Know who is responsible for what
Your group executive committee, as charity trustees, has overall responsibility for ensuring that your scout group meets the GDPR requirements. However, all adult members also have a responsibility to safeguard personal data and to follow the processes agreed by your executive committee.
Data Controllers
A data controller determines the purposes and means of processing personal data.
Each level of scouting (group, district, county, region, country/UK) is responsible for making sure that it keeps the personal information it holds safe and complies with legal requirements. In your scout group this responsibility falls to your group executive committee, which is known as the ‘data controller’. Data controllers are responsible for compliance with the GDPR and must be able to demonstrate this if necessary.
The same applies to the scout association's national board of trustees who, as charity trustees, are responsible for ensuring that proper systems are in place for The Scout Association. All 'scout units' must comply with the GDPR when using the national membership system 'Compass'. The Scout Association (UKHQ), is the data controller for adult volunteer data which is collected on the Compass membership system.
That said, the duty of care for the security of the data you collect lies with everybody in your scout group who gathers, handles or receives that personal data. These people are known as ‘data processors’.
Data Processors
A data processor is responsible for processing personal data on behalf of a controller.
This means everyone in your scout group who deals with personal data on a day-to-day basis to help run the activities of your group. This will probably be the group scout leader, group administrators, group treasurer and the leaders in each of your sections.
This means if you have access to the personal data and you do something with it, such as host it in your system, or provide services to the data subject from this data set, you are the data processor. This data processor could also be a third-party system used for data storage, such as Online Scout Manager and EMS.
What is a third party processor?
A third party processor is an entity that processes personal data on behalf of a data controller. It is the Executive Committee's responsibility to assess whether third party processors are compliant with the GDPR.
An obligation when aligning to the GDPR is that every third party processor you identify has been assessed for its alignment to the GDPR. This assessment requires them to be issued with a checklist of obligations and their response to be logged.
If a third party processor does not acknowledge the checklist or cannot align to the controls within it, you as the responsible Executive Committee need to decide whether to seek an alternative provider or to accept, justify and document the risk in the Risk Register within the GDPR Framework.
Online Scout Manager and EMS act as third party processors, as they are systems operated by organisations for the purposes of holding and processing personal data. There are obligations that third party processors need to adhere to in order to demonstrate their compliance with the GDPR, such as being able to delete all of a young person's personal data if requested to do so by their parent. Online Scout Manager (provided by Online Youth Manager Ltd.) has also issued a statement on the alignment of OSM.
The Scout Association Headquarters will be issuing a statement on the alignment of Compass to the GDPR so that you do not have to contact HQ individually (we will publish a link to it here in due course).
Many large service providers, such as Microsoft and Google, publish statements on their websites that address the controls in the checklist. These providers do not need to be approached. Examples are:
Google - google.com/cloud/security/gdpr/
Microsoft - docs.microsoft.com/en-us/office365/enterprise/office-365-info-protection-for-gdpr-overview
Does my Scout Group need to register as a Data Controller with the Information Commissioner Office?
As a smaller 'not-for-profit' organisation, your scout group does not have to register provided you do not hold personal data about anyone other than members or others directly connected to your group.
However, you are still subject to the rules of the GDPR. As a larger organisation, The Scout Association national headquarters is registered as a data controller with the ICO.