1st Somerton Scout Group GDPR
Privacy and Information Storage Notice
1st Somerton Scout Group needs to keep records of your and your child’s details to operate safely, and we recognise our obligations to you under GDPR to do that responsibly and legally. We explain here the information we need from you, why we need it and how we use it, and our policies for keeping it secure and so on. Most of your information is held on OSM only, and most of those fields are directly editable by you, which we believe gives you the best control over your own information. This policy statement mostly concerns GDPR, but also touches on other privacy and information sharing issues. If you wish to ask questions or exercise any of your GDPR rights, please contact the Group Scout Leader (GSL) or the secretary of the executive committee.
The data subject is the person in question that we hold a record for. We talk about PII – personally identifiable information – as any record that can be linked to the data subject.
We seek and process most of your information under the “legitimate interest” basis. This basis doesn’t require your explicit consent and allows us to work with info clearly necessary for our main purpose of running scouts. It limits us from doing anything silly, like selling your information, which of course we would never do. If we ever want to do anything with your information that cannot be covered under “legitimate interest”, then we will seek your additional consent at that time.
From time to time, we will ask you for help with events. We have no paid staff and it is our judgement that the scout group is run by us, for our children and as such that those requests are core to our collective mission and therefore our legitimate interest.
We require your explicit consent for medical information, and we will ask you to add your name in OSM to confirm it, or to sign the paper form, every time we collect the information. If you provide medical information but do not include consent, we will be forced to delete it. If you include medical information on a paper form and we have online consent to retain it, then we may transcribe it if we consider it will be useful in future. If there is no online consent, then medical information will not be transcribed and thus will be lost after the event is over.
We require your explicit consent to send you email about third party events. We may seek that consent if this becomes sufficiently important. In the absence of that consent, we may choose to advertise third party events by paper leaflet distribution or articles on Facebook or other non-direct means.
Legal entities and Information Sharing
The 1st Somerton Scout Group is the single legal entity to which this policy applies. All members are also members of the Scout Association. Adults in the group are also registered with The Scout Association nationally; they have their own GDPR and policy arrangements which you can find on their website, scouts.org.uk. The Scout Association is our parent organization, and we will share personal information with it where appropriate for census, accident reporting, escalation and so on, but a determination should be made in each instance of the minimum information required to achieve the legitimate requirement.
The executive committee is considered to be the Data Controller; where a single individual is required, it is the GSL. We are not required to delegate a Data Protection Officer. OSM acts for us as a Data Processor.
What do we store where?
We use OSM for all week to week information. From the time when you book your child on an event, we may keep paper or other duplicate copies of information for convenience during the event. That duplicate will be destroyed according to the disposal policy.
What we store
We store children’s names and dates of birth. DOB is necessary for section moves and determining eligibility for some activities.
We store multiple forms of adult contact info so that we can contact you reliably.
We may request and store mobile phone numbers for older children camping or hiking independently. This field in OSM is under your control and you may choose to remove that information between events.
We ask that you fill in medical information in OSM. It is always up to you to keep this up to date so that we have accurate information. Please review the section below about who has what access to information. If you are unhappy to provide certain information through the system, then please talk directly to your child’s Section Leader or the Group Scout Leader.
For financial transactions, we do not store any bank information directly—we simply store a reference number from the payment processor, GoCardless, contracted through OSM. OSM and GoCardless have their own GDPR policies which you can read. We will use the security facilities provided by OSM and GoCardless. Financial limits are set and you agree to them when you set up the direct debit mandate. Leaders with access to the financial aspects of the system are full members of the scout association and of 1st Somerton Scout Group and will use the multi factor authentication system as provided by OSM to secure access to that information. OSM enforces that direct debits taken with a given mandate can only go to the bank account that was set up by the group with the system and cannot later be directed elsewhere. As a charity, that bank account requires dual authorisation.
Who can see what
Specific access is granted on the basis of need and is granular. Most leaders cannot see financial aspects of a record; this is usually reserved for the leader in charge of each section, line manager and group secretary(s)/admin(s). Parent helpers (OH), who may have a DBS, but who are not members of the Association, will not be granted leader access to OSM.
We share information with the Scout Association so that authorised staff at Gilwell will be able to look at anonymous data in OSM, which isn’t personally identifiable. This will be general membership data (numbers, ages, postcodes, genders, groups) so they can report on national trends: not at local Group level. Authorised members of the Scout Association will have access through OSM to obtain contact information, which will only be as a last resort or emergency for specific safeguarding cases.
The data controller will ensure that all adult members understand and accept their responsibilities for GDPR under this policy. Responsibilities as listed below are delegated insofar as the data controller can make that delegation.
Section leaders have a day to day responsibility for setting access for other leaders to their section information at an appropriate level.
All adult members have a responsibility to avoid sharing personal and GDPR controlled information beyond the scope of 1st Somerton Scouts without consent.
Where adults are using email or other online accounts dedicated to Scouting, but privately set up, password or recovery information will be logged with the secretary so as to allow us to re-establish control of those accounts.
3rd-party run events
Some camps, day trips and other events are run in collaboration with third parties, such as Scout Districts, Scout County, or campsites. In these cases, we will temporarily share appropriate and necessary information with those third parties for the running of those events. We will only do this where you have explicitly booked using OSM. Your information will be protected by the GDPR policies of those parties under the similarly cautious legitimate interest aspect of GDPR, which limits what they can do with it. If we believe that any aspect of sharing should require consent under GDPR (such as because they want to send marketing material), then we will indicate in the event invite, shown in email and on the OSM event page, that clicking to book constitutes that consent.
We conduct an annual census for the Scout Association which includes information about things like demographics and ethnic profiles of members. They use this to monitor inclusion. We use OSM to collect this, where we will invite you to enter this information directly. Some of your answers may constitute “sensitive data” under GDPR, so you will most likely be asked by OSM to explicitly consent. This is for their purposes, not ours. OSM provides us with a statistical output only and does not let us see individual responses. OSM retains this information from year to year but you can delete it yourself in the meantime if you wish. All the questions can, if you prefer, be answered with “do not want to say”. Whilst we cannot see this information, it is tied to your OSM record that we control, so when we delete your data (see disposal below), your census profile is also deleted.
Photos and social media
We store portrait photos on OSM records so that we can recognize children from outside our own section. These are treated along with all other contact info and not shared outside the database or beyond the life of the subject record.
Photos taken by leaders in “public places”, which covers almost everywhere we take the children, are considered personal and not subject to GDPR. We still want to have a policy that keeps everyone safe and confident, so we will take care with any photos where your child is recognizable, and will avoid ever distributing photos with a child’s full name. We want to make sure that no-one can find a photo by searching for your child’s name. We will seek permission before using a child’s photo for an advert or PR. We can’t control all taking of photos; we are not responsible for members of the public taking photos, and older children will often take their own photos on their phones. If, however, you have a specific reason that you need us to be careful and try to keep your child out of images, please let your section leader know and we will do our very best to enforce that.
We will not give your (as a parent) email address or other contact details back to other non-members (i.e. other parents) without your permission. We expect leaders either to use the email address supplied by us or to source an extra, dedicated address (from e.g. Gmail). For the time being, leaders choosing to use personal addresses are considered to have consented to sharing those. Leaders may choose to share their personal mobile numbers, but we cannot require them to do so and don’t consider it prudent to supply mobiles, so please understand if a leader doesn’t wish to share their number. There are other reasonable means of contact.
Facebook is our best means of providing group discussion on a consent basis. We will (from this point on) not add you to a FB group without your consent. We will generally provide links in email, and if you choose to join that group, then you share your FB identity yourself at your discretion in doing so, and it is up to you to terminate that identity sharing yourself when you wish to terminate your involvement. We may provide other means of GDPR-compliant group chat in future.
For all Section and Group activities we use OSM rather than pieces of paper. If we must produce hard copies of information, we keep these to an absolute minimum. Once an event is completed, we will destroy duplicate or paper copies of personal and medical information within one month. An event is considered completed when all issues are resolved, such as monies owed being received.
When your child leaves Scouting, we will remove contact info and full PII within six weeks (or sooner at your request), leaving us with just a badge progress record attached to their name. This enables us to have a retrievable record if they return or join another Group.
If your child leaves our Scout Group through a managed transition to Explorers or to another Scout Group, we are able to transfer their record entirely to that other group using OSM, at which point we retain no information. It is unclear to us whether “legitimate interest” allows us to do this, so until and unless we are advised otherwise, this will only happen with the data subject or their guardian’s consent.
When any adult member leaves the Scout Association, they understand that it is their immediate responsibility to delete or hand back any copies of GDPR controlled information that were in their private possession (such as paper copies). Where the individual held assets in a shared system, such as Google Docs or shared email system, the account will normally be transferred and the information retained by us.
Your rights are detailed on the Information Commissioner’s Office website.