Privacy Notice and Data Protection

Contact details:

Data Controller - The Scottish Charity Regulator 
Data Protection Officer - Mandy Downie tel: 0131 376 3605

Email: info@oscr.org.uk with 'Subject Access Request' in the subject.
OR write to OSCR, 2nd floor Quadrant House, 9 Riverside Drive, Dundee, DD1 4NY

Information Commissioner's Office Registration Number - Z9409201

1. Introduction

The Scottish Charity Regulator (OSCR) is a Non-Ministerial Department of the Scottish Government. This notice tells you what to expect when OSCR collects personal information. Any personal information collected by OSCR will be used in accordance with the Data Protection Act 2018 and our Data Protection Policy.  

We are committed to respecting your privacy and protecting your personal information in line with the requirements of the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (GDPR) (together the data protection legislation).

In this notice we help you understand what steps we take with respect to the collection, use and disclosure of personal information collected about you. 

2. What is personal data?

Personal data is any information about you from which you can be identified. The DPA 2018 provides that personal data means any information which relates to a real, living person from which that person can or could be identified. Typical identifiers can include:  a name, identification number, address or other location data, an online identifier such as email address, login or profile data, ‘cookies’ or an IP address.

Other things which could allow a person to be identified include: genetic make-up (your DNA), health, economic circumstance or social, cultural, religious or political identity.

Your personal information does not include personal data where identifiers that associate that data with you have been removed. This is called anonymous data. OSCR may use anonymised data to inform research into the charity sector in Scotland.

OSCR collects, uses and shares aggregated data such as statistical or demographic data. Aggregated data could be derived from personal data that we hold but it is not considered personal data in terms of the DPA 2018 as this information will not directly or indirectly reveal your identity.

3. Why do we need your personal data?

OSCR needs to collect the personal details of all people who are proposing to act as charity trustees.  We also need a nominated Principal Contact for the charity, to whom we can send important information relating to the running of the charity, or useful information such as news about OSCR policies or events we are running.

Charities can have up to three registered charity users on OSCR’s online system, which is used to complete annual returns, submit accounts and update charity trustee details.  We hold personal data in relation to these charity users.

Changes to charity law following the Charities (Regulation and Administration) (Scotland) Act 2023 mean that from 30 June 2025, OSCR will require charities to submit the following details for each charity trustee: name, home address, email address, telephone number, date of birth and date of appointment as a charity trustee.

The first and last name of each charity trustee will be published on the Scottish Charity Register from the end of 2025. This will enhance transparency and public trust, allowing donors, funders, and the public to see who is responsible for governing each charity. Individual trustees will be able to apply for their name not to be published. On application OSCR may grant an exemption to individuals where OSCR is satisfied that the publication of their name is likely to jeopardise the safety or security of any person or premises.

OSCR is the national registrar and regulator of all Scottish charities and is required to collect this information by law.  Without these details we would be unable to consider an application for charitable status or carry out our other regulatory tasks including making inquiries into charities. The following article of the GDPR is relevant to this requirement for your data:

Article 6(1)(e) –  Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. Do we share your information?

OSCR may share information including personal data with another public body or office-holder to enable us to carry out our regulatory functions or to enable or assist another public body or office-holder to exercise any functions. The sharing of information with other public bodies or office-holders is permitted by section 24 of the Charities and Trustee Investment (Scotland) Act 2005 (the 2005 Act).

We do not share any of your information with other organisations unless we have an agreement in place and sharing is relevant to our regulatory interests. For instance, we may share a charity’s information with HMRC for tax purposes, although personal information is not shared as a matter of course.

We also have Memoranda of Understanding in place with a number of other regulators and organisations where our interests overlap, such as the Charity Commission for England and Wales, the Big Lottery Fund and a few others.

Any information shared with these organisations is done so in compliance with data protection legislation, the Human Rights Act 1998, the 2005 Act and the Freedom of Information (Scotland) Act 2002 as appropriate.

5. Information displayed on the Scottish Charity Register

Section 3 of the 2005 Act requires OSCR to keep a public register of charities, review it from time to time, and keep it up to date. The information to be recorded and shown on the public Register is:

  • the name of the charity
  • the name of each of its charity trustees (from early 2026)
  • the principal office address or, if the charity does not have a principal office, the name and address of one of the charity trustees as a Principal contact
  • the charity's purposes
  • certain other information (including whether it is a designated religious charity or national collector).

Under section 3(4) of the 2005 Act a charity [or any of its charity trustees] can apply to ask us not to publish [their name], its principal office or, where a charity does not have a principal office, the name and address of a charity trustee on the publicly available Scottish Charity Register. We can only exclude the information from the Register if publishing this information is likely to jeopardise the safety or security of any person or premises.

If you consider that a charity address [or the name of a charity trustee] should not be displayed on the public Register, please apply to us requesting that information is excluded.  

6. Ways we collect information

We collect information in a number of ways:

  • when you visit our website (see the Cookies section below)
  • when you submit Annual returns
  • when you apply on behalf of an organisation to become a charity
  • when you apply for consent to make changes or to wind-up your charity
  • when you raise a concern about a charity
  • when you make a complaint or enquiry
  • when making inquiries about charities or investigating potential misconduct, mismanagement or misrepresentation
  • when you subscribe to the OSCR newsletter or request information from us.

Information is used by us for the following purposes:

  • to determine whether bodies are charities
  • to keep a public register of charities
  • to regulate charities in Scotland
  • to inform investigations into allegations of misconduct, mismanagement or misrepresentation
  • to develop a regime of proactive monitoring
  • to encourage and facilitate compliance and best practice within charities
  • to inform research into the charity sector in Scotland.

7. Will my data be secure?

We are required by legislation to ensure the ‘Integrity and Confidentiality’ of data.  This means that we must process personal data with suitable security to stop any unauthorised access to the data; making sure it’s safe from accidental loss or damage by ensuring we have sufficient technical safeguards and codes of conduct for our staff in place.    

We take security very seriously in OSCR:

  • all staff complete Data Protection training annually
  • we have regular cyber security checks
  • we have strong security covering our systems from all points of access  
  • where we have contracts with external suppliers, which mean they have access to our data, the responsibilities of OSCR and the suppliers in relation to the use and security of data are clearly stated in the contracts
  • all our IT equipment including individual laptops, tablets and mobile phones are encrypted to stop any unauthorised access, particularly if they are lost or stolen
  • we only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for.

8. Do I need to give consent to the use of my information?

Generally, we do not rely on consent as a legal basis for processing your personal information except where applicable law requires this – for example some marketing activities. Where you have given consent, this can be withdrawn at any time by contacting us.

We need the personal information of charity trustees as part of a legal requirement to complete the Charitable Status Application Process and OSCR’s duty to keep the Scottish Charity Register - see sections 1(6), 3 and 4 of the 2005 Act.

We will hold the personal information for charity trustees within our online account system (OSCR Online).  The information held for each charity trustee includes:

  • first and last name
  • known as name (if applicable)
  • address
  • email address
  • phone number
  • date of birth
  • date of appointment and resignation (where applicable)

We also hold the principal contact details (name, address, telephone number and email address) in OSCR Online.  Where the principal contact is a person (some bodies use business advisors, such as accountants, as their contacts), the contact will only be sent information or news items directly related to the charity’s operational or statutory obligations.

We keep details of charity users in OSCR Online. The information held is the user's name and email address.

[From early 2026, the accounts which are submitted from every Scottish charity will appear next to the charity’s entry on the public Scottish Charity Register. Each set of accounts will be visible for 5 years. These documents will be published in exactly the same format as they have been submitted by the charity. Some personal data is included in a charity’s accounts as required by the 2005 Act as amended, such as the names of charity trustees (unless an exemption has been granted by OSCR).]

From early 2026 the charity trustee first and last names will be published on the charity’s register entry on the Scottish Charity Register, unless an exemption has been granted by OSCR.

We carry out some research using information provided by charities, however personal information is not generally relevant to the research. Were any personal information to be used, research findings would be anonymised before being shared.

We create relevant and specific Privacy Notices for certain individual processes as appropriate and publish these on our website.

9. Cookies

Cookies are small text files placed on your computer to store data used by the websites that you visit. When you use our website for the first time you will be advised that we use ‘Cookies’ to track website use.  We use cookies to measure which parts of our site are used most or least, as part of our continual website improvement.  Website visitors are given the option to opt in to cookies on that first access and can amend their cookie preferences at any point by clicking on the cog in the bottom left of any page - if you do not opt in this does not stop you using the website.

See our Cookie Policy for more information on what we collect.

10. Do you send out marketing emails?

We publish and email out the OSCR newsletter to anyone who has opted in and signed up to receive this and we occasionally send other emails to those people relating to pertinent issues or upcoming events.  Those registered as principal contacts for a charity will also receive email alerts and reminders relating to the charity trustee duties such as submission of Annual accounts and any changes in processes, regulation or other useful information related to the charity.

We will never sell your information to any third party. For further guidance on these types of emails which come under Privacy and Electronic Communications Regulations (PECR) see the links at the end of this document.

11. What happens to my data when you have finished with it?

If you have provided your information in paper form, then we scan this into our electronic system before securely shredding the paper copy.  When we have scanned the information, or if we have received it electronically, we keep it until the agreed retention period for the information is reached.  We carry out regular checks to ensure that we do not keep information for longer than we need it.

12. If my information is not correct can it be fixed? 

If you find the information we hold about you is not correct, then you can tell us and ask us to correct it.  We must do this as soon as possible and in any case within a month. (Exceptionally, if the correction is complicated, there is scope for us to get an additional two months to correct it – where this is the case, we will always tell you.)

If we decide not to correct it as you ask, we will tell you why and tell you what your next steps will be if you disagree with our decision. We might add a note to explain the difference in the information and we can restrict access to the information while we investigate the accuracy of it.

13. What if I don’t want you to use or hold my information anymore?

Often called the ‘Right to be forgotten’, there are a number of reasons that you can ask for the information we hold about you to be erased.  These are:

(a) We no longer need the information,

(b) You have withdrawn consent and our legal grounds are no longer relevant,

(c) You have successfully objected under Article 21

(d) The processing was unlawful

(e) We have a legal obligation to erase it

(f) The information was processed online with parental consent.

We may not always need to comply with your request. For instance, when we still have official authority to keep the data or we are holding the information because you are bringing a legal action against us, and we need to retain it to defend the action.

When we receive a request we consider it carefully and during that time we will make your information ‘unavailable’ for use until we have made a decision. We will keep your contact details (name, address, telephone number and email address) on a Suppression List to ensure that you are not contacted by us in the future.  This file will be kept securely in our electronic records management system with limited accessibility.   

14. Getting a copy of my information - Making a Subject Access Request (SAR)

Under GDPR individuals have a Right of Access to their personal Data. If you wish to exercise this right you can do this by making a Subject Access Request (SAR).

When making a SAR it is important for you to be aware of the following:

  1. The request must be in writing to the Data Protection Officer at the address at the beginning of this guide.  A SAR can also be submitted by email to info@oscr.org.uk, text or social media and we must respond within one month of receiving your request.  
  2. Subject Access Requests will normally be free to the person asking for them. There are some circumstances when we might charge or even refuse to provide the information. These are: a) the request is something which has no basis (for instance there is no reason to believe that we hold the information) or we have responded before to the same request; b) the request involves a large amount of work to check for the data and then respond to it.
  3. Occasionally we might ask you to reduce the amount of searching or data we need to look at to fit your needs.  If we refuse to provide the data we need to be able to explain to you why we refused.
  4. You do not need to tell us why you are making the request, but it may be helpful for you to do so.

Before considering your request, we will ask you to confirm your identity, by providing some kind of proof, such as a copy of your passport or photo driving licence and some official letter with your address on it. If you are making a request, you may want to submit this information along with your request, to save time later.

Anyone, including children, can make a Subject Access Request under GDPR, as long as it is considered that they have capacity to make the request. We will make an informed view on any SARs submitted by children, considering each request on a case by case basis. Although there is no rule on this, a young person aged 12 or more is usually deemed to have capacity under Scots Law.

5. Someone else such as a solicitor may submit a SAR on your behalf, but we will only respond to a third party request once we are satisfied that the third party has authority to act on your behalf. This is likely to involve the third party or you being contacted by us, and asked to provide evidence of written authority for them to act for you. Since SARs relate to personal data, a vital part of the response process for OSCR is satisfying itself that the request is legitimate; not to do so could result in the release of personal information inappropriately, which would be in breach of the regulation and could involve OSCR being fined.

6. It might well be that some of your personal data is held in a record which includes personal data relating to other people. Where this is the case, the personal data relating to other people will not normally be given to you and any copies of documents you receive from us in our response may contain areas where the names of other people have been blanked out. Alternatively, we may extract your personal data to create a summary document we can send to you.

There are some situations when personal data about others may be included, but in general terms where third party information is involved its release will be considered on a case by case basis.

7. If your SAR is submitted electronically e.g. by email, then the response issued to you will also be sent electronically.

8. A single copy of any information held will be supplied. We may charge you for any further copies requested.

15. General information about SARs

You have the right to know if your personal data is being processed or used and our reasons for processing it. You will find what we use your information for in the sections ‘Why do we need your personal data?’ and ‘What do we do with the information?’ above.

OSCR does not make automated decisions about you or use personal information as part of profiling activity. If we did, we would tell you about it and our reasons for doing so.

In most cases we will give you the information you ask for, or if we do withhold it we will explain why.

As the regulator of Scottish charities, OSCR can get reports of alleged criminality and other information which may lead to the apprehension or prosecution of offenders. Any information we hold which is in these categories is covered by exemptions, meaning that if we do hold it the way we deal with it is different and we do not have to disclose it, or even tell you that we have it, in response to a request.

16. Can I get a digital copy of my information? 

We will always try to provide the information electronically unless you have asked for it in another format, such as paper. This does not include the right to data portability automatically, as not all data held will be included in that right; we may simply hold copies of paper forms and other letters or emails which cannot be converted into the portable formats talked about in the next section.

17. What is data portability?

This means that we must be able to give you the personal data you request in a way which can be automatically read by a machine or computer. These formats must be freely available to everyone.  Data Portability only applies:

  1. to personal data an individual has provided to a controller
  2. where the processing is based on the individual’s consent or for the performance of a contract; and
  3. when processing is carried out by automated means.

If we do not hold your information in that format then this rule does not apply to us – meaning that if we only receive paper forms with your information on and do not do anything else with the information then we would not have to convert it later just for you.

18. What happens if you lose my information?

All organisations which process data are required to report any losses or incidents to the relevant authority; in the case of the UK this is the Information Commissioner. If you need more information about what they do, their website is at https://ico.org.uk/. The report must be made within 72 hours of us finding out about the loss or incident.  Depending on the circumstances of the incident a Civil Monetary Penalty (fine) could be given to the organisation responsible for the incident.

19. Can I complain to the ICO if I think you are using my information illegally?

Yes, you can complain to the Information Commissioner about us if you believe that we are not using the information we hold about you properly or have breached your rights.  You can find information about that at their website https://ico.org.uk/concerns.

20. Will I get Compensation if my data is lost or misused?

The Data Protection Act 2018 allows a person to seek compensation if they “suffer financial loss, distress and other adverse effects”. Generally, this would be more likely to happen if we had committed an offence under the 2018 Act  or had been reckless in our approach to data security. 

21. Privacy Notices

The Online Charitable Status Application Privacy notice can be found here.

The OSCR Online Privacy Notice can be found here.

Useful Links

Data Protection Act 2018 – http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted 

The General Data Protection Regulation -  http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

Definitions used in the regulations - https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/ 

 The Information Commissioner’s website - https://ico.org.uk/

ICO Guide to Personal Rights under GDPR - individual rights

ICO Guide to PECR https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/ 

Scottish Charity law - Charities and Trustee Investment (Scotland) Act 2005 - http://www.legislation.gov.uk/asp/2005/10/contents  

Other websites

This website contains links to other sites. OSCR cannot be held responsible for the contents of any pages referenced by an external link. Please be aware that OSCR is not responsible for the privacy practices or use of cookies on other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every website that collects personal information.

This privacy policy applies solely to information collected by OSCR.

Changes to this policy

Our policy was last updated on 20 June 2025.
