Data Protection, Confidentiality and Privacy Policy

INTRODUCTION

 

4th Gosport Scout Group (hence referred to as 4th Gosport) is committed to protecting the rights and privacy of individuals, including our staff, volunteers, members of the public and others. This Data Privacy Policy describes the categories of personal data 4th Gosport process and for what purposes.

We will ensure that we collect and use such data fairly and in accordance with the requirements of the General Data Protection Regulations (GDPR), the regulations set by the European Union, and Data Protection Act 2018 (DPA 2018), the UK law that encompasses the GDPR. This policy sets out how Hampshire Scouts will comply with these regulations.

4th Gosport is committed to fully complying with the Data Protection rules at all times. This means that every person (Leaders, Managers, Administrators, Honorary Officers and Trustees) involved in 4th Gosport must observe this policy.

​

Who Are We?

4th Gosport are a registered charity with the Charity Commission for England & Wales (charity number XXXXXX).
The Data Controller is [ DISTRICT / GROUP ]. The contact address is; [ ADDRESS FOR POSTAL CONTACT ]
We have appointed [ NAME AND ROLE ] as Data Protection Officer, who can be contacted at [ CONTACT DETAIL ]

HOW WE PROCESS DATA

The Legal Basis of our Data Processing
To achieve the purposes of the charity we process data for our legitimate interests. This includes processing for the purposes of:
• Administration of the Scouting Programme and Activities
• Governance
• Safety and Safeguarding
• Fundraising and Public /Community Relations

We will process data by holding paper and electronic records, using the facilities of our data processing partners and sending communications by paper and electronic means.

We process data for legal reasons. This includes for the purposes of:
• Maintaining safety and safeguarding records in compliance with the Scout Association’s Policy Organisation and Rules (POR)
• Employment purposes (If Applicable)

• Maintaining accounting records as required by HMRC and charity regulation

We process data by reason of data subjects’ consent. This includes for the purposes of:
• Providing information to members about the Scouting programme
• Providing communications relevant to governance, administration and fundraising
• Statistical reporting about inclusion relating to ethnicity and disability

 

Categories of Personal Data we process
Data will be processed about members’, adult helpers’ and employees’ Ethnicity, Health, Disability and Religious Belief to enable inclusion.

Information about criminal records will be processed to inform recruitment decisions but will not be kept. (Disclosure of all criminal convictions and cautions and the provision of an enhanced certificate from the Disclosure and Barring Service is required for all adults in relevant roles, this being in compliance with the relevant legislation about filtering and rehabilitation of offenders)

The personal data of members and adult helpers we process will include full name and contact details, date of birth and age, records of service, and training. Records of service will include roles and activities undertaken and role reviews. Relevant records will be kept for the management of Safety, Safeguarding and Personnel.

Financial information about bank accounts, payment of membership and activity fees, donations, payroll information, the processing of gift aid and the maintenance of records is processed as required by and in accordance with regulations.

Sharing of your Personal Data with Third Parties
4th Gosport works with partner data processors including but not limited to; The Scout Association (TSA), Online Scout Manager (OSM), Duke of Edinburgh Award Scheme, Google, Microsoft Sharepoint. 4th Gosport has determined that our partner organisations processing data on its behalf are compliant with GDPR as far as it can assess.

Subject to Data Protection regulations 4th Gosport will share personal data as relevant with the Scout Association to enable to provision of the Scout programme and activities, training opportunities, administration and promotion.

Your data may also be shared to comply with legal requirements when necessary or to others when we have your consent, or shared with medical services to protect your vital interests.

Your data will be processed by partner data processors including cloud-based services for the good administration of the Hampshire Scouts and achievement of its charitable purposes.

Personal data may be transferred outside the UK and European Economic Area (EEA) through the use of cloud computing systems. The use of these systems has been considered for their data security compliance; their use is approved by the board of trustees.

​

Safeguarding Partnership
4th Gosport is a member of the Scout Association (TSA) and complies with its Policy Organisation and Rules (POR). POR includes the safeguarding processes involving recruitment and safeguarding investigations. Personal information will be passed to TSA for their processes in safer recruitment and safeguarding. Information will be passed to the Police when there is a relevant concern.

Further processing
If we wish to use your personal data for a new purpose not already outlined to you or within this policy, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

 

DATA SUBJECT RIGHTS

Your Rights under Data Protection Regulation
People’s (Data Subjects) rights are as follows:
• To be informed about how personal data is processed: this Data Protection and Privacy Policy seeks to provide that information
• To have personal data corrected: 4th Gosport requests all members to notify any changes and will update information without delay.
• To object to processing: 4th Gosport will comply with all requests as far as possible, some records are maintained for the formal administration of the charity, for safety and for safeguarding purposes when retention of records will be required.
• To restrict processing: 4th Gosport will comply with all requests as far as possible,
• To have personal data erased: 4th Gosport will comply with all requests as far as possible.
• To request access: 4th Gosport will comply with current regulations
• To move, copy or transfer personal data: 4th Gosport will comply with requests as far as possible acknowledging that adult member records are included in TSA Portal. The transfer of young persons data in OSM may be possible.

 

Subject Access Requests
Any person, who is the subject of personal data held by 4th Gosport, may make a Subject Access Request by contacting the Data Protection Officer. The request will be processed in accordance with current regulations.

Questions about Data Protection or the use of Personal Data
Any questions or comments about data protection or this policy, notwithstanding personal rights above, should be addressed to the Data Protection Officer.

​

DATA MANAGEMENT PROCESSES
 

Data Breaches
Any loss of personal data, as described in the legislation, must be reported to the Data Protection Officer (DPO) including:
• Data being accessed by unauthorised person(s) either in 4th Gosport or externally
• Data or records being lost (or found)
• Systems failing their security including IT and hard copy files

The DPO will consider the seriousness of the data breach and if necessary, report the matter to the Information Commissioner’s Office (ICO). The record of every Data Breach and the actions taken will be recorded in the Data Privacy Breach log. 4th Gosport will cooperate with the ICO fully to respond to any matters.

The matter will be investigated and if possible, the root cause of the breach will be determined. Corrective action will be taken in accordance with the regulations.

If a breach is likely to result in a high risk to the rights and freedoms of individuals, those affected by the data breach will be informed as soon as is practicable so that they may take appropriate action. All breaches will be reported as a matter of routine to the Board of Trustees.

Retention of Records
Records will be retained for the good administration of 4th Gosport as follows:
• For Governance matters - indefinitely
• Attendance records for safeguarding purposes – indefinitely
• Financial records will be retained for six years.
• Employment records will be kept for six years after employment termination. Working time documents including annual leave, overtime and time off for other reasons will be retained for two years.
• Accident and Incident Reports will be retained for three years unless relating to a child in which case this will be retained until the subject reaches the age of 21.
• Membership, involvement, appointments and training records will be kept in compliance with the Scout Association’s policy.
• Notes and records from Safeguarding investigations will be sent to the Safeguarding Team at Scout HQ for retention and not kept locally
• Subject Access Request records and responses will be retained for one year after a response is issued by the 4th Gosport.

​

ADMINISTRATIVE PROCEDURES
 

Access to Data by 4th Gosport Personnel
All leaders, administrators and executive (personnel) with access to personal data will be trained in Data Protection. For most the Scout Association Online training will suffice.

Everyone with access to personal data must comply fully with this policy and must raise any concerns with their line manager or the DPO.

​

All personnel will only use the personal data of 4th Gosport for the achievement of the charitable purposes as set out above and not for any other reason. Personal data will only be accessed and processed as relevant to their role in 4th Gosport.

Personal data must not be shared outside of 4th Gosport by any personnel except in accordance with the specific conditions of this policy.

Personnel may process data on their home PC providing it is secure from possible unauthorised access. PCs must be protected by firewall and internet security. Data will only be placed on portable devices if the device allows password protection and encryption and is backed-up sufficiently.

When a PC or any other electronic device on which data is physically stored is disposed of the data on the hard drive must be properly and fully erased or destroyed, not just deleted.

Paper based files used at home must be kept secure. Files must only be transported when essential and when the data security risk has been considered and management steps put in
place.

Processing of Adult Members’ Personal records
The personal membership profile of each member is kept on TSA Portal. It is the responsibility of each member to ensure that they keep their own record up to date.

Creation of Directories
The compilation of any directory must have the approval of the [ DISTRICT COMMISSIONER / GROUP SCOUT LEADER ]. Directories must only contain the information that is specifically consented to be included. The request for consent must include information about access to or distribution of the directory. The directory must be kept up-to-date by a named person, and those persons contained within the directory have the right to have their data removed at their request.

Consent to Bulk Mailings
Bulk electronic mailings will be sent for notification of events, administration and governance. Anyone who wishes not to receive such mailings, providing it is not a duty, will be unsubscribed. All mailings will have an unsubscribe facility.

​

MANAGEMENT OF THIS POLICY
 

This policy is approved and owned by the Board of Trustees, with operational oversight of the measures set out above delegated to the Data Protection Officer.

Communication of this Policy
This policy is placed on the website and is available at www.4thgosportscoutgroup.com/privacypolicy
 

Review of this Policy
This policy will be reviewed periodically as any changes in regulations or best practice occur; this will be at least every 3 years.

Approval of this Policy
This policy was approved by [ DETAILS ]