What your rights are

• By using this website, you agree to our Terms and Conditions. If you do not agree with them, please stop using this website immediately

• If you believe that any of our online content is owned by your or infringes your copyright, please let us know

• Our terms and conditions are under the Scottish law, so if you have any legal disputes with us about our terms and conditions, they will be brought to the Scottish courts.

What we are responsible for

• While we will try our best to keep the website up to date and accurate, there is no obligation and no guarantee that it is

• We are not responsible to you if our website is unavailable – due to technical issues for example

• The content on our website (including its copyright and other intellectual property rights) belongs to us, or the people who have given us permission to use it

• We are not responsible for the external websites that you can access from our website. If you have any issues with their content, you should get in touch with them instead.

• We are not responsible for any loss or damage that you suffer as a result of using our website or the information on our website

• If we decide to sell or transfer our website to someone else, we might also transfer the website’s rights and responsibilities to them. We can do this without telling you

• If we make any changes to the terms and conditions, we are responsible for making it available on our website. The updated terms will take effect immediately after it has been uploaded.

How the website can be used by you

• You must only use this website following our Terms and Conditions

• The website is available to you for free

• The online content on our website is for your personal and professional use only. You are welcome to use small segments of this site and multimedia for your work to discuss Young Scot. We ask you to speak to Communications before using pictures as often the copyright belongs to third parties. We appreciate a link or a mention on social media when you use our content. However, you also cannot make money from our content (e.g. by selling or renting it).

• The information on our website is for general information only, please do not take it as advice or rely on it

• You are responsible for making sure your computer system is technically capable of accessing and using our website. You are also responsible for protecting your system from viruses and infection.

• Just because you agree to our terms and conditions, it doesn’t mean we now have a partnership between us

Our full terms and conditions

• These terms and conditions (“T&Cs”) provide information in relation to your use of (http://www.youngscot.net/) (the "Website"). They also tell you: - what your rights are; what we are responsible for; and how the website can be used by You.  Please read these T&Cs carefully to ensure that you are aware of your obligations. You can print off these T&Cs if is it is easier for You to read them! In addition, if anything in these terms and conditions is unclear, please feel free to e-mail us on info@young.scot

• The Website is operated by Young Scot (‘We’ ‘Our’ Us’) which is a Scottish registered charity (SC029757). Young Scot is also a company limited by guarantee (202687) Our register office is at Rosebery House, 9 Haymarket Terrace, Edinburgh, EH12 5EZ.

• You must only use this Website in accordance with these T&Cs.

• By using this Website You are agreeing to comply with these T&Cs. If You do not agree to these T&Cs, please stop using the Website immediately.

• Changes to the Website

  • Sometimes We might make changes to the Website or update. However, the content available on the Website may not always be up to date and whilst we will try to keep it up date, we are under no obligation to do so.

  • We will try to make sure everything on the Website is correct. However, you should note that We do not guarantee that everything on the Website is complete, accurate; and free from errors.

  • Access to the Website

    • We make the Website available to you for free

    • We cannot guarantee that the Website will always be available when you try to access it and that you will be able to access it without interruption. For example, technical issues may result in the Website being unavailable from time to time.

    • We might suspend, withdraw, discontinue or change the Website or part of it without any notice. If We do this We will not be responsible to You if Our Website is unavailable at any time.

• The Online Content – who owns it and how can You use it?

  • The property and any copyright or other intellectual property rights in the content available on the Website (“Online Content”) belongs to Us or to other business or individuals who have given Us permission to use that content or information on our Website.

  • You can access the Online Content in order to read, look at, download, store, use and copy it for Your own personal or professional use only!

  • You must not:

    1. download, store, reproduce, transmit, display, copy, distribute or use the Online Content for anything other than your own personal use or to highlight the work of Young Scot; or

    2. sub-licence, rent, lease, transfer or attempt to sell the rights in the Online Content to anyone else; or

    3. allow anyone else to use the Online Content, other than another individual, in accordance with these T&Cs, or

    4. use or allow anyone to use the Online Content for commercial purposes or to make any money.

  • If You believe that any Online Content is owned by you or violates Your copyright, You are encouraged to notify Us, setting out (where possible):

    1. who You are;

    2. how You own the relevant copyright work; and

    3. details of the alleged infringement.

       • Young Scot will respond to all such notices, including as required or appropriate by removing the infringing material or disabling all links to the infringing material.

• Reliance

  • The information on the Website is provided for general information only. It is not advice or information, which You can rely on for any reason.

• Liability

  • You are responsible for ensuring that Your computer system will let You use the Website and meets all relevant technical requirements to allow You to use Website.

  • This clause sets out what our liability to You as a user of the Website: -

    1. Young Scot does not guarantee that any Online Content that you can download from the Website will be free from infection, viruses and/or other code that may contaminate or destroy property. You are responsible for putting in place and maintaining your own procedures and virus checks (including anti-virus, firewall and other security checks).

    2. We do not guarantee that the Website will be continuously available 24 hours per day, 7 days per week, 365 days per year but We will try to keep downtime to a minimum.

    3. We have no responsibility for the content of websites which You can link to from the Website. We do not endorse any of the websites You can link to from the Website and Young Scot will not be liable for any loss which may arise from Your use of them. Any concerns regarding any external link from our website should be directed to its website administrator or webmaster.

    4. Nothing in these T&Cs excludes or limits our liability for death or personal injury arising from our negligence or the negligence of our employees, fraud or fraudulent misrepresentation or any liability that cannot be excluded or limited by law.

    5. To the extent permitted by law, We exclude all conditions, warranties, representations or other terms which may apply to the Website or any content on it whether express or implied.

    6. Where You suffer any loss because you used the Website or information on the Website, to the extent permitted by law We accept no responsibility for any loss or damage, whether due to inaccuracy, error, omission or any other cause, and whether this has been caused by Us or Our employees, agents or any other persons.

  • Contact

    • If you wish to contact us, you can do so be various methods as follows:

      1. By post or hand delivery to: - Young Scot Enterprise, Rosebery House, 9 Haymarket Terrace, Edinburgh EH12 5EZ UK

      2. By e-mails to: - info@young.scot

    • General

      • If we sell or transfer the operation of the Website, We may transfer any or all of its rights and obligations under these T&Cs to that party, and We are not required to inform You that We have done so or intended to do so.

      • Nothing in these T&Cs creates or will be treated as having created a partnership between You and Us.

      • We may alter these T&Cs from time to time and post a new version on the Website. Any amended version of the T&Cs will take effect immediately on being posted on the Website.

      • If any section of these T&Cs (or any part of any such provision or term) is or becomes unenforceable for any reason whatsoever, such section (or the relevant part of it) will be cut out from these T&Cs, but the remaining T&Cs will remain unaffected.

      • These T&Cs are governed by Scots law and any dispute under or in connection with them must be brought in the Scottish courts. However, if you have any grievances, please feel free to contact us in accordance with clause 7 above.

• Online Privacy Practices

  • When you use this Website, we will automatically have access to limited personal information about you. In addition, if you sign up to receive our newsletter through this Website, we will have to store and use your personal information. As a result, we are required to make sure that we provide you with protection and process and store your personal data as set out in the Data Protection Act 1998 ("the Act"). Further information about the Act is available on the Internet at www.dataprotection.gov.uk. This Privacy Policy and Cookie Policy below set out how we collect data and how it is processed.

  • One of the requirements under the Act is that we notify the Information Commissioner that we hold and process personal data. We confirm that we have done that and that we have practices in place which ensure that we comply with the requirements of the Act.

• Any information of a personal nature that You provide to Us will be kept confidential by Us and will only be used for the purposes that have been specified above. However, we may transfer personal information to third parties for storage purposes or for the purposes specified in these T&Cs. We will try to make sure that any third parties we transfer your personal information will also keep it confidential. However, you must note that the transmission of information via the internet is never completely secure and whilst we will do what we can to keep it secure and confidential we cannot absolutely guarantee that it will be completely secure. You should always consider the risks before proving personal information through our Website prior to doing so because you are transferring it at your own risk.

Cookies

• We use cookies. However, We do not use cookies for collecting or storing personal information about You. Instead, Young Scot use a form of temporary cookie called a "session cookie" to allow our website to function effectively. Session cookies only store a "session ID" - a string of random characters - which allows the website to group together and distinguish page requests from Your browser during each browsing session. They are not stored on Your computer's hard disk and are held in memory, expiring automatically when You close down Your browser. If for any reason You do not want session cookies to be temporarily stored in the memory of Your computer, then these can be disabled by clicking here – please note that disabling cookies may mean that You will lose some features and functionality of the site. By not opting to disable the cookies then You are consenting to their use.

For further information from Young Scot on their data protection and privacy policies, You should contact info@young.scot.

Young Scot Enterprise is a company limited by guarantee registered in Scotland (No: 202687) and has its registered office at Rosebery House, 9 Haymarket Terrace, Edinburgh.

Email terms and conditions

Emails that you receive from Young Scot staff should be treated as confidential: the information in it may not be used or disclosed except for the purpose for which it has been sent. If you are not the intended recipient, please contact the sender immediately then delete it from your computer system.

Opinions, comments or other information in this e-mail that don’t relate to the business of Young Scot are neither given or endorsed by the company. We would kindly ask that you respect privacy and only save or forward this email as part of your business with Young Scot. Young Scot  has taken all reasonable precautions to ensure that no viruses are transmitted to a third party.

However, the recipient should check this e-mail and attachments for the presence of viruses. Young Scot accepts no liability for damage caused by any virus transmitted by this e-mail.

Did you read all of this? Well done you! You deserve a wee treat…maybe a cuppa and a biscuit 😊

Emails that you receive from Young Scot staff should be treated as confidential: the information in it may not be used or disclosed except for the purpose for which it has been sent. If you are not the intended recipient, please contact the sender immediately then delete it from your computer system.

Opinions, comments or other information in this e-mail that don’t relate to the business of Young Scot are neither given or endorsed by the company. We would kindly ask that you respect privacy and only save or forward this email as part of your business with Young Scot. Young Scot  has taken all reasonable precautions to ensure that no viruses are transmitted to a third party.

However, the recipient should check this e-mail and attachments for the presence of viruses. Young Scot accepts no liability for damage caused by any virus transmitted by this e-mail.

Did you read all of this? Well done you! You deserve a wee treat…maybe a cuppa and a biscuit 😊

Like all organisations in the United Kingdom, Young Scot must comply with the principles of the Data Protection Act 2018. This ensures that we adhere to best practice in the collection and use of individuals data. The Data Protection Act 2018 states that data must comply with the following six principals:

Six Principles of Data Protection

(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

The Data Protection Act 2018 equally covers relevant data stored electronically and on paper.

If a data controller's processing of personal information does not comply with the principles, the Information Commissioner can take enforcement action against that data controller.

YOUNG SCOT POLICY ON THE SIX PRINCIPLES OF DATA PROTECTION

1. Data must be processed fairly and lawfully. Young Scot staff may only use data obtained through the course of their work for purposes related to Young Scot. They must not use any data obtained for personal purposes. Misuse of any personal data may be considered as gross misconduct.

2. Data must be processed only for one or more specified and lawful purpose. All data held by Young Scot can only be used for the purposes specified in Young Scot’ Data Protection Registration with the Information Commissioner.

3. Data must be adequate, relevant and not excessive for those purposes. When creating surveys, forms, etc, only sufficient personal information must be asked for that is necessary to complete the task, and no more.

4. Data must be accurate and kept up to date - data subjects have the right to have inaccurate personal data corrected or destroyed if the personal information is inaccurate to any matter of fact. Young Scot must correct any inaccurate data that it holds about a person as soon as it is made aware of any inaccuracy by that person.

5. Data must be kept for no longer than is necessary for the purposes it is being processed. All personal data must be securely destroyed once the purpose for which it was collected has passed, and so long as there is no legal reason to retain the data any further (eg, PAYE audits, etc). The data retention / destruction timescales for the different areas of Young Scot’s work affected by the DPA are outlined in the previous section. All materials that require a young person to submit personal data should have the following statement appended: “The information gathered will be used by Young Scot in accordance with the Data Protection Act 2018.”.

6. Data must be secured against accidental loss, destruction or damage and against unauthorised or unlawful processing - this applies to you even if your business uses a third party to process personal information on your behalf. Young Scot maintains a system of secure password access to its IT systems and takes best efforts to ensure that all data held by it is adequately backed-up to prevent accidental deletion.

Young Scot does not ordinarily pass personal data on to any other organisation, and if the need arose to do so, it must inform the data subject about this as a part of the screen / form the information is gathered through.

The act also covers individual rights and what they are:

Rights for Individuals:

1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision making and profiling.

Individual Rights explained

• Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

• You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.

• You must provide privacy information to individuals at the time you collect their personal data from them.

• If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

• There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

• The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

• It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.

• User testing is a good way to get feedback on how effective the delivery of your privacy information is.

• You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

• Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people but getting it wrong can leave you open to fines and lead to reputational damage.

PRIVACY INFORMATION

We must provide individuals with all the following privacy information:

• The name and contact details of our organisation.

• The name and contact details of our representative (if applicable).

• The contact details of our data protection officer (if applicable).

• The purposes of the processing.

• The lawful basis for the processing.

• The legitimate interests for the processing (if applicable).

• The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

• The recipients or categories of recipients of the personal data.

• The details of transfers of the personal data to any third countries or international organisations (if applicable).

• The retention periods for the personal data.

• The rights available to individuals in respect of the processing.

• The right to withdraw consent (if applicable).

• The right to lodge a complaint with a supervisory authority.

• The source of the personal data (if the personal data is not obtained from the individual it relates to).

• The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

• The details of the existence of automated decision-making, including profiling (if applicable).

When to provide it

We provide individuals with privacy information at the time we collect their personal data from them.

• If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:

  • within a reasonable of period of obtaining the personal data and no later than one month;

  • if we plan to communicate with the individual, at the latest, when the first communication takes place; or

  • if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

How to provide it

We have to provide the information in a way that is:

• concise;

• transparent;

• intelligible;

• easily accessible; and

• uses clear and plain language.

Changes to our privacy information

We regularly review and, where necessary, update our privacy information. If you plan to use personal data for a new purpose, you need to update our privacy information and communicate the changes to individuals before starting any new processing.

What privacy information should we provide to individuals?

The table below summarises the information that we must provide. What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or obtain it from another source.

Personal data collected from individuals:

• The name and contact details of your organisation

• The name and contact details of your representative

• The contact details of your data protection officer

• The purposes of the processing

• The lawful basis for the processing

• The legitimate interests for the processing

• The recipients or categories of recipients of the personal data

• The details of transfers of the personal data to any third countries or international organisations

• The retention periods for the personal data

• The rights available to individuals in respect of the processing

• The right to withdraw consent

• The right to lodge a complaint with a supervisory authority

• The details of whether individuals are under a statutory or contractual obligation to provide the personal data

• The details of the existence of automated decision-making, including profiling

Personal data obtained from other sources:

• The name and contact details of your organisation

• The name and contact details of your representative

• The contact details of your data protection officer

• The purposes of the processing

• The lawful basis for the processing

• The legitimate interests for the processing

• The categories of personal data obtained

• The recipients or categories of recipients of the personal data

• The details of transfers of the personal data to any third countries or international organisations✓

• The retention periods for the personal data

• The rights available to individuals in respect of the processing

• The right to withdraw consent

• The right to lodge a complaint with a supervisory authority

• The source of the personal data

• The details of the existence of automated decision-making, including profiling

When should we provide privacy information to individuals?

When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data. When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:

• within a reasonable period of obtaining the personal data and no later than one month;

• if you use data to communicate with the individual, at the latest, when the first communication takes place; or

• if you envisage disclosure to someone else, at the latest, when you disclose the data.

We must provide privacy information to individuals. We will meet these criteria by putting the information on your website www.young.scot and our Rewards platform, but you must make individuals aware of it and give them an easy way to access it. When collecting personal data from individuals, we do not need to provide them with a privacy notice with any information that they already have.

When obtaining personal data from other sources, you do not need to provide individuals with privacy information if:

• the individual already has the information;

• providing the information to the individual would be impossible;

• providing the information to the individual would involve a disproportionate effort;

• providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;

• you are required by law to obtain or disclose the personal data; or

• you are subject to an obligation of professional secrecy regulated by law that covers the personal data.

What our privacy information should have?

• We need to identify the intended audience for the privacy information and put ourselves in their position.

• When we collect or obtain children’s personal data, we must take particular care to ensure that the information we provide them with is appropriately written, using clear and plain language.

• For all audiences, we must provide information to them in a way that is:

  • concise;

  • transparent;

  • intelligible;

  • easily accessible; and

  • uses clear and plain language.

How should we provide privacy information to individuals?

There are several techniques we will use to provide people with the required privacy information. We will use:

• A layered approach – short notices containing key privacy information that have additional layers of more detailed information.

• Dashboards – preference management tools that inform people how we use their data and allow them to manage what happens with it.

• Just-in-time notices – relevant and focused privacy information delivered at the time you collect individual pieces of information about people.

• Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.

• Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.

• Consider the context in which we are collecting personal data. It is good practice to use the same medium we use to collect personal data to deliver privacy information.

• Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy information.

If we share it- the right to be informed in practice

If we share personnel data with other organisations

As part of the privacy information we must tell people who we are giving their information to, unless you are relying on an exception or an exemption.

• We can tell people the names of the organisations or the categories that they fall within; choose the option that is most meaningful.

If we get personal data from other organisations:

• We must provide young people with our own privacy information, unless we are relying on an exception or an exemption.

• If we think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, we must carry out a DPIA to find ways to mitigate the risks of the processing.

• If our purpose for using the personal data is different to that for which it was originally obtained, you must tell people about this, as well as what your lawful basis is for the processing.

• Provide people with our privacy information within a reasonable period of buying the data, and no later than one month.

• If we obtain personal data from publicly accessible sources:

• We still have to provide people with privacy information, unless we are relying on an exception or an exemption.

• If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, we must carry out a DPIA to find ways to mitigate the risks of the processing.

• Be very clear with individuals about any unexpected or intrusive uses of personal data, such as combining information about them from a number of different sources.

• Provide people with privacy information within a reasonable period of obtaining the data, and no later than one month.

• If you apply Artificial Intelligence (AI) to personal data:

• Be upfront about it and explain your purposes for using AI.

• If the purposes for processing are unclear at the outset, give people an indication of what you are going to do with their data. As your processing purposes become clearer, update our privacy information and actively communicate this to people.

• Inform people about any new uses of personal data before you actually start the processing.

• If you use AI to make solely automated decisions about people with legal or similarly significant effects, tell them what information we use, why it is relevant and what the likely impact is going to be.

• We will consider using just-in-time notices and dashboards which can help to keep people informed and let them control further uses of their personal data.

• Test, review and update our privacy information?

• We will as good practice carry out user testing on our privacy information to get feedback on how easy it is to access and understand.

• Undertake regular reviews to check it remains accurate and up to date.

• If we plan to use personal data for any new purposes, we must update your privacy information and proactively bring any changes to people’s attention.

ACCESS REQUESTS

What is the right of access?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

• What is an individual entitled to?

• Individuals have the right to obtain the following from you:

  • confirmation that you are processing their personal data;

  • a copy of their personal data; and

  • other supplementary information – this largely corresponds to the information that you should provide in a privacy notice (see ‘Supplementary information’ below).

Personal data of the individual

An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that you establish whether the information requested falls within the definition of personal data.

Other information

In addition to a copy of their personal data, you also have to provide individuals with the following information:

• the purposes of your processing;

• the categories of personal data concerned;

• the recipients or categories of recipient you disclose the personal data to;

• our retention period for storing the personal data or, where this is not possible, our criteria for determining how long it will store it;

• the existence of their right to request rectification, erasure or restriction or to object to such processing;

• the right to lodge a complaint with the ICO or another supervisory authority;

• information about the source of the data, where it was not obtained directly from the individual;

• the existence of automated decision-making (including profiling); and

• the safeguards we provide if we transfer personal data to a third country or international organisation.

We are be providing much of this information already in our privacy notice. But best practise to check if it’s a new information collection.

How do we recognise a request?

An individual can make a subject access request to us verbally or in writing. It can also be made to any part of Young Scot (including by social media) and does not have to be to a specific person or contact point. A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. We have a legal responsibility to identify that an individual has made a request to us and to handle it accordingly. Therefore, we have provided staff training to help to identify a subject access request. We have also set up a dedicated email address to support young people to make a request. We will keep a log of all requests including verbal requests. We have created a template form to support individuals to make a subject access request. This will also support staff to recognise a subject access request and for the individual to include all the details you might need to locate the information they want. Young people can email and request this form. We should note that a subject access request is valid if it is submitted by any means, so we will still need to comply with any requests you receive in a letter, a standard email or verbally. Therefore, although we may invite individuals to use a form we will make it clear that it is not compulsory and do not try to use this as a way of extending the one month time limit for responding.

How should we provide the data to individuals?

If an individual makes a request electronically, we will provide the information in a commonly used electronic format, unless the individual requests otherwise. We have received a request but need to amend the data before sending out the response. Should we send out the “old” version? GDPR states that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while we are dealing with the request. So it would be reasonable for us to supply information we hold when we send out a response, even if this is different to that held when we received the request. However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the DP Bill, it is an offence to make any amendment with the intention of preventing its disclosure.

Do we have to explain the contents of the information we send to the individual?

We are required to ensure that the information we provide to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important where the information is addressed to a child. At its most basic, this means that the additional information we provide in response to a request (see the ‘Other information’ section above) should be capable of being understood by the average person (or child). However, we are not required to ensure that that the information is provided in a form that can be understood by the particular individual making the request.

How long do we have to comply?

We must act on the subject access request without undue delay and at the latest within one month of receipt. We should calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. We can extend the time for a response? You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary. However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if:

• it is manifestly unfounded or excessive;

• an exemption applies; or

• you are requesting proof of identity before considering the request

Can we ask an individual for ID?

If you have doubts about the identity of the person making the request, you can ask for more information. However, it is important that we only request information that is necessary to confirm who they are. The key to this is proportionality. We need to let the individual know as soon as possible that we need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information. Young Scot does not transfer personal data outside the EEA. When required to pass survey/consultation results to clients, it deletes identifying personal data, leaving only sufficient data to allow demographic and geographic cross-tabulation to be carried out. Young Scot does not ordinarily pass personal data on to any other organisation, and if the need arose to do so, it must inform the data subject about this as a part of the screen/form the information is gathered through

WHAT DATA DO WE HOLD?

Young Scot is registered with the Information Commission to process data for various purposes, including those of maintaining membership records, mailing lists and personnel records.

The Office Manager of Young Scot is the registered Data Controller for Young Scot, responsible for compliance with the Data Protection Act 2018(DPA 2018).

There are five main areas of work within Young Scot that require the DPA 2018 to be taken into consideration.

1. Personnel

The Finance & Personnel Director, Senior Finance Officer, Office Manager and Human Resource Assistant are responsible for ensuring that data held in the personnel files is accurate and complete, and that electronic and paper records of former staff are destroyed after the required period, as set out by HMRC and other bodies. All electronic data is password protected and paper records are held in a secure area accessible only by authorised personnel.

2. Young Scot Rewards Registrations

Young Scot members may voluntarily register their cards and limited personal data on the Young Scot Rewards portal, to participate in activities, such as to take part in surveys and claim rewards such as the ability to enter prize draws etc.

The member may maintain their original registration beyond the expiry of their card by registering another valid card with a longer expiry date at any time.

The data related to these registrations must be deleted six months after the member’s last card has expired, to give them time to reactivate their registration with a new card.

This is the responsibility of Information Services Manager, with assistance Digital Smart Tech Directorate and Storm ID.

3. Social Media

Young people (both members and, in some cases, non-members of Young Scot) may engage through Social Media. Depending on the engagement and the digital tools used we must ensure that we don’t breach any of the principles by not posting any sensitive data that can identify an individual or put them at risk. We must not store any data after we have carried out the task that the engagement has been undertaken for.

We do not ask for any personal data to be sent over social media (age, address etc). We ask any users who have sent us their personal data to remove it immediately as we cannot delete it ourselves.

4. Co-design Projects and Surveys

Young people (again, both members and non-members depending on the nature of the co-design project) may take part in Young Scot co-design projects and surveys, either face-to-face, online or in paper format. Young Scot collects and stores young people’s data as part of their involvement in co-design projects. At the beginning of co-design projects, the Co-design Team explains to the young people what data is collected about them and the purpose for this and how it will be used. This data will be stored securely and password protected as per Young Scot’s IT systems, and as per our offline systems. All offline systems holding personal data are securely locked and destroyed within the specified timeframe for the project. Survey entries will be retained for so long as they remain useful for historical, statistical or research purposes and to allow for any further cross-checking of the data. Any personal data associated with these entries should only be retained for a period of six months following completion of the report of the findings, after which all paper based and electronic data will be securely destroyed. The Co-Design Managers are responsible for carrying out this policy, with assistance from, the Co-Design and Digital & Smart-tech Directorates.

5. Insights Service

The team is responsible for the collection of data and the use of this data to prepare statistical reports for Young Scot and external stakeholders. We collect this data from primary and secondary sources. Where we use primary data for our own sources we always work in accordance with the data protection act and the policies and procedures around the primary source. E.G. Rewards data is stored and used under their policy.

Test, review and update our data held

We carry out quarterly compliance checks with each directorate to ensure that we are still complying with the above, they ask them to confirm that:-

• We are still collecting this source of data

• What review of the process to collect, store and destroy this data have been undertaken.

Whilst individual members of staff have been assigned responsibility for carrying out data protection tasks related to their own areas of work, it is the overall responsibility of Young Scot’s Data Controller to ensure that these tasks have indeed been carried out to the correct standard.

Reviewed August 2020