We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Member resources

GDPR Step 5: Gathering data

Version 1.1, October 2018

In Scouting, there will be occasions where information from young people and their parents/guardians and adult volunteers will be required.  Usually these will be ahead of events, camps or day trips or when a new member joins the Scouts.  This page aims to provide you with some good practice guidance if you need to gather information.

Why do we need additional information?

Before collecting any data on an individual, we need to remember the 6 principles of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA);
  1. Lawfulness, fairness and transparency – Explain to the data subject why you ask for the information and show what you intend to do with for a lawful reason.
  2. Purpose limitation – Ensure the data collected for the reason you need it is only used for that purpose.
  3. Data minimisation – Only collect the information you actually need for your lawful purpose.
  4. Accuracy – Make sure the data you collect can be kept up to date and accurate.
  5. Storage Limitation – Do only keep the data for the length of time you actually need it.
  6. Integrity and confidentiality – Keep the data you collect safe and secure.

As part of the second principle, it’s good to think about the information you may have already collected from young people and their parents/guardians before asking for more.  It’s likely that you’ll already hold a lot of information from when the young person or adult volunteer joined Scouting and therefore you can save time by using this information when planning your events.  You’ll then only be asking for limited information for each event.  That said you have a valid reason for asking for some information again as it is an obligation of your Executive Committee that the data held is accurate and it may have changed or be very specific for that event and– for example an emergency contact may be a grandparent rather than the parent because the parents may be going away at the same time as your week-long summer camp.

Parent/Guardian consent must be given for young people’s data (under the age of 18) to be collected and processed within Scouting.

Keep things to a minimum

When designing your form, try to avoid collecting unnecessary data.  For example you do not need to know if the young person can swim, if your event will not include any water activities in its programme.


Layout of the form

Often forms will be designed based on the need of the event or as you think of things to include on the form.  It’s worth just taking a moment to think about the information you are collecting so that you can order and maybe batch different kinds of information together.  For example, keeping names and contact details together.  Keeping sensitive (special category) data together such as medical details, will help you align with GDPR as it’ll be clear to the person completing the form which section(s) they will be consenting too. It’s good practice to put your privacy statement at the beginning of the form.


Privacy Statement

Forms will need a data protection privacy statement which must include some basic information.  This statement must include details of the type of data being collected, why the information is being collected, where the information will be stored, details of who will have access to the information and a time period for when you will destroying the information.  This information will need to align and be linked back to the data protection policy and policy agreed by the Executive Committee for your Scout Group/District/County/Area/Region (Scotland).  The statement must be written in clear and simple language so that it is easy to understand by the individual completing your form.

A tool to help you create your privacy statement can be found here.


Consent

There will be certain information which requires specific consent to be given.  This will include, but is not limited to, sensitive personal data where it is passed to a third party.  The data subject will need to tick a box or sign their name to provide their consent as implied or pre-filled boxes are not allowed.  Asking for consent for other information does come with the risk that consent can be retracted at any point, possibly making the organisation of the event harder.



Adult and young people data – is there any difference?

Fundamentally, there is no difference between adult and young people data.  However Parent/Guardian consent must be given for young people’s data (under the age of 18) to be collected and processed within Scouting.  While a data breach or loss of any data is serious, a breach or loss of young people’s data comes with greater reputational damage which could jeopardise the future of scouting not just locally but nationally as well.


What you do with the information when collected?

When your completed form is returned you need to think about where the information is stored and who will have access to it.  If your form is on paper, will you transfer the information to a spreadsheet?  Make sure you transfer the data accurately.  Think where this electronic spreadsheet is then saved and if you need to password protect it.  You may feel the need to print off the spreadsheet to take with you on the event.  You’ll need to consider how many copies you print off and who will have access to them – keep this to a minimum where possible.  If you’re sharing the sheets with other Leaders ensure you know how many copies you have made and that you are able to collect these back in at the end of the event.

If you’re using an electronic collection method, where will the data actually be stored? Is this within the UK or within Europe?  If not, you may wish to think about the provider you are using as data stored outside of Europe may mean additional consent is needed.  Most electronic companies will provide this information on their website, such as Google  and Online Scout Manager, however you may need to look or actually contact the company to ask them before using their service.

Like the paper copies you’ll also need to ensure there’s a privacy statement on the form and that you are able to delete the data when it’s no longer required.  Paper forms will need to be securely destroyed when not needed anymore.  One way would be to shred the paper forms before recycling.


Retention Period

The period of time that you will need to keep the information following the event will vary depending on the type of data you have collected, and the possible reasons for keeping it.  You will also need to refer back the retention policy set by your Executive Committee.
 
It is good practice to delete data when not required any further, even if this falls inside your retention period set. In some cases, data may need to be kept longer than the retention period for analytical or statistical purposes, in most cases this won’t require the personal data to be present and should be anonymised as soon as possible.

The Scout Association's retention policy can be found here and there is an example retention policy to help Scout Groups, Districts and Counties/Areas/Regions (Scotland) form their own here.

 

CEOP
© Copyright The Scout Association 2019. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW