
Thread: GDPR

  1. #1
    ADC Cubs abram_akela's Avatar
    Join Date
    Oct 2009
    Location
    Wigan
    Posts
    93
    Thanks
    0
    Thanked 4 Times in 3 Posts

    GDPR

    Hi
    Can't see any posts about this but was just wondering if anyone has any concise information on exactly what this new legislation means to a scout group. I was hoping that I won't have to wade through the hundreds of pages of info about it myself and hoped that someone might have already done it.

    Any help much appreciated
    Abram Akela
    GNAS Archery Instructor
    GSL
    ADC Cubs

  2. #2
    AESL & AGSL shiftypete's Avatar
    Join Date
    Jul 2004
    Location
    Leeds
    Posts
    12,065
    Thanks
    3,119
    Thanked 1,057 Times in 697 Posts
    TSA issued this guidance on GDPR a couple of weeks ago http://scouts.org.uk/media/911448/Wh...Regulation.pdf

    Peter Andrews AESL of Headingley Pirates ESU, Assistant Group Scout Leader & Webmaster of Falkoner Scout Group
    www.falkonerscouts.org.uk

    Wike, North Leeds District Campsite - www.wikecampsite.org.uk
    www.leeds-solar.co.uk
    Please note all views expressed are my own and not those of any organisation I'm associated with

  3. #3
    Senior Member recneps's Avatar
    Join Date
    Aug 2005
    Location
    Bath and Bristol
    Posts
    8,735
    Thanks
    574
    Thanked 2,205 Times in 1,417 Posts
    TSA's guidance helpfully doesn't actually advise on any processes, it just gives some basic guidance.

    To an extent, a lot of what is required is stuff that we should already be doing anyway - it's not unreasonable to expect that data is kept accurate, kept securely, and deleted when no longer required.
    Dan Spencer

    Group Scout Leader 66th Bath
    Deputy District Commissioner (Programme) - City of Bath District
    Nights Away Adviser and member of District Executive Committee - City of Bath District
    Member of Avon County Appointments Advisory Committee
    Event organiser "Be Prepared" Resilience Events
    Formerly CSL, SL, ASL and Jamboree Communications Lead

    Web designer


    It is not the mountain we conquer but ourselves

  4. #4
    Senior Member Bushfella's Avatar
    Join Date
    Mar 2006
    Location
    Huddersfield
    Posts
    15,136
    Thanks
    333
    Thanked 2,590 Times in 1,418 Posts
    Quote Originally Posted by recneps View Post
    TSA's guidance helpfully doesn't actually advise on any processes, it just gives some basic guidance.

    To an extent, a lot of what is required is stuff that we should already be doing anyway - it's not unreasonable to expect that data is kept accurate, kept securely, and deleted when no longer required.

    Deleted when no longer required... I suspect that some people would say that should be when a member leaves. However, we need to keep track of our records for five years for tax purposes - if we claim Gift Aid, then we need to have the Gift Aid records - which include membership details, for five years.

    Adult records - easy for Navs, just now, if we get rid of Dodgy George, then we all know and he will never get back in. But for a larger organisation, the "need" may be for a lifetime...
    Ewan Scott

    It seems that there are a lot of Nawyecka Comanch around....





    Nawyecka Comanch'": "Means roundabout--man says he's going one way, means to go t'other" Ethan Edwards - The Searchers



    www.upperdearnevalleynavigators.org.uk

  5. #5
    Senior Member recneps's Avatar
    Join Date
    Aug 2005
    Location
    Bath and Bristol
    Posts
    8,735
    Thanks
    574
    Thanked 2,205 Times in 1,417 Posts
    Quote Originally Posted by Bushfella View Post
    Deleted when no longer required... I suspect that some people would say that should be when a member leaves. However, we need to keep track of our records for five years for tax purposes - if we claim Gift Aid, then we need to have the Gift Aid records - which include membership details, for five years.

    Adult records - easy for Navs, just now, if we get rid of Dodgy George, then we all know and he will never get back in. But for a larger organisation, the "need" may be for a lifetime...
    I suspect the issue lies around the need to partially delete data.

    How much data TSA store on adults is a matter that I'm assuming TSA will have looked into very carefully, or will be doing so. As a group, our adult data is kept on Compass, basic info is kept on OSM, and any paper records are disposed of when the adult leaves. If an adult fills in a DBS form for processing that goes in the confidential waste as soon as it's been processed.

    As for Gift Aid - yes we need membership details to be kept for 5 years, but they don't need to be accessible to everyone, they don't need to include medical details, etc. We essentially need the Gift Aid return with names, addresses and amount paid.

    A bigger concern for me here is how data is moved around / where it is saved. I am confident that Ed will ensure that OSM is GDPR compliant. My own pet hate is "Scouting" Data ending up on personal computers and in personal inboxes, as it means as a group we have no control over it, and if a leader leaves they still have the data. As a group, we now insist on leaders using group email addresses for all scouting stuff... We're trying to get to the point that scouting data is stored on the group's sharepoint/onedrive storage as well but that's taking longer.
    Dan Spencer

    Group Scout Leader 66th Bath
    Deputy District Commissioner (Programme) - City of Bath District
    Nights Away Adviser and member of District Executive Committee - City of Bath District
    Member of Avon County Appointments Advisory Committee
    Event organiser "Be Prepared" Resilience Events
    Formerly CSL, SL, ASL and Jamboree Communications Lead

    Web designer


    It is not the mountain we conquer but ourselves

  6. #6
    Senior Member
    Join Date
    Mar 2003
    Location
    East Devon
    Posts
    1,119
    Thanks
    76
    Thanked 383 Times in 195 Posts
    Quote Originally Posted by recneps View Post
    TSA's guidance helpfully doesn't actually advise on any processes, it just gives some basic guidance.
    But it does say that a more detailed 'pack' is being produced and will be issued in March.
    John Russell
    ex-CSL now ACSL 1st Pinhoe Exeter Devon
    Cubs don't care how much you know, but they need to know how much you care.

  7. #7
    Senior Member
    Join Date
    Sep 2009
    Posts
    9,731
    Thanks
    2,528
    Thanked 1,862 Times in 1,179 Posts
    Quote Originally Posted by recneps View Post
    We're trying to get to the point that scouting data is stored on the group's sharepoint/onedrive storage as well but that's taking longer.
    That of course won't stop anyone installing the app and syncing it onto their computer. It's highly awkward to use otherwise.

    The only way you can *keep* data off personal machines is using a Citrix host or similar.

  8. The Following User Says Thank You to Neil Williams For This Useful Post:

    pstretch (09-03-2018)

  9. #8
    Senior Member big chris's Avatar
    Join Date
    Jan 2005
    Posts
    11,894
    Thanks
    1,621
    Thanked 3,069 Times in 1,291 Posts
    posted elsewhere by me: GDPR is turning out to be pretty simple. Only keep the info that you need. Get permission to keep and use it*. Tell the subject what will be done with it and how. Get rid of it when no longer needed and always think very carefully about how you are processing the data to keep it as secure as possible.

    *The SA should offer a very standard list of permissions that new joiners should complete and that should have been shared by now. We pay a lot of money for that support and none has been forthcoming. We should also get specific advice on whether that permission needs to be got from existing members. Finally, we should be advised on how that permission should be stored.

  10. The Following 3 Users Say Thank You to big chris For This Useful Post:

    itchen (09-03-2018),scoutgamer (27-05-2018),shiftypete (09-03-2018)

  11. #9
    Senior Member
    Join Date
    Mar 2003
    Location
    East Devon
    Posts
    1,119
    Thanks
    76
    Thanked 383 Times in 195 Posts
    Quote Originally Posted by big chris View Post
    Get permission to keep and use it
    Also posted somewhere else by me: The GDPR requires that we have a “lawful basis” for holding (processing) personal data, but there is more than one basis on which holding data might be lawful. I suggest that we shouldn’t leap into assuming that the only applicable basis is “consent”. I suggest that for almost all of the personal data that we hold the lawful basis is “legitimate interests”. According to the ICO, legitimate interests “is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing”. Holding address, contact details of parents, date of birth, and so on is all stuff that parents would expect us to hold so that we can reach them if their child breaks a leg while in our care, and so that we can monitor their progress through the sections, all as the parent would reasonably expect. We don’t have to have explicit consent to hold data where the lawful basis for holding that data is legitimate interests.
    Last edited by JohnR; 09-03-2018 at 10:11 AM. Reason: wrong quote
    John Russell
    ex-CSL now ACSL 1st Pinhoe Exeter Devon
    Cubs don't care how much you know, but they need to know how much you care.

  12. The Following 4 Users Say Thank You to JohnR For This Useful Post:

    philbill (09-03-2018),pstretch (09-03-2018),Robin Hood (20-04-2018),scoutgamer (27-05-2018)

  13. #10
    CSL (In training)
    Join Date
    Jun 2014
    Posts
    2,512
    Thanks
    2,027
    Thanked 567 Times in 421 Posts
    Quote Originally Posted by big chris View Post
    *The SA should offer a very standard list of permissions that new joiners should complete and that should have been shared by now. We pay a lot of money for that support and none has been forthcoming. We should also get specific advice on whether that permission needs to be got from existing members. Finally, we should be advised on how that permission should be stored.
    Especially when you bear in mind that this has been law for two years.... It's only the ICO's ability to fine you for non-compliance that kicks in in May....

  14. #11
    Group Scout Leader
    Join Date
    Jan 2011
    Posts
    1,011
    Thanks
    534
    Thanked 368 Times in 190 Posts
    Quote Originally Posted by nevynxxx View Post
    Especially when you bear in mind that this has been law for two years.... It's only the ICO's ability to fine you for non-compliance that kicks in in May....
    The Data Protection Bill (that will become the Data Protection Act 2018), which implements the GDPR requirements, is still going through Parliament (https://services.parliament.uk/bills...rotection.html) and is still subject to amendment.


    Paul

  15. The Following User Says Thank You to PaulArthurs For This Useful Post:

    shiftypete (09-03-2018)

  16. #12
    CSL (In training)
    Join Date
    Jun 2014
    Posts
    2,512
    Thanks
    2,027
    Thanked 567 Times in 421 Posts
    Look at the difference between a "Directive" and a "Regulation".... GDPR is the latter (it's in the name).

    I'm sure the Bill will fine tune and clarify some things as they pertain to other UK law.... But the GDPR was adopted 2 years ago, and becomes enforceable in May.

  17. #13
    Senior Member
    Join Date
    Sep 2009
    Posts
    9,731
    Thanks
    2,528
    Thanked 1,862 Times in 1,179 Posts
    Quote Originally Posted by nevynxxx View Post
    Look at the difference between a "Directive" and a "Regulation".... GDPR is the latter (it's in the name).

    I'm sure the Bill will fine tune and clarify some things as they pertain to other UK law.... But the GDPR was adopted 2 years ago, and becomes enforceable in May.
    In any meaningful sense a non-enforceable law is not a law.

  18. #14
    CSL (In training)
    Join Date
    Jun 2014
    Posts
    2,512
    Thanks
    2,027
    Thanked 567 Times in 421 Posts
    Quote Originally Posted by Neil Williams View Post
    In any meaningful sense a non-enforceable law is not a law.
    Well, that's an interesting ethical question....

    How enforceable is the scout law for example? <runs and hides>

  19. #15
    Group Scout Leader
    Join Date
    Oct 2007
    Location
    Stanstead Abbotts, Hertfordshire
    Posts
    597
    Thanks
    81
    Thanked 195 Times in 108 Posts
    Quote Originally Posted by JohnR View Post
    Also posted somewhere else by me: The GDPR requires that we have a “lawful basis” for holding (processing) personal data, but there is more than one basis on which holding data might be lawful. I suggest that we shouldn’t leap into assuming that the only applicable basis is “consent”. I suggest that for almost all of the personal data that we hold the lawful basis is “legitimate interests”. According to the ICO, legitimate interests “is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing”. Holding address, contact details of parents, date of birth, and so on is all stuff that parents would expect us to hold so that we can reach them if their child breaks a leg while in our care, and so that we can monitor their progress through the sections, all as the parent would reasonably expect. We don’t have to have explicit consent to hold data where the lawful basis for holding that data is legitimate interests.
    This is my view too. 'Consent' is the least convenient lawful basis to use and will create problems later. 'Legitimate interests' basis is far more appropriate for normal membership activities and far easier for us to work with. Consent should be kept for marketing activities which won't cause Groups much of an issue anyway.

    My concern is that TSA gets sold the idea that consent is the gold standard and puts that into its processes and rules.

    IMHO the biggest issue for us (and all the other community endeavour type of organisations) is physical security of data / data destruction held on volunteers' personal equipment/accounts.

    - - - Updated - - -

    Quote Originally Posted by Neil Williams View Post
    That of course won't stop anyone installing the app and syncing it onto their computer. It's highly awkward to use otherwise.

    The only way you can *keep* data off personal machines is using a Citrix host or similar.
    Agreed. And Compass is so lacking in functionality that I frequently have to export data into Excel etc.
