Derbyshire Scouts Privacy Policy

What is this privacy policy?

This Data Privacy Policy describes the categories of personal data Derbyshire Scouts process and for what purposes.
Derbyshire Scouts are committed to collecting and using such data fairly and in accordance with the requirements of the General Data Protection Regulations (GDPR), the regulations set by the European Union, and Data Protection Act 2018 (DPA 2018), the UK law that encompasses the GDPR.

This Privacy Policy applies to members, parents/guardians of youth members, volunteers, employees, contractors, suppliers, supporters, donors and members of the public who will make contact with Derbyshire Scouts.

Who we are

Derbyshire Scouts are a registered charity with the Charity Commission for England & Wales; charity number 1019079.

The Data Controller for Derbyshire Scouts is the Executive Committee who are appointed at an Annual General Meeting and are Charity Trustees.
The Chair of the Charity Trustees is Nick Griffiths.

From this point on Derbyshire Scouts will be referred to as "we".

Being a small charity, we are not required to appoint a Data Protection Officer.

The data we may process

The majority of the personal information we hold, is provided to us directly by you or by the parents or legal guardians of youth members verbally or in paper form, digital form or via our online membership system Compass. In the case of adult members and volunteers, data may also be provided by third parties, such as the England & Wales - Disclosure and Barring Service (DBS).

Where a member is under the age of 18, this information will only be obtained from a parent or guardian and cannot be provided by the young person.

We may collect the following personal information:

The lawful basis we process your data by

We comply with our obligations under the GDPR and DPA 2018 by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

In most cases the lawful basis for processing will be through the performance of a contract for personal data and as legitimate interests for your sensitive data.

We use personal data for the following purposes:

We use personal sensitive data for the following purposes:

Our retention policy

We will keep certain types of information for different periods of time in line with our retention policy, as shown below:

Data Process Data Type Retention Justification
Incident - No medical intervention (*) Personal & Sensitive Until the young person is 21 or 3 years whichever is the greater Legal claims raised against the incident
Adult Information Form Personal & Sensitive
(special category)
12 months or until approval checks and interview and appointment are complete, whichever is the shortest Required to assist in the appointment process
Identity checking Form Personal Until ID data has been submitted to DBS/PVG and the vetting process is complete Required to verify that the identity has been checked.
Events Personal & Sensitive
(special category)
2 months after event (unless specific permission is given for it to be held longer) Required for enquiries on the event and responding to incidents
Safeguarding n/a. See TSA Safeguarding Policy The retention of safeguarding data is handled by the Scouts UK headquarters as part of the safeguarding procedures and no data should be retained locally.

This should be in line with the Scouts 'Young People First'; District Commissioner Procedures
Training records Personal 2 months after attendance at training events or as soon as compass is updated, whichever is the shortest. Required for course and record management
Appointments Advisory Committee notes Personal 18 months Required to review any training needs of adult volunteers
Individual Givers Personal 1 Year 1 Year
Gift aid declaration 6 Years after donation HMRC Tax Audit
Individuals/ organisations booking our facilities Personal 1 Year Required for enquiries on purchases and account
Transactional 6 Years after purchase or duration of warranty period, whichever is longest HMRC Tax Audit or warranty period

Where possible, personal and sensitive (special category) data should be anonymised as soon as appropriate if it is to be retained for analysis or statistical purposes.

(*) Any incidents that have required medical intervention should be reported to the Scouts Information Centre for alignment

Staff

Data Process Data Type Retention Justification
Income tax and NI records Personal 3 years from the end of financial year to which they relate The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631)
Payroll wage/salary records (also overtime, bonuses, expenses) 6 years from the end of the tax year to which they relate Taxes Management Act 1970
Retirement Benefits Schemes - records of notifiable events, for example, relating to incapacity 6 years from the end of the scheme year in which the event took place The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)
Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence 3 years after the end of the tax year in which the maternity period ends The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended
Working time records 2 years from date on which they were made The Working Time Regulations 1998 (SI 1998/1833)
Recruitment records 6 months after the candidate has not been successful To defend against tribunals or county or high court claim
Personnel files and training records (including formal disciplinary records) 6 years after employment ceases To assist in any formal grievance procedure

The Scout Association's Data Protection Policy can be found here and the Data Privacy Notice here

Sharing your information

Young people and other data subjects

We will normally only share personal information with adult volunteers holding an appointment in the Derbyshire Scouts.

Adult volunteers

We will normally only share personal information with adult volunteers holding appropriate appointments within the line management structure of The Scout Association for Derbyshire as well as with The Scout Association Headquarters as joint data controllers.

All data subjects

We will however share your personal information with others outside of Derbyshire Scouts where we need meet a legal obligation. This may include The Scout Association and its insurance subsidiary (Unity Insurance Services), local authority services and law enforcement. We will only share your personal information to the extent needed for those purposes. We will only share your data with third parties outside of the organisation where there is a legitimate reason to do so.

We will never sell your personal information to any third party.

Sometimes we may nominate a member for national awards, (such as Scouting awards or Duke of Edinburgh's awards) such nominations would require us to provide contact details to that organisation.

Where personal data is shared with third parties we will seek assurances that your personal data will be kept confidential and that the third party fully complies with the GDPR and DPA 2018.

How we store your personal data

We generally store personal information in the following ways:

In addition adult volunteers will hold some personal data on local spreadsheets/databases.

Printed records and data held while attending events - paper is sometimes used to capture and retain some data for example:

Paper records for events are used rather than relying on secure digital systems, as often the events are held where internet and digital access will not be available. We will minimise the use of paper to only what is required for the event.

Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

How we provide this privacy notice

A link to this website page is provided to those whose data is being processed by us. A printed version is also available on request.

Your rights

As a Data Subject, you have the right to object to how we process your personal information. You also have the right to access, correct, sometimes delete and restrict the personal information we use. In addition, you have a right to complain to us and to the Information Commissioners Office.

Unless subject to an exemption under the GDPR and DPA 2018, you have the following rights with respect to your personal data:

Website Cookies

Forms related cookies

When you submit data through a form such as those found on our contact pages or comment forms, cookies may be set to remember your user details for future correspondence.

Third Party Cookies

In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site.

Our sites use Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.

For more information on Google Analytics cookies, see the official Google Privacy information page

We use session cookies, to provide core functionality to the site, but these do not store personal information outside of the current browser session

Who to contact

If you have any queries relating to this Privacy Notice or our use of your personal data, please contact our County Administrator