Like all organisations in the United Kingdom, Young Scot must comply with the principles of the Data Protection Act 2018. This ensures that we adhere to best practice in the collection and use of individuals data. The Data Protection Act 2018 states that data must comply with the following six principles:
YOUNG SCOT POLICY ON THE SIX PRINCIPLES OF DATA PROTECTION
When creating surveys, forms, etc, only sufficient personal information must be asked for that is necessary to complete the task, and no more.
All personal data must be securely destroyed once the purpose for which it was collected has passed, and so long as there is no legal reason to retain the data any further (eg, PAYE audits, etc). The data retention / destruction timescales for the different areas of Young Scot’s work affected by the DPA are outlined below.
Consent
Data protection often requires obtaining informed consent from individuals before collecting or processing their personal data. Individuals have the right to know how their data will be used and to have the option to opt out. We use consent forms for collection data from young people and legitimate interest for collection data from our staff. We currently get informed consent for all young people and for all young people under the age of 16 we get parent/carer consent
All materials that require a young person to submit personal data should have the following statement appended: “The information gathered will be used by Young Scot in accordance with the Data Protection Act 2018.”.
Data security
Data must be secured against accidental loss, destruction or damage and against unauthorised or unlawful processing - this applies to you even if your business uses a third party to process personal information on your behalf: We have a robust system in place to protect our data, this includes measures to secure data against unauthorised access or breaches. This involves using encryption, access controls, firewalls, and other security technologies to prevent data breaches. We no longer store data in paper format.
Data integrity
We have key controls in place to ensure we maintain the integrity of our data, which means that data should not be tampered with or altered in an unauthorised manner.
Data availability
We make sure that staff can access data when needed. We backup to the cloud and have a disaster recovery plan in place to ensure that data can be restored in the event of data loss or system failures within 24 hours.
Young Scot maintains a system of secure password/two factor access to its IT systems and takes best efforts to ensure that all data held by it is adequately backed-up to prevent accidental deletion.
Data confidentiality
We ensure data confidentiality means that only authorised individuals have access to certain data. This is achieved through user authentication, access permissions, and encryption.
Data sharing
Young Scot does not ordinarily pass personal data on to any other organisation, and if the need arose to do so, it must inform the data subject about this as a part of the screen / form the information is gathered through.
Data retention
We have retention policies for how long data will be retained and should be deleted or anonymise data when it is no longer needed for its original purpose. These can be in line with legislation or legitimate business needs. The data retention / destruction timescales for the different areas of Young Scot’s work affected by the DPA are outlined in the below section.
International data transfers
Our default is to have our information stored with the UK/EEA We assess all suppliers to ensure that their storage facilities comply with GDPR and if they are out with the UK we check if they are covered under UK ‘adequacy to ensure that it is adequately protected, as different countries may have varying data protection laws.
What does the UK-US data bridge mean for us transferring personal data to the United States?
The UK-US data bridge enables frictionless transfers of personal data to the US. Organisations that are currently relying upon the ICO's international data transfer agreement (IDTA) or the EU standard contractual clauses (SCCs) and UK addendum for US data transfers may wish to consider using the UK-US data bridge instead.
As the UK considers that the US provides an adequate level of protection for personal data when using the UK-US data bridge, organisations relying on the data bridge will not need to carry out a transfer risk assessment or consider whether supplementary measures are necessary.
The UK-US data bridge will therefore substantially simplify the process of entering into new transfer arrangements, avoiding the time and expense incurred in carrying out transfer risk assessments and putting in place IDTAs or SCCs.
We need to ensure that the data importer in the US is certified by the US Department of Commerce under the Data Privacy Framework. If we wish to use the UK-US data bridge for intra-group transfers of personal data or to a service provider located in the US, then we need to ensure that the US entity is certified.
If the US entity is not certified then exporters will need to continue to use the the IDTA or SCCs and UK addendum for the transfer. However, we should take into account the existence of the new measures introduced by the US when carrying out their transfer risk assessment.
If we enter into contracts with data processors will want to consider the extent to which they may still wish to approve a transfer by the processor to a US sub-processor.
We should also think about how their contracts would deal with any successful challenge the lawfulness of the data bridge, as happened with Safe Harbor and Privacy Shield.
When does the UK-US data bridge come into force?
When we are exporting personal data to the US will be able to rely upon the Data Bridge for transfers to US organisations that have certified under the EU US Data Privacy Framework.
Training and awareness
We carry out annual refresher Data Protection Training with all staff to ensure they are aware of data protection policies and best practices to minimise the risk of data breaches due to human error.
Monitor
We review and monitor our data protection through our quarterly checking system. This has staff review and update their policies for service specific areas to ensure continued compliance with Data Protection Policy on accuracy, retention and purpose of data held.
The act also covers individual rights and what they are:
Rights for individuals:
You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
You must provide privacy information to individuals at the time you collect their personal data from them.
If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
User testing is a good way to get feedback on how effective the delivery of your privacy information is.
You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people but getting it wrong can leave you open to fines and lead to reputational damage.
PRIVACY INFORMATION
What privacy information we must provide
When to provide it
How to provide it
We have to provide the information in a way that is:
What privacy information should we provide to individuals?
The table below summarises the information that we must provide. What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or obtain it from another source.
What information do we need to provide?
Personal data collected from individuals Personal data obtained from other sources
The name and contact details of your organisation ✓ ✓
The name and contact details of your representative ✓ ✓
The contact details of your data protection officer ✓ ✓
The purposes of the processing ✓ ✓
The lawful basis for the processing ✓ ✓
The legitimate interests for the processing ✓ ✓
The categories of personal data obtained ✓
The recipients or categories of recipients of the personal data ✓ ✓
The details of transfers of the personal data to any third countries or international organisations ✓ ✓
The retention periods for the personal data ✓ ✓
The rights available to individuals in respect of the processing ✓ ✓
The right to withdraw consent ✓ ✓
The right to lodge a complaint with a supervisory authority ✓ ✓
The source of the personal data ✓
The details of whether individuals are under a statutory or contractual obligation to provide the personal data ✓
The details of the existence of automated decision-making, including profiling ✓
When should we provide privacy information to individuals?
When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:
When obtaining personal data from other sources, you do not need to provide individuals with privacy information if:
There are several techniques we will use to provide people with the required privacy information. We will use:
If we think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, we must carry out a DPIA to find ways to mitigate the risks of the processing.
We still have to provide people with privacy information, unless we are relying on an exception or an exemption.
If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, we must carry out a DPIA to find ways to mitigate the risks of the processing.
Be very clear with individuals about any unexpected or intrusive uses of personal data, such as combining information about them from a number of different sources.
Provide people with privacy information within a reasonable period of obtaining the data, and no later than one month.
If you apply Artificial Intelligence (AI) to personal data:
Be upfront about it and explain your purposes for using AI.
If the purposes for processing are unclear at the outset, give people an indication of what you are going to do with their data. As your processing purposes become clearer, update our privacy information and actively communicate this to people.
Inform people about any new uses of personal data before you actually start the processing.
If you use AI to make solely automated decisions about people with legal or similarly significant effects, tell them what information we use, why it is relevant and what the likely impact is going to be.
We will consider using just-in-time notices and dashboards which can help to keep people informed and let them control further uses of their personal data.
If we plan to use personal data for any new purposes, we must update your privacy information and proactively bring any changes to people’s attention.
ACCESS REQUESTS
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
What is an individual entitled to?
Individuals have the right to obtain the following from you:
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that you establish whether the information requested falls within the definition of personal data.
Other information
In addition to a copy of their personal data, you also have to provide individuals with the following information:
We are providing much of this information already in our privacy notice. But best practise to check if it’s a new information collection.
How do we recognise a request?
An individual can make a subject access request to us verbally or in writing. It can also be made to any part of Young Scot (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
We have a legal responsibility to identify that an individual has made a request to us and to handle it accordingly. Therefore, we have provided staff training to help to identify a subject access request. We have also set up a dedicated email address to support young people to make a request
How should we provide the data to individuals?
If an individual makes a request electronically, we will provide the information in a commonly used electronic format, unless the individual requests otherwise.
We have received a request but need to amend the data before sending out the response.
Should we send out the “old” version?
GDPR states that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while we are dealing with the request. So it would be reasonable for us to supply information we hold when we send out a response, even if this is different to that held when we received the request.
However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the DP Bill, it is an offence to make any amendment with the intention of preventing its disclosure.
Do we have to explain the contents of the information we send to the individual?
We are required to ensure that the information we provide to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important where the information is addressed to a child.
At its most basic, this means that the additional information we provide in response to a request (see the ‘Other information’ section above) should be capable of being understood by the average person (or child). However, we are not required to ensure that that the information is provided in a form that can be understood by the particular individual making the request.
How long do we have to comply?
We must act on the subject access request without undue delay and at the latest within one month of receipt.
We should calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. We can extend the time for a response?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if:
it is manifestly unfounded or excessive; an exemption applies; or you are requesting proof of identity before considering the request.
Can we ask an individual for ID?
If you have doubts about the identity of the person making the request, you can ask for more information. However, it is important that we only request information that is necessary to confirm who they are. The key to this is proportionality.
We need to let the individual know as soon as possible that we need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.
Young Scot does not transfer personal data outside the EEA. When required to pass survey / consultation results to clients, it deletes identifying personal data, leaving only sufficient data to allow demographic and geographic cross-tabulation to be carried out.
Young Scot does not ordinarily pass personal data on to any other organisation, and if the need arose to do so, it must inform the data subject about this as a part of the screen / form the information is gathered through.
WHAT DATA DO WE HOLD?
Young Scot is registered with the Information Commission to process data for various purposes, including those of maintaining membership records, mailing lists and personnel records.
The Corporate Services Manager of Young Scot is the registered Data Controller for Young Scot, responsible for compliance with the Data Protection Act 2018(DPA 2018).
There are five main areas of work within Young Scot that require the DPA 2018 to be taken into consideration.
Human Resources
The Corporate Serivces and Finance Director, Finance Manager Corporate Services Manager and Corporate Services Assistant are responsible for ensuring that data held in the Human Resources files is accurate and complete, and that electronic and paper records of former staff are destroyed after the required period, as set out by HMRC and other bodies. All electronic data is password protected and paper records are held in a secure area accessible only by authorised personnel.
Young Scot Rewards Registrations
Young Scot members may voluntarily register their cards and limited personal data on the Young Scot Rewards portal, to participate in activities, such as to take part in surveys and claim rewards such as the ability to enter prize draws etc.
The member may maintain their original registration beyond the expiry of their card by registering another valid card with a longer expiry date at any time.
The data related to these registrations must be deleted six months after the member’s last card has expired, to give them time to reactivate their registration with a new card.
This is the responsibility of Information Services Manager, with assistance Digital Smart Tech Directorate and Storm ID.
Social Media
Young people (both members and, in some cases, non-members of Young Scot) may engage through Social Media. Depending on the engagement and the digital tools used we must ensure that we don’t breach any of the principles by not posting any sensitive data that can identify an individual or put them at risk. We must not store any data after we have carried out the task that the engagement has been undertaken for.
We do not ask for any personal data to be sent over social media (age, address etc). We ask any users who have sent us their personal data to remove it immediately as we cannot delete it ourselves.
Participation and Engagement Projects and Surveys
Young people (again, both members and non-members depending on the nature of the participation and engagement project) may take part in Young Scot #YSHive (codesign) projects and surveys, either face-to-face, online or in paper format.
Young Scot collects and stores young people’s data as part of their involvement in codesign projects. At the beginning of co-design projects, the Participation and Engagement Team explains to the young people what data is collected about them and the purpose for this and how it will be used. This data will be stored securely and password protected as per Young Scot’s IT systems all documentations is held electronically and destroyed within the specified timeframe for the project.
Survey entries will be retained for so long as they remain useful for historical, statistical or research purposes and to allow for any further cross-checking of the data. Any personal data associated with these entries should only be retained for a period of six months following completion of the report of the findings, after which all paper based and electronic data will be securely destroyed.
The Participation and Engagement Managers are responsible for carrying out this policy, with assistance from, the other directorates within Young Scot.
Insights Service is responsible for the collection of data and the use of this data to prepare statistical reports for Young Scot and external stakeholders. We collect this data from primary and secondary sources. Where we use primary data for our own sources we always work in accordance with the data protection act and the policies and procedures around the primary source e.g. Rewards data is stored and used under their policy.
Test, review and update our data held
We carry out quarterly compliance checks with each directorate to ensure that we are still complying with the above, they ask them to confirm that:-
Whilst individual members of staff have been assigned responsibility for carrying out data protection tasks related to their own areas of work, it is the overall responsibility of Young Scot’s Data Controller to ensure that these tasks have indeed been carried out to the correct standard.
Data protection is a critical consideration for us as an organisation working with young people and their data, as data breaches can have serious consequences, including financial losses, damage to reputation, and legal liabilities. Complying with data protection regulations and implementing robust data protection measures is essential to maintain trust and security in an increasingly data-driven world.
Reviewed June 2025