Compass

The Scout Association's Board of Trustees who, as charity trustees, are responsible for ensuring that proper systems are in place regarding the personal data stored on Compass, The Scout Association is a Data Controller in Common with Groups, Districts, Counties and Countries. Data Controller's in Common may each use and access a shared database but each remains responsible for the personal data within its own control and capacity. Accordingly, Scout Units (Groups, Districts, Counties or Countries) remain responsible for ensuring that their handling of personal data locally is in compliance with the GDPR and POR (which includes uploading and maintaining such data onto Compass) and The Scout Association remains responsible for ensuring that its handling of personal data nationally is also in compliance with the GDPR and POR (including its particular responsibilities for data held on Compass). 

Whilst the general data protection responsibilities of both parties towards the data it handles are similar in nature, there are differences according to the level of control each has over the data e.g. whilst The Scout Association will not be responsible for how personal data is handled locally, likewise, Groups, Districts, Counties or Countries will not be responsible for the technical or security aspects of Compass which are not within their control. 

What precautions should I take when using Compass in different places e.g. in a public place, the office, at home or at a campsite?

Compass is a web-based membership system. It is therefore possible to access the system at any location with an internet connection. The following guidance highlights some simple security points that must be followed when accessing Compass:

Image
Compass mindfulness table

 

Frequently asked questions...

What is the data held on Compass used for?

The data held on Compass will be used for membership of Scouting purposes only. It will enable the local Scout Units (Groups, Districts, Counties) to manage scouting and will also enable an annual census to be undertaken which and can be used both locally by Groups, Districts, Counties/Areas /Regions as well as nationally to look at trends, and to identify areas for development locally and nationally. 

Compass has been developed to save you time and help make all your Scout administration easier to manage, it has also been developed to help you keep your Scout records and data held on young people, parents and adults safe, and is compliant with the GDPR.

How can Members manage the marketing and communications they receive?

Members can manage how their personal information is used for certain communications from The Scout Association. They can control what communications content they receive by logging into their account via the Compass website and selecting the Communications Preferences section on their Profile.

This ability to manage how their personal information is used only applies to marketing-led content. The Scout Association and a Member's local Scout unit will send Members communications about Scouting relevant to their role or association with Scouting. The communication will contain essential information and will not contain marketing content.

Who is responsible for the accuracy of information held on Compass?

Adult members are responsible for maintaining their own data e.g. name, address, contact details either directly or via a nominated individual. Certain other data may only be updated/maintained by authorised persons e.g. roles, training records, permits etc. All membership data should be checked as regularly as possible to ensure it is correct and factually accurate and must, in any event, be checked on an annual basis. 

Will The Scout Association perform data quality cleansing on Compass at HQ?

In addition to a Member's responsibility to keep their own data for which they are responsible up-to-date, The Scout Association will annually run a set of general data cleansing routines dealing with issues such as duplication, addressing search returns which indicate that a member is 'no longer at' or has 'gone away' from the recorded address etc. 

Does the Adult Information Form need to be signed before we can upload that information on Compass?

There are two methods of uploading the information onto Compass: directly online with the applicant present or by transferring information from the paper form onto Compass. The paper forms should be filled out with the applicant present. Whilst these paper forms are not intended to be retained, the member's signature provides surety to the person inputting the information onto Compass (which may be a different person to who helped member who helped the new adult complete the form), that the information has been provided by the new adult and of their understanding that the information will be uploaded onto Compass. In all cases, the person uploading the information onto Compass must make sure the applicant understands everything on the form and what is being asked.

Do we need to keep the Adult Information Forms after the information has been uploaded onto Compass?

No, the forms are not intended to be retained. They should be kept securely at all times whilst being used and also securely disposed of/destroyed (shredded), after use. 

Is there any training available for leaders before they have to use Compass?

Compass has been designed to provide technical controls in line with the requirements of the GDPR and all users are provided with guidance on how to use the controls and functionality of Compass which also deliver data protection compliance and can be found at: https://compasssupport.scouts.org.uk/  

The Scout Association is and will continue to regularly review member needs and provide necessary further guidance and one area that is currently being assessed is the need and development of a suitable toolkit for local scout units to help them self-assess their current approach. These measures are in addition to the general data protection training covered as part of the administration training along with all the many other administrative matters. 

Additional specific, stand-alone, data protection training is not therefore necessary in order to use Compass.

Executive Committees have always have been and will remain responsible for ensuring that proper systems are in place locally for GDPR compliance - which includes ensuring that their personnel are reliable in handling personal data and are aware of their responsibilities. 

Who has access to view or download a Group's data once loaded onto Compass?

Only members with suitable authorisation have access to member data which is relevant to their role in Scouting. For example, a Section leader only sees the data for the adults in their section and a District Commissioner will only see the data for adults within the District etc. At HQ, only authorised staff have access to membership data as required by their role for HQ administration purpose. 

Are there any special circumstances where access to Member data can be restricted e.g. vulnerable adults, or those who may be involved in cases of domestic violence or others who have good reason to keep their details private?

Compass allows for exceptions to be made e.g. adult members who are suspended, in which case their personal details will be visible only to a very small select group of people with special roles, e.g. the safeguarding team. Other exceptions may also be possible dependent on the circumstances. These restrictions can be set by speaking with The Scout Association HQ to discuss the situation. 

Am I allowed to download the personal details of members for taking to a camp or for any other purpose and what should I do to comply with data protection requirements?

Provided you have the relevant authorisation, you can download details of members for taking to camp etc. 

You must then follow GDPR, guidance or processes established by your Scout Unit to handle the downloaded information in accordance with the Data Protection Act. For example, the information should only be kept for the required purpose and time, after which it must be securely destroyed i.e. after the end of the camp or event. 

Can a Member's data be shared with third parties in an emergency such as a doctor or hospital i.e. providing address, date of birth, GP's name and any medical information?

The GDP enables the sharing of sensitive personal information in the event of an emergency - i.e. where the sharing is necessary in order to protect the 'vital interests' of the person. 

You must follow any data protection requirements, guidance or processes established by your Scout Unit to ensure such sharing is done in accordance with the Data Protection Act. For example, the sharing must be done securely, and only share the information required to assist with the emergency. 

Where is the data on Compass held?

The data is held in the UK.

Is data on Compass secure?

The Scout Association treats the safety and security of its member data as a main priority. For these reasons The Scout Association has spent considerable time and funds designing and testing Compass to ensure that data is held securely in accordance with the GDPR and industry standards. The two external companies contracted to host Compass both comply with international data security standards and, where applicable, are certified by the BSI (British Standards Institute) and have all achieved International Organization for Standardisation (ISO) certification status. The Scout Association has also employed highly regarded contractors to ensure compliance with data protection legislation, and also ensures that the system undergoes regular security testing. 

The system has been designed to restrict access at different levels of the database to those that have authorisation to use it. The hierarchy of Scouting is reflected in the authorisation matrix and we have an inbuilt audit trail for all transactions so that users and their use can be identified. Every adult with a leadership role, and hence with access authorisation rights within Compass, would have gone through a stringent appointment process and will be subject to the Policy, Organisation and Rules (POR) of the organisation which lay down strict guidelines in respect of use of their use of system and their duty to ensure compliance with data protection.

What if there's a data breach?

The Information Commissioner office (ICO), which regulates data protection in the UK, provides guidance as to the procedures in the event of a security breach which will be followed by The Scout Association. 

To ensure consistency, any actual or potential data breach concerning the use of Compass should be reported to The Scout Association HQ.

How long is personal data to be retained?

In line with GDPR requirements, The Scout Association will only retain personal data for as long as it is required for membership purposes. The retention period will need to take into consideration any official statutory guideline/requirements deemed applicable.

At present and especially in light of general safeguarding concerns, The Scout Association is in the process of consulting with a number of agencies with regard to the relevant guidelines in order to finalise its retention policy in this regard. However, it is important to note that when a person's membership ends, their role will be closed on Compass and their data archived so that it will no longer be accessible online. This data will only be accessible by a few authorised members of staff.

If a person re-joins Scouting in the future, their membership data will be reactivated and again be accessible in accordance with the hierarchy settings set on Compass.