Data retention and privacy policy

This policy explains what personal data we keep, why we keep it, how long we keep it, who we share it with, and how we delete it. It applies to young people, parents and carers, adult volunteers, donors, supporters, funders and partners. Under POR, each local Scout Group is an independent data controller and must keep its data protection and retention policies up to date.

We are 2nd South Petherton Scout Group. We run Scouting in our local community. Our mission is to actively engage and support young people in their personal development, empowering them to make a positive contribution to society. For the data we collect and use locally, we are the data controller. The Scout Association (UKHQ) is a separate controller for national systems and records.

We only use personal data when we have a lawful basis under UK GDPR. Depending on the task, we rely on:

• legitimate interests – to run safe, effective Scouting and manage membership

• legal obligation – where the law requires us to act (for example, Gift Aid records and incident records)

• vital interests – to protect life, especially at events and in emergencies

• public task – where we deliver recognised youth services in the public interest

• consent – only for optional things (for example, photos and publicity)

When we process special category data (such as health information) we also rely on an Article 9 condition, usually not‑for‑profit bodies (Art. 9(2)(d)), vital interests (Art. 9(2)(c)) or legal claims (Art. 9(2)(f)).

We do not keep safeguarding case records locally. The Scout Association holds and manages safeguarding records centrally. We follow national policy and POR.

We use secure systems approved within Scouting, including the national membership platform, Online Scout Manager (OSM) and Microsoft. Where we use third‑party systems, they act on our instructions as processors and must meet GDPR standards. We share data only when needed and lawful (for example with The Scout Association, DBS via Atlantic Data, emergency services, and grant funders).

Use of Artificial Intelligence

We only use AI tools that keep data secure and that do not use personal information to train public AI models. This protects young people, parents and carers, volunteers and the wider community.

We only use AI tools that meet UK GDPR requirements and that operate within our secure Microsoft 365 environment or Online Scout Manager environment. These tools keep content inside our organisation, apply enterprise‑level security, and do not use our data to train external AI models.

Volunteers may use MS365 Copilot or Online Scout Manager’s Gilbert (or other approved tools) to:

• draft activity plans

• summarise non‑personal text

• create template documents

• prepare meeting notes

• produce anonymised resources

• edit photos

All content must be anonymised unless being used within protected MS365 or OSM systems.

We keep personal data only as long as needed and follow national Scouts policy. HQ may keep a reduced dataset for longer for safeguarding and evidence; locally we keep only what we need for local purposes. Where we still need statistics, we anonymise data as soon as possible.

Find out more in our retention schedule tables.

Safeguarding records are handled centrally by The Scout Association. We do not keep local copies. Any incidents that have required medical intervention are reported to The Scout Association for alignment to an incident category and to manage the process. Records for these are retained centrally by HQ for an extended period (in line with legal, insurance, and learning requirements), and that record should be treated as the primary record. There may be a need to retain essential information locally but be destroyed once that purpose has passed and instructed no longer needed by The Scout Association.

Privacy notice for young people and parents

We collect and use personal data to run Scouting safely and well. We do this under UK GDPR using legitimate interests, vital interests, legal obligation and public task, depending on the activity. We collect contact and health details, event consents and attendance. We share data only when needed with Scout systems, activity providers, DBS, emergency services and (if relevant) grant funders. We do not use your personal data to train AI systems. We only use AI tools that operate within our secure environment and do not share data externally. We keep data only as long as needed (see our retention schedule). You have rights to see, correct or delete your data, to object to some uses, and to complain to the ICO.

Privacy notice for adult volunteers
 

We use your data to manage your role, training and safety. Our lawful bases are legitimate interests, public task, legal obligation and vital interests. DBS checks are handled through The Scout Association’s provider; any local paper ID forms are destroyed once entered. We share data only where necessary and keep it only as long as needed. You have the same rights listed above.
 
Privacy notice for donors and supporters
 

We keep donor contact details to manage gifts and say thank you. For Gift Aid we keep declarations for 6 years after the relevant accounting period. We only send optional updates with your consent, and you can stop these at any time. You have the same data rights listed above.

We share data across the Scouting Movement under the Movement’s Data Sharing Agreement, and with DBS for vetting, always on a lawful basis. We minimise what we share, doing so only where there is a legitimate reason to do so, and use aggregated or anonymised data wherever possible. We sometimes share data with grant funders to meet due‑diligence, monitoring and audit requirements, and keep only what the funder requires for the period set out in our schedule. Where we use third‑party systems (for example Online Scout Manager), they act on our instructions as processors and must meet GDPR standards.

2nd South Petherton Scout Group employs the services of the following third-party data processors:

The Scout Association via its adult membership system which is used to record the personal information of adult members and parents who have undergone a Disclosure and Barring Service (DBS) check (www.scouts.org.uk/privacy-policy).

Online Scout Manager: used to administer the group’s programme, events, attendance register, payments, badge records, personal details and emergency contacts (https://www.onlinescoutmanager.co.uk/privacy)

HMRC: used for processing Gift Aid claims (www.gov.uk/government/publications/data-protection-act-dpa-information-hm-revenue-and-customs-hold-about-you/data-protection-act-dpa-information-hm-revenue-and-customs-hold-about-you).

Lloyds Bank: used for processing receipt of donations and payment of expenses (www.lloydsbank.com/help-guidance/legal-information/privacy/data-privacy-notice.html).

MS 365: used to administer the group’s email system which may occasionally be used for secure transfer of limited personal information for events, and storage of photo library and administration notes (www.microsoft.com/en-gb/privacy/privacystatement).

Jot Form: used to collect personal information to administer services to our members, such as joint event registration (www.jotform.com/privacy).

Wix: we use wix.com to host our website and the contact form collects personal information from members of the public that are interested in joining, volunteering, or hiring the hut (www.wix.com/manage/privacy-security-hub).

Square: we use square to process chip and pin card payments and online payments (https://squareup.com/gb/en/legal/general/privacy)

Spark a change: we use sparkachange.org.uk to advertise our volunteering vacancies and collect personal information from members of the public that are interested in volunteering with us (www.sparkachange.org.uk/privacy).

GoVo: we use govo.org to advertise our volunteering vacancies and collect personal information from members of the public that are interested in volunteering with us (https://govo.org/privacy-notice).

thescouts.disclosures.co.uk: we use thescouts.disclosures.co.uk to administer Disclosure and Barring Service criminal records checks (https://thescouts.disclosures.co.uk/secure/PrivacyStatement.pdf).

Facebook: we have a facebook page and closed facebook group to help us communicate with our members and the general public (www.facebook.com/policy.php).

WhatsApp: we use a whatsapp community to help us communicate with our members (www.whatsapp.com/legal/privacy-policy).

We ensure third parties we contract with to store personal data comply with the principles of this policy, have an information security policy in place and ideally hold an information security standard (such as ISO 27001).

Leaders must not store personal data, including photos and videos, on personal devices, social media apps or personal cloud storage. Unless necessary for immediate short‑term use (for example, during an event), and they must transfer and delete them promptly. All data must remain within systems approved by the Group, District or The Scout Association. Public file‑sharing services (e.g., Dropbox personal accounts, Google Drive personal accounts, WhatsApp backups) must not be used for long‑term storage.

We protect data with access controls, secure systems and good housekeeping. We securely delete digital files and shred paper records when the retention period ends. Where we still need statistics, we anonymise data as soon as practical.

You can:

• ask us for a copy of your personal data

• ask us to correct it if it is wrong

• ask us to delete it when we no longer need it

• limit or object to some uses

We will explain when we must keep data (for example, by law or for safety). You can also complain to the Information Commissioner’s Office (ICO).

Our Trustee Board is responsible for this policy under POR. We review it annually or sooner if guidance changes. We keep simple logs of what we delete and when. Leaders receive data protection guidance through national training and follow national policy. Group Lead Volunteer is the Data Protection Lead responsible for ensuring that the policy is being operationally adhered to.

Data queries and rights: glv@spscouts.co.uk. If you are unhappy with our response, you can contact the ICO.

Version 3.0, 24 April 2026: Full rewrite aligned to UK GDPR and updated POR; added lawful bases per activity; privacy notices; grants/third‑party sharing; security and deletions.

Version 2.1, 2 June 2020.