Privacy & Cookies Notice
Bield Housing & Care (“Bield”, “we”, “us” or “our”) are fully committed to the safeguarding of your privacy. We take the issue of data protection seriously and strictly adhere to the guidelines published in the General Data Protection Regulation (EU) 2016/679 (GDPR) and Data Protection Act 2018 (DPA 2018).
This privacy notice explains how we will manage your personal information when you make contact with us or use one of our services. The webpage has a layered format so you can easily navigate to the information specific to you by clicking on the headers below.
Bield Housing & Care (Scottish Charity Number SC006878) is a registered society under the Co-operative and Community Benefit Societies Act 2014 with Registered Number 1692R (S) and having their registered office at: 79 Hopetoun Street, Edinburgh, EH7 4QF.
Bield Housing & Care will be the ‘Data Controller’ for all personal information we obtain about you, unless otherwise specified. The data controller is accountable for your personal data and determines what personal information is collected and how it will be used. We are registered with the Information Commissioner’s Office under registration number Z5643453.
We have an appointed Data Protection Officer who is responsible for overseeing data protection within Bield.
Data Protection Officer: | John Malone |
Address: | 79 Hopetoun Street, Edinburgh, EH7 4QF |
Email: | dataprotection@bield.co.uk |
Telephone: | 0131 273 4000 |
During the course of our activities, it will be necessary for us to process your personal information in a lawful, fair and transparent manner. When you apply for housing and services, we will be the data controller of your personal information and will determine how your data is collected and used.
When do we collect your personal information?
We collect personal information from you when you:
- apply for housing with us, become a tenant, request services (e.g. care services, repairs) or enter into a factoring agreement with us;
- become a member;
- use our online services to apply for housing, to report tenancy/factor related issues or to make a complaint;
- make a payment to us.
Depending on the services you apply for, we may collect the following personal information about you:
- Your name
- Your contact details e.g. phone numbers, postal address and email address
- Gender
- Ethnicity
- Date of birth
- Nationality
- National Insurance numbers
- Next of kin, emergency contacts and power of attorney
- Disability details
- Health, wellbeing and support details
- Housing benefit reference number
- Identifiable imagery e.g. CCTV
- Language
We may receive the following personal information about you from third parties:
- Benefits information, housing benefit awards and universal credit.
- Payments made by you to us.
- Complaints or other communications regarding behaviour or other alleged breaches of the terms of your contract with us, including information obtained from Police Scotland.
- Reports about your conduct or condition of your tenancy, including references from previous tenancies and complaints of anti-social behaviour.
- If you require a medical adaption (e.g. access ramps, hand rails, hoists), we may receive personal details of the person requiring the adaptation, confirmation of eligibility and reasons for adaption.
- Other agencies working with you to whom you have given consent.
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table below lists the lawful basis we use when you apply for housing and the relevant processing activity.
Lawful basis/ processing condition | Meaning | Our processing activity |
Consent | The individual has given clear consent for us to process their personal data for a specific purpose. When we use this lawful basis, you have the right to withdraw your consent at any time and request us to stop processing your personal information. | |
Contract | Processing is necessary for the performance of a contract with the data subject, or to take specific steps before entering into a contract. | |
Legal Obligations | Processing is necessary for you to comply with the law (not including contractual obligations). | |
Legitimate Interests | Processing is necessary for our legitimate interests. This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. | |
How long we will keep your personal information
If your application for housing is unsuccessful or cancelled, we will retain your personal information for 1 month. If your application is successful and we enter into a contract or agreement with you, your personal information will become part of the tenancy record. We retain all tenancy records for the life of tenancy/contract plus 6 years, unless otherwise specified by law.
Security and Storage
We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.
Your information will only be stored within the UK and EEA.
When you become a Bield Response 24 Monitoring Service (BR24) customer, we will collect and process your personal information so we can provide you with the services you have requested. We will be the data controller for the processing of your personal information and determine what personal information is collected and how it will be used.
BR24 may be contracted by local authorities, other housing associations and private landlords (data controllers) to provide you with monitoring services on their behalf. In these circumstances, we will be data processor for the processing of your personal data. The data processor will only process your personal information as instructed by the data controller.
What personal information do we collect?
When you become a BR24 customer, we may collect the following information about you:
- Your name
- Your contact details e.g. phone numbers, postal address and email addresses
- Date of birth
- Spouse details
- GP details
- Next of kin, emergency contacts and power of attorney
- Disability details
- Medical history
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table below lists the lawful basis we use when you become a BR24 customer and the relevant processing activity.
Lawful basis/ processing condition | Meaning | Our processing activity |
Contract | Processing is necessary for the performance of a contract with the data subject, or to take specific steps before entering into a contract. | |
Legitimate Interests | Processing is necessary for our legitimate interests. This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. | |
We may share your information with
Depending on the nature of the emergency, we may share your personal information with the emergency services (e.g. fire, police, ambulance), contractors, utility companies, and external agencies such as local authority social work departments. If we need to contact your emergency contact, key holder, power of attorney or next of kin we may disclose your personal information to this person.
How long we will keep your personal information
BR24 retain all client records for the life of the service agreement, and these records will be deleted once the service agreement expires. We retain all voice recordings for 1 year for quality, training and audit purposes.
Security and Storage
We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.
Your information will only be stored within the UK and EEA.
Our selling agents, Rettie & Co and Thorntons Law LLP, are responsible for the marketing and sales of our properties at The Walled Gardens. When you submit an enquiry through our website, we may share your details with either selling agent who will contact you on our behalf to discuss your enquiry. If you contact our selling agents directly, they may share your personal information with us. Rettie & Co manage the Marketing & Sales Suite at our St Andrews development, and they may share any personal information they collect about you during your visit with us.
When you enquire about a property at The Walled Gardens, we or our selling agents may collect the following information about you:
- Your name
- Your contact details e.g. phone number, postal address, email address
We will be the data controller of any personal information we collect directly from you or from our selling agents when you make an enquiry about our properties. The data controller determines what personal information is collected and how it will be used. Please note - our selling agents may also be data controllers for your personal information; please read their Privacy Notices when using their services.
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table below lists the lawful basis we use when you enquire about property at The Walled Gardens and the relevant processing activity.
Lawful basis/ processing condition | Meaning | Our processing activity |
Contract | Processing is necessary for the performance of a contract with the data subject, or to take specific steps before entering into a contract. | |
Legitimate Interests | The processing is necessary for our legitimate interests. This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. | |
How long we will keep your personal information:
When you make an enquiry about our properties, we will retain your personal information for 2 years after which it will be destroyed. All records related to house purchases will be retained for 12 years after settlement of issues.
Security and Storage
We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.
Your information will only be stored within the UK and EEA.
When you make a payment to us either online or by telephone, you will be redirected to our payment providers who will process the payment on our behalf. We will not collect any additional information from you when you make a payment. Once payment has been received, our payment providers will notify us of your name, amount and account number and we will update your account accordingly.
We will be the data controller of any personal information we receive from our payment providers about your payments. The data controller determines what personal information is collected and how it will be used. Please note - our payment providers will also be data controllers of your personal information when you use their services to make a payment; please read their Privacy Notices when using their services.
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you make a payment to us.
Lawful basis/processing condition | Meaning | Our processing activity |
Contract | Processing is necessary for the performance of a contract with the data subject, or to take specific steps before entering into a contract. | It is necessary for us to collect and process your personal information, in order to update your account with your payment details. |
How long we will keep your personal information
We retain all tenancy records for the life of tenancy/contract plus 6 years, unless otherwise specified by law.
Security and Storage
We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.
Your information will only be stored within the UK and EEA.
Anyone can make a complaint - either in person, by telephone, by e-mail or in writing. Once received, all complaints are recorded and managed through our complaints handling system. When you make a complaint, we may collect the following information about you:
- Your name
- Your contact details e.g. phone number, postal address, email address
When you make a complaint, we will be the data controller for the processing of your personal information.
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you make a complaint.
Lawful basis/ processing condition | Meaning | Our processing activity |
Legitimate Interests | Processing is necessary for our legitimate interests. This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. | |
Who we may share your information with:
In the event you are not happy with the outcome of our complaint or you have contacted one of the third parties listed below about a complaint, we may be required to share your personal information with:
- The Scottish Public Services Ombudsman
- The First-tier Tribunal for Scotland (Housing and Property Chamber)
- Care Inspectorate
- Local authorities
We will occasionally conduct an internal audit of our complaint handling process, and our auditors may contact you to ask for your views of your complaints handling experience.
How long we will keep your personal information
We will retain all records related to your complaints for 5 years after the complaint has been resolved, after which your personal information will be deleted.
Storage and Security
Our complaints handling system is hosted by a third party supplier and any personal information entered into the system will be stored on their servers. We have a data protection contract in place with the provider of our complaints handling system, to ensure they will only process your personal information in accordance with our instructions and will not share your information with any other organisation. Furthermore, they will store your information securely within the UK and EEA, and only retain the data for a period instructed by us.
When you apply for employment or casual work with us, we will collect and use your personal information in order to assess your suitability to work for us. As part of the recruitment process we may collect and process the following personal information:
- Your name
- Your contact details e.g. phone numbers, postal address and e-mail address.
- Details of your qualifications, skills, experience and employment history.
- Information about your current level of remuneration including benefit entitlements.
- Whether or not you have a disability that we need to make reasonable adjustments for during the recruitment process.
- Information about your entitlement to work in the UK and information about criminal convictions and offences.
- Information about your registration or membership of professional or regulatory bodies.
- Details of any disciplinary or performance related warnings in your previous employment.
- Equal opportunities monitoring information, including information about your gender, age, ethnic origin, sexual orientation, health and religion or belief.
When you give us your information we take steps to make sure that your personal information is kept secure and safe.
We will be the data controller for the processing of your personal information when you apply for employment with us, unless otherwise specified. The data controller determines what personal information is collected and how it will be used.
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table below lists the lawful basis we use when you apply for employment with us and the relevant processing activity.
Lawful basis/ processing condition | Meaning | Our processing activity |
Consent | The individual has given clear consent for you to process their personal data for a specific purpose. When we use this lawful basis, you have the right to withdraw your consent at any time or request we stop processing your personal information. | |
Legitimate Interests | Processing is necessary for our legitimate interests. This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. | |
Who we may share your information with
We will not disclose or share personal information about you with third parties, unless your application is successful and we make an offer of employment.
If you are successful in your application, we will share your personal information for the purposes set out in this notice, or for purposes approved by you, including the following:
- To obtain pre-employment references from former employers, character references and necessary Disclosure or Protection of Vulnerable Group checks from Disclosure Scotland.
- If we have offered you a role which requires you to work overnight then we would also provide your personal information to our occupational health partners to enable a Night Worker Health Assessment to be undertaken, which is a legal requirement.
How long we will keep your personal information
We review our retention periods regularly and will only hold your personal information for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of personal information), or as set out in any relevant contract we have with you.
If your application for employment or casual work is unsuccessful we will hold your personal information on file for 12 months after the end of the relevant recruitment process. At the end of that period, or once you withdraw your consent, your personal information is deleted or destroyed.
If your application is successful, personal information gathered during the recruitment process will be transferred to your personnel record and retained during your employment. You will be provided with a fair processing notice for employees and casual workers at this time.
What if you do not provide personal information?
You are under no statutory or contractual obligation to provide personal information during the recruitment process. However, if you do not provide the personal information, we may be unable to process your application properly or at all.
You are under no obligation to provide personal information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.
Security and Storage
We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.
Your information will only be stored within the UK and EEA.
When you apply to volunteer for us, we will collect and use your personal information in order to assess your suitability to volunteer for us. The type of personal information we collect during the recruitment process includes:
- Your name
- Your contact details e.g. postal address, phone numbers and email address.
- Whether or not you have a disability that we need to make reasonable adjustments for during the recruitment process.
- Information about criminal convictions and offences.
- Equal opportunities monitoring information: gender, age, ethnic origin, sexual orientation, health and religion or belief.
Bield will be the ‘Data Controller’ for the processing of your personal information when you apply to volunteer with us, unless otherwise specified. The data controller determines what personal information is collected and how it will be used.
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you apply to volunteer with us.
Lawful basis/ processing condition | Meaning | Our processing activity |
Consent | The individual has given clear consent for you to process their personal data for a specific purpose. When we use this lawful basis, you have the right to withdraw your consent at any time and request us to stop processing your personal information. | 9(2)(a) - Explicit consent of data subject. You have the right to withdraw your consent for the processing of your disability information at any time. 9(2)(b) processing is necessary for carrying out obligations under employment, social security or social protection law or a collective agreement. 9(2)(a) - Explicit consent of data subject. You have the right to withdraw your consent for the processing of your equality information at any time. |
Who we may share your information with
We will not disclose or share personal information about you with third parties, unless your application is successful and we make an offer of volunteering. If you are successful, we will share your personal information for the purposes set out in this privacy notice, or for purposes approved by you, including:
- Obtain pre-volunteering character references
- Any necessary Protection of Vulnerable Groups checks from Disclosure Scotland and Volunteer Scotland Disclosure Services.
How long we will keep your personal information
If your application is successful, personal data gathered during the recruitment process will be transferred to your volunteer record and retained during your volunteering. You will be provided with a 'Fair Processing Notice for Registered Volunteers' at this time.
If your application for volunteering is unsuccessful or you decide to withdraw from the recruitment process, we will hold your personal information on file for 12 months after the end of the relevant recruitment process. At the end of that period, or once you withdraw your consent, your personal information is deleted or destroyed.
We review our retention periods regularly and will only hold your personal information for as long as is necessary for the relevant activity.
What if you do not provide personal information?
You are under no statutory or contractual obligation to provide personal information during the recruitment process. However, if you do not provide the personal information, we may be unable to process your application properly or at all.
You are under no obligation to provide personal information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.
Security and Storage
We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.
Your information will only be stored within the UK and EEA.
We operate CCTV surveillance systems across a large number of our properties for 24 hours a day, all year round. We operate two types of CCTV surveillance systems - image only CCTV from fixed location cameras and live capture for emergency lift calls and main door entry systems. In all locations, signs are displayed notifying individuals when CCTV is in operation.
CCTV systems are installed and operated by us for the following purposes:
Lawful basis/ processing condition | Meaning | Purpose |
Legitimate Interests | Processing is necessary for our legitimate interests. This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. | |
When operating CCTV systems we will:
- Comply with the GDPR and DPA 2018 and other relevant obligations such as the implications of the European Convention on Human Rights, Article 8 (the right to respect for private and family life, home and correspondence).
- Ensure appropriate installation and operation of CCTV systems.
- Ensure information captured is usable and meets the purposes of the installation.
- Ensure individuals who may be captured in images are reassured that their privacy is being respected and their information handled appropriately.
For the purposes of the GDPR and DPA 2018, Bield is the data controller and legally responsible for the management and maintenance of any CCTV systems operating in our properties. We handle all recorded images in accordance with our Data Protection Policy, CCTV Procedure and CCTV code of practice.
Disclosing CCTV Images
If we are requested by Police Scotland to provide access to CCTV images in the event of an incident or crime being committed, they will be given access by viewing the data at the development office, BR24 Alarm Receiving Centre or by issuing a copy of the CCTV images.
Before disclosing CCTV images to the police, we have to be satisfied that disclosure is necessary for one or more of the following purposes:
- the prevention or detection of crime;
- the apprehension or prosecution of offenders; and
- withholding the personal data would be likely to prejudice the purpose cited.
All other requests for the release of CCTV images by a third party will need to be received in writing. Each request will be dealt with individually and CCTV images will only be released with the appropriate authorisation within Bield and/or from our Data Protection Officer. If there are any concerns about a request, we have the right to refuse the request unless there is an overriding legal obligation e.g. a court order or a subject access request.
Security and Storage
All CCTV equipment will be located in secure and restricted offices with any CCTV monitors switched off. Access is strictly limited to relevant employees and CCTV Contractors.
Retention
CCTV images will be retained only for as long as necessary to fulfil the required purpose for recording information and in accordance with our Retention Schedule.
This privacy notice details how we manage your personal information when you visit the following Bield websites:
What personal information we may collect
Please refer to the relevant sections of this Privacy Notice to find out what personal information we may collect about you when you use our websites for the following:
- enquiring about renting or purchasing a property
- enquiring about day and evening services
- applying for employment or volunteering roles
- making a complaint
- making a payment
- making a donation.
We may also collect the following personal information about you when you browse and use our webpages, or when you submit a general enquiry using the ‘Contact Us’ button.
- Your name
- Your contact details e.g. postal address, phone numbers and email address
- IP address
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you use our websites.
Lawful basis/ processing condition | Meaning | Our processing activity |
Legitimate Interests | Processing is necessary for our legitimate interests. This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. | |
Third party suppliers
We use a third party supplier for the design, storage and functionality of our websites. When you use our website, we are the ‘Data Controller’ for the processing of your personal information and the website provider is the ‘Data Processor’. The data controller determines what personal information is collected and how it will be used; and the data processor processes the personal information as instructed by the data controller.
Security, Storage and Retention
Our website provider manages the design, storage and functionality of our websites. Any personal information submitted or captured during the use of our websites will be stored on their servers.
We have contracts in place with our website provider to ensure they only process your personal information in accordance with our instruction and will not share your information with any other organisation. They will only store your information securely within the UK and EEA, and only for a period instructed by us.
1. About Cookies
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently (e.g. remembering your preferences) and for providing website usage information (e.g. counting the number of people browsing a website or webpage).
Our use of cookies is in compliance with The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the General Data Protection Regulation.
2. What Cookies we use and how you can manage them
Cookie | Name | What they are used for | How they can be managed |
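Google Analytics | _gid | | |
Google Analytics | 1P_JAR | | |
Google Analytics | CONSENT | | |
Google Analytics | HSID | | |
Google Analytics | NID | | |
Google Analytics | SIDCC | | |
Google Analytics | APISID | | |
Google Analytics | SSID | | |
Google Analytics | SID | | |
YouTube | LOGIN_INFO | | |
YouTube | SSID | | |
YouTube | DSID IDE | | |
ShareThis | _stid | | |
Drupal | has_js | | |
Drupal | DrupalModuleFilter hide_swipe_message | | |
Drupal | Drupal.tableDrag.showWeight | | |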
3. Do we need to get your permission to download Cookies?
Yes - if the cookie captures personal information (such as IP addresses) or monitors users' behaviour, we need to obtain your consent to store a cookie on your device.
4. How to find out more about Cookies?
A number of websites provide detailed information on cookies including www.alllaboutcookies.org and www.AboutCookies.org.
More information about cookies can be found on the ICO website: https://ico.org.uk/your-data-matters/online/cookies/
Under data protection law, you have rights we need to make you aware of. These rights enable you to have more control over how we process and manage your personal information. The rights available to you will depend on our reason for processing your personal information. To find out more about your data protection rights, visit the ICO website: https://ico.org.uk/your-data-matters/
Your Data Protection Rights | |
Right to be informed | |
Right of access | |
Right to rectification | |
Right to erasure | |
Right to restrict processing | |
Right to data portability | |
Right to object | |
Your rights in relation to automated decision making and profiling | |
The GDPR entitles all individuals the right to find out what personal information we hold on them and request a copy of that information. Individuals can exercise this right by submitting a Subject Access Request (SAR).
When you submit a SAR, we will ask you to complete a subject access request form to ensure we have all the necessary information to conduct the search and be able to respond to your request in a more timely and efficient manner. We will make reasonable adjustments for anyone with a disability that makes it difficult for them to complete the SAR form.
We will require proof of identification from you to help us confirm your identity or proof of authority if applicable, to ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Once we have received a completed SAR form together with a copy of proof of identity or proof of authority, we will respond to the individual within one calendar month. The timeline for a SAR response will not commence until we have received all the necessary information and confirmed proof of identity.
If we find any personal information about you, we will provide you with either an electronic or hard copy of the personal data, unless any exemption to the provision of that data is applied by law. If the personal data includes data relating to any other persons then reasonable steps will be taken to protect this data. Furthermore, if we do not hold personal data sought by the individual then we will advise them as soon as possible and within one calendar month.
We can legally extend the period of compliance by a further two calendar months where requests are considerable and complex. If this is the case, we will inform the individual within one calendar month and explain why the extension is necessary.
If we find the request to be manifestly unfounded or excessive, particularly if it is repetitive, we can charge a ‘reasonable fee’ or refuse the request. If this is the case, we will inform the individual in writing, within one calendar month, and explain our decision.
More information about how to submit a subject access request can be found on the ICO website: https://ico.org.uk/your-data-matters/your-right-of-access/
If you would like to submit a subject access request, please contact dataprotection@bield.co.uk or 0131 273 4000.
Under the legislation detailed below, you can request access to information we hold.
- General Data Protection Regulation (EU) 2016/679
- Environmental Information (Scotland) Regulations 2004
- Freedom of Information (Scotland) Act 2002
Please note – We are currently not listed as a public body under the Freedom of Information (Scotland) Act 2002 although we will consider reasonable requests for access to information under our Openness & Confidentiality Policy.
When you send us a request for information, it will be necessary for us to use your personal information so we can review and process your request. We will collect the following personal information:
- Your name
- Your contact details e.g. postal address, phone numbers and email address.
- Details of anyone authorised to act on your behalf.
- Identifiable imagery e.g. photographs for CCTV requests
- Proof of ID
Bield will be the ‘Data Controller’ for any personal information we collect and process when you submit an information request.
Why we need to collect your personal information
It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you submit an access to information request to us.
Lawful basis/ processing condition | Meaning | Our processing activity |
Legal Obligation | Processing is necessary for you to comply with the law (not including contractual obligations). | Processing your personal information is necessary for compliance with our legal obligations under General Data Protection Regulation (EU) 2016/679 and Environmental Information (Scotland) Regulations 2004. |
Legitimate Interests | Processing is necessary for our legitimate interests. This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. | We are currently not listed as a public body under the Freedom of Information (Scotland) Act 2002 although we will consider reasonable requests under our Openness & Confidentiality Policy. If you make a request under FOISA then it will be necessary for us to process your personal information so we can respond to your request. |
Who we may share your information with
If you make a complaint or appeal against our decisions, we may be required to share your personal details with the Information Commissioner’s Office or the Scottish Information Commissioner.
How long we will keep your personal information
When you submit a request for information, we will transfer your request and any submitted personal information into a case file. We will retain the case file for the periods listed below:
- SAR, EIR & FOI(S)A case records: 3 years from close of request
- SAR, EIR & FOI(S)A case records not actioned: 3 years from last correspondence
- Appeals to ICO or SIC: 5 years from close of investigation
- Proof of ID: Destroyed immediately after confirmation of identity
Security and Storage
We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.
Your information will only be stored within the UK and EEA.
If you are unhappy with how we handle your personal information, you have the right to complain to the Information Commissioner’s Office. Their details are:
The Information Commissioner’s Office – Scotland
45 Melville Street,
Edinburgh
EH3 7HL
Telephone: 0303 123 1115
Email: Scotland@ico.org.uk
Our privacy notice is regularly updated. This version was last updated on 28/10/19.