What your rights are

• By using this website, you agree to our Terms and Conditions. If you do not agree with them, please stop using this website immediately

• If you believe that any of our online content is owned by your or infringes your copyright, please let us know

• Our terms and conditions are under the Scottish law, so if you have any legal disputes with us about our terms and conditions, they will be brought to the Scottish courts.

What we are responsible for

• While we will try our best to keep the website up to date and accurate, there is no obligation and no guarantee that it is

• We are not responsible to you if our website is unavailable – due to technical issues for example

• The content on our website (including its copyright and other intellectual property rights) belongs to us, or the people who have given us permission to use it

• We are not responsible for the external websites that you can access from our website. If you have any issues with their content, you should get in touch with them instead.

• We are not responsible for any loss or damage that you suffer as a result of using our website or the information on our website

• If we decide to sell or transfer our website to someone else, we might also transfer the website’s rights and responsibilities to them. We can do this without telling you

• If we make any changes to the terms and conditions, we are responsible for making it available on our website. The updated terms will take effect immediately after it has been uploaded.

How the website can be used by you

• You must only use this website following our Terms and Conditions

• The website is available to you for free

• The online content on our website is for your personal and professional use only. You are welcome to use small segments of this site and multimedia for your work to discuss Young Scot. We ask you to speak to Communications before using pictures as often the copyright belongs to third parties. We appreciate a link or a mention on social media when you use our content. However, you also cannot make money from our content (e.g. by selling or renting it).

• The information on our website is for general information only, please do not take it as advice or rely on it

• You are responsible for making sure your computer system is technically capable of accessing and using our website. You are also responsible for protecting your system from viruses and infection.

• Just because you agree to our terms and conditions, it doesn’t mean we now have a partnership between us

Our full terms and conditions

• These terms and conditions (“T&Cs”) provide information in relation to your use of (http://www.youngscot.net/) (the "Website"). They also tell you: - what your rights are; what we are responsible for; and how the website can be used by You.  Please read these T&Cs carefully to ensure that you are aware of your obligations. You can print off these T&Cs if is it is easier for You to read them! In addition, if anything in these terms and conditions is unclear, please feel free to e-mail us on info@young.scot

• The Website is operated by Young Scot (‘We’ ‘Our’ Us’) which is a Scottish registered charity (SC029757). Young Scot is also a company limited by guarantee (202687) Our register office is at Rosebery House, 9 Haymarket Terrace, Edinburgh, EH12 5EZ.

• You must only use this Website in accordance with these T&Cs.

• By using this Website You are agreeing to comply with these T&Cs. If You do not agree to these T&Cs, please stop using the Website immediately.

• Changes to the Website

  • Sometimes We might make changes to the Website or update. However, the content available on the Website may not always be up to date and whilst we will try to keep it up date, we are under no obligation to do so.

  • We will try to make sure everything on the Website is correct. However, you should note that We do not guarantee that everything on the Website is complete, accurate; and free from errors.

  • Access to the Website

    • We make the Website available to you for free

    • We cannot guarantee that the Website will always be available when you try to access it and that you will be able to access it without interruption. For example, technical issues may result in the Website being unavailable from time to time.

    • We might suspend, withdraw, discontinue or change the Website or part of it without any notice. If We do this We will not be responsible to You if Our Website is unavailable at any time.

• The Online Content – who owns it and how can You use it?

  • The property and any copyright or other intellectual property rights in the content available on the Website (“Online Content”) belongs to Us or to other business or individuals who have given Us permission to use that content or information on our Website.

  • You can access the Online Content in order to read, look at, download, store, use and copy it for Your own personal or professional use only!

  • You must not:

    1. download, store, reproduce, transmit, display, copy, distribute or use the Online Content for anything other than your own personal use or to highlight the work of Young Scot; or

    2. sub-licence, rent, lease, transfer or attempt to sell the rights in the Online Content to anyone else; or

    3. allow anyone else to use the Online Content, other than another individual, in accordance with these T&Cs, or

    4. use or allow anyone to use the Online Content for commercial purposes or to make any money.

  • If You believe that any Online Content is owned by you or violates Your copyright, You are encouraged to notify Us, setting out (where possible):

    1. who You are;

    2. how You own the relevant copyright work; and

    3. details of the alleged infringement.

       • Young Scot will respond to all such notices, including as required or appropriate by removing the infringing material or disabling all links to the infringing material.

• Reliance

  • The information on the Website is provided for general information only. It is not advice or information, which You can rely on for any reason.

• Liability

  • You are responsible for ensuring that Your computer system will let You use the Website and meets all relevant technical requirements to allow You to use Website.

  • This clause sets out what our liability to You as a user of the Website: -

    1. Young Scot does not guarantee that any Online Content that you can download from the Website will be free from infection, viruses and/or other code that may contaminate or destroy property. You are responsible for putting in place and maintaining your own procedures and virus checks (including anti-virus, firewall and other security checks).

    2. We do not guarantee that the Website will be continuously available 24 hours per day, 7 days per week, 365 days per year but We will try to keep downtime to a minimum.

    3. We have no responsibility for the content of websites which You can link to from the Website. We do not endorse any of the websites You can link to from the Website and Young Scot will not be liable for any loss which may arise from Your use of them. Any concerns regarding any external link from our website should be directed to its website administrator or webmaster.

    4. Nothing in these T&Cs excludes or limits our liability for death or personal injury arising from our negligence or the negligence of our employees, fraud or fraudulent misrepresentation or any liability that cannot be excluded or limited by law.

    5. To the extent permitted by law, We exclude all conditions, warranties, representations or other terms which may apply to the Website or any content on it whether express or implied.

    6. Where You suffer any loss because you used the Website or information on the Website, to the extent permitted by law We accept no responsibility for any loss or damage, whether due to inaccuracy, error, omission or any other cause, and whether this has been caused by Us or Our employees, agents or any other persons.

  • Contact

    • If you wish to contact us, you can do so be various methods as follows:

      1. By post or hand delivery to: - Young Scot Enterprise, Rosebery House, 9 Haymarket Terrace, Edinburgh EH12 5EZ UK

      2. By e-mails to: - info@young.scot

    • General

      • If we sell or transfer the operation of the Website, We may transfer any or all of its rights and obligations under these T&Cs to that party, and We are not required to inform You that We have done so or intended to do so.

      • Nothing in these T&Cs creates or will be treated as having created a partnership between You and Us.

      • We may alter these T&Cs from time to time and post a new version on the Website. Any amended version of the T&Cs will take effect immediately on being posted on the Website.

      • If any section of these T&Cs (or any part of any such provision or term) is or becomes unenforceable for any reason whatsoever, such section (or the relevant part of it) will be cut out from these T&Cs, but the remaining T&Cs will remain unaffected.

      • These T&Cs are governed by Scots law and any dispute under or in connection with them must be brought in the Scottish courts. However, if you have any grievances, please feel free to contact us in accordance with clause 7 above.

• Online Privacy Practices

  • When you use this Website, we will automatically have access to limited personal information about you. In addition, if you sign up to receive our newsletter through this Website, we will have to store and use your personal information. As a result, we are required to make sure that we provide you with protection and process and store your personal data as set out in the Data Protection Act 1998 ("the Act"). Further information about the Act is available on the Internet at www.dataprotection.gov.uk. This Privacy Policy and Cookie Policy below set out how we collect data and how it is processed.

  • One of the requirements under the Act is that we notify the Information Commissioner that we hold and process personal data. We confirm that we have done that and that we have practices in place which ensure that we comply with the requirements of the Act.

• Any information of a personal nature that You provide to Us will be kept confidential by Us and will only be used for the purposes that have been specified above. However, we may transfer personal information to third parties for storage purposes or for the purposes specified in these T&Cs. We will try to make sure that any third parties we transfer your personal information will also keep it confidential. However, you must note that the transmission of information via the internet is never completely secure and whilst we will do what we can to keep it secure and confidential we cannot absolutely guarantee that it will be completely secure. You should always consider the risks before proving personal information through our Website prior to doing so because you are transferring it at your own risk.

Cookies

• We use cookies. However, We do not use cookies for collecting or storing personal information about You. Instead, Young Scot use a form of temporary cookie called a "session cookie" to allow our website to function effectively. Session cookies only store a "session ID" - a string of random characters - which allows the website to group together and distinguish page requests from Your browser during each browsing session. They are not stored on Your computer's hard disk and are held in memory, expiring automatically when You close down Your browser. If for any reason You do not want session cookies to be temporarily stored in the memory of Your computer, then these can be disabled by clicking here – please note that disabling cookies may mean that You will lose some features and functionality of the site. By not opting to disable the cookies then You are consenting to their use.

For further information from Young Scot on their data protection and privacy policies, You should contact info@young.scot.

Young Scot Enterprise is a company limited by guarantee registered in Scotland (No: 202687) and has its registered office at Rosebery House, 9 Haymarket Terrace, Edinburgh.

Email terms and conditions

Emails that you receive from Young Scot staff should be treated as confidential: the information in it may not be used or disclosed except for the purpose for which it has been sent. If you are not the intended recipient, please contact the sender immediately then delete it from your computer system.

Opinions, comments or other information in this e-mail that don’t relate to the business of Young Scot are neither given or endorsed by the company. We would kindly ask that you respect privacy and only save or forward this email as part of your business with Young Scot. Young Scot  has taken all reasonable precautions to ensure that no viruses are transmitted to a third party.

However, the recipient should check this e-mail and attachments for the presence of viruses. Young Scot accepts no liability for damage caused by any virus transmitted by this e-mail.

Did you read all of this? Well done you! You deserve a wee treat…maybe a cuppa and a biscuit 😊

Emails that you receive from Young Scot staff should be treated as confidential: the information in it may not be used or disclosed except for the purpose for which it has been sent. If you are not the intended recipient, please contact the sender immediately then delete it from your computer system.

Opinions, comments or other information in this e-mail that don’t relate to the business of Young Scot are neither given or endorsed by the company. We would kindly ask that you respect privacy and only save or forward this email as part of your business with Young Scot. Young Scot  has taken all reasonable precautions to ensure that no viruses are transmitted to a third party.

However, the recipient should check this e-mail and attachments for the presence of viruses. Young Scot accepts no liability for damage caused by any virus transmitted by this e-mail.

Did you read all of this? Well done you! You deserve a wee treat…maybe a cuppa and a biscuit 😊

Like all organisations in the United Kingdom, Young Scot must comply with the principles of the Data Protection Act 2018. This ensures that we adhere to best practice in the collection and use of individuals data. The Data Protection Act 2018 states that data must comply with the following six principles:

YOUNG SCOT POLICY ON THE SIX PRINCIPLES OF DATA PROTECTION 

• Data must be processed fairly and lawfully 

• Young Scot staff may only use data obtained through the course of their work for purposes related to Young Scot. They must not use any data obtained for personal purposes. Misuse of any personal data may be considered as gross misconduct. 

• Data must be processed only for one or more specified and lawful purpose 

• All data held by Young Scot can only be used for the purposes specified in Young Scot’ Data Protection Registration with the Information Commissioner. 

• Data must be adequate, relevant and not excessive for those purposes 

• When creating surveys, forms, etc, only sufficient personal information must be asked for that is necessary to complete the task, and no more. 

• Data must be accurate and kept up to date - data subjects have the right to have inaccurate personal data corrected or destroyed if the personal information is inaccurate to any matter of fact 

• Young Scot must correct any inaccurate data that it holds about a person as soon as it is made aware of any inaccuracy by that person. 

• Data must be kept for no longer than is necessary for the purposes it is being processed 

• All personal data must be securely destroyed once the purpose for which it was collected has passed, and so long as there is no legal reason to retain the data any further (eg, PAYE audits, etc). The data retention / destruction timescales for the different areas of Young Scot’s work affected by the DPA are outlined below. 

Consent  

Data protection often requires obtaining informed consent from individuals before collecting or processing their personal data. Individuals have the right to know how their data will be used and to have the option to opt out. We use consent forms for collection data from young people and legitimate interest for collection data from our staff. We currently get informed consent for all young people and for all young people under the age of 16 we get parent/carer consent 

All materials that require a young person to submit personal data should have the following statement appended: “The information gathered will be used by Young Scot in accordance with the Data Protection Act 2018.”. 

Data security  

Data must be secured against accidental loss, destruction or damage and against unauthorised or unlawful processing - this applies to you even if your business uses a third party to process personal information on your behalf: We have a robust system in place to protect our data, this includes measures to secure data against unauthorised access or breaches. This involves using encryption, access controls, firewalls, and other security technologies to prevent data breaches. We no longer store data in paper format. 

 Data integrity

We have key controls in place to ensure we maintain the integrity of our data,  which means that data should not be tampered with or altered in an unauthorised manner.   

Data availability

We make sure that staff can access data when needed. We backup to the cloud and have a disaster recovery plan in place to ensure that data can be restored in the event of data loss or system failures within 24 hours. 

Young Scot maintains a system of secure password/two factor access to its IT systems and takes best efforts to ensure that all data held by it is adequately backed-up to prevent accidental deletion.  

Data confidentiality

We ensure data confidentiality means that only authorised individuals have access to certain data. This is achieved through user authentication, access permissions, and encryption. 

Data sharing  

Young Scot does not ordinarily pass personal data on to any other organisation, and if the need arose to do so, it must inform the data subject about this as a part of the screen / form the information is gathered through. 

Data retention

We have retention policies for how long data will be retained and should be deleted or anonymise data when it is no longer needed for its original purpose. These can be in line with legislation or legitimate business needs. The data retention / destruction timescales for the different areas of Young Scot’s work affected by the DPA are outlined in the below section. 

International data transfers   

Our default is to have our information stored with the UK/EEA We assess all suppliers to ensure that their storage facilities comply with GDPR and if they are out with the UK we check if they are covered under UK ‘adequacy to ensure that it is adequately protected, as different countries may have varying data protection laws. 

What does the UK-US data bridge mean for us transferring personal data to the United States? 

The UK-US data bridge enables frictionless transfers of personal data to the US. Organisations that are currently relying upon the ICO's international data transfer agreement (IDTA) or the EU standard contractual clauses (SCCs) and UK addendum for US data transfers may wish to consider using the UK-US data bridge instead. 

As the UK considers that the US provides an adequate level of protection for personal data when using the UK-US data bridge, organisations relying on the data bridge will not need to carry out a transfer risk assessment or consider whether supplementary measures are necessary.  

The UK-US data bridge will therefore substantially simplify the process of entering into new transfer arrangements, avoiding the time and expense incurred in carrying out transfer risk assessments and putting in place IDTAs or SCCs. 

We need to ensure that the data importer in the US is certified by the US Department of Commerce under the Data Privacy Framework. If we wish to use  the UK-US data bridge for intra-group transfers of personal data or to a service provider located in the US, then we need to ensure that the US entity is certified.  

If the US entity is not certified then exporters will need to continue to use the the IDTA or SCCs and UK addendum for the transfer. However, we should take into account the existence of the new measures introduced by the US when carrying out their transfer risk assessment. 

If we enter into contracts with data processors will want to consider the extent to which they may still wish to approve a transfer by the processor to a US sub-processor. 

We  should also think about how their contracts would deal with any successful challenge the lawfulness of the data bridge, as happened with Safe Harbor and Privacy Shield. 

When does the UK-US data bridge come into force? 

When we are exporting personal data to the US will be able to rely upon the Data Bridge for transfers to US organisations that have certified under the EU US Data Privacy Framework.  

Training and awareness

We carry out annual refresher Data Protection Training with all staff to  ensure they are aware of data protection policies and best practices to minimise the risk of data breaches due to human error. 

Monitor  

We review and monitor our data protection through our quarterly checking system. This has staff review and update their policies for service specific areas to ensure continued compliance with Data Protection Policy on accuracy, retention and purpose of data held. 

The act also covers individual rights and what they are: 

Rights for individuals: 

• The right to be informed 

• The right of access 

• The right to rectification 

• The right to erasure 

• The right to restrict processing 

• The right to data portability 

• The right to object 

• Rights in relation to automated decision making and profiling. 

• Individual Rights explained  

• Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. 

You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’. 

You must provide privacy information to individuals at the time you collect their personal data from them. 

If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. 

There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them. 

The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. 

It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices. 

User testing is a good way to get feedback on how effective the delivery of your privacy information is. 

You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing. 

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people but getting it wrong can leave you open to fines and lead to reputational damage. 

PRIVACY INFORMATION  

What privacy information we must provide 

• We must provide individuals with all the following privacy information: 

• The name and contact details of our organisation. 

• The name and contact details of our representative (if applicable). 

• The contact details of our data protection officer (if applicable). 

• The purposes of the processing. 

• The lawful basis for the processing. 

• The legitimate interests for the processing (if applicable). 

• The categories of personal data obtained (if the personal data is not obtained from the individual it relates to). 

• The recipients or categories of recipients of the personal data. 

• The details of transfers of the personal data to any third countries or international organisations (if applicable). 

• The retention periods for the personal data. 

• The rights available to individuals in respect of the processing. 

• The right to withdraw consent (if applicable). 

• The right to lodge a complaint with a supervisory authority. 

• The source of the personal data (if the personal data is not obtained from the individual it relates to). 

• The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to). 

• The details of the existence of automated decision-making, including profiling (if applicable). 

When to provide it 

• We provide individuals with privacy information at the time we collect their personal data from them. 

• If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information: 

• within a reasonable of period of obtaining the personal data and no later than one month; 

• if we plan to communicate with the individual, at the latest, when the first communication takes place; or 

• if we plan to disclose the data to someone else, at the latest, when the data is disclosed. 

How to provide it 

We have to provide the information in a way that is:  

• concise;transparent;intelligible;easily accessible; and uses clear and plain language. 

• Changes to our privacy information 

• We regularly review and, where necessary, update our privacy information. 

• If you plan to use personal data for a new purpose, you need to update our privacy information and communicate the changes to individuals before starting any new processing. 

What privacy information should we provide to individuals? 

The table below summarises the information that we must provide. What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or obtain it from another source. 

What information do we need to provide?  

Personal data collected from individuals Personal data obtained from other sources 

The name and contact details of your organisation ✓ ✓ 

The name and contact details of your representative ✓ ✓ 

The contact details of your data protection officer ✓ ✓ 

The purposes of the processing ✓ ✓ 

The lawful basis for the processing ✓ ✓ 

The legitimate interests for the processing ✓ ✓ 

The categories of personal data obtained ✓ 

The recipients or categories of recipients of the personal data ✓ ✓ 

The details of transfers of the personal data to any third countries or international organisations ✓ ✓  

The retention periods for the personal data ✓ ✓  

The rights available to individuals in respect of the processing ✓ ✓  

The right to withdraw consent ✓ ✓ 

The right to lodge a complaint with a supervisory authority ✓ ✓  

The source of the personal data ✓ 

The details of whether individuals are under a statutory or contractual obligation to provide the personal data ✓   

The details of the existence of automated decision-making, including profiling ✓ 

When should we provide privacy information to individuals? 

• When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data. 

When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information: 

• within a reasonable period of obtaining the personal data and no later than one month; 

• if you use data to communicate with the individual, at the latest, when the first communication takes place; or 

• if you envisage disclosure to someone else, at the latest, when you disclose the data. 

• We must  provide privacy information to individuals. We will meet these criteria by putting the information on your website www.young.scot and our Rewards platform, but you must make individuals aware of it and give them an easy way to access it.  

• When collecting personal data from individuals, we do not need to provide them with a privacy notice with any information that they already have. 

When obtaining personal data from other sources, you do not need to provide individuals with privacy information if: 

• the individual already has the information; 

• providing the information to the individual would be impossible; 

• providing the information to the individual would involve a disproportionate effort; 

• providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing; 

• you are required by law to obtain or disclose the personal data; or 

• you are subject to an obligation of professional secrecy regulated by law that covers the personal data. 

• What our privacy information should have? 

• We need to identify the  intended audience for the privacy information and put ourselves  in their position. 

• When we  collect or obtain children’s personal data, we must take particular care to ensure that the information we provide them with is appropriately written, using clear and plain language. 

• For all audiences, we must provide information to them in a way that is: 

• concise;transparent;intelligible;easily accessible; anduses clear and plain language. 

• How should we provide privacy information to individuals? 

There are several techniques we will use to provide people with the required privacy information. We will  use: 

• A layered approach – short notices containing key privacy information that have additional layers of more detailed information. 

• Dashboards – preference management tools that inform people how we use their data and allow them to manage what happens with it. 

• Just-in-time notices – relevant and focused privacy information delivered at the time you collect individual pieces of information about people. 

• Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing. 

• Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures. 

• Consider the context in which we are collecting personal data. It is good practice to use the same medium we use to collect personal data to deliver privacy information. 

• Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy information. 

• If we share it- the right to be informed in practice 

• If we share personnel data with other organisations 

• As part of the privacy information we must tell people who we are giving their information to, unless you are relying on an exception or an exemption. 

• We can tell people the names of the organisations or the categories that they fall within; choose the option that is most meaningful. 

• If we get personal data from other organisations: 

• We must provide young people with our own privacy information, unless we are relying on an exception or an exemption. 

• If we think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, we must carry out a DPIA to find ways to mitigate the risks of the processing. 

• If our purpose for using the personal data is different to that for which it was originally obtained, you must tell people about this, as well as what your lawful basis is for the processing. 

• Provide people with our privacy information within a reasonable period of buying the data, and no later than one month. 

• If we obtain personal data from publicly accessible sources: 

We still have to provide people with privacy information, unless we are relying on an exception or an exemption. 

If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, we must carry out a DPIA to find ways to mitigate the risks of the processing. 

Be very clear with individuals about any unexpected or intrusive uses of personal data, such as combining information about them from a number of different sources. 

Provide people with privacy information within a reasonable period of obtaining the data, and no later than one month. 

If you apply Artificial Intelligence (AI) to personal data: 

Be upfront about it and explain your purposes for using AI. 

If the purposes for processing are unclear at the outset, give people an indication of what you are going to do with their data. As your processing purposes become clearer, update our privacy information and actively communicate this to people. 

Inform people about any new uses of personal data before you actually start the processing. 

If you use AI to make solely automated decisions about people with legal or similarly significant effects, tell them what information we use, why it is relevant and what the likely impact is going to be. 

We will consider using just-in-time notices and dashboards which can help to keep people informed and let them control further uses of their personal data. 

• Test, review and update our privacy information? 

• We will as good practice carry out user testing on our privacy information to get feedback on how easy it is to access and understand. 

• Undertake regular reviews to check it remains accurate and up to date. 

If we plan to use personal data for any new purposes, we must update your privacy information and proactively bring any changes to people’s attention. 

ACCESS REQUESTS  

What is the right of access? 

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully. 

What is an individual entitled to?  

Individuals have the right to obtain the following from you: 

• confirmation that you are processing their personal data; 

• a copy of their personal data; and 

• other supplementary information – this largely corresponds to the information that you should provide in a privacy notice (see ‘Supplementary information’ below). 

• Personal data of the individual 

• An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that you establish whether the information requested falls within the definition of personal data.  

Other information 

In addition to a copy of their personal data, you also have to provide individuals with the following information: 

• the purposes of your processing; 

• the categories of personal data concerned; 

• the recipients or categories of recipient you disclose the personal data to; 

• our retention period for storing the personal data or, where this is not possible, our criteria for determining how long it will store it; 

• the existence of their right to request rectification, erasure or restriction or to object to such processing; 

• the right to lodge a complaint with the ICO or another supervisory authority; 

• information about the source of the data, where it was not obtained directly from the individual; 

• the existence of automated decision-making (including profiling); and 

• the safeguards we provide if we transfer personal data to a third country or international organisation. 

We are providing much of this information already in our privacy notice. But best practise to check if it’s a new information collection. 

How do we recognise a request? 

An individual can make a subject access request to us verbally or in writing. It can also be made to any part of Young Scot (including by social media) and does not have to be to a specific person or contact point. 

A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. 

We have a legal responsibility to identify that an individual has made a request to us and to handle it accordingly. Therefore, we have provided staff training to help to identify a subject access request. We have also set up a dedicated email address to support young people to make a request   

• We will keep a log of all requests including verbal requests. 

• We have created a template form to support individuals to make a subject access request? 

• This will also support staff to recognise a subject access request and for the individual to include all the details you might need to locate the information they want. Young people can email and request this form.  

• We  should note that a subject access request is valid if it is submitted by any means, so we will still need to comply with any requests you receive in a letter, a standard email or verbally. 

• Therefore, although we may invite individuals to use a form we will make it clear that it is not compulsory and do not try to use this as a way of extending the one month time limit for responding. 

How should we provide the data to individuals? 

If an individual makes a request electronically, we will provide the information in a commonly used electronic format, unless the individual requests otherwise. 

We have received a request but need to amend the data before sending out the response.  

Should we send out the “old” version? 

GDPR states that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while we are dealing with the request. So it would be reasonable for us to supply information we hold when we send out a response, even if this is different to that held when we received the request. 

However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the DP Bill, it is an offence to make any amendment with the intention of preventing its disclosure. 

Do we have to explain the contents of the information we send to the individual? 

We are  required to ensure  that the information we provide to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important where the information is addressed to a child. 

At its most basic, this means that the additional information we provide in response to a request (see the ‘Other information’ section above) should be capable of being understood by the average person (or child). However, we are not required to ensure that that the information is provided in a form that can be understood by the particular individual making the request. 

How long do we have to comply? 

We must act on the subject access request without undue delay and at the latest within one month of receipt. 

We should calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. We can extend the time for a response? 

You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary. 

However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if: 

it is manifestly unfounded or excessive; an exemption applies; or you are requesting proof of identity before considering the request. 

Can we ask an individual for ID? 

If you have doubts about the identity of the person making the request, you can ask for more information. However, it is important that we only request information that is necessary to confirm who they are. The key to this is proportionality. 

We need to let the individual know as soon as possible that we need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information. 

Young Scot does not transfer personal data outside the EEA. When required to pass survey / consultation results to clients, it deletes identifying personal data, leaving only sufficient data to allow demographic and geographic cross-tabulation to be carried out. 

Young Scot does not ordinarily pass personal data on to any other organisation, and if the need arose to do so, it must inform the data subject about this as a part of the screen / form the information is gathered through. 

WHAT DATA DO WE HOLD?  

Young Scot is registered with the Information Commission to process data for various purposes, including those of maintaining membership records, mailing lists and personnel records. 

The Corporate Services Manager  of Young Scot is the registered Data Controller for Young Scot, responsible for compliance with the Data Protection Act 2018(DPA 2018). 

There are five main areas of work within Young Scot that require the DPA 2018 to be taken into consideration. 

Human Resources 

The Corporate Serivces and  Finance Director, Finance Manager  Corporate Services  Manager and Corporate Services  Assistant are responsible for ensuring that data held in the Human Resources files is accurate and complete, and that electronic and paper records of former staff are destroyed after the required period, as set out by HMRC and other bodies. All electronic data is password protected and paper records are held in a secure area accessible only by authorised personnel.  

Young Scot Rewards Registrations 

Young Scot members may voluntarily register their cards and limited personal data on the Young Scot Rewards portal, to participate in activities, such as to take part in surveys and claim rewards such as the ability to enter prize draws etc.  

The member may maintain their original registration beyond the expiry of their card by registering another valid card with a longer expiry date at any time. 

The data related to these registrations must be deleted six months after the member’s last card has expired, to give them time to reactivate their registration with a new card. 

This is the responsibility of Information Services Manager, with assistance Digital Smart Tech Directorate and Storm ID. 

Social Media 

Young people (both members and, in some cases, non-members of Young Scot) may engage through Social Media. Depending on the engagement and the digital tools used we must ensure that we don’t breach any of the principles by not posting any sensitive data that can identify an individual or put them at risk. We must not store any data after we have carried out the task that the engagement has been undertaken for.  

We do not ask for any personal data to be sent over social media (age, address etc). We ask any users who have sent us their personal data to remove it immediately as we cannot delete it ourselves.  

Participation and Engagement Projects and Surveys 

Young people (again, both members and non-members depending on the nature of the participation and engagement project) may take part in Young Scot #YSHive (codesign) projects and surveys, either face-to-face, online or in paper format. 

Young Scot collects and stores young people’s data as part of their involvement in codesign projects.  At the beginning of co-design projects, the Participation and Engagement Team explains to the young people what data is collected about them and the purpose for this and how it will be used.  This data will be stored securely and password protected as per Young Scot’s IT systems all documentations is held electronically and destroyed within the specified timeframe for the project. 

Survey entries will be retained for so long as they remain useful for historical, statistical or research purposes and to allow for any further cross-checking of the data. Any personal data associated with these entries should only be retained for a period of six months following completion of the report of the findings, after which all paper based and electronic data will be securely destroyed. 

The Participation and Engagement Managers are responsible for carrying out this policy, with assistance from, the other directorates within Young Scot. 

Insights Service is responsible for the collection of data and the use of this data to prepare statistical reports for Young Scot and external stakeholders.  We collect this data from primary and secondary sources. Where we use primary data for our own sources we always work in accordance with the data protection act and the policies and procedures around the primary source e.g. Rewards data is stored and used under their policy.   

Test, review and update our data held  

We carry out quarterly compliance checks with each directorate to ensure that we are still complying with the above, they ask them to confirm that:-  

• We are still collecting this source of data 

• What review of the process to collect, store and destroy this data have been undertaken. 

Whilst individual members of staff have been assigned responsibility for carrying out data protection tasks related to their own areas of work, it is the overall responsibility of Young Scot’s Data Controller to ensure that these tasks have indeed been carried out to the correct standard. 

Data protection is a critical consideration for us as an organisation working with young people and their data, as data breaches can have serious consequences, including financial losses, damage to reputation, and legal liabilities. Complying with data protection regulations and implementing robust data protection measures is essential to maintain trust and security in an increasingly data-driven world. 

Reviewed June 2025