We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Member resources

GDPR Step 4: Understanding data subjects

Version 1, September 2018

Data subjects have the right to object to how you process their personal information.  They also have the right to access, correct, sometimes delete and restrict the personal information you use.  In addition, they have a right to complain to you and to the Information Commissioner’s Office (ICO).

Unless subject to an exemption under the GDPR and DPA 2018, a data subject has the following rights with respect to their personal data:
The right to be informed – they have the right to know how their data will be used by you.
The right to access their personal data – they can ask you to share with them the data you have about them. This is a Subject Access Request and is explored further on this page.
The right to rectification – this just means they can update their data if it’s inaccurate or if something is missing.  Adult members will be able to edit and update some information directly on the Compass membership system.
The right to erasure – this means that they have the right to request that you delete any personal data you have about them. There are some exceptions, for example, some information will be held by The Scout Association for legal reasons.
The right to restrict processing – if they think that you are not processing their data in line with your privacy notice then they have the right to restrict any further use of that data until the issue is resolved.
The right to data portability – this means that if they ask you to export their personal data then you will do so in a way that can be read digitally – such as a pdf. This makes it easier to share information with others.
The right to object – they can object to the ways their data is being used.
Rights in relation to automated decision making and profiling – this protects the data subject in cases where decisions are being made about them based entirely on automated processes rather than a human input, it’s highly unlikely that this will be used by local scouting.

Subject access requests

With these extensive rights available to data subjects it is important that you have a process for responding to a request from the data subject on any of the above, this is known as a subject access request (SAR). The response to the data subject needs to be within 1 month post receiving the request. This can be extended by a further month, followed by 1 more month, if the request cannot be completed in time but notice must be given to the data subject on the extension and the reason why.

The following process can be used as guidance to manage such requests;

  1.  Application - Data subject to provide request scope or complete SAR Request Form.
  2. Identity Evidence - The data subject must provide evidence as to identity. This could be in the form of a current passport/driving license (signature to be cross checked) for example.
  3. Request Logged - The date by which the identification checks and the specification of the data sought must be recorded in a SAR Register.
  4. Discovery - The Executive Committee discovers all instances where the data subjects personal data is present, the Data Inventory will help guide this.
  5. Response - Executive Committee to respond to data subject in electronic format and response logged.

Discovery

Discovery will entail either:
• Collecting the data specified by the data subject, or
• Searching all databases and all relevant filing systems (manual files) in the Scout Group, District or County/Area/Region (Scotland), including all readily available back up and archived files.

It is suggested that the Executive Committee maintains a Data Inventory that identifies where all data within the Scout Group, District or County/Area/Region (Scotland) is stored to make it easier and quicker when undertaking searches.

Responding to a Subject Access Request (SAR)

The Executive Committee is responsible for reviewing all provided documents to identify whether any third parties are identified in it and for either omitting or redacting identifying third party information from the documentation or obtaining written consent from the third party for their identity to be revealed.

If the requested data falls under one of the following exemptions, it does not have to be provided:
• Crime prevention and detection
• Negotiations with the requester
• Information used for research, historical or statistical purposes
• Information covered by legal professional privilege

The information will be provided to the data subject in electronic format unless otherwise requested and all the items provided are listed on a schedule that shows the data subject’s name and the date on which the information is delivered.

In all cases care should be taken to redact all personal data or confidential information that the data subject should not see.

To assist in maintaining a log of the SAR’s received and manage their progress, the SAR Register is available to download.

In addition to the register the SAR Form can be downloaded here and used to formalise the SAR with the data subject.

 

CEOP
© Copyright The Scout Association 2019. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW