The Whistleblower Page

Navigation

Information

The Essentials in Summary

Between August and November 2025, The Scout Association, one of the UK’s largest youth charities, is alleged to have had multiple compliance and governance concerns arise, which I have reported to the Charity Commission and the Information Commissioner’s Office (ICO) for review. These concerns may involve trustees, senior leaders, and multiple departments. This site sets out my personal account and analysis as a whistleblower, based on contemporaneous emails, screenshots, and documents in the ZIP archive. Where I refer to ‘breaches’ of law or guidance, these are my allegations and interpretations unless and until a regulator or court reaches a formal conclusion.

What Happened?

  • I allege my ASD diagnosis was published in a national blog post and on social media without valid, explicit consent, and I have asked the ICO to review the lawful basis and any special category conditions relied upon.
  • In my view, the interview process was poorly designed for neurodivergent candidates and did not proactively address reasonable adjustments, despite my disability being recorded in their systems.
  • In my view, when I raised internal concerns, my disclosure was handled as a standard complaint on two occasions rather than being treated as a systemic governance matter.
  • I repeatedly requested internal resolution and did not receive the level of engagement I expected from the Association and its trustees; in my view, this represents a serious governance concern.
  • I allege my Subject Access Request was effectively blocked by disproportionate ID demands.
  • I did not receive any direct written response from the DPO, and I am not aware of who the DPO individual is.
  • I am concerned that if Data Protection processes were managed by Legal Services (for example, Legal Services managing data subject access requests), this may affect perceived independence, but this is for regulators to assess.
  • I am concerned that the Association’s public representations to the press and/or regulators may not align with the documentary timeline, and I have provided relevant materials for review.
  • Trustees were informed by email, and I have raised concerns about potential conflicts of interest in how some roles were involved.
  • I allege that the blog and social posts were removed after I notified the Association that I would escalate to regulators; I have asked regulators to consider whether appropriate records and decision trails exist.
  • I am concerned that the whistleblower and complaints processes, as applied in my case, may not provide sufficient independence at senior level, but this is for regulators to decide.
  • I allege the blog post was publicly accessible to 500,000+ people, and I am concerned that removal was not prompt after my warning; I have provided the timeline for regulator review.

Legal & Regulatory Breaches

UK GDPR

I allege that UK GDPR requirements may have been engaged, including:

  • Principles and lawful basis/special category conditions: Concerns about consent and/or other conditions relied upon for processing and publishing my diagnosis as special category data, and concerns about inconsistent explanations given.
  • Transparency and subject access: Concerns about subject access handling and whether ID requirements were proportionate.
  • Security and incident consideration: Concerns about public accessibility of special category data and whether any assessment or notification duties were considered.
  • Accountability documentation: I have not been provided with records of decision-making, any DPIA, or detailed input from the DPO, and I have asked the regulator to assess whether appropriate accountability records exist.
Charity Commission Guidance

Alleged issues under CC3, CC20, CC26, CC27 and CC29:

  • I allege that trustee oversight and handling of my disclosure raise governance concerns.
  • To my knowledge, no serious incident report was filed.
  • In my view, reputational risk, potential conflicts of interest, and data management concerns were not addressed to a standard I would expect.
  • I am concerned there may have been ineffective whistleblowing handling and weak risk oversight.
Equality Act 2010 (or poor process)
  • Sections 20–21: In my view, no reasonable adjustments were offered during the selection process despite my disability being on record, which I consider poor practice and reflective of organisational culture.
  • Section 27: In my view, aspects of the timeline and my experience of the subject access request may raise concerns that a court or tribunal could consider relevant, although only a court or tribunal could decide whether any unlawful victimisation occurred.

Who is Involved?

Listing an external organisation, department, or role below means that I emailed or copied that area in my correspondence. It is not a statement that any specific individual holding that role has broken the law; these are the roles I believe regulators may wish to scrutinise.

External Organisations
  • Black Penny Consulting Ltd (06607756) (Active Data Protection Officer for The Scout Association)
Departments
  • Governance
  • Legal Services
  • Whistleblowing
  • Safeguarding
  • Media Relations
  • Communications & PR
  • Brand & Content
  • Data Protection
  • Executive Leadership
Individuals (roles)
  • [REDACTED] - Board of Trustees/Executive Leadership Team
  • [REDACTED] - Executive Leadership Team
  • [REDACTED] - Executive Leadership Team
  • [REDACTED] - Board of Trustees/UK Leadership Team
  • [REDACTED] - Board of Trustees/UK Youth Team/UK Leadership Team
  • [REDACTED] - UK Leadership Team
  • [REDACTED] - Board of Trustees
  • [REDACTED] - Board of Trustees
  • [REDACTED] - Brand and Content Team
  • [REDACTED] - Resolution Team
  • [REDACTED] - Legal Team
  • [REDACTED] - Governance Team
  • [REDACTED] - Brand and Content Team/Employee Forum Team
  • [REDACTED] - UK Youth Team

Why It Matters

  • Sensitive youth data may have been mishandled, which could engage high-risk data protection considerations.
  • Trustees are legally bound to run the charity in line with UK law; in this case, I allege concerns about whether appropriate governance and oversight occurred.
  • Charity staff and trustees, in my view, responded in ways that appeared to prioritise other factors over legal duty, which may create a perception problem and is for regulators to assess.
  • In my view, the number of alleged issues affecting a single person over a short period is highly unusual.
  • If a national charity is ultimately found by regulators to have failed in charity governance and/or data protection obligations, that can harm its relationship with key partners.
  • Significant regulatory action could occur depending on regulator findings.
  • National programmes, international events, and partner trust are at stake.
  • If functions lack independence in handling (for example, Legal Services and Data Protection processes being closely aligned), this may highlight systemic issues, but that is for regulators to decide.
  • In serious cases, regulators have powers to intervene in a charity’s governance, including measures affecting trustees. If allegations are upheld, there could be consequences for national leadership.
  • In my view, these alleged issues may reflect concern at The Scout Association toward resolving serious issues.