Data protection & access security

Groups and Units should agree a simple policy stating who should be granted access to their Sections data in OSM. In doing so, the need to protect personal information stored on the platform about our members and their parents should be taken into account.

All access to OSM is controlled at Section level. There is no concept of Group / Oversight access to all Sections within a Group - access is granted per user, per section, per function in use.

Go to OSM's Security & GDPR information

Section access

A typical Beaver, Cub or Scout section might have the following volunteers with access...

Notice how each volunteer is using their Volunteer ID to access OSM. Based on their role, each volunteer is granted Least Privilege for the role and tasks they will be undertaking. There are two volunteers with "full administration" to the section, as required.

Access for Waiting List sections

IMPORTANT: District OSM always requires minimum Read privilege to Personal Details and Flexi-Records for the Waiting List (or Register of Interest) section.
This is essential to support automated reporting on Portsmouth Scouts waiting lists.

Access for Group Admin (Incl. Adults) Sections

NOTES: The nature of "Adults Sections" means they are rarely used by Volunteers. Rather, they offer a may to communicate with Volunteers; to manage common risks and share those across the Group; is a natural place of Accountancy Tools to be added (Accountancy Tools are added once per Group, they are NOT added per Section).

Access control / level of privilege

Portsmouth Scouts expects access to OSM to be governed by the principle of Least Privilege. The principle states that an individual should be given only those privileges needed to perform their role. If an individual does not need an access right, they should not have that right ('just in case they need it' is not a valid reason).

OSM generally provides 3 levels of privilege (access) and none on a per function basis. Consider carefully what level of access any individual is given, it should always be "least privilege".

Every OSM Section should have TWO administrator IDs with Read and write permission to all functions.

The user ID that originally creates the Section will have Read and write permission to all Sections. Take care to reassign permissions if this user leaves scouting.

At all times there must be two trusted users with Read and write permissions to all functions. This prevents a situation where all access is lost, or privileges can not be updated. Remember - the highest level of permission a user can give to another is their own highest. eg A user with Read access to a function, may only grant Read access to another user. Not Read and Write.

Data protection and record management

Data protection is a key responsibility for anybody that has access to the personal data of individuals. It can be a daunting and apparently complex area for volunteers to get involved with. The Scout Association provides extensive guidance that has been designed to help everyone understand the legislation applicable for data protection and provide tooling for alignment to the legislation.

Portsmouth Scouts strongly recommends every Group appoint a dedicated Data protection and record management lead, someone who can be familiar with law, policy and guidance and advise the Group Executive Committee on how best to meet requirements. The GDPR Toolkit (linked above) provides extensive information and resources to assist.

Access The Scout Association GDPR guidance here

REMEMBER: While data protection and record management is a key responsibility - most obligations can be met with common sense, simple local policies and easy to understand protocols or processes. Try not to overcomplicate things unnecessarily. Use the Resources provided by The Scout Association - for example Step 10: Publish your stance in the GDPR Toolkit includes a template data privacy notice and policy for Groups to adopt and adapt. Saving Groups the time of creating their own.

Page updated

Report abuse