What is GDPR and why do we need it?
As technology develops and our private data is being used and shared in countless new ways, people are understandably becoming increasingly worried about security.
There are two key reasons why GDPR is being introduced – to bring all EU member states under one common regulation, and to update regulations to reflect our new digital age.
Different countries in the EU follow different rules and regulations when it comes to data sharing and privacy, which can get quite confusing when data is being shared between people and companies in different countries. GDPR will be enforced across all 28 EU member states, meaning everyone is following the same rules!
In the UK, companies and charities used to follow the 1998 Data Protection Act to ensure the safety of people’s data. But technology and data sharing have developed a lot since 1998. This means that the current regulation may not be entirely suitable for the needs of consumers and the types of technology we’re seeing today. GDPR will replace the Data Protection Act to better protect our data from breaches and hacks. GDPR came into effect on 25th May 2018.
What data does it protect?
When people talk about technology and digital developments, there’s always a focus on data. But what data do they mean? GDPR aims to protect any personal data a company or charity holds about individuals – including their name, address, email address, images, social networking accounts, IP address or medical history.
It may also cover more sensitive data such as their sexual orientation, genetics, political views or any trade union memberships.
How will it affect UK businesses and charities?
Essentially, GDPR will affect everyone in all 28 EU member states, from businesses and charities big and small, to customers and consumers.
When it comes to implementing GDPR, the biggest changes will be seen by businesses rather than consumers – since they’re the ones who will have to adjust the way they handle data to align with the new legislation.
There are hefty penalties for those who don’t comply, including a fine of up to €20 million or 4% of the company’s total profit. Any data breach also needs to be reported to the relevant authorities within 72 hours, and if there’s a risk involved to the data subject (i.e. the people the data concerns) they’ll have to inform their customers too.
How will GDPR affect you?
While businesses and charities will have to make changes to their data policies in preparation for the new regulations, consumers don’t have to do anything in particular to prepare.
That said, individual consumers will probably still notice some changes. You’ll probably find that when you buy products online or sign up to newsletters, there will be more obvious checkboxes relating to how the company can use your data – for example to send you emails, or share data with a third party.
However, GDPR also gives individuals a number of ‘rights’ when it comes to their data, including:
The right to be informed – you have a right to know how your data will be used by a company.
The right to access your personal data – you can ask any company to share with you the data they have about you!
The right to rectification – this just means you can update your data if it’s inaccurate or if something is missing.
The right to erasure – this means that you have the right to request that a company deletes any personal data they have about you. There are some exceptions, for example, some information can be held by employers and ex-employers for legal reasons.
The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure a company is complying with the rules, you can restrict any further use of your data until the problem is resolved.
The right to data portability – this means that if you ask, companies will have to share your data with you in a way that can be read digitally – such as a pdf. This makes it easier to share information with other companies, such as your bank details when applying for a loan.
The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.
Rights in relation to automated decision making and profiling – this protects you in cases where decisions are being made about you based entirely on automated processes rather than human input.
Whether or not you exercise your new rights is up to you – the main thing to remember is that they’re there if you need them.
Fair Processing Notice
Our Fair Processing Notice describes the categories of personal data we process and for what purposes. We are committed to collecting and using such data fairly and in accordance with the requirements of the General Data Protection Regulations (GDPR).
Who we are
13th Wimbledon Scout Group and SSESU is a member of The Scout Association which is incorporated by Royal Charter. We are not required to be registered with the UK Charity Commission as we are classed as a sub branch in the Royal Charter. See http://scouts.org.uk for more information.
Every year in April/May/June we hold an annual general meeting where members of the charity executive are elected. Any parent or youth member can choose to stand for election on the Group Executive at the AGM, and every parent has the right to attend the Annual General Meeting, no matter. We are based at St Saviours Church, Grand Drive, LONDON, SW20 9DG.
You have the right to object to how we process your personal information. You also have the right to know what information we hold on you or your children and to request that it be corrected or sometimes deleted, and to restrict the personal information we use. In addition, you have a right to complain to us and to the data protection regulator.
Please contact a leader or the Group Scout Leader for more information, in the first instance.
How we gather personal information
The majority of the personal information we hold on you is provided to us directly by yourself or by parents / legal guardian in either paper form or via our online membership systems. In the case of an adult member, data may also be provided by third party reference agencies, such as the Disclosure and Barring Service (DBS).
Where a member is under the age of 13, this information will only be obtained from a parent / guardian and cannot be provided by the young person. However, we will accept, and potentially record, any personal information, such as about any ongoing medical treatment, from any member no matter their age.
How we use your personal information
We collect your personal and medical information for the protection and identification of that person whilst in the care of the Scout Group.
The collection of a person’s religion data is necessary to respect their beliefs with regards to activities, food and holidays.
We process the data to have the ability to contact the member, parents and guardians, to inform them of meetings and events that the Group itself may be running or attending.
Our legal basis for using your personal information
We only use personal information where that is permitted by the laws that protect individuals’ privacy rights. We only use personal information where:
- a) We need to use the information to comply with our legal obligations.
- b) We need to use the information legitimately to contact individuals, regarding meetings, events, collection of membership fees etc, i.e. for the day to day running of the Group.
- c) It is fair to use the personal information in your interests, where there is no disadvantage to you – this can include where it is in our interests to contact you about products or services within scouting.
Sharing and transferring personal Information
We will only normally share personal information with relevant section leaders, assistant section leaders, Executive Committee members and other members of the Group, such as occasional helpers or section assistants, who have been asked to perform a particular task for the effective operation of a scout section or the Group.
We will, however, share personal information with others outside 13th Wimbledon and SSESU where we (or an affiliate processing your data on our behalf) are required to do so by law, obligation, regulation or legal proceedings. This may include organisers of events and camps the member is attending, such as Wimbledon and Wandle District Scouts, Greater London South West County Scouts etc., so they may fulfil any legal obligations, although generally such an event will have its own data collection form which will be securely held and disposed of after the event.
We may also share personal detail with The Scout Association and its insurance subsidiary “Unity”, along with any other insurance company or insurance agent 13th Wimbledon and SSESU has contracted to provide services.
We would also share details in response to a valid, legally compliant request by a relevant public authority or law enforcement agency. We would also share details during an emergency when we believe physical safety is at risk if not sharing the details would cause harm or distress. In all cases we will only share personal information to the extent needed for those purposes.
If an individual moves from 13th Wimbledon or SSESU to another scout group or explorer unit, we will transfer their personal information to them.
We will never sell personal information to any third party for the purposes of marketing.
Sometimes we may nominate a member for a national award (such as a Scouting or Duke of Edinburgh award). Nominations for such awards would require that we provide contact details to that organisation.
Third Party Data Processors
13th Wimbledon and SSESU employs the services of the following third-party data processors:
The Scout Association via its membership system “Compass” which is used to record the personal information of leaders, adults and parents who have undergone a Disclosure and Barring Service (DBS) check.
Unity Insurance (The Scout Association Insurance company)
Online Youth Manager Ltd (Online Scout Manager), which is used to record the personal information, badge records, event and attendance records etc. We have a data processing agreement in place with Online Youth Manager; more information is available at https://www.onlinescoutmanager.co.uk/security.php
Dropbox Inc, occasionally used for secure transfer of limited personal information for events.
Google, occasionally used for secure transfer of limited personal information for events.
How long we keep your personal information for
We will retain your personal information throughout the time you are a member of 13th Wimbledon Scout Group and SSESU.
We will retain your full personal information for a period of at least six months after you have left 13th Wimbledon Scout Group and SSESU, and more limited information for a period of up to 15 years (until age 21) to fulfil our legal obligations for insurance and legal claims.
We will also keep any Gift Aid Claim information for the statutory 7 years as required by HMRC (which may be beyond age 21).
Automated decision making
13th Wimbledon and SSESU does not have any automated decision-making systems.
Transfers outside the UK
13th Wimbledon and SSESU will not transfer your personal information outside of the UK, with the exception where an Event is taking place outside of the UK and it is necessary to provide personal information to comply with our legal obligations, although generally such an event will have its own data collection form which will be securely held and disposed of after the event.
13th Wimbledon and SSESU is committed to the protection of your personal information.
We generally store personal information in one of two secure digital online database systems, where access to that data is restricted and controlled.
Compass is the online membership system of The Scout Association. This system is used for the collection and storage of Adult personal data.
Online Scout Manager is an online membership system run by Online Youth Manager Ltd. This is a secure membership database where we store the personal information of Adults and Youth members for the day to day running of the group.
Printed records and Event data
Paper is still used within 13th Wimbledon and SSESU to capture and retain some data, for example the following:
- New joiners form.
- New joiners waiting lists.
- Health and contact records update forms.
- Gift Aid Collection forms.
- Events consent from parents.
- Events coordination with event organisers.
- Award notifications/nominations
In the case of Joining forms, health and contact update forms, this information is securely held by the leader or waiting list manager, and transferred to our secure digital systems as soon as possible.
As a member of 13th Wimbledon and SSESU it is hoped you will take up the opportunity to attend events and camps. Where it is necessary to fulfil our legal obligations, we will potentially be required to use a less secure means to access personal information, such as printouts of personal contacts and medical information (including specific event contact forms), rather than relying on secure digital systems, as often the events are held where internet and digital access will not be available. We will minimise the use of paper to only what is required for the event/camp.
We will ensure
- a) Transfer of paper is secure, such as physical hand to hand transfer or registered post.
- b) Paper forms are securely destroyed after use.
- c) Always keeping the paper records secure, especially when in transit, by using:
- i. A lockable brief case.
- ii. A lockable filing cabinet if long term stored.
- d) Anything stored away from the aforementioned online methods but on computers will be password protected
Sometimes we may nominate a member for a national award (such as Queens Scout or Duke of Edinburgh award). Such nominations would require that we provide contact details to the awarding organisation; this is most often done on paper via registered post.
The law on image use and GDPR needs further clarification. The position of 13th Wimbledon and SSESU is as follows:
Photographs / images (which can be classed as personal information) of yourself or your son/daughter may be taken during activities and be used within a Scouting context and publicity material for example Scouting publications and the media. Images may be published to official Scout websites and scouting affiliated social media and our public display boards in the church (but will never identify individuals in line with Scout Association guidelines).
We cannot ask for explicit consent “Yes/No”, as consent presumes that it can be revoked, as is your right to do so under the GDPR regulations.
If we publish a photograph or image in any public forum, we no longer have control over that photograph, as it can be downloaded, screenshotted, re-photographed and shared by others, and stored in systems not related to or controlled by 13th Wimbledon Scout Group and SSESU. Nevertheless we will be responsive to anyone who requests that pictures of their children should not be used in any forum likely to go beyond the Group.
Under GDPR consent is invalid if people cannot easily withdraw consent, which would be the case with publishing to any publicly accessible system. Therefore, if you do not wish your son/daughter to appear in these then please confirm, in writing, to the Group Scout Leader or Explorer Scout Leader (where applicable), and we will not publish any photographs of you or your child on a public forum such as social media from that point forward. We will be unable to confirm full removal of images and photographs from the historical record online or otherwise stored.
Please note that the Group cannot control or stop images being taken by other individuals, parents or organisations not connected with the 13th Wimbledon Scout Group and SSESU leadership team.
13th Wimbledon and SSESU may store an image of you or your child on the Online Scout Manager (OSM) membership database for the purposes of identification, alongside and linked to the personal information. Access to this image is limited to the leaders and authorised users of OSM as is the rest of the personal information.