Midlothian District Scout Council
This document describes the categories of personal data we process and for what purposes. We are committed to collecting and using such data fairly and in accordance with the requirements of the General Data Protection Regulation (GDPR).
Who are we?
Midlothian District Scout Council is a Registered Scottish Charity No SC041302. Our mission is to engage and support young people in their personal development, empowering them to make a positive contribution to society. We are under the governance of the Policy, Organisation and Rules of the Scout Association, as empowered by Royal Charter.
Every year in September/October we hold an annual general meeting where members of the Group Executive Committee (our trustees) are elected. Our District Executive Committee is the data controller.
Any personal data that we collect will only be in relation to the work we do with our members and through our relationships with supporters, donors and funders.
Personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in our Scout District’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (“the GDPR”).
How we gather personal information
The majority of the personal information we hold is provided to us directly by adult volunteers and parents (or guardians), either in paper form or via our online membership systems.
How we process personal data
We comply with our obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We process the data so that we can contact the member, parents and guardians to inform them of meetings and events that the group itself may be running or attending.
We use personal data for the following purposes:
- we collect personal, medical and dietary information for the protection of that person whilst in the care of the Scout District
- to administer membership records
- to fundraise and promote the interests of the Scout District
- to manage our volunteers
- to maintain our own accounts and records (including the processing of Gift Aid applications)
- to inform you of news and activities relevant to Midlothian District Scout Council.
The legal basis for processing personal data
We only use your personal information where that is permitted by the laws that protect your privacy rights.
We only use personal information where:
- We need to use the information to comply with our legal obligations
- We need to use the information to contact you regarding meetings, events, collection of membership fees etc. (i.e. for the day to day running of the District)
- it is fair to use the personal information in your interests, where there is no disadvantage to you – this can include where it is in our interests to contact you about products or services within Scouting.
- The processing is necessary for the person’s legitimate interests or the legitimate interests of our Scout District unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
How we store personal data
We are committed to the protection of personal information.
We generally store personal information in one of two secure digital online database systems where access to that data is restricted and controlled.
Compass is the online membership system of The Scout Association. This system is used for the collection and storage of adult personal data.
Online Scout Manager (including MyScout) is an online membership system run by Online Youth Manager Ltd. This is a secure membership database where we store the personal information of adults and youth members for the day to day running of the District.
Our team use their own (and their employers’) computers, tablets and mobile phones to access Compass and Online Scout Manager.
When attending a large-scale Scouting event we are sometimes required to share personal information with event organisers via their own online systems. Examples include the Scottish International Patrol Jamborette (Blair Atholl), or National Camps.
Printed records and event data
Some data is collected and stored on paper. For example:
- Personal and Medical Form.
- Gift Aid forms.
- Events coordination with event organisers.
- Award notifications/nominations
Gift Aid forms will be held by the District to aid in the collection of Gift Aid for monthly membership fees. We have a legal obligation to retain this information for 7 years after our last claim.
To ensure that we have timely access to emergency data during camps and activities, printouts of personal contacts and medical information may be used. We will minimise the use of paper to only what is required for the event/camp, and take care that paperwork is handled appropriately and, once it is no longer needed, securely destroyed.
Sometimes we may nominate a member for an award. Such nominations would require we provide contact details to the awarding organisation.
Sharing and transferring personal information
We will only normally share personal information amongst appointed leaders and office-holders within our District.
We will however share personal information where we need to meet or enforce a legal obligation.
This may include Scout Groups within Midlothian District, South East Scotland Scout Council, The Scout Association and our insurance company Unity, local authority services and law enforcement agencies. We will only share your personal information to the extent needed for those purposes.
If a youth member or adult volunteer moves from Midlothian District to another District or Explorer Scout Unit we may transfer personal information to them.
We will never sell your personal information to any third party for the purposes of marketing.
Sometimes we may nominate a member for an external award; such nominations would require we provide contact details to that organisation.
Your personal data will be treated as strictly confidential. We will only share your data with third parties outside of the organisation where there is a legitimate reason to do so. We will take steps to anonymise the data we provide (i.e. collective reporting on gender, ethnicity, age, etc.). If identifiable data is to be shared we will seek your consent.
Third Party Data Processors
Midlothian District Scout Council employs the services of the following third-party data processors:
- The Scout Association via its adult membership system Compass which is used to record the personal information of leaders, adults and parents who have undergone a Disclosure Scotland check (PVG).
- Online Youth Manager Ltd (Online Scout Manager / MyScout) which is used to record personal information, badge records, event and attendance records etc. We have a data processing agreement in place with OYM. More information is available at https://www.onlinescoutmanager.co.uk/security.php
- Dropbox is occasionally used for secure transfer of limited personal information for events.
- Google is occasionally used for secure transfer of limited personal information for events.
- Facebook is used for Closed Group for Parents / Guardians and members.
- Bank of Scotland – Our bank accounts will hold some personally identifiable data from parents making payments; these records are only stored for up to 7 years, then destroyed.
Transfers outside the UK
When Midlothian District Scout Council members participate in international Scouting events, data may be transferred outside the UK.
Protection of personal data
We take appropriate measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for as long as necessary for the purpose for which it is obtained.
Retention of personal data
We will retain your personal information throughout the time you/your child(ren) are a member of the Midlothian District Scout Council.
We will retain your full personal information for a period of one year after you have left Midlothian District Scout Council and in a much more limited form (just name, badge and attendance records) for a period of up to 15 years (or until the age 21) to fulfil our legal obligations for insurance and legal claims.
We will also keep any Gift Aid claim information for seven years as required by HMRC.
Your rights and your personal data
You have the right to object to how we process your personal information. You also have the right to access, correct, sometimes delete and restrict the personal information we use. In addition, you have a right to complain to us and to the data protection regulator.
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to be informed – you have a right to know how your data will be used by our Scout Group.
- The right to access your personal data – you can ask us to share with you the data we have about you!
- The right to rectification – this means you can update your data if it’s inaccurate or if something is missing. In some sections, parents can view and edit personal information on My.SCOUT (part of Online Scout Manager) and adult volunteers can update their own details on Compass.
- The right to erasure – this means that you have the right to request that we delete any personal data we have about you. There are some exceptions. For example, some information can be held for legal reasons.
- The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure if we are complying with the rules, you can restrict any further use of your data until the problem is resolved.
- The right to data portability – this means that if you ask us we will have to share your data with you in a way that can be read digitally – such as a pdf. This makes it easier to share information with others.
- The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.
- Rights in relation to automated decision making and profiling – this protects you in cases where decisions are being made about you based entirely on automated processes rather than human input.
Please contact your child(ren)’s leader, our District Commissioner or our Data Protection Officer for more information in the first instance.
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Data Subject Access Requests
Should a member of Midlothian Scouts or a member of the public request a copy of any personal information which Midlothian District Scout Council holds, then the following process should be followed:
- The individual should write to the Data Protection Officer firstname.lastname@example.org outlining the personal data they are seeking to obtain.
- The Data Protection Officer shall acknowledge the request by email.
- The Data Protection Officer shall seek to verify the identity of the individual and that they are lawfully entitled to request a copy of the personal data. This may involve asking for information such as a membership number, date of birth, address, or documentary evidence.
- The Data Protection Officer will collate the data requested, noting that we cannot provide data held by other organisations such as the Scout Association, Region or Groups. The data should be carefully analysed to ensure it does not refer to any other individuals, in which case it should be redacted.
- Within 30 days of receiving the request, the Data Protection Officer will provide the data to the individual. This will normally be by email.
- There will be no charge.
To exercise all relevant rights, to raise queries or make a complaint, please in the first instance contact our Data Protection Officer via email@example.com