GDPR Policy

What is GDPR and why do we need it?

As technology develops and our private data is being used and shared in countless new ways, people are understandably becoming increasingly worried about security.

There are two key reasons why the General Data Protection Regulation (GDPR) is being introduced – to bring all EU member states under one common regulation, and to update regulations to reflect our new digital age.

Different countries in the EU follow different rules and regulations when it comes to data, sharing and privacy, which can get quite confusing when data is being shared between people and companies in different countries. GDPR will be enforced across all 28 EU member states, meaning everyone is following the same rules.

In the UK, companies and charities are still following the 1998 Data Protection Act to ensure the safety of people’s data. But technology and data sharing have developed a lot since 1998. This means that the current regulation may not be entirely suitable for the needs of consumers and the types of technology we’re seeing today. GDPR will replace the Data Protection Act to better protect our data from breaches and hacks.

What data does it protect?

When people talk about technology and digital developments, there’s always a focus on data. But what data do they mean?  GDPR aims to protect any personal data a company or charity holds about you – including your name, address, email address, images, social networking accounts, IP address or medical history.

It will also cover more sensitive data such as your sexual orientation, your genetics, your political views or any trade union memberships.

How will it affect UK businesses and charities?

Essentially, GDPR will affect everyone in all 28 EU member states, from businesses and charities big and small, to customers and consumers.

When it comes to implementing GDPR, the biggest changes will be seen by businesses rather than consumers – since they’re the ones who will have to adjust the way they handle data to align with the new legislation.

There are hefty penalties for those who don’t comply, including a fine of up to €20 million or 4% of the company’s total global profit. Any data breach also needs to be reported to the relevant authorities within 72 hours, and if there’s a risk involved to the data subject (i.e. the people the data concerns) they’ll have to inform their customers too.

How will GDPR affect me?

While businesses and charities will have to make changes to their data policies in preparation for the new regulations, consumers don’t have to do anything in particular to prepare.

That said, individual consumers will probably still notice some changes. You’ll probably find that when you buy products online or sign up to newsletters, there will be more obvious checkboxes relating to how the company can use your data – for example to send you emails, or share data with a third party.

However, GDPR also gives you a number of ‘rights’ when it comes to your data, including:

The right to be informed – you have a right to know how your data will be used by a company.

The right to access your personal data – you can ask any company to share with you the data they have about you.

The right to rectification – this just means you can update your data if it’s inaccurate or if something is missing.

The right to erasure – this means that you have the right to request that a company deletes any personal data they have about you. There are some exceptions, for example, some information can be held by employers and ex-employers for legal reasons.

The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure a company is complying with the rules, you can restrict any further use of your data until the problem is resolved.

The right to data portability – this means that if you ask, companies will have to share your data with you in a way that can be read digitally – such as a PDF. This makes it easier to share information with other companies, such as your bank details when applying for a loan.

The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.

Rights in relation to automated decision making and profiling – this protects you in cases where decisions are being made about you based entirely on automated processes rather than human input.

Whether or not you exercise your new rights is up to you; the main thing to remember is that they’re there if you need them.

Fair Processing Notice

Our Fair Processing Notice describes the categories of personal data we process and for what purposes.

We are committed to collecting and using such data fairly and in accordance with the requirements of the General Data Protection Regulation (GDPR).

Who we are

Ashby Hastings Scout Group (AHSG) is a youth charity (registered charity number 521718) and we are regulated as a member of the UK Scout Association. See http://scouts.org.uk for more information.

We hold an Annual General Meeting each July where members of the charity executive are elected. Any parent of a youth member can decide to be in the executive at the AGM, and every parent has the right to attend the Annual General Meeting.

We are based at the Ashby Scout Hut, Wilfred Gardens, Ashby de la Zouch, LE65 2GX, also referred to as BP/Shell Scout Centre.

Your rights

You have the right to object to how we process your personal information. You also have the right to access, correct, sometimes delete and restrict the personal information we use. In addition, you have a right to complain to us and to the data protection regulator (the Information Commissioner’s Office).

Please contact a leader or the Group Scout Leader for more information in the first instance.

You can view and edit your personal information directly on our online membership systems Online Scout Manager (for young people, parents and leaders) and Compass (for leaders and other adult volunteers with a Scout-issued DBS).

Whose personal information we process

We process information about our youth members (Beavers, Cubs, Scouts and Young Leaders), our adult members (Leaders), parents and legal guardians of our youth members, emergency contacts for our adult members, and people who provide services to us (building maintenance, events, fundraising etc).

How we gather personal information

The majority of the personal information we hold about you is provided to us directly by you or by parents/legal guardians of young people in either paper form, email/SMS text message or via our online membership systems. In the case of an adult member, data may also be provided by third party reference agencies such as the Disclosure and Barring Service (DBS).

How we use your personal information

We collect personal and medical information for the protection of the individual whilst a member of Ashby Hastings Scout Group.

The collection of data about members’ religious and spiritual beliefs is necessary to respect their beliefs with regards to activities, food and holidays.

We process the personal data of parents/legal guardians to ensure we can contact them to facilitate their child’s membership of AHSG and to communicate in case of emergency or for administration of the group.

We process special category data of young people, their parents/legal guardians and adult volunteers for the purpose of safeguarding to ensure that we have DBS checks in place for adults who will be volunteering at AHSG events and camps.

Our legal basis for using your personal information

We only use your personal information where that is permitted by the laws that protect your privacy rights. We only use personal information where:

a) We need to use the information to comply with our legal obligations (for instance, the performance of a contract, meeting our safeguarding obligations).

b) We need to use the information to contact you, regarding meetings, events, collection of membership fees etc, i.e. for the day to day running of the group.

c) We need to use the information to protect your health and safety whilst participating in AHSG activities.

Sharing and transferring personal information

We will only share your personal information with others outside Ashby Hastings Scout Group where we (or an affiliate processing your data on our behalf) are required to do so by law, obligation, regulation or legal proceedings. This may include, but is not restricted to, organisers of events and camps the member is attending, Ashby and Coalville District Scouts, Leicestershire County Scouts, The Scout Association and its insurance subsidiary “Unity”, local authority services and law enforcement. When we do need to share data, we will only share the information to the extent it is necessary.

If you move from Ashby Hastings Scout Group to another Scout Group or Explorer Group we will transfer your personal information to them.

To participate in some events it may be necessary to share your information with the third party organisers of the event or activity.  This may include health information.

We will never sell your personal information to any third party.

Sometimes we may nominate a member for a district, county or national award, (such as a Scouting or Duke of Edinburgh award).  Such nominations would require the disclosure of data about the individual nominee.

Third Party Data Processors

Ashby Hastings Scout Group uses the services of the following third-party data processors:

• The Scout Association via its membership system “Compass” which is used to record the personal information of leaders, adults and parents who have undergone a DBS check.

• Online Youth Manager Ltd (Online Scout Manager), which is used to record personal information including special category data, badge records, event and attendance records etc. We have a data processing agreement in place with Online Youth Manager; more information is available at https://www.onlinescoutmanager.co.uk/security.php

• We use Xero to manage our accounts and store details of financial transactions.

• Dropbox may be used occasionally for secure transfer of limited personal information for events.

• We plan to migrate to using G Suite (Google Drive) to hold AHSG records and leader emails.  In the meantime, individual Leaders use a variety of email providers and may store limited personal information on personal computers.  Leaders may also hold phone numbers and email addresses pertinent to their role on their personal mobile phones.

How long we keep your personal information for

We will retain your personal information throughout the time you are a member or volunteer with Ashby Hastings Scout Group.

We will retain your full personal information for a period of six months after you or your child has left AHSG, and in a much more limited form (just name, badge and attendance records, or volunteering records) for a period of up to 15 years to fulfil our legal obligations, for insurance and legal claims.

We will also keep any Gift Aid Claim information for the statutory 7 years as required by HMRC.  Gift Aid information is stored on OSM and within our accounts.

Automated decision making

AHSG does not have any automated decision-making systems.

Transfers outside the UK

AHSG will not transfer your personal information outside of the European Economic Area (EEA), except where an event is taking place outside of the EEA and it is necessary to provide personal information to comply with our legal obligations, although generally such an event will have its own data collection form which will be securely held and disposed of after the event.

Data Storage

Ashby Hastings Scout Group is committed to the protection of your personal information.

We generally store personal information in one of two secure digital online database systems, where access to that data is restricted and controlled.

Compass is the online membership system of The Scout Association; this system is used for the collection and storage of Adult personal data.

Online Scout Manager is an online membership system run by Online Youth Manager Ltd; this is a secure membership database where we store the personal information of Adults and Youth members for the day to day running of the group.

Printed records and Event data

Paper is still used by AHSG occasionally, notably health forms which must be taken to events in hard copy but are securely destroyed immediately after the event.

In the case of Joining forms, DBS applications, and health forms, this information is securely held by the appropriate leader and transferred to our secure digital systems as soon as possible before the paper form is destroyed.

If you have any questions about this statement, or any concerns about how we process your personal data, please contact your Section Leader or the Group Scout Leader.