Privacy Notice

Bield Housing & Care (“Bield”, “we”, “us” or “our”) are fully committed to the safeguarding of your privacy.  We take the issue of data protection seriously and strictly adhere to the guidelines published in the UK General Data Protection Regulation (UKGDPR) which is part of the Data Protection Act 2018 (DPA 2018). 
 
This privacy notice explains how we will manage your personal information when you make contact with us or use one of our services.  The webpage has a layered format so you can easily navigate to the information specific to you by clicking on the headings below.
Who are we?

Bield Housing & Care (Scottish Charity Number SC006878) is a registered society under the Co-operative and Community Benefit Societies Act 2014 with Registered Number 1692R (S) and having their registered office at: 79 Hopetoun Street, Edinburgh, EH7 4QF.

Bield Housing & Care will be the ‘Data Controller’ for all personal information we obtain about you, unless otherwise specified. The data controller is accountable for your personal data and determines what personal information is collected and how it will be used. We are registered with the Information Commissioner’s Office under registration number Z5643453.

Data Protection Officer

We have an appointed Data Protection Officer who is responsible for overseeing data protection within Bield.

Data Protection Officer:

Chrisleen Schutte

Address:

79 Hopetoun Street, Edinburgh, EH7 4QF

Email:

dataprotection@bield.co.uk

Telephone:

03000 132 162

How we handle your information when you apply for housing and services?

During the course of our activities, it will be necessary for us to process your personal information in a lawful, fair and transparent manner. When you apply for housing and services, we will be the data controller of your personal information and will determine how your data is collected and used.

When do we collect your personal information?

We collect personal information from you when you:

· apply for housing with us, become a tenant, request services (e.g. care services, repairs) or enter into factoring agreement with us;

· become a member;

· use our online services to apply for housing, to report tenancy/factor related issues or to make a complaint;

· make a payment to us.

Depending on the services you apply for, we may collect the following personal information about you:

· Your name

· Your contact details eg phone numbers, postal address and email address

· Gender

· Ethnicity

· Date of birth

· Nationality

· National Insurance numbers

· Next of kin, emergency contacts and power of attorney

· Disability details

· Health, wellbeing and support details

· Housing benefit reference number

· Identifiable imagery e.g. CCTV

· Language

We may receive the following personal information about you from third parties:

· Benefits information, housing benefit awards and universal credit.

· Payments made by you to us.

· Complaints or other communications regarding behaviour or other alleged breaches of the terms of your contract with us, including information obtained from Police Scotland.

· Reports about your conduct or condition of your tenancy, including references from previous tenancies and complaints of anti-social behaviour.

· If you require a medical adaption (e.g. access ramps, hand rails, hoists), we may receive personal details of the person requiring the adaptation, confirmation of eligibility and reasons for adaption.

· Other agencies working with you to whom you have given consent.

Why we need to collect your personal information

It is a requirement of the GDPR is to specify a valid lawful basis for every activity where we process your personal data. The table below lists the lawful basis we use when you apply for housing and the relevant processing activity.

Lawful basis/ processing condition

Meaning

Our processing activity

Consent

The individual has given clear consent for us to process their personal data for a specific purpose.

When we use this lawful basis, you have the right to withdraw your consent at any time and request us to stop processing your personal information.

· It is necessary for us to collect and use your personal information in order to undertake the steps required to enter into a contract or agreement with you.

· We will collect and use your personal information when you have given us your explicit consent to do so, e.g. when we enquire about benefits on your behalf or when you request to become a member of our association.

· We will process health, mobility and disability information to enable us to supply you with the services and information you have requested.

· We may process information about any criminal convictions you have when reviewing your application for housing or services with us.

· We may process personal information as part of our equal opportunities monitoring, to help us maintain and promote equality and diversity within Bield.

Contract

Processing is necessary for the performance of a contract with the data subject, or to take specific steps before entering into a contract.

· Once a contract or agreement is in place, it is necessary we process your personal information in order to meet our contractual obligations with you. If we are unable to process your personal information we will not be able to supply you with the services and information you have requested (e.g. responding to repair requests, housing and/or care services requests and complaints).

Legal Obligations

Processing is necessary for you to comply with the law (not including) contractual obligations).

· During the course of our activities, we may be required to process your personal information in order to comply with any legal obligations we have (e.g. reporting to the Care Inspectorate, Local Authority departments, National TV Licensing Authority and Department of Work & Pensions).

Legitimate Interests

Processing is necessary for our legitimate interests.

This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact.

· We may contact you in order to communicate any changes to our supplies and services which may affect you.

· We may contact you for your views on our products and services.

· We may analyse information we collect so that we can administer, support, improve and develop our business and the services we offer.

How long we will keep your personal information

If your application for housing is unsuccessful or cancelled, we will retain your personal information for 1 month. If your application is successful and we enter into a contract or agreement with you, your personal information will become part of the tenancy record. We retain all tenancy records for the life of tenancy/contract plus 6 years, unless otherwise specified by law.

Security and Storage

We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.

Your information will only be stored within the UK.

How we handle your information if you are a BR24 Monitoring Services customer?

When you become a Bield Response 24 Monitoring Service (BR24) customer, we will collect and process your personal information so we can provide you with the services you have requested. We will be the data controller for the processing of your personal information and determine what personal information is collected and how it will be used.

BR24 may be contracted by local authorities, other housing associations and private landlords (data controllers) to provide you with monitoring services on their behalf. In these circumstances, we will be data processor for the processing of your personal data. The data processor will only process your personal information as instructed by the data controller.

What personal information do we collect?

When you become a BR24 customer, we may collect the following information about you:

· Your name

· Your contact details eg phone numbers, postal address and email addresses

· Date of birth

· Spouse details

· GP details

· Next of kin, emergency contacts and power of attorney

· Disability details

· Medical history

Why we need to collect your personal information

It is a requirement of the GDPR is to specify a valid lawful basis for every activity where we process your personal data. The table below lists the lawful basis we use when you become a BR24 customer and the relevant processing activity.

Lawful basis/ processing condition

Meaning

Our processing activity

Contract

Processing is necessary for the performance of a contract with the data subject, or to take specific steps before entering into a contract.

· It is necessary for us to capture and process your personal information so we can undertake and perform our obligations to you as described in the terms of our contract, or take steps to enter into a contract with you. This enables us to supply you with the services you requested (e.g. emergency pull cord monitoring, personal alarm units and out-of-hours repairs).

· If you provide us your health and medical history, we will use this information to respond to emergency calls efficiently. For example: If you have a sensory impairment it be would useful to know what other forms of communication we can use. If you have dementia it would be useful to be aware of the levels or effects of the condition you have.

The ‘special category’ processing condition we will use is:

9(2)(a) explicit consent of the data subject under UK GDPR.

You have a right to withdraw your consent for the processing of your medical or health information at any time. However, if no medical details are provided, this can limit our response and onward communications, which may result in a delay with the emergency services.

· In the event of an incident, we may record your personal information in an incident report, including any health information. The ‘special category’ processing condition we will use is:

9(2)(c) – Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent.

Legitimate Interests

Processing is necessary for our legitimate interests.

This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact.

· BR24 record all voice calls (e.g. telephone calls, voice recordings and CCTV) for training, quality control and audit purposes.

· BR24 record all voice calls for the protection of our staff and service users.

· We may record special category information (e.g. health details) when recording emergency voice calls. The ‘special category’ processing condition we will use is:

9(2)(f) – Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.

We may share your information with

Depending on the nature of the emergency, we may share your personal information with the emergency services (e.g. fire, police, ambulance), contractors, utility companies, and external agencies such as local authority social work departments. If we need to contact your emergency contact, key holder, power of attorney or next of kin we may disclose your personal information to this person.

How long we will keep your personal information

BR24 retain all client records for the life of the service agreement and will be deleted once the service agreement expires. We retain all voice recordings for 1 year for quality, training and audit purposes.

Security and Storage

We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.

Your information will only be stored within the UK.

How we handle your information when you make a payment?

When you make a payment to us either online or by telephone, you will be redirected to our payment providers who will process the payment on our behalf. We will not collect any additional information from you when you make a payment. Once payment has been received, our payment providers will notify us of your name, amount and account number and we will update your account accordingly.

We will be the data controller of any personal information we receive from our payment providers about your payments. The data controller determines what personal information is collected and how it will be used. Please note - our payment providers will also be data controllers of your personal information when you use their services to make a payment, please read their Privacy Notices when using their services.

Why we need to collect your personal information

It is a requirement of the GDPR is to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you make a payment to us.

Lawful basis/processing condition

Meaning

Our processing activity

Contract

Processing is necessary for the performance of a contract with the data subject, or to take specific steps before entering into a contract.

It is necessary for us to collect and process your personal information, in order to update your account with your payment details.

How long we will keep your personal information

We retain all tenancy records for the life of tenancy/contract plus 6 years, unless otherwise specified by law.

Security and Storage

We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and proteced against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.

Your information will only be stored within the UK.

How we handle your information when you make a complaint?

Anyone can make a complaint - either in person, by telephone, by e-mail or in writing. Once received, all complaints are recorded and managed through our complaints handling system. When you make a complaint, we may collect the following information about you:

· Your name

· Your contact details e.g. phone number, postal address, email address

When you make a complaint, we will be the data controller for the processing of your personal information.

Why we need to collect your personal information

It is a requirement of the GDPR is to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you make a complaint.

Lawful basis/ processing condition

Meaning

Our processing activity

Legitimate Interests

Processing is necessary for our legitimate interests.

This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact.

· We will process your personal information to conduct an investigation into your complaint. It is not compulsory for you to provide your personal information when you make a complaint and we will accept anonymous complaints. However, the more information you provide will enable us to conduct a more thorough investigation.

· During an investigation, we may contact you to obtain further information using the contact details you have supplied.

· We will use your contact details to provide you with a resolution of the complaint and make sure you are satisfied with the outcome.

· We may contact you if we are conducting an internal audit on our complaint handling process.

Who we may share your information with:

In the event you are not happy with the outcome of our complaint, or you have contacted one of the third parties listed below about a complaint, we may be required to share your personal information with:

· The Scottish Public Services Ombudsman

· The First-tier Tribunal for Scotland (Housing and Property Chamber)

· Care inspectorate

· Local authorities

We will occasionally conduct an internal audit of our complaint handling process, and our auditors may contact you to ask for your views of your complaints handling experience.

How long we will keep your personal information

We will retain all records related to your complaints for 5 years after the complaint has been resolved, after which your personal information will be deleted.

Storage and Security

Our complaints handling system is hosted by a third party supplier and any personal information entered into the system will be stored on their servers. We have a data protection contract in place with the provider of our complaints handling system, to ensure they will only process your personal information in accordance with our instructions and will not share your information with any other organisation. Furthermore, they will store your information securely within the UK, and only retain the data for a period instructed by us.

How we handle your information when you apply for employment?

When you apply for employment or casual work with us, we will collect and use your personal information in order to assess your suitability to work for us. As part of the recruitment process we may collect and process the following personal information:

· Your name

· Your contact details e.g. phone numbers, postal address and e-mail address.

· Details of your qualifications, skills, experience and employment history.

· Information about your current level of remuneration including benefit entitlements.

· Whether or not you have a disability that we need to make reasonable adjustments for during the recruitment process.

· Information about your entitlement to work in the UK and information about criminal convictions and offences.

· Information about your registration or membership of professional or regulatory bodies.

· Details of any disciplinary or performance related warnings in your previous employment.

· Equal opportunities monitoring information, including information about your gender, age, ethnic origin, sexual orientation, health and religion or belief.

When you give us your information we take steps to make sure that your personal information is kept secure and safe.

We will be the data controller for the processing of your personal information when you apply for employment with us, unless otherwise specified. The data controller determines what personal information is collected and how it will be used.

Why we need to collect your personal information

It is a requirement of the GDPR is to specify a valid lawful basis for every activity where we process your personal data. The table below lists the lawful basis we use when you apply for employment with us and the relevant processing activity.

Lawful basis/ processing condition

Meaning

Our processing activity

Consent

The individual has given clear consent for you to process their personal data for a specific purpose.

When we use this lawful basis, you have the right to withdraw your consent at any time or request we stop processing your personal information.

· We will process your personal information in order to assess your suitability for employment or casual work; and to decide which applicant to make an offer of employment or casual work.

· We may process health information if we need to make a reasonable adjustment to the recruitment process for the candidates who have a disability. The ‘special category’ processing condition we will use is:

9(2)(a) - Explicit consent of data subject.

You have the right to withdraw your consent for the processing of your disability information at any time.

· We may process information about any criminal convictions when assessing your suitability to work for us. The ‘special category’ processing condition we will use is:

9(2)(b) processing is necessary for carrying out obligations under employment, social security or social protection law or a collective agreement.

· We may process personal information as part of our equal opportunities monitoring, to help us maintain and promote equality and diversity within Bield. The ‘special category’ processing condition we will use is:

9(2)(a) - Explicit consent of data subject.

You have the right to withdraw your consent for the processing of your equality information at any time.

Legitimate Interests

Processing is necessary for our legitimate interests.

This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact.

· We keep personal information about you and your application for employment to enable us to respond to and defend against legal claims arising from applications for employment.

Who we may share your information with

We will not disclose or share personal information about you with third parties, unless your application is successful and we make an offer of employment.

If you are successful in your application, we will share your personal information for the purposes set out in this notice, or for purposes approved by you, including the following:

· To obtain pre-employment references from former employers, character references and necessary Disclosure or Protection of Vulnerable Group checks from Disclosure Scotland.

· If we have offered you a role which requires you to work overnight then we would also provide your personal information to our occupational health partners to enable a Night Worker Health Assessment to be undertaken, which is a legal requirement.

How long we will keep your personal information

We review our retention periods regularly and will only hold your personal information for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of personal information), or as set out in any relevant contract we have with you.

If your application for employment or casual work is unsuccessful we will hold your personal information on file for 12 months after the end of the relevant recruitment process. At the end of that period, or once you withdraw your consent, your personal information is deleted or destroyed.

If your application is successful, personal information gathered during the recruitment process will be transferred to your personnel record and retained during your employment. You will be provided with a fair processing notice for employees and casual workers at this time.

What if you do not provide personal information?

You are under no statutory or contractual obligation to provide personal information during the recruitment process. However, if you do not provide the personal information, we may be unable to process your application properly or at all.

You are under no obligation to provide personal information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Security and Storage

We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.

Your information will only be stored within the UK.

How we handle your information when you apply for a volunteer role?

When you apply to volunteer for us, we will collect and use your personal information in order to assess your suitability to volunteer for us. The type of personal information we collect during the recruitment process includes:

· Your name

· Your contact details e.g. postal address, phone numbers and email address.

· Whether or not you have a disability that we need to make reasonable adjustments for during the recruitment process.

· Information about criminal convictions and offences.

· Equal opportunities monitoring information: gender, age, ethnic origin, sexual orientation, health and religion or belief.

Bield will be the ‘Data Controller’ for the processing of your personal information when you apply to volunteer with us, unless otherwise specified. The data controller determines what personal information is collected and how it will be used.

Why we need to collect your personal information

It is a requirement of the GDPR is to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you apply to volunteer with us.

Lawful basis/ processing condition

Meaning

Our processing activity

Consent

The individual has given clear consent for you to process their personal data for a specific purpose.

When we use this lawful basis, you have the right to withdraw your consent at any time and request us to stop processing your personal information.

· We will process your personal information to assess your suitability to volunteer for Bield; and to decide which applicant to make an offer of volunteering.

· If you are successful, it will be necessary for us to process your personal information in order to take steps to enter into a volunteering role.

· We may process health information if we need to make a reasonable adjustment to the recruitment process for the candidates who have a disability. The ‘special category’ processing condition we will use is:

9(2)(a) - Explicit consent of data subject.

You have the right to withdraw your consent for the processing of your disability information at any time.

· We may process information about any criminal convictions when assessing your suitability to volunteer for us. The ‘special category’ processing condition we will use is:

9(2)(b) processing is necessary for carrying out obligations under employment, social security or social protection law or a collective agreement.

· We may process personal information as part of our equal opportunities monitoring, to help us maintain and promote equality and diversity within Bield. The ‘special category’ processing condition we will use is:

9(2)(a) - Explicit consent of data subject.

You have the right to withdraw your consent for the processing of your equality information at any time.

Who we may share your information with

We will not disclose or share personal information about you with third parties, unless your application is successful and we make an offer of volunteering. If you are successful, we will share your personal information for the purposes set out in this privacy notice, or for purposes approved by you, including:

· Obtain pre-volunteering character references

· Any necessary Protection of Vulnerable Groups; checks from Disclosure Scotland and Volunteer Scotland Disclosure Services.

How long we will keep your personal information

If your application is successful, personal data gathered during the recruitment process will be transferred to your volunteer record and retained during your volunteering. You will be provided with a 'Fair Processing Notice for Registered Volunteers' at this time.

If your application for volunteering is unsuccessful or you decide to withdraw from the recruitment process, we will hold your personal information on file for 12 months after the end of the relevant recruitment process. At the end of that period, or once you withdraw your consent, your personal information is deleted or destroyed.

We review our retention periods regularly and will only hold your personal information for as long as is necessary for the relevant activity.

What if you do not provide personal information?

You are under no statutory or contractual obligation to provide personal information during the recruitment process. However, if you do not provide the personal information, we may be unable to process your application properly or at all.

You are under no obligation to provide personal information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Security and Storage

We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure at all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.

Your information will only be stored within the UK.

How we manage CCTV within our properties?

We operate CCTV surveillance systems across a large number of our properties for 24 hours a day, all year round. We operate two types of CCTV surveillance systems - image only CCTV from fixed location cameras and live capture for emergency lift calls and main door entry systems. In all locations, signs are displayed notifying individuals when CCTV is in operation.

CCTV systems are installed and operated by us for the following purposes:

Lawful basis/ processing condition

Meaning

Purpose

Legitimate Interests

Processing is necessary for our legitimate interests.

This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact.

· To enhance the security of our properties.

· To assist in the prevention and detection of crime.

· To provide a sense of security to employees and customers.

· To provide out of hours and emergency safety via BR24 for main entrances and lifts.

When operating CCTV systems we will:

· Comply with the GDPR and DPA 2018 and other relevant obligations such as the implications of the European Convention on Human Rights, Article 8 (the right to respect for private and family life, home and correspondence).

· Ensure appropriate installation and operation of CCTV systems.

· Ensure information captured is usable and meets the purposes of the installation.

· Ensure individuals who may be captured in images are reassured that their privacy is being respected and their information handled appropriately.

For the purposes of the GDPR and DPA 2018, Bield is the data controller and legally responsible for the management and maintenance of any CCTV systems operating in our properties. We handle all recorded images in accordance with our Data Protection Policy, CCTV Procedure and CCTV code of practice.

Disclosing CCTV Images

If we are requested by Police Scotland to provide access to CCTV images in the event of an incident or crime being committed, they will be given access by viewing the data at the development office, BR24 Alarm Receiving Centre or by issuing a copy of the CCTV images.

Before disclosing CCTV images to the police, we have to be satisfied that disclosure is necessary for one or more of the following purposes:

· The prevention or detection of crime;

· the apprehension or prosecution of offenders; and

· withholding the personal data would be likely to prejudice the purpose cited.

All other requests for the release of CCTV images by a third party will need to be received in writing. Each request will be dealt with individually and CCTV images will only be released with the appropriate authorisation within Bield and/or from our Data Protection Officer. If there are any concerns about a request, we have the right to refuse the request unless there is an overriding legal obligation e.g. a court order or a subject access request.

Security and Storage

All CCTV equipment will be located in secure and restricted offices with any CCTV monitors switched off. Access is strictly limited to relevant employees and CCTV Contractors.

Retention

CCTV images will be retained only for as long as necessary to fulfil the required purpose for recording information and in accordance with our Retention Schedule.

How we handle your information when using our websites?

This privacy notice details how we manage your personal information when you visit the following Bield websites:

· www.bield.co.uk

What personal information we may collect

Please refer to the relevant sections of this Privacy Notice to find out what personal information we may collect about you when you use our websites for the following:

· Enquiring about renting or purchasing a property

· enquiring about day and evening services

· applying for employment or volunteering roles

· making a complaint

· making a payment

· making a donation.

We may also collect the following personal information about you when you browse and use our webpages, or when you submit a general enquiry using the ‘Contact Us’ button.

· Your name

· Your contact details eg postal address, phone numbers and email address

· IP address

Why we need to collect your personal information

It is a requirement of the GDPR is to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you use our websites.

Lawful basis/ processing condition

Meaning

Our processing activity

Legitimate Interests

Processing is necessary for our legitimate interests.

This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact.

· We may use your personal information in order to communicate with you and help with your enquiries when you use the Contact Us forms on our webpages.

Third party suppliers

We use a third party supplier for the design, storage and functionality of our websites. When you use our website, we are the ‘Data Controller’ for the processing of your personal information and the website provider is the ‘Data Processor’. The data controller determines what personal information is collected and how it will be used; and the data processor processes the personal information as instructed by the data controller.

Security, Storage and Retention

Our website provider manages the design, storage and functionality of our websites. Any personal information submitted or captured during the use of our websites will be stored on their servers.

We have contracts in place with our website provider to ensure they only process your personal information in accordance with our instruction and will not share your information with any other organisation. They will only store your information securely within the UK, and only for a period instructed by us.

How we use Cookies

About Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently (e.g. remembering your preferences) and for providing website usage information (e.g. counting the number of people browsing a website or webpage).

Our use of cookies is in compliance with The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the General Data Protection Regulation.

2. What Cookies we use and how you can manage them

Cookie

Name

What they are used for

How they can be managed

Google Analytics

_gid
_ga
_gid
_gat

· Collect information in an anonymous form, e.g. site visitor numbers, which pages they’ve viewed and which country they are visiting from.

· If the cookies are event tracking - we can see how many people clicked on a specific button.

· We use the information to compile reports, see how well the website is doing and to help us improve the site.

· All cookies are stored, until the user clears their browser history/data.

· Check your browser’s “Help” files to learn more about handling cookies on your browser.

· To manage your Google Analytics tracking settings, visit the Google website.

1P_JAR

· Used to gather website statistics, and track conversion rates.

CONSENT

· Stores the users cookie consent state for the current domain.

HSID

· A security cookie to authenticate users, prevent fraudulent use of login credentials and protect user data from unauthorised parties.

NID

· Contains a unique ID that Google uses to remember your preferences (e.g. preferred language, how many search results you wish to have shown per page and if you wish to have Google's Safe Search filter turned on).

SIDCC

· Security cookie to protect users data from unauthorised access.

APISID

· These cookies allow Google to collect usage information for Google Maps.

SSID

· SSID cookies are stored on the computer in order to remain connected to your Google account when you visit its service again.

SID

· Contains encrypted records of a user’s account ID and most recent sign-in time as well as their country and language preferences.

· Which videos have been viewed for adverts/related videos.

You Tube

LOGIN_INFO
PREF
SAPISID
SID
YSC

· Enables users to view embedded you tube videos and remembers their settings.

· To learn more about cookies used by YouTube, visit their website.

· All cookies are stored, until the user clears their browser history/data.

· Check your browser’s “Help” files to learn more about handling cookies on your browser.

SSID

· SSID cookies are stored on the computer in order to remain connected to your Google account when you visit its service again.

· Enables Google to collect user information for videos hosted by YouTube.

DSID
IDE

· This cookie is used for re-targeting, optimisation, reporting and attribution of online adverts.

· The information collected is anonymous.

ShareThis

_stid

· This cookie enables users to share our website content using email, Twitter and Facebook.

· Part of the ShareThis sharing button functionality. Unique identifiers given to each computer to allow traffic analysis to ShareThis.

· It may store the end users device ID and IP address.

· ShareThis includes a link in their pop-up box which allows users to specify "Do not track" which deletes cookies as required.

· All cookies are stored, until the user clears their browser history/data.

· To find out more visit the ShareThis privacy notice.

Drupal

has_js

· Used to check if your browser has JavaScript enabled and expires when you exit your browser.

· All cookies are stored, until the user clears their browser history/data.




3. Do we need to get your permission to download Cookies?

Yes - if the cookie captures personal information (such as IP addresses) or monitors users behaviour, we need to obtain your consent to store a cookie on your device.

4. How to find out more about Cookies?

A number of websites provide detailed information on cookies including www.alllaboutcookies.org and www.AboutCookies.org.

More information about cookies can be found on the ICO website: https://ico.org.uk/your-data-matters/online/cookies/

Your data protection rights

Under data protection law, you have rights we need to make you aware of. These rights enable you to have more control over how we process and manage your personal information. The rights available to you will depend on our reason for processing your personal information. To find out more about your data protection rights, visit the ICO website: https://ico.org.uk/your-data-matters/

Your Data Protection Rights

Right to be informed

· You have a right to be told when your personal information is captured, why it is being processed, where it is being stored and how long it will be held for.

· We provide this information in our Privacy Notices and Fair Processing Notices.

Right of access

· You have the right at any time to ask for copies of any personal information we hold on you, by submitting a Subject Access Request.

· This right always applies, although there are some exemptions and you may not always receive all the information we process.

Right to rectification

· You have the right to request we correct any inaccuracies to your personal information or if you think your records are incomplete.

· The accuracy of your personal information is important to us – please help us keep our records up-to-date by informing us of any changes to your personal details.

Right to erasure

· You have the right to ask us to delete your personal information in certain circumstances. Also known as your ‘right to be forgotten’.

· Where we have used Consent as our lawful basis, you have the right to request your personal information to be deleted. However, if you request we delete your personal information we may not be able to provide you with your requested services or information.

· Where we have used Contract as our lawful basis, you may not be able request your personal information to be deleted as processing is necessary for the performance of the contract.

· Where we have used Legal Obligation as our lawful basis, you may not be able request your personal information to be deleted as processing is necessary so we can meet our legal obligations.

Right to restrict processing

· You have the right to ask us to restrict the processing of your personal information, in certain circumstances.

Right to data portability

· Where we have used Consent or Performance of a Contract as our lawful basis, you have the right to ask us to transfer your personal information from one organisation to another or give it to you in a useable format e.g. csv file.

Right to object

· You have the right to object to the processing of your personal information, in certain circumstances.

· Where we have used Consent as our lawful basis, you can withdraw your consent at any time. However, if you withdraw your consent, we may not be able to provide you with your requested services or information.

· Where we have used Performance of a Contract as our lawful basis, you may not be able to object to the processing of your personal information as processing is necessary for us to meet our contractual obligations.

· Where we have used Legal Obligation as our lawful basis, you may not be able to object to the processing of your personal information as processing is required so we can meet our legal obligations.

Your rights in relation to automated decision making and profiling

· You have a right to ask if any of your personal information is being subjected to automatic profiling or decision making.

· We do not use profiling or automated decision-making processes.

Subject Access Requests

The GDPR entitles all individuals the right to find out what personal information we hold on them and request a copy of that information. Individuals can exercise this right by submitting a Subject Access Request (SAR).

When submitting a SAR, we will ask you complete a subject access request form to ensure we have all the necessary information to conduct the search and be able to respond to your request in a more timely and efficient manner. We will make reasonable adjustments for anyone with a disability that makes it difficult for them to complete the SAR form.

We will require proof of identification from you to help us confirm your identity or proof of authority if applicable, to ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Once we have received a completed SAR form together with a copy of proof of identity or proof of authority, we will respond to the individual within one calendar month. The timeline for a SAR response will not commence until we have received all the necessary information and confirmed proof of identity.

If we find any personal information about you, we will provide you with either an electronic or hard copy of the personal data, unless any exemption to the provision of that data is applied by law. If the personal data includes data relating to any other persons then reasonable steps will be taken to protect this data. Furthermore, if we do not hold personal data sought by the individual then we will advise them as soon as possible and within one calendar month.

We can legally extend the period of compliance by a further two calendar months where requests are considerable and complex. If this is the case, we will inform the individual within one calendar month and explain why the extension is necessary.

If we find the request to be manifestly unfounded or excessive, particularly if it is repetitive, we can charge a ‘reasonable fee’ or refuse the request. If this is the case, we will inform the individual in writing, within one calendar month, and explain our decision.

More information about how to submit a subject access request can be found in the ICO website: https://ico.org.uk/your-data-matters/your-right-of-access/

If you would like to submit a subject access request, please contact dataprotection@bield.co.uk or 03000 132 162.

How we manage your information when you request access to information

Under the legislations detailed below, you can request access to information we hold.

· The UK Data Protection Act (2018) Part of the UK Data Protection Regulation

· Environmental Information (Scotland) Regulations 2004

· Freedom of Information (Scotland) Act 2002

When you send us a request for information, it will be necessary for us to use your personal information so we can review and process your request. We will collect the following personal information:

· Your name

· Your contact details e.g. postal address, phone numbers and email address.

· Details of anyone authorised to act on your behalf.

· Identifiable imagery e.g. photographs for CCTV requests

· Proof of ID

Bield will be the ‘Data Controller’ for any personal information we collect and process when you submit an information request.

Why we need to collect your personal information

It is a requirement of the GDPR to specify a valid lawful basis for every activity where we process your personal data. The table details the lawful basis we use when you submit an access to information request to us.

Lawful basis/ processing condition

Meaning

Our processing activity

Legal Obligation

Processing is necessary for you to comply with the law (not including) contractual obligations).

Processing your personal information is necessary for the compliance with our legal obligations under the UK General Data Protection Regulation, Freedom of Information (Scotland) Act 2002 and Environmental Information (Scotland) Regulations 2004.

Legitimate Interests

Processing is necessary for our legitimate interests.

This lawful basis is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact.

If you make any request under FOISA or EIR then it will be necessary for us to process your personal information so we can respond to your request.

Who we may share your information with

If you make a complaint or appeal against our decisions, we may be required to share your personal details with the Information Commissioners Office or the Scottish Information Commissioner.

How long we will keep your personal information

When you submit a request for information, we will transfer your request and any submitted personal information into a case file. We will retain the case file for the periods listed below:

· SAR, EIR & FOI(S)A case records: 3 years from close of request

· SAR, EIR & FOI(S)A case not records not actioned: 3 years from last correspondence

· Appeals to ICO or SIC: 5 years from close of investigation

· Proof of ID: Destroyed immediately after confirmation of identity

Security and Storage

We have strict procedures and security features in place to ensure any personal information we hold is kept safe and secure all times and protected against unauthorised or unlawful processing as well as against its accidental loss, destruction or damage.

Your information will only be stored within the UK.

Making a complaint to the Information Commissioner's Office

If you are unhappy with how we handle your personal information, you have the right to complain to the Information Commissioner’s Office. Their details are:

The Information Commissioner’s Office – Scotland
45 Melville Street,
Edinburgh
EH3 7HL

Telephone: 0303 123 1115
Email: Scotland@ico.org.uk

Changes to our Privacy Notice

We are in the process of updating our privacy notice and this will be published shortly.