Under the data protection law starting in May 2018 there are a number of legal bases to allow us to process your personal information. One of the lawful bases we predominantly draw upon is ‘legitimate interests’, indicating that we have a genuine and legitimate reason to process this data (providing we are not harming any of your rights and interests in doing so). Pamber Heath Scout Group use the following personal information for our legitimate interests in delivering Scouting to our members and creating a positive impact in the community:
· In order to provide Scouting to our members, we must store and process their personal data including special category data (previously sensitive personal data) which includes medical details, disabilities or other special requirements and where relevant, religion to ensure we can make any necessary arrangements or adjustments (might include meeting halal requirements or respecting Sabbaths). Processing of special category data is limited to our members and is carried out with appropriate safeguards by us as a not-for-profit body.
· We store and process personal data and special category data belonging to Adult Volunteers for the above reasons and for the purposes of disclosure checks and safeguarding.
· We hold limited data on prospective members (name, DOB and contact email) to enable us to manage our waiting list.
· We also maintain an email mailing list of interested parties to enable us to send out communications which enable us to further our objectives. Although this list includes non-members, we believe the processing of the personal data on this mailing list is also covered by our legitimate interests. We only hold the name and email address of individuals who have expressed an interest in the Group through being a prospective, current or previous member or supporter. We use this mailing list to provide interested parties with news on the Group which may include upcoming or previous events, recruitment drives, fundraising efforts and other news that furthers the objectives of the Scout Group. All parties can unsubscribe from the mailing list at any point.
On an Annual Basis, we shall use the Census Aggregator function of OSM to capture ethnicity/disability/gender information from members. Adults must explicitly opt in to provide this information on behalf of their child. Aggregated census results are provided to The Scout Association for equality monitoring purposes.
In addition, we process data as part of our Legal Obligations; this includes but is not limited to: Accident Book records, donation and gift aid information which must be disclosed to HMRC, and when cooperating with an investigation by the authorities or a court order. If there is an incident in Scouting where medical assistance (beyond first aid) was required or there are safeguarding issues, this will be reported to The Scout Association to retain.
How we use your data
We minimise the risk of a data breach by reducing the reliance on paper and email where possible, preferring central data storage solutions.
We use a number of GPDR compliant Third Party processors to store and process data:
- We use Online Scout Manager (OSM) to manage youth data. We use OSM and Compass to store adult data. OSM enables members to edit their information. Compass is managed by The Scout Association (TSA) and adults can access their data through registering with Compass.
- Online Scout Manager directs users to Go Cardless for payment collection. Users explicitly consent to their data being held by Go Cardless through the sign-up process.
- We use MailChimp to manage our Newsletter mailing list. We selected the MailChimp platform as it gives you the power to subscribe and unsubscribe at any point.
- We use SurveyMonkey to gather expressions of interest or similar data capture exercises. An explanation of how the data will be used will be included on each survey.
- We use OneDrive to share personal information across the District for District Events when we cannot simply share OSM, rather than emailing this information.
Whilst we use paper records as a backup on events and for capturing data, we securely destroy paper records as soon as is practicable. When using our PCs to process data, we use strong password protected PCs with up to date virus and malware checkers. We will anonymise data where possible, i.e. for example if we need to communicate to request additional support to meet the needs of a young person we would anonymise this request.
How long we will keep your data?
Member Records: Our retention policy is to remove youth member records from OSM 6 months following departure, or sooner if requested. This period is to allow a young person to change their mind before their badge history is entirely lost. We can transfer OSM records to any other Group or can provide you an export of the history should you wish to retain it. Financial/Giftaid records are retained for the statutory required minimum 6 years after the end of the accounting period.
SurveyMonkey: Surveys are shared with other adult volunteers in the Scout Group then deleted 6 months after they are no longer relevant. There is no obligation to complete a SurveyMonkey survey and you may complete it anonymously if preferred.
Accident Book: Recommendations are to hold accident book records for three years (adults) or until the young person is 21. COSHH incidents should be held for 40 years. Paper accident book records shall therefore be kept in a secure storage container until that time has elapsed.
Newsletter: We will retain your contact email address on our MailChimp Newsletter as an alumnus of the Group to keep you up to date with recent developments in the Group. You are able to unsubscribe from this at any point.
The Scout Association (TSA): TSA will retain records of incidents (medical interventions or safeguarding) reported to them in line with their retention policy, expected to be indefinitely. Adult data is held indefinitely by The Scout Association on Compass. On closing of an adult role at Pamber Heath Scout Group, we will no longer have access to this data.
Data Controller & Subject Access Requests
Data Controller. The data controller for Pamber Heath Scout Group is the Executive Committee as a legal entity. Subject Access Requests are to be submitted to the Executive Committee either via direct contact with the Group Chair or in writing to firstname.lastname@example.org or the Executive Committee Postbox, Pamber Heath Scout Den, Pelican Road, Pamber Heath, RG26 3EL. Leaders will provide guidance as required. Due to our size and nature of processing, we are not required to be individually registered with the ICO. The Scout Association is registered with the ICO.
34SP.com (Our Data Host) collects the IP address of anyone visiting and stores it in our site’s access logs. IP addresses are used to track attacks on websites and allows 34SP to take steps to prevent those attacks. Access logs are kept for 28 days.
GDPR Compliance Statement
· We have checked that legitimate interests is the most appropriate basis.
· We understand our responsibility to protect the individual’s interests.
· We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
· We have identified the relevant legitimate interests.
· We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
· We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
· We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
· We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
· If we process children’s data, we take extra care to make sure we protect their interests.
· We have considered safeguards to reduce the impact where possible.
· We have considered whether we can offer an opt out.
· If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
· We keep our LIA under review, and repeat it if circumstances change.
· We include information about our legitimate interests in our privacy information.