The 2018 Data Protection Legislation
r - The Scottish Charity Regulator Data Protection Officer
- David Adamson tel: 01382 220446
with 'Subject Access Request' in the subject.
OR write to OSCR, 2nd floor Quadrant House, 9 Riverside Drive, Dundee, DD1 4NYInformation Commissioner's Office Registration Number
We are committed to protecting your privacy in line with the requirements of the Data Protection Act 2018 (DPA 2018) which came into force on 25 May 2018 following on from the General Data Protection Regulation (GDPR) and bringing it into UK law. The DPA 2018 updates and supersedes in most cases the Data Protection Act 1998. The new Act sets out how we can process and handle our customers' information (or personal data).
In this guide we aim to help you understand what steps we take to protect your privacy and your personal data. In particular, we will:
I. Tell you what personal data we collect about you; why we need it and what we do with it
II. Help you understand what your personal data rights are, and how you can use them
III. Tell you what to do if you are unhappy with how we use and protect your personal data.
In order that our customers and partners are able to understand the changes the current Data Protection Legislation, we at the Scottish Charity Regulator (OSCR, we, our or us) are publishing this guide based on our use of data and what your rights are under the new legislation.
Your rights under the Data Protection Act 2018
Under DPA 2018 there are 8 specific rights which an individual can expect in respect of their personal data:
1. The right to be informed
2. The right of Access
3. The right to rectification
4. The right to erasure (the right to be forgotten)
5. The right to restriction of processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making, including profiling.
These Rights are at the core of the DPA 2018 and GDPR, and we will explain in this policy how they apply to the personal data OSCR collects and holds.
2. What is personal data?
For the purposes of DPA 2018, this is any information which relates to a real, living person from which that person (or data subject) can or could be identified. Typical identifiers include: a name, identification number, address or other location data, an online identifier such as email address, ‘cookies’ or an IP address (the unique identifying code used by a specific computer or other device to access the internet).
Other things which could allow a person to be identified include: genetic make-up (your DNA), health, economic circumstance or social, cultural, religious or political identity.
3. Why do we need your personal data?
As a part of our application process, OSCR needs to collect the personal details of all people who are proposing to act as charity trustees. We also need a nominated Principal Contact for the charity, to whom we can send important information relating to the running of the charity, or useful information such as news about OSCR policies or events we are running.
We are the national registrar and regulator of all Scottish charities and are required to collect this information by law. Without these details we would be unable to consider an application. We also carry out our other regulatory tasks including making inquiries into charities that may require us to obtain the personal details of persons involved in those charities (see also section 7 for other ways we collect information).
We use this information to ensure that people applying to be in charge of charities are fit and proper and are not disqualified from serving on a board of trustees or directors.
The following articles of the GDPR are relevant to this requirement for your data:
Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. What we do with your information?
When we receive your application, we check the personal information against a number of sources such as Companies House, the Accountant in Bankruptcy, The Charity Commission of England and Wales register of disqualified trustees and the same for the Charity Commission of Northern Ireland. We then store the information securely within our electronic management records system (as an application file).
If your application is successful we will close and destroy the application file after 3 years. This also happens to unsuccessful or withdrawn applications. If we believe a new charity needs a monitoring period we may not close the file until we are sure we no longer need it, although this is an unusual step for us.
We need charities to keep their nominated Principal Contact information up to date to allow us to accurately maintain the Scottish Charity Register (see section 6) and also to allow us to contact the charity as and when required.
During the course of an application for charitable status or during an inquiry we may also check social media, such as Facebook or Twitter. Any personal information will only be used for that purpose such as confirming charitable activity is taking place and deleted in line with our retention policy.
5. Do we share your information?
We do not share any of your information with other organisations unless we have an agreement in place relevant to our regulatory interests. For instance, we share the Charity’s information with HMRC for tax purposes, although personal information is not shared as a matter of course.
We also have Memoranda of Understanding in place with a number of other regulators and organisations where our interests overlap, such as the Charity Commission for England and Wales, the Big Lottery Fund and a few others.
Any information shared with these organisations is shared in a manner that is efficient, proportionate and fully in compliance with the Human Rights Act 1998, the Data Protection Acts 1998 and 2018, the GDPR and the Freedom of Information (Scotland) Act 2002.
6. Information displayed on the Scottish Charity Register
Section 3 of the Charities and Trustee Investment (Scotland) Act 2005 (the 2005 Act) requires OSCR to keep a public register of charities, review it from time to time, and keep it up to date. The information to be recorded is:
- the name of the charity
- the principal office address or, if the charity does not have a principal office, the name and address of one of the charity trustees as a Principal contact
- the charity's purposes
- certain other information (including whether it is a designated religious charity or national collector).
* If a charity trustee's name and address are given, the name and address will be shown on the public Register (available at www.oscr.org.uk).
7. Ways we collect information
Under section 3(4) of the 2005 Act an organisation has the right to ask us not to publish its principal office or trustee's name and address on the publicly available Scottish Charity Register. We can only exclude the details from the Register if we believe that publishing this information is likely to jeopardise the safety or security of any person or premises.
If you consider that the address should not be displayed on the Register, please write to us and explain why.
We collect information in a number of ways:
- when you visit our website (see the Cookies section below)
- when you submit Annual returns
- when you apply to become a charity
- when you make changes to your charity
- when you make a complaint or enquiry
- when investigating potential misconduct, mismanagement or misrepresentation
- when you subscribe to our newsletter or request information from us.
Information is used by us for the following purposes:
8. Will my data be secure?
- to regulate charities in Scotland
- to inform investigations into allegations of misconduct, mismanagement or misrepresentation
- to develop a regime of proactive monitoring
- to encourage and facilitate compliance and best practice within charities
- to inform research into the charity sector in Scotland.
We are required by legislation to ensure the ‘Integrity and Confidentiality’ of data. This means that we must process personal data with suitable security to stop any unauthorised access to the data; making sure it’s safe from accidental loss or damage by ensuring we have sufficient technical safeguards and codes of conduct for our staff in place.
We take security very seriously in OSCR.
- All staff take annual Data Protection training;
- we have regular cyber security checks and
- we have strong security covering our systems from all points of access.
- where we have contracts with external suppliers, which mean they have access to our data, the responsibilities of OSCR and the suppliers in relation to the use and security of data are clearly stated in the contracts.
- All our work Laptops, tablets and mobile phones are encrypted to stop any unauthorised access, particularly if they are lost or stolen.
9. Do I need to give consent to the use of my information?
We need the personal information of proposed Trustees for our checks as part of a legal requirement to complete the Charitable Status Application Process – see s.1 (6) of the 2005 Act, which gives OSCR the power to do certain things to carry out its’ functions. For Trustee information this relates to s.69 - Disqualification from being a Charity Trustee (for this Charity Trustees are the people in overall control and management of a charity). Since official authority for data collection is given in the act, no consent is needed from the applicants. When we have completed our checks we normally only keep the information until the retention period for the Status Application File is complete, at which point it is securely destroyed.
We keep the principal contact details (name, address, telephone number and email address) in our online account system (OSCR Online) – no other personal information is stored here. Where the principal contact is a person, (some bodies use business advisors, such as Accountants as their contacts), the contact will only be sent information or news items directly related to the charity’s operational or statutory obligations.
Charities Annual Returns also list office bearers of the relevant charity (names, no other personal detail), these are stored in our electronic records management system. Annual Report we publish are redacted, unless another regulator is the responsible authority for example Companies House and a website link, over which we have no control, is supplied.
We carry out some research using information provided by charities, however personal information is not generally relevant to the research. Were any personal information to be used, research findings would be anonymised before being shared.
We will create relevant and specific Privacy Notices on appropriate pages of our website and in our Online Status Application, so that you will be able to understand what we are doing with your data at all times.
11. Do you send out marketing emails?
We publish and email out a newsletter to anyone who has opted in and signed up to receive this and we occasionally send other emails to those people relating to pertinent issues or upcoming events. Those registered as principal contacts for a charity will also receive email alerts and reminders relating to the charity trustees duties such as submission of Annual accounts and any changes in processes, regulation or other useful information related to the charity.
We will never sell your information to any third party. For further guidance on these types of emails which come under Privacy and Electronic Communications Regulations (PECR) see the links at the end of this document.
12. What happens to my data when you have finished with it?
If you have provided your information in paper form then we scan this in to our electronic system before securely shredding the paper copy. When we have scanned the information, or if we have received it electronically we keep it until the agreed retention period for the information is reached. We carry out regular checks to ensure that we do not keep information for longer than we need it.
13. If my information is not correct can it be fixed?
If you find the information we hold about you is not correct then you can tell us and ask us to correct it. We must do this as soon as possible and in any case within a month. (Exceptionally, if the correction is complicated, there is scope for us to get an additional two months to correct it – where this is the case, we will always tell you.)
If we decide not to correct it as you ask, we will tell you why and also tell you what your next steps will be if you disagree with our decision. We might add a note to explain the difference in the information and we can restrict access to the information while we investigate the accuracy of it.
14. What if I don’t want you to use or hold my information anymore?
Often called the ‘Right to be forgotten’ there are a number of reasons that you can ask for the information we hold about you to be erased. These are
(a) We no longer need the information,
(b) You have withdrawn consent and our legal grounds are no longer relevant,
(c) You have successfully objected under Article 21
(d) The processing was unlawful
(e) We have a legal obligation to erase it
(f) The information was processed online with parental consent.
We may not always need to comply with your request. For instance, when we still have official authority to keep the data or we are holding the information because you are bringing a legal action against us, and we need to retain it to defend the action.
When we receive a request we consider it carefully and during that time we will make your information ‘unavailable’ for use until we have made a decision. We will keep your contact details (name, address, telephone number and email address) on a Suppression List to ensure that you are not contacted by us in the future. This file will be kept securely in our electronic records management system with limited accessibility.
15. Getting a copy of my information - Making a Subject Access Request (SAR)
Under GDPR individuals have a Right of Access to their personal Data. If you wish to exercise this right you can do this by making a Subject Access Request (SAR).
When making a SAR it is important for you to be aware of the following:
- The request must be in writing to the Data Protection Officer at the address at the beginning of this guide. A SAR can also be submitted by email to email@example.com, text or social media and we must respond within one month of receiving your request.
- Subject Access Requests will normally be free to the person asking for them. There are some circumstances when we might charge or even refuse to provide the information these are: a) the request is something which has no basis (for instance there is no reason to believe that we hold the information) or we have responded before to the same request. b) The request involves a large amount of work to check for the data and then respond to it.
- Occasionally we might ask to you to reduce the amount of searching or data we need to look at to fit your needs. If we refuse to provide the data we need to be able to explain to you why we refused.
- You do not need to tell us why you are making the request, but it may be helpful for you to do so.
Before considering your request, we will ask you to confirm your identity, by providing some kind of proof, such as a copy of your passport or photo driving licence and some official letter with your address on it. If you are making a request, you may want to submit this information along with your request, to save time later.
Anyone, including children, can make a Subject Access Request under GDPR, as long as it is considered that they have capacity to make the request. We will make an informed view on any SAR’s submitted by children, considering each request on a case by case basis. Although there is no rule on this, a young person aged 12 or more is usually deemed to have capacity under Scots Law.
5. Someone else such as a solicitor may submit a SAR on your behalf, but we will only respond to a third party request once we are satisfied that the third party has authority to act on your behalf. This is likely to involve the third party or you being contacted by us, and asked to provide evidence of written authority for them to act for you. Since SAR’s relate to personal data, a vital part of the response process for OSCR is satisfying itself that the request is legitimate, not to do so could result in the release of personal information inappropriately, which would be in breach of the regulation and could involve OSCR being fined.
6. It might well be that some of your personal data is held in a record which includes personal data relating to other people. Where this is the case, the personal data relating to other people will not normally be given to you and any copies of documents you receive from us in our response may contain areas where the names of other people have been blanked out. Alternatively, we may extract your personal data to create a summary document we can send to you.
There are some situations when personal data about others may be included, but in general terms where third party information is involved its release will be considered on a case by case basis.
7. If your SAR is submitted electronically e.g. by email, then the response issued to you will also be sent electronically.
8. A single copy of any information held will be supplied. We may charge you for any further copies requested.
16. General information about SARs
You have the right to know if your personal data is being processed or used and our reasons for processing it. You will find what we use your information for in the sections ‘Why do we need your personal data?’ and ‘What do we do with the information?’ sections above.
OSCR does not make automated decisions about you or use personal information as part of profiling activity, if we did we will tell you about it and our reasons for doing so.
In most cases we will give you the information you ask for, or if we do withhold it we will explain why.
As the regulator we get reports of alleged criminality and other information which may lead to the apprehension or prosecution of offenders. Any information we hold which is in these categories is covered by exemptions, meaning that if we do hold it the way we deal with it is different and we do not have to disclose it or even tell you that we have it, in response to a request.
17. Can I get a digital copy of my information?
We will always try to provide the information electronically unless you have asked for it in another format, such as paper. This doesn’t include the right to data portability automatically as not all data held will be included in that right, we may simply hold copies of paper forms and other letters or emails which cannot be converted into the portable formats talked about in the next section.
18. What is data portability?
This means that we have to be able to give you your personal data you request in a way which can be automatically read by a machine or computer. These formats must be freely available to everyone. Data Portability only applies;
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
If we don’t hold your information in that format then this rule doesn’t apply to us – meaning that if we only receive paper forms with you information on and don’t do anything else with the information then we wouldn’t have to convert it later just for you.
19. What happens if you lose my information?
All organisations which process data are required to report any losses or incidents to the relevant authority, in the case of the UK this is the Information Commissioner, if you need more information about what they do, the website is here at; https://ico.org.uk/. The report must be made within 72 hours of us finding out about the loss or incident. Depending on the circumstances of the incident a Civil Monetary Penalty (fine) could be given to the organisation responsible for the incident.
20. Can I complain to the ICO if I think you are using my information illegally?
Yes, you can complain to the Information Commissioner about us if you believe that we are not using the information we hold about you properly or have breached your rights. You can find information about that at their website https://ico.org.uk/concerns/.
21. Will I get Compensation if my data is lost or misused?
The new Data Protection Act will allow a person to sue for compensation if they “suffer financial loss, distress and other adverse effects”. Generally this would be more likely to happen if we had committed an offence under the new act or had been reckless in our approach to data security.
22. Privacy Notices
The Online Charitable Status Application Privacy notice can be found here - https://www.oscr.org.uk/media/3201/2018-05-15-privacy-notice-pdf.pdf
The OSCR Online Privacy Notice can be found here: https://www.oscr.org.uk/media/3292/2018-07-12-oscr-online-privacy-notice-pdf.pdf
Data Protection Act 2018 – http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
The General Data Protection Regulation - http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
Definitions used in the regulations - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
The Information Commissioner’s website - https://ico.org.uk/
ICO Guide to Personal Rights under GDPR - individual rights
ICO Guide to PECR https://ico.org.uk/for-organisations/guide-to-pecr/
Scottish Charity Main legislation - http://www.legislation.gov.uk/asp/2005/10/contents
Changes to this policy
Our policy was last updated on 09 Oct 2018.