About Crawley District Scout Council
We are part of the hierarchy of The Scout association, www.scouts.org.uk, and are governed by them. They are incorporated by Royal Charter. We are regulated by the charities commission and our registration number is 305875. We are part of a Scout County, West Sussex, and have Groups who belong to our district we are responsible for and help to coordinate. We do not have a single headquarters, however, can be contacted through our advertised social media sites, websites, emails, and telephone numbers. The district executive committee is the data controller for the information you give to us. The information we collect, and store will only be in relation to their membership and discharging our responsibilities in record keeping in respect of our membership organisation.
This Data Privacy Notice/Policy describes the categories of personal data Crawley District Scout Council (CDSC) process and for what purposes. CDSC is committed to collecting and using such data fairly and in accordance with the requirements of the General Data Protection Regulations (GDPR). This Privacy Notice/Policy applies to members, parents/guardians of youth members, volunteers, employees, contractors, suppliers, supporters, donors, and members of the public who will contact CDSC.
The data we may process
Most of the personal information we hold, is provided to us directly by you or by the parents or legal guardians of youth members. This can be provided and stored through electronic systems as follows:
- District Joining Web System
- Online Scout Manager (Youth Membership Database)
- Compass (Adult Membership Database)
- District Web Contact Forms
- Paper Joining Forms
- Telephone Calls
- District Notification Forms (NAN, CSA Awards) – All facilitated through our digital platform
In the case of adult members and volunteers, data may also be provided by third parties, such as the England & Wales – Disclosure and Baring Service (DBS).
Where a member is under the age of 18, this information will only be obtained from a parent or guardian and cannot be provided by the young person.
We may collect the following personal information:
- Personal contact details such as name, title, address, telephone numbers and personal email address – so that we can contact you.
- Date of birth – so that we can ensure young people are allocated to the appropriate Section for their age and that adults are old enough to take on an appointment with Scouting.
- Gender – so that we can address individuals correctly and accommodate for any specific needs.
- Emergency contact information – so that we can contact someone in the event of an emergency.
- Government identification numbers e.g., national insurance, driving licence, passport – to be able to process volunteer criminal record checks.
- Tax status information – so that we can collect gift aid from HMRC where donations are made.
- Training records – so that members can track their progression through the Scout programme or adult training scheme.
- Race or ethnic origin – so that we can make suitable arrangements based on members cultural needs.
- Health records – so that we can make suitable arrangements based on members medical needs.
- Criminal records checks – to ensure Scouting is a safe space for young people and adults.
Lawful data processing
We comply with our obligations under the GDPR and DPA 2018 by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access, and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
In most cases the lawful basis for processing will be through the performance of a contract for personal data of our adult volunteers and legitimate interest for personal data of our youth members. Sensitive (special category) data for both adult volunteers and our youth members will mostly align to the lawful basis of legitimate activities of an association. Explicit consent is requested from parents/guardians to take photographs of our members. On occasion we may use legitimate interest to process photographs where it is not practical to gather and maintain consent such as large-scale events. On such occasions we will make it clear that this activity will take place and give individuals the opportunity to exercise their data subject rights.
We use personal data for the following purposes:
- to provide information about Scout meetings, activities, training courses and events to our members and other volunteers in CDSC
- to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution
- to administer membership records of both youth and adult members including requests to join scouting from adults and youth members
- to fundraise and promote the interests of Scouting
- to manage our volunteers
- to maintain our own accounts and records (including the processing of gift aid applications)
- to inform you of news, events, activities, and services being run or attended by CDSC and wider scouting organisations
- to ensure and evidence your suitability if volunteering for a role in Scouting
- to contact your next of kin in the event of an emergency
- to ensure you have and maintain the correct qualifications and skill
We use personal sensitive (special) data for the following purposes:
- for the protection of a person’s health and safety whilst in the care of CDSC
- to respect a person’s religious beliefs with regards to activities, food, and holidays
- for equal opportunity monitoring and reporting
Sharing your information
Young people and other data subjects
We will normally only share personal information with adult volunteers holding an appointment in Crawley Scouts or CDSC. We will share the personal data of youth members and their parents/guardians with The Scout Association Headquarters for the purpose of managing safeguarding cases (this is done by encrypted email). We may also share data if required to facilitate running a district event. We will never send out youth data via personal emails or insecure methods such as Messenger or Facebook
We will normally only share personal information with adult volunteers holding appropriate appointments within the line management structure of The Scout Association for the CDSC as well as with The Scout Association Headquarters as data controllers in common. We may also share data if required to facilitate running a district event.
All data subjects
We will however share your personal information with others outside of CDSC where we need meet a legal obligation. This may include The Scout Association and its insurance subsidiary (Unity Insurance Services), local authority services and law enforcement. We will only share your personal information to the extent needed for those purposes. We will only share your data with third parties outside of the organisation where there is a legitimate reason to do so. We will never sell your personal information to any third party. Sometimes we may nominate a member for national awards, (such as Scouting awards or Duke of Edinburgh awards). Such nominations would require us to provide contact details to that organisation. Where personal data is shared with third parties, we will seek assurances that your personal data will be kept confidential and that the third party fully complies with the GDPR.
How we store your personal data
We generally store personal information in the following ways:
Compass – is the online membership system of The Scout Association, this system is used for the collection and storage of adult volunteer personal data.
Online Scout Manager – is the online membership system of Online Youth Manager, this system is used for the collection and storage of youth member personal data.
Local Documents – adult volunteers will hold some personal data on local spreadsheets/databases. This could include:
- Gift Aid administration
- Event registration
- Health and contact records forms (for events)
- Events coordination with event organisers – Paper records for events are sometimes used rather than relying on secure digital systems, as often the events are held where internet and digital access will not be available. We will minimise the use of paper to only what is required for the event.
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
As a Data Subject, you have the right to object to how we process your personal information. You also have the right to access, correct, sometimes delete, and restrict the personal information we use. In addition, you have a right to complain to us and to the Information Commissioner’s Office (www.ico.org.uk).
Unless subject to an exemption under the GDPR and DPA 2018, you have the following rights with respect to your personal data:
- The right to be informed – you have a right to know how your data will be used by us.
- The right to access your personal data – you can ask us to share with you the data we have about you. This is a Data Subject Access Request.
- The right to rectification – this just means you can update your data if it is inaccurate or if something is missing. Adult members will be able to edit and update some information directly on The Scout Association’s Compass membership system.
- The right to erasure – this means that you have the right to request that we delete any personal data we have about you. There are some exceptions, for example, some information will be held by The Scout Association for legal reasons.
- The right to restrict processing – if you think that we are not processing your data in line with this privacy notice then you have the right to restrict any further use of that data until the issue is resolved.
- The right to data portability – this means that if you ask us, we will have to share your data with you in a way that can be read digitally – such as a pdf. This makes it easier to share information with others.
- The right to object – you can object to the ways your data is being used.
- Rights in relation to automated decision making and profiling – this protects you in cases where decision are being made about you based entirely on automated processes rather than a human input, it is highly unlikely that this will be used by us.
Due to our size and charitable status, we are exempt from appointing a DPO however if you have any questions regarding our policy above, please email [email protected].
CDSC digital services are hosted by Microsoft Azure in the UK South Region.
Microsoft designs, builds, and operates datacentres in a way that strictly controls physical access to the areas where data is stored. Microsoft takes a layered approach to physical security, to reduce the risk of unauthorized users gaining physical access to data and the datacentre resources. Datacentres managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacentre floor. Layers of physical security are:
- Access request and approval.
- Facility’s perimeter.
- Building entrance.
- Inside the building. After you enter the building, you must pass two-factor authentication with biometrics to continue moving through the datacentre
- Datacentre floor. You are only allowed onto the floor that you are approved to enter. You are required to pass a full body metal detection screening.
Microsoft requires visitors to surrender badges upon departure from any Microsoft facility.
CDSC use Office365 for Email, File Storage and Collaboration. All users are bound by a fair use policy enforced by signing a disclaimer on first login and every 720 days thereafter.
Compass is the Scout Association Members system which is used to store all personal data for adult members across the UK. Details on how this system is compliant can be found here.
Online Scout Manager (OSM)
The privacy and security notice for OSM can be found here.
Subject Access Requests
The processors of the data we hold are mainly adults holding a leadership role, however it could also be other adults supporting the delivery of Scouting, Skills Instructors and Administrators such as the Treasurer processing payments. Since 2018 every adult holding a formal role in Scouting has been required to undertake training in the new General Data Protection regulation, and they undertake to only use compliant systems, online and offline depending on need, follow best practice for use, processing, security, and retention. When Adults stop volunteering or change roles, we undertake a process to ensure any data is no longer accessible by the retiring adult.
To comply with GDPR, members of Crawley District Scouts or the public can send Subject Access Requests to Crawley District Scout Council to provide a record of any personal data held regarding them. Crawley District Scout Council have 30 days to respond and acknowledge this request. All Subject Access Requests should be emailed to [email protected] where they will be triaged and managed in our Support Helpdesk.
Please note, SARS relating to each Scout Group in Crawley should be sent directly to them – all Scout Groups operate as independent charities therefore we are not liable for providing details on information they hold about their members.
|Data Description||Personal Data Included||System & Retention||Duration||Justification|
|Want to Join||Youth Member / Adult Volunteer Joining DetailsContact Details / AddressJoining Preferences||District Joining System Online Scout Manager District Email System||2 Years (Application Logs) 1 year after enquiry or until member joins, whichever is shorter 5 Years (Email Retention Policy)||To keep them informed of their joining status|
|Joining – including the role and dates of joining||Personal and Sensitive data (special category)Contact Details / AddressSpecial Requirements||Online Scout Manager Compass District Email System Local Training Files||10 years after leaving the data will be reduced to only include name, date of birth, awards, training records, events attended, roles and permits held and any complaints in summary format. This remaining data will be retained for 100 years.||The 10-year retention of all data is required to provide tenure and service records in the event an individual wants to re-join. The 100 years retention of data is required for evidence requests from statutory agencies|
|Award Registrations / Completion and Activity Permits||Personal and Sensitive data (special category)Contact Details / AddressSpecial Requirements||Online Scout Manager Compass District Email System Local Training Files||Retained whilst a current member. A subset of data is retained. when a membership ceases to support the vetting policy should the person reapply for membership||To provide continuity of awards and permits if members wish to re-join in future.|
|Information about safeguarding issues / complaints||Contact information and further information regarding the nature of any allegation, the status and outcome of the investigation||District Email System District OneDrive||10 Years 100 Years||The 100 years retention of data is required for evidence requests from statutory agencies|
|Information about accidents and near misses||Contact details and nature of accident||District Email System District OneDrive District Web Form||10 Years 7 years after incident, or 7 years after alleged victim turns 18 if later 5 Years||Fight a case – Limitation act 1980|
|Information about our event attendees||Personal and Sensitive data (special category)Contact Details / AddressSpecial Requirements||District Email System District OneDrive District Web Form / Booking System||5 years after event for personal data, 2 months after event for sensitive data (special category). Scouting Young People attendance records will be retained for 100 years||To re-invite the guests to the same event at the next cycle, which are every 4 years. The 100 years retention of data is required for evidence requests from statutory agencies|
|Nights Away Notifications||Camp DetailsPermit Holders and Adults Attending||District NAN Online Form||2 years from submission date||For reporting and audit purposes in case of future investigatory requirements.|
|General Enquiries||General Enquiry and contact details||District Web Form District Email||2 Years (Application Logs) 10 Years – Automated Retention Policy||For audit purposes and district knowledge management|
|Vetting||Personal Data – Disclosure Certificate||District Email Compass||Retained whilst a current member. A subset of data is retained. when a membership ceases to support the vetting policy should the person reapply for membership||For reporting and audit purposes in case of future investigatory requirements.|
|Donations||Gift Aid (Plus donor details)Grants (Grant Application Contact Details)Donations (Donor Details)||District Email District OneDrive Local Treasurer Files||7 Years||Financial Audit Requirements|
|Finances||Finance – purchase ledgers, record of payments made, invoices, bank paying in counterfoils, bank statements, remittance advices, correspondence regarding donations, bank reconciliation.||District Email District OneDrive Local Treasurer Files||7 Years||Financial Audit Requirements|
|District Digital Newsletter||NameEmail AddressScout Role and Group||Mailchimp||Retained whilst a current member or for any party who opts in. Removal is up to member opting out post leaving||To keep current and previous members informed about Crawley Scout activities.|
|Website Statistics||Web Usage Profile and IP addresses||Matomo – Self Hosted||Detailed logs retained for one year. Aggregated data retained for 50 years||To monitor and track usage of our digital systems.|