6th Lichfield Scout Group Data Protection Policy
The General Data Protection Regulations (GDPR) governs the collection, recording, storage, use and disclosure of personal data, whether such data are held electronically or in manual form. Young people have the same rights as adults under the GDPR. The policy of the 6th Lichfield Scout Group (the “Group”) is outlined below.
We consider data to be any information held about a living individual who can be identified from the information itself or other information also held. Data can include photos and images.
Sensitive personal data may be any information relating to: race or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or commission of offences or alleged offences.
Data must be:
1. Processed fairly and lawfully;
2. Obtained for a specified and lawful purpose;
3. Adequate, relevant and not excessive for purpose;
4. Accurate and up-to-date;
5. Kept only for as long as required;
6. Processed in accordance with the data subjects rights;
7. Be kept secure proportionately to the level of harm that could result if unauthorised access occurs;
8. Not transmitted outside the European Economic Area (EEA) without consent from the data subject.
Group Data Protection Responsibility
The Group Executive Committee has overall responsibility for GDPR compliance. Any specific responsibilities delegated to individuals are outlined in this policy. The Group Scout Leader is the Data Protection Officer who will oversee the management and implementation of the GDPR and maintain the compliance records.
Data held by the Group
The Group holds data relating to the Group and Section Leaders including Young Leaders, children (members of Squirrel Scouts, Beaver Scouts, Cub Scouts and Scouts as well as those on waiting lists and lists of intent), their parents or guardians, next of kin and doctors. The Group may also hold data pertaining to a person involved in an accident or other incident until such time as there is no longer a possibility of liability or legal action. The data includes; names; addresses; telephone numbers; email addresses; occupations; school attended; doctor’s name, address and telephone number; hobbies/interests; important medical information; important safety information; volunteering information or details of any incident referred to above. The Group may also hold data relating to individuals or organisations who hire or otherwise use the HQ building or grounds. This may reasonably include personal and contact details, copies of risk assessments, insurances and other data deemed necessary to the safe hiring of the hall
Storage of Data
The Group stores data using ‘Online Scout Manager’ (“OSM”), a third party on-line, data management system that has been specifically designed for Scout Groups. Group Executive members and Leaders each have access to their own role or Section email address The Group facilitates communications by means of a Group website that may contain photographs of members of the Group. The Group operates several closed Whatsapp groups to ease communication, examples may be to facilitate dual authorisation of expense or to plan section programmes. On occasion we store data in written format, as and when needed, to perform Group activities, such as a lists of attendees at an event/activity or legal permission to shoot consents. We destroy this data once it is no longer required.
Access to Data
Access to OSM is authorised and managed by the Group Scout Leader (“GSL”). There are a number of different access rights and each individual who is granted access to the data are restricted to only that data that they require to perform their function within the Group. Each OSM user has unique access credentials in the form of a username and password. Access to data help on Compass is authorised and managed by the District Commissioner. Each Compass user is issued with a separate username and password. Each user is only given the access to data that their role requires.
Accuracy and Deletion of Data
Initially we collect data when a new child, adult volunteer or leader joins the Group. Contact, medical and other details can be updated by a member at any time via OSM or, for Adult members, via Compass. An annual email or note may be issued to each leader or parent/guardian to remind them to check that the details are still correct. Data necessary to process a DBS application shall only be retained until the DBS has been granted or otherwise. We retain data until the Group no longer requires it or reasonably foresees that it will not be required by any other Scouting Group. This may mean that we retain some data for a number of years before being deleted however if a child, parent or leader has not been active within the Group for a period of two consecutive years then their data will be deleted (with the exception of accident/incident records as previously described) An individual’s data, or part thereof, will be deleted on receipt of a request to do so by the individual concerned if they are an adult or by the parent or guardian of a child. Where we have deleted individual’s data such that the Group no longer has sufficient information to allow the individual to remain as a member of the Group (e.g. because a child’s data no longer contains a parent’s contact details) their place will be immediately withdrawn. Any data stored solely for the purposes of claiming Gift Aid will be retained for a maximum of six years after a member has become dormant within the Group, after which time we will delete their data.
Subject Access Request
A Subject Access Request (“SAR”) should be in writing or by email and sent to the Group Data Protection Officer. For children aged 12 years or older the SAR has to be made by the child. If they are aged 11 years or younger, a person with parental responsibility can make the SAR. In this case identity documents have to be presented for both the adult and young person, unless the person with parental responsibility is well known to either the GSL or a Section Leader, or both. The SAR will be completed by the Group, under the direction of the Data Protection Officer, within 30 days. There is no charge for a SAR unless an individual is making excessive and/or unfounded requests. Details of all SARs shall be recorded in the Group Executive minutes.
Use of Photographs and Video
Images (e.g. photographs and videos) that are not linked to personal identifiable information (e.g. full name) are not considered to be Personal Information.
Photographs may be taken at Group meetings, activities and events. Photographs may be taken by Leaders but they may also be taken by other parents, young people and other people that may not be related to the Group at all. There is no practical way of policing the taking and publishing of photographs of all events and activities that the Group undertakes.
The Group will use photographs in closed social media groups (e.g. Facebook) and in emails to inform parents of the activities that the young people are undertaking. Photographs may also be used on display boards in HQ. The Group will also use photographs on its public Facebook Group and Website (www.6thlichfield.org). The Group will also provide photographs to the local press and to other Official Scout Organisations for publicity purposes. When photographs are provided to third parties, the individuals in the photographs will not be identified by name without their (or, if they are a minor, their parent’s/guardian’s) permission.
Whilst it is not possible to make any guarantees about how and where photographs will be used, the Group recognises that there may be strong reasons for protecting the identity of some young people. Where there is a need to restrict the use of photography of a young person the parent or guardian must inform their Section Leader and the Group make all reasonable efforts to ensure that the needs of the young person are met.
The Group may use online systems (e.g. Zoom or Microsoft Teams) to facilitate online meetings. Video, audio and still images will be transmitted through these services during these meetings and may be captured by any participants. There is no practical way to prevent this capture or to control their onward transmission. The Group may from time to time make recordings of all or part of a meeting. These recordings will be used to post video or photographs on our closed social media groups and may be used for Leader training. Participants shall be informed that a meeting will be recorded and may withdraw without prejudice from the meeting.
Privacy Notice and Communicating with Members
The Privacy Notice is available on the Group website. The Privacy Notice will be reviewed by the Executive Committee on an annual basis.
Data will be disclosed to any Executive Committee member or Leader within the Group as required to allow them to perform their function. Data will be disclosed to other Scouting Groups or official Scouting Organisations as required in order to facilitate normal Group activities. Data will be disclosed to other third parties for the purpose of running youth activities; to comply with any legal requirements; to comply with charity law and to enable financial transactions between members and the Group. Details of data that are disclosed by the Group can be found in the Group Framework Register.
Breaches of the GDPR
Any known or suspected breach of data must be reported to the Data Protection Officer as soon as possible. The Data Protection Officer, along with the Executive Committee, will then act to determine the risk associated with the breach and put into place any actions required to mitigate further breaches if these are reasonably foreseeable. If a breach is likely to result in a high risk (e.g. criminal activity such as fraud, or published in the public domain) to the rights and/or freedoms of individuals then the Group must notify those concerned without undue delay.
If it is established that the GDPR has been breached and this is likely to result in a risk to the rights and/or freedoms of an individual it is the responsibility of the Executive Committee led by the Chair to advise the Information Commissioner’s Office (“ICO”) and, if a serious breach also the Charity Commission. The report must be issued within 72 hours. Details of all breaches are recorded in the Group Framework Register.
Adopted by Group Executive
1st November 2021
Prepared by C.M.Ecob Group Scout Leader (Acting) 16.10.2021