Privacy Notice

The Norfolk County Scout Council

Privacy Notice v0.5 – unformatted, for approval

The Purpose of this privacy notice is to explain how The Norfolk County Scout Council,(“Norfolk Scouts” or “NS”) processes personal data to fulfil its data protection responsibilities. The scope of this statement covers the activities of the Norfolk Scouts Board of Trustees (“BoT”) and County Officers including those in sub-committees. Separate privacy notices will be issued for specific events when required and for NS employees.

The Role of NS in data protection terms is that of a data controller where it determines the purpose and use of personal data collected. Once received it becomes the responsibility of the NS privacy manager (PM) to ensure that it is processed in accordance with UK’s data protection legislation. The PM can be contacted using hq@norfolkscouts.org.uk.

The personal data processed by NS will be basic contact information for the purposes of responding to general enquiries, administering staff/ officers, updating NS leaders’ qualifications and other relevant details as required, preparing contracts and paying routine staff claims. It may be necessary for NS to process your health-related data, but this is typically confined to dietary conditions prior to joining training events; this would only be done with your explicit consent. If NS is not given all the requested information, it may result in an incomplete service being provided or insufficient safeguarding measures being put in place.

It should be noted that NS has access to the Norfolk based leaders’ personal data for those personnel registered on the Scout Association’s national data base. When requested or necessary, an individual’s record will be updated by NS staff on their behalf to ensure that records of qualifications and other relevant to role details are accurate and up to date.

NS’s duty of confidentiality means thatNS will treat personal data with due respect and in confidence. NS expects the same duty of confidentiality of all third parties with whom it shares personal data. It will only be disclosed when lawful circumstances allow. When it is necessary to engage third parties to process personal data, for which NS is the data controller, a data processing agreement (or equivalent) between both parties will be put in place.

NS will process your personal data in the UK,which it is backed up locally and with a cloud service provider based in the UK. Email is processed using a reputable web-based provider. Email and mobile phone contacts are stored on office IT equipment and mobile phones, including those of the trustees. NS uses appropriate technical and organisational measures to ensure personal data is kept secure.

NS will routinely process your personal data against a lawful basis as described below:

  • To fulfil our contractual obligations, including contract preparation, when required
  • When processing is necessary for the purposes of our stated legitimate interests
  • To comply with our legal obligations, mainly but not exclusively set out in guidance published by the Charities Commission, the Charities Act 2022, Charities (Protection and Social Investment) Act 2016, the Trustees Act 1925 and the Trustees Act 2000.
  • When processing against a pre-defined purpose for which consent has been sought and recorded prior to that processing commencing; please note that consent can be withdrawn at any time by asking the privacy manager

In all cases the processing of personal data shall be done in accordance with the principles of data protection as set out in UK’s  data protection legislation.

NS will share your personal data, only when it is necessary, with some or all of the following third parties:

  • The Scout Association
  • District level Scout roles
  • The Inland Revenue (HMRC)
  • England & Wales – Disclosure and Barring Service
  • Administrative support where personnel are bound by a data processing agreement and/or contractual arrangements
  • Nominated bank to handle financial transactions when required
  • Nominated, auditors, suppliers and insurance companies

NS will retain different types of personal data for varying periods depending on content. A summary of the critical categories are shown below:

  • Routine correspondence for casual enquiries in hard copy or in emails will be stored for 7 years after the last interaction with NS
  • Event specific special category data, obtained by explicit consent, will be destroyed or deleted within one month of the end of that event
  • Contract related data will be retained throughout the life of the contract plus another 7 years following the conclusion of that contract
  • Contact data is stored indefinitely unless a valid request to erasure is received from the interested data subject
  • Financial records and invoices, which may include personal data, will be retained for 6 years following the end of the current tax year of processing

By exception, documentation that includes personal data may be retained by NS beyond the schedule, but only for a specific purpose and only when NS has a legitimate interest or a legal obligation to do so

At the end of the retention period, NS will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that NS allows up to 3 months after the end of the schedule to complete the action.

The NS website uses cookies but all of these are essential for running the website and do not require prior consent. The website links to other relevant websites; if these are used, please note that NS has no responsibility for the control, content, or handling of visitors’ personal data, by these websites.

The UK General Data Protection Regulation (GDPR) defines the rights although these do not apply in all situations. For convenience, these rights are shown below:

  • Right to be informed as to how personal data is being processed – this is done through this notice or specific to client privacy notices
  • Right to access personal data held by NS which is done by submitting a ‘Subject Access Request’ (SAR) to the privacy manager
  • Right to rectification of personal data if NS has collected it incorrectly or it needs to be updated
  • Right to erasure of personal data for which NS no longer has a legitimate purpose to process
  • Right to restrict processing under certain circumstances, during which time personal data will be put out of operational use until the related matter is resolved
  • Right to data portability of personal data in a machine-readable version, but this only applies to data provided with consent or under contract
  • Right to object to processing personal data for which NS does not have a legal or contractual obligation
  • Rights related to automated decision making and profiling, however NS does not use these techniques in its decision making

Further details on data subject rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.

Raising concerns, exercising rights, or making queries about our processing of personal datacan be done by contacting the privacy manager. Please be aware that NS will need to verify a requesters/enquirer’s identity before responding fully. For that reason, you may be asked for proof of identification that, in context, will enable NS to confirm your identity. Alternatively, you may contact the ICO directly, using the details provided above.

June 2024