Ensuring GDPR and My Scout Group Compliance
Specific Steps for Scout Groups to meet Compliance
It is imperative that every Scout Group understands the principles of Data Protection and how the upcoming changes in legislation will affect them. The following are key steps Scout Groups should take:
GDPR will benefit all of us; it will help ensure that our Personal Information is protected from misuse. It will also ensure that, as a Data Controller, each Scout Group, County or Provincial team will be accountable for how it collects, uses and stores information about the members under their remit. It is critically important that every member is aware of the changes that GDPR will bring and how that impacts them, either as a member of Scouting Ireland or an adult volunteer working on behalf of their Scout Group a County, Province, National Team etc.
This awareness will also benefit all of us in our personal lives as GDPR also relates to Banks, Insurance Companies, Utility providers, Online Marketing etc. Scout Groups should ensure that information relating to GDPR is made available to Group Council Members, all adult volunteer members, young people, parents or anyone who is in anyway involved with the Scout Group.
As the saying goes, ‘You can’t manage what you can’t measure’ and this is especially true regarding Data Protection. Each Scout Group must understand exactly what Personal Information it holds (and the responsibility associated with holding it). To ensure this is clear, it is important that every Scout Group makes an inventory of the personal data that it holds and examines it under the following headings:
- Why is it being held?
- How was it obtained?
- Why was it gathered?
- How long is it being retained for?
- How secure is it?
- Is it shared with any third parties?
Obviously, the primary source of Personal Information held by a Scout Group is its membership database. All registered members’ information is stored on Scouting Ireland’s central Membership Management System (pTools Software) and responsibility for this information is jointly held by Scouting Ireland centrally
Specific consideration must also be given to paper membership forms and how these are managed once they have been completed and received by the Scout Group. It is OK to collect information on paper forms, and to retain them in hard copy after they have been completed, as long as the member/parent is made aware of this at the time they are completing the form. Tick boxes (or similar) should be used to obtain the person’s consent to process their information. It is vitally important that any completed forms are stored securely in a specified location.
The same logic should be applied to any other system or database used to assist a Scout Group when managing its membership. It is OK to use technology supports in this way but careful attention must be paid to how and where data is stored (it must be secure and should be encrypted) and individuals must be informed if a third party is being used for this purpose. Most third-party providers (online registration, text messaging, fundraising) will be well aware of GDPR and will be able to advise on how they are ensuring compliance. If your Scout Group is using a third-party system you should contact them to verify that they are in compliance with GDPR.
Other likely categories of Personal Information held by Scout Groups will include:
- Information required for adult membership applications
- Managing Medications Forms
- Youth membership applications
- Text or messaging systems
- Email lists or distribution groups
- Attendance lists
- Information captured on Scout Group websites
There may also be others, depending on individual Scout Groups, and it is important that each Scout Group has a record of all Personal Data that it ‘controls’. A tool to help support Scout Groups in this task is available. This document is A Sample Scout Group Record of Processing Activities.
As noted above, it is required that individuals are made aware of certain information such as why their data is being collected and who will have access to it, their data is obtained. Under existing Data Protection law, it has always been a requirement to provide some of this information to individuals. GDPR builds on this requirement and expands the information that must be given to Individuals in advance of collecting and using their data.
Existing adult membership forms and other forms used to collect data (e.g. youth membership forms) must be updated to specifically tell individuals the following:
• The Scout Groups identity
• The reasons for collecting the information
• What the collected data will be used for
• Who it will be shared with
• If it’s going to be transferred outside the EU
• The ‘legal basis’ insert link to definitions page for processing the information
• How long it will be retained for
• The right of members to complain if they are unhappy with the Scout Group’s implementation of GDPR
• Other specific personal privacy rights relevant under GDPR (as outlined in Personal Privacy Rights section) insert Link to section
Scouting Ireland has obtained advice on how these requirements should be reflected on standard Scouting Ireland Membership forms and a sample membership form is available from the download section on this page.
Ensure Personal Privacy Rights
GDPR enshrines certain rights for individuals that must be supported by every Data Controller, including Scout Groups. It should be noted by members that these rights extend to any entity that holds your information including financial institutions, utility companies etc.
These rights include:
- Access to all information held about an individual (Subject Access Request) – This allows any member (or member’s parent /guardian in the case of children) to request a copy of all information held about them. This must be provided within one month. Note: Maintaining the Processing Activities Record will make it easier to process Subject Access Requests in a timely manner.
- To have inaccuracies corrected
- To have information erased
- To object to direct marketing
- To restrict processing of their information including automated decision making
Obtain and Manage Consent
GDPR is very clear that an individual must be informed of what their personal information is going to be used for, who will have access to it, where it will be stored and how long it will be held for. Consent must be ‘freely given, specific, informed and unambiguous’. Members cannot be forced into consent or unaware that they are giving consent. Obtaining consent requires an affirmative action of agreement – it cannot be inferred through silence (not objecting), pre-ticked boxes or inactivity. Consent must also be verifiable – Data Controllers must be able to demonstrate that consent was validly given and a data audit trail should be maintained.
Note: Where paper forms are used to collect personal information (e.g. Membership applications), the retention period (how long it is kept for) for the form, or relevant portion of the form. Under GDPR, minors below the age of 16 are not permitted to give consent for Data Processing. A child’s Parent or Guardian must give consent on their behalf. Existing Scouting Ireland policies relating to youth members already support this legislative requirement.
Report Data Breaches
If unauthorised access to Personal Data occurs or Personal Data is lost or stolen, the Data Protection Commissioner must be notified within 72 Hours of it being identified. This is a requirement for all paper information and all electronic information (unless the data is encrypted or anonymised). If the breach is likely to cause harm to the individual (identity theft or breach of confidentiality) then the individual must also be informed. A procedure to detect, report and investigate data breaches should be in place. It is imperative that Data Breaches or possible Data Breaches are not ignored in the hope that no one will notice, they must be investigated and reported if appropriate to do so to Scouting Irelands Data Protection Officer within 48 hours. Advice on data protection queries can be obtained by emailing email@example.com. Further information on Reporting Data Breaches can be found here.
Note: All breaches or possible breaches must be reported to Scouting Ireland within 48 hours of identification. This is imperative as there is a 72-hour deadline for notification to the Data Protection Commissioner. This applies irrespective of any steps being taken to understand the causes of the breach.
Ensure Privacy by Design
GDPR seeks to ensure that all significant new processes, initiatives or projects are
Identify Data Protection Representatives
Every Scout Group should identify someone to coordinate their approach to meeting their Data Protection obligations. This will include identifying and recording the specific locations where data is held in each Scout Group, ensuring that consent is obtained in the appropriate manner and maintained accordingly. Scouting Ireland centrally has a Data Protection Officer who will provide expertise and guidance for any Data Protection queries that require additional/legal advice. Queries of this nature can be submitted to firstname.lastname@example.org