On 25th May 2018 the Data Protection Act is being replaced by the General Data Protection Regulation (GDPR). This places restrictions on organisations in the way they manage and process personal data.
The term which is generally used in relation to this is Personally Identifiable Information (PII) rather than Personal Data. (Note: the terms are interchangeable and intended to mean the same thing.) For PII you require two things:
- the Personal Identifier, and
- some (any) Information.
For example, take the individual "Mrs Miggins". Mrs Miggins taken in isolation is not PII. It tells us nothing about "Mrs Miggins". But "Mrs Miggins" of 24 Acacia Avenue tells us where she lives - so this is PII.
Personal data falls into two categories:
- any data held about a living individual who can be identified from the information itself or other information also held
- data which falls into the following categories is regarded as sensitive personal data and requires additional protection: Racial or ethnic origin; Political opinions; Religious beliefs; Trade union membership; Physical or mental health; Sexual life; Commission of offences or alleged offences.
Personal data is allowed to be stored by organisations for legitimate processing purposes. For instance, the Scout Group requires names, addresses and dates of birth for operational and safety reasons. In addition, medical and religious information, which falls into the sensitive personal data category, has special rules where extra care must be taken when handling or disclosing it to third parties.
The Scout Association itself has published guidance information on GDPR here
As a Scout Group we need to be careful with the way we store and process personal data. The following categories consider the data we store, how we should store it and when it should be deleted.
Contact information
Contact information (e.g. names, addresses, phone numbers, etc.) is required to ensure that we can contact parents and guardians in the event of any emergency. This is stored in Online Scout Manager (OSM) which has access restricted to certain DBS cleared leaders in the Group. This information is required for our 'In Touch' policy. Some of this information will include medical and religious information for health and safety purposes.
As children move between sections the PII is initially copied to the new section and then removed from the old section, using the OSM Remove functionality, once all badges from the previous section have been awarded. This is typically within a term of the transfer. A record that the child was a member of the section in the Group is maintained for historic purposes. Where the transfer is to another Scout Group, specific parental permission is obtained prior to the data being copied/transferred.
Where a child leaves the Group the information is removed, at the end of that term, again using the OSM Remove functionality. Again a record that the child was a member of the section in the Group is maintained for historic purposes.
At times paper records are required for various events and activities (e.g. camps) to allow information to be immediately available for emergency and other purposes. Records are completed by parents/guardians and handed to the nominated individual for the event. These are stored at the event in a location which is known to the leaders for emergency purposes. After the event the records are maintained safely at the home of the nominated individual for up to a year so that data for the next similar event can be checked against the previous event. We have found that at times parents/guardians forget to include certain important information on health forms (e.g. the fact a child is asthmatic) and hence the forms can be used for cross checking. Once the forms are no longer required they are shredded.
Certain events and activities require contact, medical and religious information to be transferred to third parties (for instance County events like Scoutabout). All the organisations are GDPR compliant and the information is again completed by the parent/guardian and stored safely by the third party (e.g. Surrey County Scout Council).
Photographs are also regarded as PII where individuals are named against the photograph. Photos, and occasionally videos, are used by the Scout Group for uploading to Facebook to show parents/guardians activities being undertaken by their children. In addition some photos with names are used in the Scout Group history. Permission is sought on OSM from parents/guardians to allow photos and names to be used for these activities.
The Ashley Explorer Unit use WhatsApp to pass messages about programmes, activities and events as well as other general information related to the Scout Group. The WhatsApp group contains names and phone numbers of the children and hence is only shared within the Unit.
Contact information for leaders is treated in the same way as the children with regard to storage and processing.
Emails
For security reasons all emails from section leaders will now be shared via OSM which targets the parents/guardians and children (where they have a valid email address) directly and does not disclose email addresses to other individuals.
Parents/guardians will occasionally reply to emails sent from OSM. Email accounts of section leaders will be password protected and only read on devices which have passwords (e.g. mobile phones, laptops and desktop computers). The section leader will process the email, depending on the contents, and once the issue has been resolved will delete the email if it contains personal data. Typically this may require the leader to upload the information into OSM.
Waiting Lists
Children waiting to join the sections in our Scout Group are requested to provide contact information (name, sex, DOB, postcode, contact number) via email. This information is then transferred to our waiting list within OSM and the original email deleted as soon as possible.
At least once a year, people on the waiting list will be contacted to ensure their information is correct. We will ask if they wish to remain on the list and if they are happy for us to store their personal data. Where people request to be removed from the list their information will be deleted, effective the following term.
Online Scout Manager (OSM)
Online Scout Manager is the tool the Scout Group uses to record information about children and adults associated with the Scout Group. OSM itself has its own GDPR policy.
Dropbox
Dropbox is a file sharing location used by the Group to share programmes, newsletters, camp plans, etc. between section leaders and helpers. No personal information is stored on Dropbox with the exception of when 'In Touch' lists need to be physically generated for various events and activities. This information is then password protected, where possible, and deleted as soon as it is no longer required.
In addition the Group History is stored on Dropbox which may contain names and photos of various members of the Group. Permission will have been sought for all photos captured after 25th May 2018 and stored in the History.
Hall and Forge Bookings
The Scout Group gathers personal information for the purpose of renting out their buildings to help them fund the Group. Information is either submitted via email to email@example.com or via the website. This uses the plugin Formspree which is GDPR compliant.
The data is retained purely for the purposes of bookings and invoicing and is destroyed within 3 months of a booking unless required for accounting and other purposes.
Data Subject Rights (GDPR)
Breach Notification
We will notify our parents/guardians/leaders/helpers of any breach of data via email within 72 hours of identifying the breach.
Right to be Informed
Parents/guardians/leaders/helpers are informed when they join the Scout Group that their personal information, and that of their children, is held in Online Scout Manager.
Right to Access
Parents/guardians are able to download information about their children using OSM. Additional requests for information should be made to the Data Protection Officer. The same holds for leaders/helpers.
Right to Rectification
Parents/guardians/leaders/helpers are able to correct the information held using Online Scout Manager (OSM). Parents/guardians on the waiting list can request for information to be corrected by contacting the section leader of the appropriate section or the Group Scout Leader, Richard Ascough.
Right for Erasure
Parents/guardians/leaders/helpers are able to request for information to be deleted, but should be aware that in order to be a member of the Scout Group the information is required. 'Legitimate interests' is likely to be more appropriate and therefore consent is not required, as the data provided by parents is expected to be stored and processed for the purposes of running a Group/Unit and its associated events.
Parents/guardians of children on the waiting list should request for the information to be deleted by contacting the section leader of the appropriate section or the Group Scout Leader.
Right for Restricted Processing
Whilst parents/guardians/leaders/helpers are able to request for restricted processing, 'legitimate interests' means that the information held is required for the purposes of running a Group/Unit and its associated events.
Data Portability
Parents/guardians of children in the Scout Group or on the waiting list can request for information to be transferred to another Scout Group.
Right to Object
Parents/guardians/leaders/helpers are able to object to the processing of their information and that of their children by contacting the Data Protection Officer.
Data Protection Officer
Richard Ascough, the Group Scout Leader, is the Data Protection Officer for the 3rd Epsom Scout Group including the Ashley Explorer Unit. He can be contacted via the Contact Us pages.