East Somerset District Scout Council Data Privacy Notice
Our Privacy and Fair Processing Notice “Data Privacy Notice” describes the categories of personal data we process and for what purposes. We are committed to collecting and using such data fairly and in accordance with the requirements of the General Data Protection Regulations “GDPR”.
The East Somerset District Scout Council (ESDSC) / “we” / “us” has a responsibility for all the adult volunteers and any paid employees appointed throughout the District. In addition, ESDSC manages a number of Adult Support Units, as well as other appointments which are the responsibility of the District. ESDSC is part of The Scout Association which is incorporated by Royal Charter. ESDSC is registered with the Charity Commission.
From time to time ESDSC collects information from Young People relating to events it organises.
The District Executive Committee is the data controller for the information we collect from its members and others / “you”/ “yours”. Any personal data that we collect will only be in relation to the work we do with our members and volunteers.
Scouting within the District is also carried out by Scout Groups, which, being semi-autonomous, are responsible for the control and management of their own data.
- Personal Data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
- How we gather personal data
The personal data held by ESDSC is usually provided directly by Adults and the Parents/Legal Guardians of the Young People in either paper or electronic form and by exception verbally.
Where a member is under the age of 18, this information will usually be obtained from a parent/guardian and would not ordinarily be provided by the young person.
- How do we process your personal data?
In accordance with Article 5 of the GDPR, personal data shall be:
- a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We process the data to have the ability to contact adult members and parents and guardians of young people, to inform them of meetings and events that ESDSC itself may be running or attending, or to pass on information.
We use personal data for the following purposes: –
• We collect personal and medical information for the protection and welfare of that person whilst in the care of ESDSC
• We collect religious data to respect a person’s beliefs with regards to activities, food and holidays
• To enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution
• To administer membership records
• To fundraise and promote the interests of ESDSC
• To manage our volunteers
• To maintain our own accounts and records (including the processing of gift aid applications);
• To inform you of news, events, activities and services running in the ESDSC.
- What is the legal basis for processing your / your child(ren)’s personal data?
We only use your personal information where that is permitted by the laws that protect your privacy rights. We only use personal information as follows:
- a) Child’s Name, Age, Date of Birth, Address, Photograph, Emergency Contact Details are kept in order to satisfy the legitimate interests of the SCSC for purposes of administration, Financial Organisation and well-being of the child. The data is also passed onto event organisers to allow them to safely organise the event concerned.
b) Child’s Health information, Religion, Ethnicity. This information is kept only with the explicit consent of the parents. The Health information is required to provide supporting information in the case of any medical emergency. Information on religion and ethnicity is stored for statistical purposes only.
c) Adult Volunteer’s Name, Age, Date of Birth, Address are kept in order to satisfy the legitimate interests of ESDSC administration and Safeguarding purposes.
d) Adult Volunteer’s Health information, Religion, Ethnicity. This information is kept only with the explicit consent of the Volunteer. The Health information is required to provide supporting information in the case of any medical emergency. Information on religion and ethnicity is stored for statistical purposes only.
- How we store personal data:
We are committed to the protection of your personal information.
We generally store personal information in secure digital online database systems, where access to that data is restricted and controlled.
Compass:- is the online membership system of The Scout Association; this system is used for the collection and storage of Adult personal data.
County Database:- is the online membership system of Somerset County Scouts Council; this system is being superseded by Compass (as above) and will be phased out over a period of time. In the meantime, the details stored will be rationalised where possible.
Online Scout Manager:- is an online membership system run by Online Youth Manager Ltd; this is a secure membership database where we store the personal information of Adults and Youth members for the day-to-day running of District Explorer Units.
Events:- Young people data will be stored using a system or method approved by the County Executive Committee (or their delegate) as appropriate to the event.
Printed records and Event data
Paper is still used to capture some data, for example the following: –
• Adult information forms
• Gift Aid forms.
• Events activities consent from parents, including Health and contact information
• Events coordination with event organisers.
• Award notifications/nominations
In the case of Adult information forms, this information is securely held by the line manager / Appointments Secretary and transferred to Compass (as above) as soon as practicable before the paper form is destroyed.
Gift Aid forms will be securely held by the District Treasurer to aid in the collection of Gift Aid. We have a legal obligation to retain this information for 7 years after our last claim.
As a member of ESDSC it is hoped you will take up the opportunity to attend events and camps. In order to fulfil our legal obligations, it may be necessary to have a potentially less secure means to access personal information, such as printouts of personal contacts and medical information (including specific event contact forms), rather than relying on secure digital systems. The reason is that the events are often held where internet and digital access will not be available. We will minimise the use of paper to only what is required for the event/camp.
We will ensure:
a) Transfer of paper is secure, such as physical hand to hand transfer or registered post.
b) Paper forms are securely destroyed after use and in any case within 12 months.
c) Secure destruction will be through a shredding machine or securely burned.
d) Paper records are always kept secure, especially when in transit, by using appropriate secure equipment.
Sometimes we may nominate a member for a national award. Such nominations would require that we provide contact details to the awarding organisation; this is most often done on paper via registered post.
Transitional period (destruction of documents)
All new data will be managed as outlined above, (with effect from the date that the County Executive Committee agrees this document). However, data existing at that date will be managed during a transitional period of 12 months with a view to achieving full compliance at the end of that period.
- Sharing and transferring personal Information
We will only normally share personal information within our District leadership and Executive members.
We will however share your personal information with others outside ESDSC where we need to meet or enforce a legal obligation. This may include The Scout Association and its insurance subsidiary “Unity”, local authority services and law enforcement. We will only share your personal information to the extent needed for those purposes.
We will never sell your personal information to any third party.
Your personal data will be treated as strictly confidential. We will only share your data with third parties outside of the organisation where there is a legitimate reason to do so. We will take steps to anonymise the data we provide (i.e. collective reporting on gender, ethnicity, age, etc.). If identifiable data is to be shared, we will seek your consent.
Third Party Data Processors
The Scout Association & ESDSC employ the services of the following third-party data processors: –
- The Scout Association via its adult membership system “Compass” which is used to record the personal information of leaders, adults and parents who have undergone a Disclosure and Barring Service (DBS) check in conjunction with “Atlantic” software for DBS.
- The Scout Association via its Census system “Annual Census of Membership” (https://census.scouts.org.uk/), which each year is used to collect anonymised information for children, leaders and adults.
- Online Youth Manager Ltd (Online Scout Manager), which is used to record the personal information, badge records, event and attendance records, and anonymised Census information (see above). We have a data processing agreement in place with Online Youth Manager; more information is available at https://www.onlinescoutmanager.co.uk/security.php
- Office 365 – eastsomersetscouts.org.uk
- Dropbox – occasionally used for secure transfer of limited personal information for Appointments/Census and Risk Assessments.
- JotForm – https://www.jotform.com/gdpr-compliance/ Data held in Germany
Automated decision making
ESDSC does not have any automated decision-making systems.
Transfers outside the UK & Europe (Germany)
ESDSC will not transfer your personal information outside of the UK & Germany (Europe)¹, with the exception where an Event is taking place outside of the UK & Germany (Europe)¹ and it is necessary to provide personal information to comply with our legal obligations, although generally such an event will have its own data collection form which will be securely held and disposed of after the event.
- How do we protect personal data?
We take appropriate measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for as long as necessary for the purpose for which it is used.
- How long do we keep your personal data?
We will retain your personal information throughout the time you are a member of ESDSC, or your Young person is enrolled on an event coordinated by ESDSC.
We will retain your full personal information after you have left ESDSC, in accordance with Policy Organisation & Rules “POR”.
We will also keep any Gift Aid Claim information for the statutory 7 years as required by HMRC.
- Your rights and your personal data
You have the right to object to how we process your personal information. You also have the right to access, correct, sometimes delete and restrict the personal information we use. In addition, you have a right to complain to us and to the data protection regulator.
Unless subject to an exemption under GDPR, you have the following rights with respect to your personal data: –
- The right to be informed – you have a right to know how your data will be used by us.
• The right to access your personal data – you can ask us to share with you the data we have about you!
• The right to rectification – this means you can update your data if it’s inaccurate or if something is missing. You can view and edit your personal information directly on our online membership systems Online Scout Manager and Compass.
• The right to erasure – this means that you have the right to request that we delete any personal data we have about you. There are some exceptions, for example, some information can be held for legal reasons.
• The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure if we are complying with the rules, you can restrict any further use of your data until the problem is resolved.
• The right to data portability – this means that if you ask us, we will have to share your data with you in a way that can be read digitally – such as a pdf. This makes it easier to share information with others.
• The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.
• Rights in relation to automated decision making and profiling – this protects you in cases where decisions are being made about you based entirely on automated processes rather than human input.
Please contact in the first instance:
- in the case of a young person, the event coordinator/leader;
• for adults, the District Appointments Secretary, your line manager or our Data Protection Lead for more information.
Whether or not you exercise your new rights is up to you – the main thing to remember is that they’re there if you need them.
- Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
- Contact Details
To exercise all relevant rights, queries or complaints please in the first instance contact our Data Protection Lead at ESDSC via email email@example.com
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Reviewed & approved by the ESDSC: currently under review.
¹ Data is held on dedicated Servers in Germany (Europe) which are GDPR compliant.