
GDPR Step 2: Who is responsible for what?

Version 1, September 2018

Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries are separate charities, and The Scouts, as a national charity, is not accountable for each individual charity's alignment with the GDPR.

Responsibility for alignment with the GDPR rests with the respective Executive Committee, and it is the Scouts' intention to signpost appropriate resources to support local Scout Groups, Districts, Counties/Areas/Regions (Scotland) in fulfilling this important responsibility.

Each adult Member and Associate Member must also ensure that they comply with data protection law when handling any personal data.

Data Controllers

The data controller within the Movement is the Executive Committee. The data controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
 
This means that if you decide what personal data you require to carry out local Scouting, and determine how this data is used and protected, you are the data controller.

With regard to personal data stored on Compass, The Scout Association is a Data Controller in Common with Groups, Districts, Counties/Areas/Regions (Scotland) and Countries. Data Controllers in Common may each use and access a shared database, but each remains responsible for the personal data within its own control and capacity. Accordingly, Scout Groups, Districts, Counties/Areas/Regions (Scotland) or Countries remain responsible for ensuring that their handling of personal data locally complies with the GDPR and Policy, Organisation & Rules (POR), which includes uploading such data to Compass and maintaining it there. The Scouts remains responsible for ensuring that its handling of personal data nationally also complies with the GDPR and POR, including its particular responsibilities for data held on Compass.


Data Processors

It is likely that Section Leaders and Group Scout Leaders will be the main data processors within local Scout Groups. A data processor is defined as a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. This means that if you have access to the personal data and you do something with it, such as hosting it in your system or providing services to the data subject from this data set, you are the data processor. The data processor could also be a third-party system used for data storage, such as Online Scout Manager.

In summary, a Data Processor is responsible for processing personal data on behalf of a controller.

 

© Copyright The Scout Association 2019. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW