Privacy guide

The ways in which people’s personal information is protected are known as data protection. The General Data Protection Regulation (GDPR) is a European Union law that sets out how personal information is protected and used by organisations. It also provides rights for individuals on how their personal information is used.

This is a guide to how we use people’s personal information to do the work that we do. It explains:

  • the types of personal information our office collects, and how we use it,
  • how we keep your personal information safe, 
  • how long we keep your personal information for,
  • what your rights are, and
  • who you can talk to if you are unhappy about the way we use your personal information.

If you prefer you can download this guide below or contact us on 0131 346 5350 or email [email protected] to ask for a hard copy to be sent to you.

Privacy Guide (PDF)

This Privacy Guide was last updated on 24 May 2018. It is important to us that you are able to use and understand this guide. If you have any ideas about how we can make the guide better, please contact us with your suggestions.

But what is personal information?

Your personal information is any information that can be identified as being about you.

For example, imagine we sent out a form that asked you to tell us your name, which school you went to and your opinion about something.

There probably isn’t anyone else at your school who has the same name as you, so we’d be able to work out that you personally had given us that opinion.

That would make your name and the school you went to personal information, because we could use it to identify you. It also means the opinion you put down on the form is your personal information. 

Some personal information is called special category data

Special category information is particularly sensitive personal information. Because it’s more open to misuse than other personal information, there are extra protections around it.

It includes information about someone’s:

  • Race or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (when used to identify someone)
  • Health
  • Sex life
  • Sexual orientation

Sometimes we will need special category data to help us resolve issues that affect the rights of individuals or groups of children and young people in Scotland.

We also ask people to share some of this information with us to help us meet our equalities duties.

Data protection principles

It is important to us that we use your personal information in line with the six principles of the GDPR.

  1. Handle your personal information lawfully, fairly and in a transparent way.
  2. Collect your personal information only for valid purposes that we have explained to you, and not use it in another way that is at odds with those purposes.
  3. Make sure that the personal information we hold about you is relevant to the purposes we have told you about.
  4. Make sure that your personal information is accurate and kept up to date.
  5. Keep your personal information only as long as it is needed for the purpose we have told you about.
  6. Keep your personal information safe and secure.

We must also demonstrate how we comply with the six data protection principles.

Our lawful basis for using personal information

Data protection law requires us to have a lawful reason for using your personal information. Most commonly, we will use your personal information when:

  1. We have been given an important function or job by law and need to use your personal information to fulfil that job or function.
  2. We have been given responsibility and duties by law and we need to use your personal information to comply with those duties.
  3. It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  4. When we have your consent to do so.
  5. Where we need to protect your vital interests or the vital interests of someone else.

We will only use special category information when we have an additional lawful reason for doing so. Most commonly this will be because:

  1. There is a substantial public interest in us fulfilling our legal duties and responsibilities.
  2. There is a substantial public interest in us protecting an individual child who is at risk.
  3. We need to comply with employment or social security law.
  4. We need to protect your vital interests or the vital interests of someone else.
  5. We need the information for archiving or for undertaking research, but we will only do so where we have measures in place to protect your rights.

What personal information we collect and how we use it

We collect and use personal information from you in several ways:

Advice and Investigations

  • When you contact us to ask for information, advice or to tell us about a children's rights issue we use the personal information you provide to allow us to respond to you.
  • Sometimes we might need to contact another organisation about a problem you have raised with us but we will only do this if we have your consent to do so.
  • One of our jobs is to consider and carry out investigations of organisations who have not upheld children's rights. To help us do this job we may need more information from you, the organisation or someone else who has the information we need. Sometimes this information will be about you.

Complaints to us

  • When you bring a complaint to us about the Commissioner, one of his employees or about how we are doing our job we will use the personal information you provide to allow us to respond to you.

Contacting and visiting us

  • When you are requesting or attending a meeting with us we use the personal information you provide to allow us to manage the meeting.
  • When you contact us, we will use the personal information you provide to allow us to respond to you.

Supply of products or services

  • When we agree to an annual contract for a product or service that you or your company provide we may use the personal information you provide to allow us to manage that contract.
  • When we purchase a product or service from you or your company we may use your personal information to allow us to pay for it.

Data protection and freedom of information requests

  • When you send us a request to access your personal information that we hold we will use your personal information to allow us to respond to you.
  • When you send us a freedom of information request or request for a review we will use your personal information to allow us to respond to you.
  • When you send us an environmental request or request for a review we will use your personal information to allow us to respond to you.

Events

  • When we are hosting an event we may use your contact details to allow us to invite you to the event.
  • When you register to attend one of our events we will use your contact details and other information that you have provided (e.g. dietary requirements, emergency contact details) to help us manage the event.

Recruitment

  • When you submit a job application to us we will use the personal information you provide to allow us to recruit the most suitable candidate for the job.
  • When you are interviewed for a job with us we will use interview evaluations and external references about you to allow us to recruit the most suitable candidate for the job.

Research

  • When you ask to be added to our list of research contacts we will use the personal information you provide to let you know about our research calls.

Survey responses

  • We need information to allow us to do the job the Scottish Parliament has given us to promote and safeguard the rights of children and young people. Surveys can be a useful way for us to gather this information. When you respond to one of our surveys we will collect and analyse the response you give us. We will not keep your response after the work has been completed. We will use a third party to manage our survey.

Using our website and our social media

  • When you opt-in to our online news we will ask for and keep the contact details you provide to send this to you. We use Mailchimp to manage our online news.
  • When you use our website, we collect information to help us understand how our website is being used. You can find out more about how and why we do this in our website and cookies privacy notice.
  • When you send us a direct message via social media we will use the personal information you provide so we can respond to you.
  • When you send a message using the contact us form on our website we will use the personal information you provide so we can respond to you.

Sharing your personal information

There are times when we will need to share your personal information with someone outside the Commissioner’s office.

We have listed when and why we would need to do this.

Your health and safety

We may share your personal information if we're worried about your health or safety, or the safety of someone close to you. This might involve us contacting:

  • your local social work office
  • the Children's Reporter
  • the police

Legal requirement

We have to release your personal information if a court or law requires us to.

Translation

We may share your personal information with a translation service if we need it in another language. We use Language Line Solutions to do this.

It is important to an organisation for their work

We can disclose personal information to the following organisations when this information is important to their work.

These organisations are named by law, and the law also names the reasons we can disclose information to them:

Companies that provide us with services

We use companies to provide us with services and they may need to process personal information to do this. This may include people or organisations that provide us with:

  • IT services,
  • Human resource management services,
  • Legal services,
  • Confidential waste services,
  • Professional advisers and consultants,
  • Survey management services.

How people use our website

We share anonymised information about how people use our website with the Scottish Government as part of their scheme to help them improve digital public services.

Opting in to receiving certain cookies on our website involves consenting to passing personal information on to other organisations. You can find out about this on our web privacy and cookies page.

How long we keep your personal information for

We’ll only keep your personal information for as long as necessary to fulfil the purposes we collected it for.

To help us determine how long we need to keep your personal information for, we look at:

  • the amount, type and sensitivity of the information,
  • the potential risk of harm from unauthorised use or disclosure,
  • the purpose for which we process it and whether we can achieve those purposes by other means, and
  • whether there are legal reasons we need to keep it for a certain amount of time.

Where we process your personal information

We won’t transfer your personal information outside the European Economic Area (EEA) without your consent, except where we can ensure that your personal information will receive an adequate level of protection that is consistent with EU and UK laws on data protection.

Keeping your personal information safe

We have a responsibility to make sure that the personal information we hold about you is safe and secure. We have taken the following steps to protect the information given to us:

Security measures

We have appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Limits to access

Access to your personal information is limited to employees and other third parties who have an appropriate business requirement. They only handle your personal information on our instructions and all are subject to a duty of confidentiality.

Third parties are required by us to keep your personal information secure.

Measures to deal with breaches

We have measures to deal with any suspected personal information breaches.

In the unfortunate event of a breach of your personal information which might expose you to serious risk, we will notify you promptly and notify the Information Commissioner’s Office within 72 hours.

Personal information and your rights

As part of the General Data Protection Regulation you have several rights in relation to the personal information we hold about you.

  • Your right to be provided with information about how and when we are collecting and using your personal information,
  • Your right to request access to your personal information that we hold,
  • Your right to have your personal information corrected by us if it is not accurate, complete or up to date,
  • Your right to have your personal information erased (destroyed) in certain circumstances,
  • Your right to restrict us processing your personal information in certain circumstances,
  • Your right to have your personal information transferred to you or another organisation in certain circumstances,
  • Your right to object to us using your personal information,
  • Your rights related to automated decision making including profiling, and
  • Your right to withdraw your consent at any time to us using your personal information.

If you would like to know more about your rights and how you can exercise them you can contact us or our data protection officer. Further information is also available from the Information Commissioner's Office.

Any questions - contact us

If you have any questions about our Privacy Guide and how we look after your personal information, you can contact us in several ways:

Children and Young People’s Commissioner Scotland 
Rosebery House 
9 Haymarket Terrace 
Edinburgh 
EH10 5LJ

Phone: 0131 346 5350

Young people's freephone: 0800 019 1179

Email: [email protected]

Twitter: @cypcs

Facebook: facebook.com/cypcs

Contact our data protection officer

If you have any concerns about how your personal information has been used by us or you want to know about your rights regarding your personal information you can contact our data protection officer.

This person is independent of the Commissioner’s Office, which means they are free from our influence and control.

Email: [email protected]

Phone: 0131 348 6080

Contact hours: Monday-Thursday 8.30am to 5pm and Friday 8.30am to 4.30pm

Making a complaint

You also have the right to make a complaint about how we handle your personal information to the Information Commissioner’s Office.

Customer Contact, Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF

Online: https://ico.org.uk/concerns/handling/

Helpline: 0303 123 1113