general data protection regulation (gdpr)
GENERAL DATA PROTECTION REGULATION (GDPR) (REGULATION (EU) 2016/679)
What is this document about?
To support our work with young people, we need to collect and retain certain data about those young people, as well as their parents, and our leaders, helpers and friends. The "General Data Protection Regulation" (GDPR) dictates how we must treat this data, and one of the things it requires is that we publish a Privacy Notice, that describes to you (the "data subject" - the person whose data we hold) what data we hold, and what we do with it. Every member of the Group is deemed to be a “data subject”, irrespective of age.
This document is that Privacy Notice.
This relates to the data held for Group purposes, specifically:
- Personal Information Forms (paper)
- Activity permissions forms (paper)
- Electronic registers (principally the Group management google doc’s and any excel spreadsheets or similar document’s produced for specific events).
- Mailchimp contact list
- Gmail contact list
The "Data Controller" is the person or organisation responsible for managing the data. For the purposes of this Privacy Notice, the Data Controller is the "1st Methlick Scout Group" Executive Committee. We can be contacted at email@example.com
Why do we collect data?
The information we collect is used to ensure that we provide the best service to our members, by ensuring that our leaders have all the information they need to deliver that service.
If you are a member of the Scout Group, or a parent or guardian, then we collect and use your personal data in our legitimate interests (specifically, it helps us to provide Scouting to our members, in a safe and appropriate manner), and therefore, according to the GDPR, we do not require your explicit consent.
If you are a leader, helper, or friend, we also need to keep some data about you, so that we can contact you when necessary and again ensure we can provide Scouting to you.
What data do we hold?
We keep data about our members, leaders, and friends, and their immediate family members. The data includes some or all of the following: names, date of birth, nationality, ethnicity, religion, disabilities, health and dietary issues, address, contact details, National Health number, relationships with other people (including family and health professionals), and history within the Scout Group. This is primarily gathered through our Personal Information form that each member completes when they join, or move section.
The only financial data we hold is to record payment of subscriptions, activities or camps, and whether each individual is eligible for Gift Aid. No bank details are kept on file in any shape or form.
From time to time activity permissions forms will be used with reference to specific events. These will be forms designed to capture and manage specific items of data ahead of events. These capture the same information as outlined above. These forms remain in the possession of the event leader during the event and are only used in the case of emergency. Following the event, the Data is securely disposed of, unless the subject has been involved in an incident where we need the form for investigation, insurance and legal purposes. Activity permissions forms will be retained for 1 month following the event and then destroyed in a secure manner.
Where do we get the data from?
In most cases, the information we hold about a data subject is provided by the subject themselves, or by their legal guardian/parents.
We also retain data about the history of members within the Group, such as dates of transition between Sections, participation in events, and attainment of badges or awards. This data is generated within the Group.
Who has access to the data?
The data is generally accessible to all the leaders of the Scout Group, and to no one else. We may have to share this information with the wider Scout Association, but we do not share this information with other organisations outside of scouting (unless legally enforced to do so, unless you ask us to or unless we have specifically asked for your consent to do so).
Your data will never be sold to 3rd parties.
Information is held on a computer system, to ensure that it is readily accessible to everyone that may need it, and that it can easily be kept up to date and accurate. The data is protected by a system of permissions and passwords, to ensure that the data is not accessible to people who should not have access.
Paper copies of the Personal information forms are kept in a locked area of the scout hut, and then further locked away in a drawer.
Parents, leaders, helpers and friends names and email addresses are held in Mailchimp and Gmail systems. These cloud services are password protected and access is restricted to specific leaders and administrators.
As a volunteer organisation it must be recognised that electronic records are accessed via machines not owned or controlled by the Group and which are the personal property of adults within the Group. All adults within the Group who have been granted access to these electronic records/systems are regularly reminded about the need for system security, the use of strong and secure passwords, and ensuring that access is not possible by anyone else using their machine.
How can a subject know what is held?
You may see a copy of the data we hold about you/your child, by request to the Data Controller via a Subject Access Request (SAR) – there is a process for doing this and we are allowed to charge for this service. You may ask that we correct any inaccuracies to personal details. Indeed, we positively welcome being updated with changes to personal details. You don’t need to do a SAR for this if you change your mobile number or email address for example! Just let your section leader and Group Scout Leader know. If you wish to instigate a SAR there is a process we must follow, email firstname.lastname@example.org in first instance with your specific request and the relevant paperwork will be issued.
How long do we keep the data?
Some key data (records of incidents, insurance claims, etc) we will keep indefinitely, other items we will destroy when your child reaches 18 years old. We will need records to be able to support or refute any complaints or queries you may have. However, data that is considered "sensitive" (including medical, ethnicity, religion data) will be erased 6 months after you leave the Group.
Those wishing to exercise their right to be forgotten and have their data deleted should contact the Data Controller and your request will be dealt with.
Communication with parents is on an information basis governed by permissions granted via the Personal Information form with no marketing or sales implications. We are a charity; we do not sell a service or product in order to make profit. You will receive communications which relate to the Group, and section of which you/your child is a member. Therefore standard marketing preferences and permissions governed by GDPR regulations in the commercial world do not apply to us – so we don’t need you to opt in.