1. Introduction
This document supplements the subject access request (SAR) provisions set out in Scouting Irelands Data Protection Policy and provides the process for individuals to use when making an access request, along with the protocols followed by Scouting Ireland when such a request is received.
Scouting Ireland needs to collect personal information to effectively and compliantly carry out our everyday business functions and services and in some circumstances, to comply with the requirements of the law and/or regulations.
As Scouting Ireland processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) and relevant data protection legislation to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the GDPR and its principles.
This policy applies to but is not limited to all members, parents / guardians of members, volunteers and staff whose personal data is collected about them at National level.
Definitions:
Data Controller: Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Data Protection Commission (DPC): The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.
Data Protection Officer (DPO): A designated person responsible for helping an organisation comply with data protection law. The DPO advises on how personal data (such as information about youth members, volunteers, or staff) should be collected, stored, and shared safely and lawfully at National level. The DPO also monitors data protection practices, provides training and guidance, helps responds to data protection requests (like Subject Access Requests), and acts as a point of contact for the Data Protection Commission.
Data Subject: An identified or identifiable natural person, also referred to as an individual throughout the policy.
General Data Protection Regulation (GDPR): The GDPR is a European Union Regulation on information privacy that governs how personal data is processed and protected within the EU and the European Economic Area (EEA).
Subject Access Request (SAR) / Data Subject Access Request (DSAR): An individuals right to access and receive a copy of their personal data.
Reg. No. 397094, Charity No. CHY3507, Reg. Office - National Office, Larch Hill, Dublin 16. Scouting Ireland is a company Limited by guarantee exempt from using the word "Limited".
Scouting Ireland, National Office, Larch Hill, Dublin 16, Ireland. T: 01 4956300 www.scouts.ie
2. The
General Data Protection Regulation (GDPR)
The GDPR gives individuals the right to know what information is held about them, to access this information and to exercise other rights, including the rectification of inaccurate data. The GDPR is a standardised regulatory framework which ensures that personal information is obtained, handled and disposed of properly.
As Scouting Ireland are obligated under the GDPR and Irish data protection laws, we abide by the Regulations’ principles, which ensure that personal information shall be:
a. Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency)
b. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
c. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
d. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy)
e. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
f. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
The Regulation also requires that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the GDPR principles’ (accountability). Scouting Ireland have adequate and effective measures, controls and procedures in place, that protect and secure your personal information and guarantee that it is only ever obtained, processed and disclosed in accordance with the relevant data protection laws and regulations.
3. What is Personal Information?
Information protected under the GDPR is known as “personal data” and is defined as:
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Reg. No. 397094, Charity No. CHY3507, Reg. Office - National Office, Larch Hill, Dublin 16. Scouting Ireland is a company Limited by guarantee exempt from using the word "Limited".
Scouting Ireland, National Office, Larch Hill, Dublin 16, Ireland. T: 01 4956300 www.scouts.ie
Further information on what constitutes personal information and your rights under the data protection regulation and laws can be found at www.dataprotection.ie
4. The Right of Access
Under Article 15 of the GDPR, an individual has the right to obtain from the controller, confirmation as to whether personal data concerning them is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information.
Where requested, we will provide the following information:
• The purposes of the processing
• The categories of personal data concerned
• The recipient(s) or categories of recipient(s) to whom the personal data have been or will be disclosed
• If the data has been transferred to a third country or international organisation(s) (and if applicable, the appropriate safeguards used)
• The envisaged period for which the personal data will be stored (or the criteria used to determine that period)
• Where the personal data was not collected directly from the individual, any available information as to its source
5. How to make a Subject Access Request
A subject access request (SAR) is a request for access to the personal information that Scouting Ireland holds about an individual, which we are required to provide under the GDPR Article 15 (unless an exemption applies). A parent / guardian can make a request on behalf of their child. You can make this request in the following ways:
• Writing to the DPO located in Scouting Ireland National office. See Address in section 8 below.
• Emailing the DPO (dataprotection@scouts.ie)
• Via the Subject Access Request form located on www.Scouts.ie/legal/data-protection
• Verbally to the DPO via 01 495 6300
• All of the above methods can also go through a member of staff or volunteer who will forward on to the DPO.
• Please note Scout Groups may hold personal data at group level, please make the request for this information to the Group Leader / Designee. If you are not able to do so please reach out to the DPO (dataprotection@scouts.ie) who can forward on your request.
Regardless of the method used, Scouting Ireland should acknowledge and action the Subject Access Request as required.
Where a request is received by electronic means, we will provide the requested information in a commonly used electronic form (unless otherwise requested by the data subject).
Reg. No. 397094, Charity No. CHY3507, Reg. Office - National Office, Larch Hill, Dublin 16. Scouting Ireland is a company Limited by guarantee exempt from using the word "Limited".
5.1 What happens when a Subject Access Request is made
Identity Verification:
Subject Access Requests (SAR) are passed to the DPO as soon as received, and a record of the request is made. The DPO will acknowledge the request and ask the individual for information to help confirm their ID against the Membership database. Usually this is a request for the data subjects Scout Group, Name, Date of Birth, email address, phone number and emergency contact name. The purpose of this is to ensure that personal data is released to the appropriate person.
If a third party, relative or representative is requesting the information on your behalf, we will verify their authority to act for you and again, may contact you to confirm their identity and gain your authorisation prior to actioning any request.
Information Gathering:
Once you’ve provided enough details in your Subject Access Request (SAR), the DPO will begin by gathering all personal information we hold about you and ensure it is shared in a clear and accessible format.
If we don’t have sufficient information to locate your records, we may get in touch to ask for more details. This will be done as quickly as possible and always within the timeframe outlined below.
The more specific you can be in your request, the more accurate and meaningful the results will be.
Depending on the nature of the request, the Data Protection Officer (DPO) will carry out a range of searches to locate any personal data held.
These may include, but are not limited to the following:
• Using Microsoft Purview to search across all Scouts.ie email accounts, SharePoint sites and OneDrive files.
• Contact relevant staff members in departments such as Safeguarding to identify any personal data they may hold.
• Reaching out to volunteers at National levels (e.g. County Commissioners, Provincial Commissioners, event teams etc.) who may also hold relevant personal data.
• Search the Membership Management System for any associated records.
These steps help to ensure a thorough and accurate response to your request.
Information Provision
Once all personal data relating to you and your request has been gathered and processed in accordance with Section 7, the data will be shared with you via your preferred method of delivery.
Reg. No. 397094, Charity No. CHY3507, Reg. Office - National Office, Larch Hill, Dublin 16. Scouting Ireland is a company Limited by guarantee exempt from using the word "Limited".
Scouting Ireland, National Office, Larch Hill, Dublin 16, Ireland. T: 01 4956300 www.scouts.ie
In most cases, this will be done electronically by creating a secure SharePoint folder. Access to this folder will be restricted to you (using your personal email address provided at the time of your request) and the Data Protection Officer (DPO). The folder will remain available for four weeks in which you can download your data, after which it will be permanently deleted.
If you have requested to receive your data by post, it will be sent via registered mail to ensure secure delivery.
An internal copy of each Subject Access Request (SAR), including all related correspondence between the requestor and the Data Protection Officer (DPO), will be securely stored in a restricted SharePoint location accessible only by the DPO. This information will be retained for a period of two (2) years from the data the request is fully resolved, after which it will be permanently deleted. This will allow time for complaints to be made and resolved.
In certain circumstances, such as when the SAR is associated with an ongoing complaint, legal proceedings, or regulatory investigation, the retention period may be extended as necessary to comply with legal or regulatory obligations.
6. Fees and Timeframes
As per GDPR Article 12(3), data controllers must respond to Subject access requests within 1 month of receipt of request (once the data subject's ID has been verified) That period may be extended by two further months where necessary, considering the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
As per GDPR Article 12(5) any communications and any actions taken under Article 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
A) Charge a reasonable fee considering the administrative costs of providing information or communication or taking the action requested; or
B) Refuse to act on the request.
In cases where the request results in a high yield of data and / or is a resource consuming request, we may request the data subject to provide limits to the search to help narrow the search and provide meaningful data to the requestor.
If the data subject does not agree to limit the search, and in some other circumstances, it will be necessary to charge a reasonable fee to the data subject to cover administrative charges where the request involves the gathering of large amounts of data.
Reg. No. 397094, Charity No. CHY3507, Reg. Office - National Office, Larch Hill, Dublin 16. Scouting Ireland is a company Limited by guarantee exempt from using the word "Limited".
Scouting Ireland, National Office, Larch Hill, Dublin 16, Ireland. T: 01 4956300
7. Redactions and Exclusions
When responding to a Subject Access Request Scouting Ireland is committed to providing individuals with access to their personal data in accordance with data protection legislation. However, certain information may be redacted or withheld from disclosure where necessary and lawful.
Redactions
Redactions are applied to ensure the protection of the rights and freedoms of others. The following types of information may be redacted from documents in response to a SAR; this is not an exhaustive list.
• Personal data of other individuals: Where a document contains personal information relating to someone other than the requestor (e.g. another youth member, parent / guardian, volunteer or staff member), that information will be redacted unless the third party has provided consent, or it is reasonable to disclose the data without their consent. Reasonable to disclose means if the other individuals' rights and freedoms are not affected.
• Confidential References: Information provided in a confidential reference (e.g. for employment or volunteering) may be exempt from disclosure. This would be reviewed on a case-by-case basis.
• Safeguarding Information: Where the disclosure of data could compromise ongoing Safeguarding processes or put individuals at risk, the relevant information may be withheld in line with our safeguarding policies and legal obligations.
• Legally Privileged Information: Any data protected by legal professional privilege, including legal advice communications, will be withheld.
• Content that does not relate to the data subject, for example meeting minutes, may contain reference to the data subject, but only this section of the minutes may be disclosed to the requestor.
Exclusions:
Under data protection law, not all information is required to be disclosed under a SAR. The following are examples of (but not limited to) information that falls outside of the scope of a SAR.
• Non-personal data such as Scouting Ireland policies, procedures or general operational documents that do not relate specifically to the requestor.
• Duplicate records: Where the same information appears multiple times across different documents. We may consolidate or limit duplicate copies to avoid unnecessary duplication in the response.
• Anonymised data where individuals cannot be identified.
Reg. No. 397094, Charity No. CHY3507, Reg. Office - National Office, Larch Hill, Dublin 16. Scouting Ireland is a company Limited by guarantee exempt from using the word "Limited".
Scouting Ireland, National Office, Larch Hill, Dublin 16, Ireland. T: 01 4956300 www.scouts.ie
Scouting Ireland takes care to balance the rights of the data subject with the protection of others, and all redactions or exclusions will be applied with reference to the principles of fairness, transparency, and necessity. Where data is withheld or redacted, this will be clearly indicated, and an explanation will be provided where appropriate.
8. Contacting the Data Protection Officer (DPO)
Scouting Irelands DPO can be contacted via the following:
Email: dataprotection@scouts.ie
Address:
FAO: Data Protection Officer
Scouting Ireland National Office Larch Hill Dublin 16 D16 PO23
Phone: 014956300
9. Right to make a complaint
Any concerns or complaints about the processing of a Subject Access Request can be directed to Scouting Irelands Data Protection Officer as per the details in Section 8 above.
If, however you remain dissatisfied with the actions taken, you have the right to lodge a complaint with the Irish Data Protection Supervisory Authority. The Office of the Data Protection Commissioner can be contacted via the following, please note this applies to members residing in Northern Ireland also as the DPC are Scouting Irelands lead supervisory authority:
Postal Address:
Data Protection Commission
6 Pembroke
Dublin 2
D02 X963
Ireland
Website: www.dataprotection.ie
Email: info@dataprotection.ie
Phone: 01 765 0100 or LoCall 1800 437 737
Reg. No. 397094, Charity No. CHY3507, Reg. Office - National Office, Larch Hill, Dublin 16. Scouting Ireland is a company Limited by guarantee exempt from using the word "Limited".
