Know the law
You should make sure that the members of your Group Executive Committee and section leadership teams are aware of the changes in data protection law. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It raises the standards for processing personal data, to strengthen and unify protection for individuals across the EU and places greater obligations on how organisations handle personal data. It comes into effect in the UK on 25 May 2018 and will exist post-Brexit.
Does data protection apply to local Scouting (Groups, Districts and Counties, Regions)?
Data protection law applies in full to all local Scouting, as it does to any form of organisation including public authorities, companies, businesses and other charities. Your Scout Group operates as an independent charity and is likely to collect and store personal data about members and, in many cases, other individuals involved with local Scouting. Local Scouting must adhere to the GDPR.
What are the key concepts in the GDPR?
The GDPR is structured around six principles:
- Requiring transparency on the handling and use of personal data.
- Limiting personal data processing to specified, legitimate purposes.
- Limiting personal data collection and storage to intended purposes.
- Enabling individuals to correct or request deletion of their personal data.
- Limiting the storage of personally identifiable data for only as long as necessary for its intended purpose.
- Ensuring personal data is protected using appropriate security practices.
What information does the GDPR apply to?
The GDPR applies to all ‘personal and sensitive personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); and includes:
- email address
- phone numbers
- banking details
Sensitive personal data (also referred to as ‘special category data’)
The GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include:
- ethnic origin
- politics (political opinion)
- religious or philosophical beliefs
- trade union membership
- biometrics (where used for ID purposes)
- health data
- sex life
- sexual orientation
Personal data relating to criminal convictions and offences is not included in the special categories, but similar extra safeguards apply to its processing.
The principles of GDPR
The new GDPR data protection principles set out the main responsibilities for your Scout Group and require that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary for the purposes for which the personal data was collected
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
There are many key terms that are in the GDPR and are used throughout this guide. These are:
- Personally Identifiable Information (PII) or personal data – This is any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as religion, ethnicity and disabilities.
- Data subject – This is an individual. For your Scout Group this could be young people, adult volunteers, supporters, parents/guardians or members of the public who make an enquiry.
- Data controller – This is the owner and user of the gathered personal data.
- Data processor – This is a company, organisation or individual who processes the information on behalf of the controller. This could be The Scout Association UK Headquarters or your choice of online third-party system (such as Online Scout Manager – OSM), and includes the sections of your Scout Group, your District, our County (South London) and our Region (London).
- Lawful processing/Legitimate interest – The legitimate reason for holding and processing PII data, such as it being necessary to protect the vital interests of the young person.
- Subject Access Request (SAR) – This is a request from an individual to your Scout Group to find out what information you hold on them. They also have the right to request that you change or permanently remove any details that you hold on them.
- Breach – This is the loss of information. This could come from a hacker or from physically losing files/folders.
- Data Protection Lead (DPL) – Your Scout Group's representative for data protection duties.