Data Privacy Notice v1.0
Data Privacy Notice: 9th Maidenhead (URC) Group
Our Privacy Notice describes the categories of personal data we process and for what purposes. We are committed to collecting and using such data fairly and in accordance with the requirements of the UK Data Protection Bill (2018).
Who are we?
Our Scout Group, 9th Maidenhead (URC) Scout Group (later referred to as the Scout Group) is a youth charity. Our mission is to actively engage and support young people in their personal development, empowering them to make a positive contribution to society.
We hold an annual general meeting (AGM) every year in July. This is where members of the Group Executive committee, our trustees, are elected (we tend to call this committee the Parent Support Group or PSG). Any parent, guardian or carer of a youth member can volunteer to be on the executive committee at the AGM and every parent, guardian or carer has the right to attend the Annual General Meeting.
We are based at the United Reformed Church (URC), West Street, Maidenhead, Sl6 1RL. The Scout hut is at Holmanleaze, Maidenhead, SL6 8AW.
Our Group Executive Committee is the data controller for the information we collect from you. Any personal data that we collect will only be in relation to the work we do with our members (both adult and youth) and through our relationship with supporters, donors and funders.
To exercise all relevant rights, queries or complaints please contact:
John Holton (Group Scout Leader): [email protected]
You can contact the Information Commissioners Office (ICO) on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data, the data subject. Identification can be by the information alone or in conjunction with any other information in our Scout Group’s (the data controller) possession or likely to come into its possession. The processing of personal data is governed by the EU General Data Protection Regulations (GDPR)/UK Data Protection Bill (2018).
How we gather personal data
The personal data we hold is provided to us directly by adult members or by parents, guardians or carers via paper forms or email.
In the case of an adult member data may also be provided by third party reference agencies, such as the Disclosure and Barring Service (DBS).
Where a member is under the age of 18 (a youth member) this information will only be obtained from a parent, guardian or carer and cannot be provided by the young person.
How do we process your personal data?
We comply with our obligations under the GDPR by:
keeping personal data up to date
storing it securely to protect it from loss, misuse, unauthorised access and disclosure
destroying it when we no longer need it
not collecting or retaining data we do not need
ensuring that appropriate measures are in place to protect personal data held electronically and on paper.
We process the data to contact the member, parent, guardian or carer, to inform them of meetings, activities and events that the Group may be running or attending.
We use personal data for the following purposes:
we collect personal and medical information for the protection of that person whilst in the care of the Scout Group
to enable us to provide a voluntary service for the benefit of the public to administer membership records
to fundraise and promote the interests of the Scout Group
to manage our volunteers
to maintain our own accounts and records (including the processing of gift aid applications)
to inform members of news, events, activities and services running at the Scout Group and the United Reformed Church (who are our sponsors)
What is the legal basis for processing your, your child’s or children’s personal data?
We use personal data where:
we need to use the information to keep in contact with you regarding meetings, events, collection of membership fees etc., – in other words, for the day to day running of the Scout Group
processing is in our (or your) legitimate interests and is necessary as part of a Not-For-Profit organisation (for example, information to keep in contact with you regarding meetings, events, collection of membership fees etc.) Article 6(1)(f) & Article 9(2)(d)
we need to use the information to comply with our legal obligations (for example, in relation to DBS checks for adult members etc.) Article 6(1)(c)
the processing is necessary to protect the vital interests of an individual where the data subject is physically or legally incapable of giving consent (for example, allergy or health information during activities, camping etc.) Articles 6(1)(d) & 9(2)(c)
How we store personal data
We are committed to the protection of your personal data. Where we store personal data on a PC or laptop we will encrypt the data. If we need to transport your data we will use encrypted data drives, encrypted USB sticks or similar encrypted devices. We may also store personal data in secure digital online database systems, where access to that data is restricted and controlled. We also use other systems which are discussed below.
The online membership system of The Scout Association, this system is used for the collection and storage of adult personal data. This includes sensitive personal data.
Online Scout Manager
An online membership system run by Online Youth Manager Ltd, this is a secure membership database where we store the personal data of adults and youth members for the day to day running of the group. This includes sensitive personal data.
Google Cloud Drive
For some events personal data will be put onto spreadsheets and stored in Google Cloud Drive.
Paper is still used within the sections to capture and retain some data in, for example:
new joiners forms
new joiners waiting lists
gift aid collection forms
ID checking form (for DBS processing)
events consent from parent, guardian or carer
events coordination with event organisers
events contact lists
near miss forms.
In the case of Joining forms, information is securely held by the leader, or waiting list manager, and transferred to our secure digital systems as soon as possible before the paper form is destroyed.
Gift Aid collection forms will be securely held by the Group’s Gift Aid co-ordinator to aid in the collection of
Gift Aid for termly membership fees. We have a legal obligation to retain this information for 7 years after our last claim.
Attendance registers are held securely by the Group Scout Leader for 7 years in accordance with HMRC requirements.
Accident report forms are held securely by the Group Scout Leader until the member reaches the age of 21 years.
As a member of 9th Maidenhead (URC) Scout Group it is hoped all members will take up the opportunity to attend events and camps. Where it is necessary to fulfil our legal obligations, we will be required to potentially have a less secure means to access personal data, such as printouts of personal contacts and medical information (including specific event contact forms), rather than relying on secure digital systems, as often the events are held where internet and digital access may not be available or where we may not be able to keep electronic devices charged. We will minimise the use of paper to only what is required for the event/camp. We will ensure:
Transfer of paper is secure, such as physical hand to hand transfer or registered post
Paper forms are securely destroyed after use
Secure destruction will be through a shredding machine
Always keeping the paper records secure;
when in transit
if stored on a long-term basis, in a secure location
Sharing and transferring personal data
We will only normally share personal data within our Scout Group between leaders and executive members as the need arises.
We may share your personal data with others outside our Scout Group where we need to meet or enforce a legal obligation. We will only share your personal data to the extent needed for those purposes.
If you move from the 9th Maidenhead (URC) Scout Group, to another Scout Group or Explorer Scout Unit, we will transfer your personal data to them with your consent.
We will never sell your personal data to any third party for any purpose.
Your personal data will be treated as strictly confidential. We will only share your data with third parties outside of the organisation where there is a legitimate reason to do so. We will take steps to anonymise the data we provide (i.e. collective reporting on gender, ethnicity, age, etc.). If identifiable data is to be shared, we will seek your consent.
Third Party Data Processors
9th Maidenhead (URC) Scout Group, employs the services of the following third-party data processors:
The Scout Association via its adult membership system “Compass” which is used to record the personal data of leaders, adults and parents, guardians or carers who have undergone a Disclosure and Barring Service (DBS) check.
Online Youth Manager Ltd (Online Scout Manager) which is used to record the personal data, badge records, event and attendance records etc. We have a data processing agreement in place with Online Youth Manager, more information is available at https://www.onlinescoutmanager.co.uk/security.html
Dropbox inc. occasionally used for secure transfer of limited personal data for events.
GSuite (Google Inc.) used to store contract details of adult members of the Group, send and receive emails, share calendars for public and internal events, share files internally and store data.
CAF Bank for processing receipt of subscriptions or fees and payment of out of pocket expenses to leaders/members.
HMRC for processing Gift Aid claims.
WIX hosts the website, limited personal data is shared. Contact forms may also contain limited personal data and these are held securely on the site until transferred.
Automated decision making
9th Maidenhead (URC) Scout Group uses the following processes and tools:
WIX for the sending of reminder emails and the tracking of responses
Transfers outside the UK
The 9th Maidenhead (URC) Scout Group will not transfer your personal data outside of the UK. The only exception is where an event is taking place outside of the UK and it is necessary to provide personal data to comply with our legal obligations, although generally such an event will have its own data collection form which will be securely held and disposed of after the event.
How do we protect personal data?
We take appropriate measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for as long as necessary for the purpose for which it was collected.
How long do we keep your personal data?
We will retain your personal data, throughout the time individuals are an adult or youth member of the 9th Maidenhead (URC) Scout Group.
For youth members to fulfil our legal obligations, and for insurance and legal claims, we will retain:
full personal data for a period of up to one year after members have left the Scout Group
limited information (just name, and attendance records) for a period of up to 15 years (or until the age 21)
Accident records until the youth member reaches the age of 21
The Scout Association may retain personal data relating to Adults indefinitely.
For parents, carers and guardians, we will keep any Gift Aid Claim information for 7 years, as required by HMRC.
Your rights and your personal data
Adult members and the parents, carers or guardians of youth members have the right to object to how we process their personal data. Adult members also have the right to access, correct, sometimes delete and restrict the personal data we use. In addition, they have a right to complain to us and to the data protection regulator.
Unless subject to an exemption under the GDPR, adult members have the following rights with respect to their personal data:
The right to be informed – right to know how your data will be used by our Scout Group
The right to access – members can ask the Group to share the data held related to them
The right to rectification – this just means that members can update their data if it’s inaccurate or if something is missing.
The right to erasure (the right to be forgotten) – this means that adult members have the right to request that we delete any ersonal data held related to them. There are some exceptions, for example, some information can be retained for legal reasons
The right to restrict processing – if adult members think there’s something wrong with the data being held about them, or they aren’t sure if we are complying with the rules, they can restrict any further use of that data until the problem is resolved
The right to data portability – this means that if an adult member asks us we will have to share their data with them in a way that can be read digitally. This makes it easier to share information with others
The right to object – adult members can object to the ways their data is being used.
In the first instance, please contact John Holton (Group Scout Leader) for more information – contact details above.
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
We will notify our users of any breach of data via email within 72 hours of identifying the breach.
Reviewed: 30th November 2018.