The General Data Protection Regulation (GDPR) is a revised set of data protection rules coming into effect in May 2018. They will affect how you handle and store personal data in local Scouting.
Below are links to early guidance to help inform you of what action you may need to take locally to act in line with the rules, and some guidance about why local Scouting will not be required to appoint a Data Protection Officer, as well as the areas the Association is considering to signpost further information to help you comply with GDPR.
CLICK HERE to download our document which offers a good introduction to GDPR in relation to local Scouting.
Over the coming months, we will provide further advice and guidance which should hopefully address some of these more specifically. However, we address two main queries here which we hope will assist generally.
The Scout GDPR Pack
Duty of care for the security of data lies with everybody that gathers, handles or receives personal data. The Scout Group, District, County, Area, Region or Country Executive Committee has overall responsibility for making sure that they comply with legal requirements, including data protection legislation.
The Scout Association is working with a consulting partner, Black Penny Consulting. Together they will be issuing a GDPR pack which will give the Scout Group, District, County, Area, Region or Country an easy-to-follow guide on how to document processes and best practices to follow.
This GDPR pack will help guide adult volunteers on how to handle the data of the young people they are responsible for and the adult volunteers in their Scout Group, District, County, Area, Region or Country.
The GDPR pack will be delivered to all members (and posted here as soon as we receive it) in March and will include:
- a presentation pack detailing the GDPR legislation
- a step-by-step guide on how to fill out the documentation
- pre-populated registers documenting the data types and lawful processes for collection, storage and use of data
- guides on how to handle SARs and breaches
- a guide on how to maintain compliance
- a FAQ fact sheet
In the meantime, below are some FAQs.
Q. Does my Group/District need to appoint a Data Protection Officer (DPO)?
As under the current law, each Scout Unit (e.g. Scout Group, District or County/Area) will still be a Data Controller in its own right and overall responsibility for compliance with data protection will continue to lie with the relevant Executive Committee (i.e. the Charity Trustees). Under the GDPR, it will be mandatory for public authorities, or those organisations processing personal data on a large scale as a ‘core’ activity for systematic monitoring purposes or involving sensitive personal data, to appoint a DPO. Therefore, Scout Units as smaller organisations operating locally will not be required to appoint a DPO. However, Executive Committees must ensure that they can fulfil their obligations under the GDPR and therefore it is advisable to allocate an appropriately senior individual locally to oversee GDPR compliance wherever possible.
Q. Will the Association be providing training or guidance about how Scout Units can comply with GDPR?
The Association assists members by providing general advice and guidance about data protection on its website. It will continue to update this information with regard to GDPR compliance over the coming months. In addition, as part of its own GDPR Strategy, the Association is considering additional ways in which it can best assist members with any specific advice, guidance or training regarding compliance, e.g. provision of factsheets, checklists, toolkits, sample suggested Privacy Notices, training modules etc., and will update Members in the forthcoming months about this also. However, it is important to note that as Data Controllers, Scout Units are directly responsible for any personal data they process and must therefore ensure that they are aware of their responsibilities under the law. Each adult Member and Associate Member must also ensure that when handling any personal data they comply with data protection law. Data protection is a wide-ranging subject and is regulated by the Information Commissioner's Office, which produces a large amount of relevant guidance. Therefore, for queries generally or if in any doubt, members should check the guidance provided by the ICO on its website, as this is the best and most direct source of relevant information on data protection: https://ico.org.uk
The Information Commissioner's Office has replaced their Getting ready for the GDPR checklist with two new checklists - one for data controllers, and another for data processors.
Before undertaking the self-assessment checklist to help your group, unit or district get ready for the GDPR, you should first understand that your relevant executive committee is your “data controller” and your relevant leaders are the “data processors”. The definition of these two terms can be found HERE.
Archived and historic data
The Heritage Team at HQ has been referring to the Association of Independent Museums guide - Successfully managing privacy and data regulations in small museums, which should be used as a starting point for those working with or holding archived or historic data.
Also, there are exemptions in the current Data Protection Act for using archives for research purposes. It’s thought that these will continue under GDPR; however, at the time of posting, HQ are still waiting for this to be confirmed from the ICO/Government.
The Code of practice for archivists and records managers under Section 51(4) of the Data Protection Act 1998
See the relevant section under 4.9 for further information, noting that the FOI Act does not incorporate The Scout Association.
Further information will be communicated in the coming months.