerned and will delete any images already taken from any sites over which it has control. It may not be possible to remove all images and photographs from the historical record online or elsewhere.
Please note that as many Scouting events happen in the open air and in publicly accessible spaces, it is not possible to guarantee that photographs are not taken by people unconnected with the group.
The 11th/9th Cambridge Scout Group may store an image of youth members and/or their parents/guardians on the Online Scout Manager (OSM) membership database as part of the personal information stored there.