22nd May 2018

Data Privacy Notice

Data Privacy Notice: Dringhouses (PC) Scout Group

Version | Author/Editor | Release Date
1.0 | David Thorne | 19th May 2018

Our Privacy and Fair Processing Notice describes the categories of personal data we process and for what purposes. We are committed to collecting and using such data fairly and in accordance with the requirements of the General Data Protection Regulation (GDPR).

Who are we?

Our Scout Group, Dringhouses (PC) Scout Group, is a youth charity. Our mission is to actively engage and support young people in their personal development, empowering them to make a positive contribution to society. We are incorporated by royal charter and are regulated as a member of The Scout Association in the UK (see www.scouts.org.uk for more information). We are also registered with the Charity Commission (registration number 1064151).

We hold an annual general meeting (AGM) every year in July.  This is where members of the charity executive committee (our trustees) are elected.  Any parent, guardian or carer of a youth member can volunteer to be on the executive committee at the AGM and every parent, guardian or carer has the right to attend the Annual General Meeting.

We are based at The Scout Hut, St Edward the Confessor Church, Tadcaster Road, YORK, YO24 1QG.

Our Group Executive Committee is the data controller for the information we collect from you. Any personal data that we collect will only be in relation to the work we do with our members (both adult and youth) and through our relationship with supporters, donors and funders.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data, the data subject. Identification can be by the information alone or in conjunction with any other information in the possession of our Scout Group (the data controller), or likely to come into its possession. The processing of personal data is governed by the General Data Protection Regulation (the GDPR).

How we gather personal data

The majority of the personal data we hold is provided to us directly by adult members or by parents, guardians or carers via our online membership systems.

In the case of an adult member, data may also be provided by third party reference agencies, such as the Disclosure and Barring Service (DBS).

Where a member is under the age of 18 (a youth member), this information will only be obtained from a parent, guardian or carer and cannot be provided by the young person.

How do we process your personal data?

We comply with our obligations under the GDPR by:

  • keeping personal data up to date
  • storing it securely to protect it from loss, misuse, unauthorised access and disclosure
  • destroying it when we no longer need it
  • not collecting or retaining data we do not need
  • ensuring that appropriate technical measures are in place to protect personal data held electronically and on paper.

We process the data to contact the member, parent, guardian or carer, to inform them of meetings, activities and events that the Group may be running or attending.

We use personal data for the following purposes:

  • we collect personal and medical information for the protection of that person whilst in the care of the Scout Group
  • to enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution
  • to administer membership records
  • to fundraise and promote the interests of the Scout Group
  • to manage our volunteers
  • to maintain our own accounts and records (including the processing of gift aid applications)
  • to inform members of news, events, activities and services running at Dringhouses (PC) Scout Group, within the Scouting District of York Ebor and occasionally York Minster and within the Scout County of North Yorkshire.

What is the legal basis for processing your/your child(ren)’s personal data?

We only use personal data where:

  • we need to use the information to comply with our legal obligations (for example, in relation to DBS checks for adult members)
  • we need to use the information to contact you regarding meetings, events, collection of membership fees etc. – in other words, for the day-to-day running of the group
  • it is fair to use the personal data in your interests, where there is no disadvantage to you – this can include where it is in our interests to contact you about products or services within scouting
  • the processing is necessary for the person’s legitimate interests or the legitimate interests of our Scout Group unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

How we store personal data

We are committed to the protection of your personal data. We generally store personal data in one of two secure digital online database systems, where access to that data is restricted and controlled. We also use a number of other systems which are discussed below.

Compass

The online membership system of The Scout Association. This system is used for the collection and storage of adult personal data. This includes sensitive personal data.

Online Scout Manager

An online membership system run by Online Youth Manager Ltd. This is a secure membership database where we store the personal data of adults and youth members for the day-to-day running of the group. This includes sensitive personal data.

Google Cloud Drive

For some events, personal data will be stored in spreadsheets held in the Google Cloud Drive.

Printed records

Paper is still used within the sections to capture and retain some data, for example the following:

  • attendance registers
  • new joiners form
  • new joiners waiting lists
  • gift aid collection forms
  • ID checking form (for DBS processing)
  • events consent from parent, guardian or carer
  • events coordination with event organisers
  • events contact lists
  • award notifications/nominations
  • accident/bump on the head forms
  • near miss forms.

In the case of joining forms, the information is securely held by the leader, or waiting list manager, and transferred to our secure digital systems as soon as possible before the paper form is destroyed.

Gift Aid collection forms will be securely held by the Group’s Treasurer to aid in the collection of Gift Aid for monthly membership fees.  We have a legal obligation to retain this information for 7 years after our last claim.

Accident report forms and attendance registers are held securely by the Group Scout Leader for 21 years, or possibly indefinitely in the case of a more serious incident.

Events

It is hoped that all members of Dringhouses (PC) Scout Group will take up the opportunity to attend events and camps. Where it is necessary to fulfil our legal obligations, we may need to use a less secure means of accessing personal data, such as printouts of personal contacts and medical information (including specific event contact forms), rather than relying on secure digital systems, as events are often held where internet and digital access may not be available or where we may not be able to keep electronic devices charged. We will minimise the use of paper to only what is required for the event/camp. We will ensure:

  • Transfer of paper is secure, such as physical hand to hand transfer or registered post.
  • Paper forms are securely destroyed after use.
  • Secure destruction will be through a shredding machine or securely burned.
  • Paper records are always kept secure:
    • when in transit, by using a lockable brief case
    • if stored on a long term basis, in a lockable filing cabinet
  • If paper records are transferred from one leader to another, we will audit that they are returned when the event is complete.

Awards

Sometimes we may nominate a member for a national award such as the Queen’s Scout or Duke of Edinburgh award. To make such nominations we are required to provide contact details to the awarding organisation – this is most often done on paper via registered post.

Sharing and transferring personal data

We will only normally share personal data within our Scout Group between leaders and executive members as the need arises.

We will share your personal data with others outside our Scout Group where we need to meet or enforce a legal obligation. This may include York Ebor District, North Yorkshire Scout County, The Scout Association and its insurance subsidiary “Unity”, other insurance providers, local authority services and law enforcement. We will only share your personal data to the extent needed for those purposes.

If you move from Dringhouses (PC) Scout Group to another Scout Group or Explorer Scout Unit, we will transfer your personal data to them.

We will never sell your personal data to any third party for the purposes of marketing.

Your personal data will be treated as strictly confidential.  We will only share your data with third parties outside of the organisation where there is a legitimate reason to do so. We will take steps to anonymise the data we provide (i.e. collective reporting on gender, ethnicity, age, etc.).  If identifiable data is to be shared we will seek your consent.

Third Party Data Processors

Dringhouses (PC) Scout Group employs the services of the following third-party data processors:

The Scout Association via its adult membership system “Compass” which is used to record the personal data of leaders, adults and parents, guardians or carers who have undergone a Disclosure and Barring Service (DBS) check.

Online Youth Manager Ltd (Online Scout Manager), which is used to record personal data, badge records, event and attendance records etc. We have a data processing agreement in place with Online Youth Manager; more information is available at https://www.onlinescoutmanager.co.uk/security.html

Dropbox Inc., occasionally used for secure transfer of limited personal data for events.

GSuite (Google Inc.), used to store contract details of adult members of the Group, send and receive emails, share calendars for public and internal events, share files internally and store data.

Microsoft OneDrive, occasionally used for secure transfer of limited personal data for events.

GoCardless (Payment Processor) for processing direct debit payments for subs and events.

HSBC bank for processing receipt of subscriptions or fees and payment of out-of-pocket expenses to leaders/members.

HMRC for processing Gift Aid claims.

GoDaddy hosts the website. Limited personal data is shared to enable the creation of user accounts. Contact forms may also contain limited personal data, and these are held securely on the site until transferred to OSM or Compass.

Automated decision making

Dringhouses (PC) Scout Group uses the following processes and tools:

Mail Chimp for the sending of emails and the tracking of responses

Hootsuite for publishing social media content across platforms (Facebook, Google +, Instagram and Twitter)

Transfers outside the UK

Dringhouses (PC) Scout Group will not transfer your personal data outside of the UK.  The only exception is where an event is taking place outside of the UK and it is necessary to provide personal data to comply with our legal obligations, although generally such an event will have its own data collection form which will be securely held and disposed of after the event.

How do we protect personal data?

We take appropriate measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for as long as necessary for the purpose for which it was collected.

How long do we keep your personal data?

We will retain your personal data throughout the time individuals are an adult or youth member of Dringhouses (PC) Scout Group.

For youth members, to fulfil our legal obligations for insurance and legal claims, we will retain:

  • full personal data for a period of up to one year after members have left the Group
  • limited information (just name and attendance records) for a period of up to 15 years (or until the age of 21)
  • The Scout Association may retain personal data relating to Adults indefinitely.

For parents, carers and guardians, we will keep any Gift Aid Claim information for 7 years as required by HMRC.

Your rights and your personal data

Adult members and the parents, carers or guardians of youth members have the right to object to how we process their personal data. Members also have the right to access, correct, sometimes delete and restrict the personal data we use. In addition, they have a right to complain to us and to the data protection regulator.

Unless subject to an exemption under the GDPR, members have the following rights with respect to their personal data:

  • The right to be informed – a right to know how your data will be used by our Scout Group
  • The right to access – members can ask the Group to share the data held related to them
  • The right to rectification – this just means that members can update their data if it’s inaccurate or if something is missing. Members can view and edit their personal data directly on our online membership systems Online Scout Manager and Compass
  • The right to erasure (the right to be forgotten) – this means that members have the right to request that we delete any personal data held related to them. There are some exceptions, for example, some information can be retained for legal reasons
  • The right to restrict processing – if members think there’s something wrong with the data being held about them, or they aren’t sure if we are complying with the rules, they can restrict any further use of that data until the problem is resolved
  • The right to data portability – this means that if members ask us we will have to share their data with them in a way that can be read digitally, such as a PDF. This makes it easier to share information with others
  • The right to object – members can object to the ways their data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.

Rights in relation to automated decision making and profiling – this protects members in cases where decisions are being made about them based entirely on automated processes rather than a human input.

In the first instance, please contact the Group’s Data Protection Lead or the Group Scout Leader for more information.

Whether or not to exercise these new rights is up to the individual – the main thing to remember is that they’re there if needed.

Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

Breach Notification

We will notify our users of any breach of data via email within 72 hours of identifying the breach.

Website

www.dringhousesscouts.org.uk is used to provide information to parents, guardians or carers and members about how the Group is run and the activities that are provided. Links to the Group’s policies and The Scout Association web site are provided, as is access for parents via a link to Online Scout Manager (OSM).

The site also has several forms which are used for the collection of information related to new adult and youth members.

Cookies

Cookies are in use on our website. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website, which offers guidance for all modern browsers.

Contact Forms

There are several contact forms on the website; these all function in the same way:

Data entered into these forms and submitted is stored on the web site and emailed to a distribution list with a limited membership (for the processing of the request entered in the form).

Information collected by the form includes data which the individual submitting the form has not entered. This information is captured automatically and is required in the event of malicious posts, to enable the originator to be identified.

Name, email address, subject and message are all entered by the submitter of the form.

The form also captures the IP address of the sender, a link to domain information for the IP address of the sender, and the webpage that the form was submitted from.

Emails received from forms are deleted once actioned.

Google Analytics

Visitors to this website who have JavaScript enabled are tracked using Google Analytics. Google Analytics collects (but is not limited to) the following types of information from users:

  • Type of user agent (web browser) used, software manufacturer and version number
  • Type of operating system
  • Screen colours (colour processing ability of the user’s screen)
  • JavaScript support
  • Flash version
  • Screen resolution
  • Network location and IP address which can include:
    • Country, city, state, region, county, or any other geographic data
    • Hostname
    • Bandwidth (internet connection speed)
  • Time of visit
  • Pages visited
  • Time spent on each page of the website
  • Referring site statistics:
    • The website (URL) the user came through in order to arrive at this website (example: clicking on a hyperlink from Yahoo.com that took the user to this website)
    • Search engine query used (example: typing in a phrase into a search engine like Google, and clicking on a link from that search engine)

This data is only used to optimise our website for our visitors. This data DOES NOT include any personally identifying information such as names, phone numbers, email addresses, mailing addresses, bank account numbers or credit card information.

Users can prevent their data from being used by Google Analytics by visiting the following link and installing the “Google Analytics Opt-out Browser Add-on”.

Photography and Social Media

Promoting Scouting is important to the Group; as such, it is in the interest of all members to advertise the Movement through the use of appropriate positive images.

Social media is used as a means of promoting our brand and our activities. Leaders have undertaken specific training for handling these tools and guidance is available to them from The Scout Association. Our public Facebook Page, Instagram, Twitter, YouTube and Google + accounts allow us to quickly share news and photos that we think are appropriate to a wider audience. As these are used as promotional tools, none of them is restricted or “closed” in any way.

When we are away at events, and even at our weekly meetings, it is common for a number of photos to be taken and published on our social media feeds. While a selection of these photos may be posted to our social media channels, the majority will be stored securely on our Google Drive in a section only visible to registered users (who will have their accounts approved by the Group’s leadership team).

We embed videos from our official YouTube channel using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. To find out more please visit YouTube’s embedding videos information page.

The Group also has a closed Facebook page which all leaders, members of the Active Support Unit and parents, guardians or carers of current members can access. This closed Group enables communication between all members of the Facebook Group and is used to share events, photos, questions and answers and information that is deemed useful and positive for our members. The moderators of the Group ensure the content is pertinent to Scouting and is appropriate for the consumption of all. The membership of the closed Facebook Group is reviewed quarterly and members are removed if they are no longer active with the Scout Group.

We will always endeavour to:

  • Never publish personal details with any photo/image/video that would make the subject of the photograph identifiable
  • Consider the content of all photo/image/video for good taste before publication
  • Only publish photos/images relating to Scouting
  • Remove any photo/image/video that breaches these guidelines as quickly as possible after it is brought to our attention – please use the contact form to inform administrators of any inappropriate content.

While we will endeavour to keep to the above guidelines, we cannot control the legal right of third party photographers to take pictures in a public place and publish them to websites and other publications that are outside of our control.

Contact Details

To exercise any relevant rights, or for queries or complaints, please in the first instance contact our Data Protection Lead at DataLead@DringhousesScouts.org.uk

You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Reviewed:  19th May 2018.