PRIVACY & DATA PROTECTION POLICY

Date of Review: March 2024
Reviewed by: Audit Sub-Committee
Proposed next review date: March 2025

About this policy

For over 400 years, ScotsCare has been in London giving a helping hand to Scots and the children of Scots; and is the longest established charity for Scots outside of Scotland. As part of our work, we collect and process personal data about the people who interact with us. The kind of data we collect depends on how people use our services, whether that’s getting advice, applying for assistance, supporting our campaigns, making donations, or volunteering.

We promise we’ll never share or sell your personal data to a third-party organisation for marketing, fundraising or campaigning purposes.

This notice outlines what data we collect, how we may use it, how we protect your data and your rights, and how you can exercise those rights.

References to ‘we’ or ‘us’ are to:

  • The Royal Scottish Corporation (ScotsCare) registered charity number 207326 (England and Wales), of 22 City Road, London, EC1Y 2AJ.

We regularly check this notice to make sure we’re giving you the most up-to-date information available about how we’re processing your data. We recommend you re-read this policy from time to time to make sure you’re happy with any changes that might be made.

While we’ve tried to make our privacy policy as comprehensive as possible, it doesn’t include an exhaustive list of every aspect of how we collect and use personal information. If you need any further information or explanation though, we’re happy to help.

If you have any questions about this policy, please contact us using the details in the ‘Contacting us’ section below.

This privacy policy was last updated in March 2024.

Why we collect your data

We collect and process personal data about the people who interact with us. The kind of data we collect depends on someone’s needs, and how they’re using our services. For instance, we might collect data to communicate with someone and send requested information to them, to administer applications for assistance, to help us administer campaigns and donations, or to improve our services.

We collect the minimum of data required to provide our services and do our work. We’re completely committed to protecting your data and privacy, and we pride ourselves on taking great care to ensure it stays completely safe.

Some of the reasons we might collect your data include:

  • to provide you with advice, support, or services that you have requested or have been referred to by another agency.
  • to record personal details shared during conversations with our helpline.
  • to record and contact you regarding payments you make to ScotsCare.
  • to administer services ScotsCare is providing to you.
  • to communicate with you regarding ScotsCare’s work, fundraising, and campaigning activities.
  • to process donations and administer Gift Aid information for any donation you make to ScotsCare.
  • to provide you with information about and to administer events, including mass participation events, and festivals.
  • to administer and send you information about our legacy programme.
  • to manage your communication preferences.
  • to process job applications or volunteer placements.
  • to conduct surveys, research and gather feedback.
  • to obtain information to improve ScotsCare’s services and user experiences.
  • to address and resolve complaints about ScotsCare and our services.
  • to carry out research to find out more information about our supporters’ and prospective supporters’ backgrounds and interests.
  • to comply with applicable laws and regulations, and requests from statutory agencies.
  • to comply with our contractual obligations to our funders.

Information we collect

Depending on how you use our services, some examples of the types of information we collect from you might include:

  • your full name and date of birth.
  • contact details – including your postal address, telephone number(s), and email address.
  • National Insurance number.
  • your bank details.
  • records of your correspondence and engagement with us.
  • donation history and Gift Aid details.
  • information you may enter on the ScotsCare website.
  • photographs, video, or audio recordings.
  • occupation.
  • biographical information.
  • other information you share with us.

This information may be collected via:

  • any paper forms you complete.
  • telephone, email conversations, or face-to-face interactions.
  • digital forms completed via our website, or online surveys.
  • third-party companies and websites such as CAF, Just Giving, etc.,
  • publicly available sources.
  • communication via social media.

We sometimes also collect sensitive, personal data about individuals. Sensitive, personal data includes information about health, religion, sexuality, ethnicity, political and philosophical beliefs, and criminal records. We will normally only record this data where we have your explicit consent unless we are permitted to do so in other circumstances under data protection law. For example, we may make a record that a person is in a vulnerable circumstance to comply with requirements under charity law and the Code of Fundraising Practice, to ensure that we do not send fundraising communications to them.

Where we are providing you with support services, we may record your sensitive personal data if this is necessary, for example, granting you a tenancy in one of our sheltered housing sites, provision of one or more of our services, participation in an event where we need this information to ensure we provide appropriate facilities for you, or if it is in the substantial public interest because we would not be able to provide our services without doing so.

Using your personal data

ScotsCare Support Services


If you are receiving advice or support from us, or if someone else has referred you to us for such a service, we will need to process your data because of your specific relationship with us.

We will keep all your relevant personal information – including notes, letters, emails, and information given to us about you – in a confidential record that is specific to you. We use an electronic case management system (customer relationship management system (CRM) or other electronic system, depending on the service) as well as paper records to support our advice, guidance, and support provision. This means that we can keep the information you provide us, so we are able to see the history and relevant details of your case(s). This ensures that we provide appropriate and accurate advice or support. We take information security very seriously. No one is allowed access to our system or files unless they need this to provide the service to you, or for one of the other purposes discussed in this notice.

We may need to disclose and discuss your personal information to third party individuals or organisations if this is necessary to help resolve your issue. Examples include:

  • your landlord
  • council housing, social services, and Housing Benefits teams
  • the DWP/Job Centre or HMRC
  • your GP or medical professionals
  • lenders and creditors
  • legal representatives or advisers
  • the court

We will discuss this with you as we go along and will only act with your express consent unless one of the other legal bases in data protection legislation applies.

To ensure that our services meet a high standard of quality, client files are sometimes checked by our quality assurance staff. Files may also be checked by external auditors. All auditors are bound by confidentiality policies.

Where our funders require it as a condition of our contract with them, we may use your data in reports to them. Typically, this is so that they can monitor the outcomes of the help we have provided to you, to ensure we are meeting the terms of our contract with them.

We may use your data for general statistical reports. These statistics will not include any information that could be used to identify any individual.

Fundraising/campaigning/direct marketing

ScotsCare would like to keep you up to date with our fundraising, marketing, and campaign activity.
We use a range of marketing activities and channels to contact our supporters – including our website, face-to-face fundraising, direct mail, SMS/text campaigns, email, and telephone.

We will obtain your consent to contact you by email and text message for marketing purposes.


We will send you marketing by post or email, on the basis of it being within our legitimate interests to do so, unless you opt out. See section 10 (‘Our legal basis for processing data’) for more information about our use of legitimate interests. We will also contact existing supporters by phone on this basis (unless they have opted out of receiving marketing communications from ScotsCare).

We send the following marketing materials:

  • updates about ScotsCare’s work – including newsletters, magazines, and other publications informing you about our work.
  • campaigns – information about our campaigning activities, including how you can support such campaigns, (for example by lobbying influential figures or signing a petition), and updates about the progress of our campaigns.
  • appeals and fundraising activities – including requests for donations, information about how you can leave us a gift in your will, how you can raise money on our behalf, attend or take part in a fundraising event, communications relating to our raffles, and updates on the impact that your fundraising activities have had on our work.
  • events – including details of our challenges, such as sponsored runs and activities, as well as other events such as concerts and comedy gigs in aid of ScotsCare. Please note that if you sign up to a ScotsCare event, we will also send you administrative communications about how you can take part. On occasion we will also send you a reminder about the same event in future years in case you want to participate in it again.
  • volunteering – information about how you can help support ScotsCare by giving up your time or using your influence to progress our aims, along with updates on the impact of your work.

We will never share or sell your personal data to a third-party organisation for its marketing, fundraising or campaigning purposes.

You can withdraw your consent, unsubscribe from, or update your marketing preferences at any point using the details in the ‘Contacting us’ section below.

Any electronic marketing communications, such as emails, will have a link to unsubscribe from future electronic communications, so you can manage your own communication preferences.

If you make any changes to your consent, we will update your record without undue delay and at the latest within one month of receipt. It may take up to 60 days for our systems to update and stop any postal communications from being sent to you. Email communications will, however, be stopped immediately. If you tell us that you do not wish to receive marketing, fundraising or campaign communications, you may still receive transactional and service-based communications confirming and servicing other relationships you have with us (as described below). You can also opt out of receiving marketing communications from us by signing up to the Fundraising Preference Service.

Where possible, we cleanse and remove out of date data by checking it against publicly available records such as deceased records. This helps us to improve the delivery rate of our mailings and minimise wasted expenditure.

Administrative communications to supporters

In addition to the fundraising and marketing communications that you receive from ScotsCare, we will also communicate with you by post, telephone, and email in relation to administrative and transactional matters. For example, we will call you after you have set up a Direct Debit to confirm your details, and upon cancellation. There may also be other occasions where we need to contact you about your donation – for example, if there is a problem with a payment or in relation to your gift aid declaration.

On occasion, we will also contact you about an event that you have signed up to participate in, to – for example – check that fundraising pages have been set up and to provide any other necessary information.

As mentioned above, we may still need to communicate with you for administrative purposes even where you have opted out of marketing communications from us.

Supporter research and analysis

We may use profiling and database segmentation techniques to analyse your personal information, and create a profile of your interests, preferences, and ability to donate. This allows us to ensure communications are relevant and timely, to provide an improved experience for our supporters. It also helps us understand the background of our supporters so that we can make appropriate requests to those who may be willing and able to donate more than they already do or leave a gift in their will. This enables us to raise funds quicker and in the most cost-effective way.

We are also legally required to carry out checks on individuals who give us large donations, to comply with our duties in respect of anti-money laundering legislation and the prevention of fraud.

Social media/digital

You may receive targeted advertisements through our use of social media audience tools. This depends on your settings or the privacy policies for social media platforms – e.g., Facebook, X (formally known as Twitter), Instagram, TikTok, and Google. For example, Facebook’s ‘Custom’ and ‘Lookalike’ Audiences’ programmes enable us to display adverts to our existing supporters or other people who have similar interests or characteristics.

We may provide your data (including your name and email address) to social media platforms. This is to check if you have an account, and to create a ‘lookalike’ audience. Our adverts may then appear when you use the social media platform. We only work with social media platforms that provide a facility for secure and encrypted upload of data, and immediately delete any records not matching with their own user base.

For more information, or to manage your social media ad preferences, please see:

When we engage with Facebook to identify you on their platform and provide you with our adverts, we are joint controllers of your personal information with Facebook. Our agreement with Facebook sets out our responsibilities to you – for example, we are responsible for informing you about this activity. Both we and Facebook are responsible for keeping your information secure. You can exercise your privacy rights against each of us individually.

Website analytics

ScotsCare uses Google Analytics to monitor usage of our website. Google Analytics captures locations using IP addresses, but does not make the addresses available to us, which means we cannot identify visitors to our site. We use analytics to let us know the numbers of new and repeat visitors to our website so we can assess how we are doing in spreading the word about our services to potential new clients and supporters.
If you do not want us to use your data for social media advertising, contact us to opt out:

communications@scotscare.com

ScotsCare Communications Team, 22 City Road, London, EC1Y 2AJ



If you have asked us not to use your information for targeted social advertising, you may still see adverts related to us. This is because the social media platform or advertising network may hold information about you (such as your age and location, or websites you have visited) that wasn’t provided by us.

Applying for a job with ScotsCare

When you apply for a job with us, your personal data will be collated to monitor the progression of your application, and the effectiveness of the recruitment process through the statistics collected. Where we need to share your data – such as for gathering references or obtaining a Disclosure and Barring Services check (depends on the role) – you will be informed beforehand unless the disclosure is required by law.

These checks are only done after a position has been offered only to the successful candidate. On the application form, you are asked to complete the referee details, and can tick permission to contact referee. If ticked yes, once offered a role, we will automatically send out reference requests. If you tick no, we will contact successful candidates for permission first.

Personal data about unsuccessful applicants are held for 12 months after the recruitment exercise is complete for that vacancy. You, as an applicant, can ask us to remove your data before this time if you do not want us to hold it. If we feel there is another suitable vacancy available, we will contact the applicant prior to sharing your application details with the relevant manager.

Once you have taken up employment with ScotsCare, we will compile a file relating to your employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to your employment. Once your employment with us has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it from our files.

Professional contacts

We may collect data about professional contacts and partners with whom we work. Personal data collected in this way will be processed in accordance with data protection legislation and this policy.

We may send our professional partners information and updates about our work (primarily by email). Such contacts can opt out of receiving this information at any time.

Our legal basis for processing personal data

We need a lawful basis to collect and use your personal data under data protection law. The law allows for six ways to process personal data (and additional ways for sensitive personal data). Four of these are relevant to the types of processing that we carry out. This includes information that is processed on the basis of:

  1. a person’s consent (for example, to send you direct marketing by email or SMS)
  2. a contractual relationship (for example, to provide you with goods or services that you purchase from us)
  3. processing that is necessary for compliance with a legal obligation (for example to process a Gift Aid declaration, and carrying out due diligence on large donations)
  4. ScotsCare’s legitimate interests (please see below for more information)

Personal data may be legally collected and used if it is necessary for a legitimate interest of the organisation using the data, if its use is fair and does not adversely impact the rights of the individual concerned.

When we use your personal information, we will always consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:

  • Charity Governance: including delivery of our charitable purposes, statutory and financial reporting, and other regulatory compliance purposes.
  • Administration and operational management: including responding to solicited enquires, providing information and ScotsCare services, research, events management, the administration of volunteers and employment, and recruitment requirements.
  • Fundraising and Campaigning: including administering campaigns and donations and sending direct marketing by post (and in some cases making marketing calls), sending thank you letters, analysis, targeting and segmentation to develop communication strategies, and maintaining communication suppressions.

If you would like more information on our uses of legitimate interests, or to change our use of your personal data in this manner, please get in touch with us using the details in the ‘Contacting us’ section below.

Disclosure of your personal data

We will not share any of your personal data with any third party – except where:

  1. the transfer is to a secure data processor, which carries out data processing operations on our behalf (please see section 13 for more information)
  2. we are required to do so by law, for example to law enforcement or regulatory bodies where this is required or allowed under the relevant legislation.
  3. we are required to do so because it is a condition of our funding or service provision that we share certain information with the funder or with partnership organisations. We will tell you if this is the case.
  4. it is necessary to protect the vital interests of an individual.
  5. we have obtained your consent.

We will never share or sell your personal data to a third-party organisation for marketing, fundraising, or campaigning purposes.

Security of your personal data

We use appropriate technical and organisational measures and precautions to protect your personal data and to prevent the loss, misuse, or alteration of your personal data.

When completing online applications for our services via our website, the person submitting the form is required to confirm that they have the consent of all individuals whose details they submit.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

We encourage you to review the privacy statements of websites you choose to access from the ScotsCare website, so that you can understand how those sites collect, use, and share your information. We are not responsible for the privacy statements, security, or other content on sites outside of the ScotsCare website.

Use of data processors

We may use a third-party supplier to manage mailings for fundraising appeals, campaigns, conduct research surveys or storage of your personal information on our behalf, and to provide some of our advice and support services to you. You can find out more about the suppliers that we use by getting in touch with us using the details in the ‘Contacting us’ section below.

We actively screen and monitor these companies to maximise the protection of your privacy and security. They are only permitted to use the data in accordance with relevant data protection legislation, under strict instructions from us, and in accordance with a data processing agreement entered into between ScotsCare and each supplier.

Transfers of data outside of the European Economic Area

We use Microsoft Office 365 and Azure products, which are multi-tenant cloud services, for our internal office use. This means that internal documents and information generated by us are stored in cloud services hosted within the European Economic Area (EEA).

Our client CRM system is hosted by Salesforce which also stores data in a cloud system hosted within the EEA. However, in some limited cases, we may use data processors that process and/or store data outside of the EEA – for example, payment processors such as Stripe.

In these cases, we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your information, for example, by entering into a contract that includes prescribed clauses about the use of data and (if the company is based in the United States, signing Standard Contract Clause).

Retention of your data

Whatever your relationship with us, we will only store your information for a specified amount of time, as set out in our internal data retention policy.

The length of time that data will be kept may depend on the reasons for which we are processing the data and, on the law, or regulations that the information falls under, such as financial regulations, Limitations Act, Health and Safety regulation etc., or any contractual obligation we might have – such as with government contracts or if we have a business case, such as with research data. For business case data, we will anonymise the data, so no individual is identifiable.
Subject to the above, we will typically store data relating to donors and people who have taken campaign actions for seven years after their last donation or interaction, and people to whom we provide services to for five years after completion of those services. Personal data about unsuccessful applicants are held for 12 months after the recruitment exercise is complete for that vacancy.

Once the retention period has expired, the information will be confidentially disposed or permanently deleted, or anonymised.

If you request to receive no further contact from us, we will keep some basic information about you on our suppression list to avoid sending you unwanted materials in the future.

Your rights

You have many rights under data protection legislation. These include:

Right of Access

You have the right to know what information we hold about you and to ask, in writing, to see your records.
We will supply any information you ask for that we hold about you as soon as possible, but this may take up to one calendar month. We will not charge you for this other than in exceptional circumstances. You will be asked for proof of identity as the person dealing with your request may not be the staff member you have met before. We need to be sure we are only releasing your personal data to you.

This is called a data subject access request, and can be done by:

  • emailing communications@scotscare.com
  • writing to the Data Protection Manager, ScotsCare, 22 City Road, London, EC1Y 2AJ

Right to be informed

You have the right to be informed how your personal data will be used. This policy, as well as any additional information or notice that is provided to you either at the time you provided your details, or otherwise, is intended to provide you with this information.

Right to withdraw consent

Where we process your data based on your consent (for example, to send you marketing texts or emails), you can withdraw that consent at any time. To do this, or to discuss this right further with us, please contact us using the details in the ‘Contacting us’ section below.

Right to object

You also have a right to object to us processing data where we are relying on it being within our legitimate interests to do so (for example, to send you direct marketing by post). To do this, or to discuss this right further with us, please contact us using the details in the ‘Contacting us’ section below.

Right to restrict processing

In certain situations, you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.

Right of erasure

In some cases, you have the right to be forgotten (i.e., to have your personal data deleted from our database). Where you have requested that we do not send you marketing materials, we will need to keep some limited information to ensure that you are not contacted in the future.

Right of rectification

If you believe our records are inaccurate, you have the right to ask for those records concerning you to be updated. To update your records, please get in touch with us using the details in the ‘Contacting us’ section below.

Right to data portability

Where we are processing your personal data because you have given us your consent to do so, you have the right to request that the data is transferred from one service provider to another.


Complaints

If you have any complaints about the way in which we have used your data, please get in touch with us using the details in the ‘Contacting us’ section below. We would be happy to help and discuss your concerns.

You are also entitled to make a complaint to the Information Commissioner’s Office and the Fundraising Regulator

Contacting us

If you have any questions about this policy, would like more information, or want to exercise any of the rights set out in the ‘Your rights’ section above, you can get in touch with us in the following ways:

  1. Email: communications@scotscare.com
  2. Telephone: 020 7240 3718
  3. Post: ScotsCare, 22 City Road, London, EC1Y 2AJ
Loading...