Version 2.0 21 January 2026
What is the purpose of this document
sportscotland is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you, in accordance with UK Data Protection legislation. This Privacy Notice contains important information about how we collect, manage, use, and protect your personal information.
This privacy notice is applicable to any individual or entity who has currently or have previously operated under a sportscotland Contract.
The Scottish Sports Council, trading as ‘sportscotland’ of Doges, Templeton on the Green, 62 Templeton Street, Glasgow, G40 1DA is the “controller” of the personal information that you provide to us and is registered as a data controller with the Information Commissioner’s Office, registration number Z7177835.
This means that we are responsible for deciding how we hold and use personal information about you. We are required under Data Protection legislation to notify you of the information contained in this privacy notice.
We may update this Privacy Notice from time to time. Please check this notice frequently to ensure you are aware of the most recent version and the date that it was last updated.
Our contact details
Headquarters
Doges,
Templeton on the Green,
62 Templeton Street
Glasgow, G40 1DA
Tel: 0141 534 6500
Deaf/BSL users can contact us using the Contact Scotland service
Web: sportscotland - sportscotland the national agency for sport in Scotland
Email: sportscotland.enquiries@sportscotland.org.uk
Data Protection Officer Contact Details:
Information Governance and Data Protection Officer
Doges,
Templeton on the Green,
62 Templeton Street
Glasgow,
G40 1DA
Email: DPO@sportscotland.org.uk
What type of information we have
We may collect and process the following throughout the Contract lifecycle dependent on the contract and service being provided: -
- Personal contact details, including name, address, email address, date of birth, and phone number;
- Company information, registered address, date of incorporation, registration number, current officers
- Compensation and insurance details
- Place of work;
- Alternate contact details for any individuals that you may have provided;
- Payment details: including bank account number, sort code, and any other information relating to the provision of payment;
- Qualifications and compliance documents relating to your accreditation to perform the contract tasks;
- Any submissions made when tendering for the contract that was secured
- Photographic ID;
- Disclosure and PVG membership;
- Driving licence;
- Previous offences;
- Passport / visa numbers; and
- Confirmation of eligibility to work in the UK;
We may ask you for additional personal information, which shall be collected, stored, and used in accordance with this privacy notice.
How We Collate Information
We typically obtain personal information about contractors directly from the contractor, through the tendering process, or from third‑party sources. This may include information provided by external organisations, such as background‑checking agencies, including Disclosure Scotland. We may also collect personal information throughout the duration of your contractual relationship with us.
In limited circumstances, we may gather additional personal information in connection with job‑related activities during the period of your engagement. Where this occurs, we will provide you with appropriate information regarding the nature and purpose of the collection at the time the information is obtained.
Our purposes for processing personal data
We may process your personal information for specific purposes. These include: -
- To allow us to fulfil the contract;
- Administering payment;
- Complying with Health & Safety and Fire Safety obligations; and
- Complying with information requests under legislation including the UK GDPR, Freedom of Information (Scotland) Act, and the Public Records (Scotland) Act
- Complying with our legal obligations;
- For further information on sportscotland’s legislative requirements, please see:
- Protected characteristics | EHRC
- Public Sector Equality Duty | EHRC
Who we share your personal information with
- We may share your information with the Emergency Services in the event of an injury or incident;
- If your personal information is included in any images or videos taken by us at our events, we may share it on our websites for promotional/media purposes;
- If your personal information is included in any images or videos taken by us at our events, we may also share this with Commonwealth Games Scotland, Scottish Governing Bodies, and British Governing Bodies of Sport, for promotional and/or journalistic purposes.
- sportscotland engages third-party suppliers to provide services including IT, and training. These suppliers may process personal information on our behalf as “processors” and are subject to written contractual conditions to only process that personal information under our instructions and protect it;
- We may share personal information with our professional and legal advisors for the purposes of taking advice; and
- We may be required to share personal information with statutory or regulatory authorities and organisations. Such organisations include HMRC, the Health & Safety Executive and Disclosure Scotland.
In the event that we do share personal information with external third parties, we will only share such personal information strictly required for the specific purposes and take reasonable steps to ensure that recipients shall only process the disclosed personal information in accordance with those purposes.
How we store and protect your personal information
Security measures in place within sportscotland include physical security measures; strong passwords; password lock out policy; managed permissions; two factor authentication; encryption; antivirus software; anti-malware software; data loss prevention software; secure email gateway; software patch management and appropriate data backup arrangements.
Core systems are only accessible by sportscotland staff and a small number of contracts for service practitioners.
Where sportscotland retains your personal information in one of our own data centres, all data will be stored on UK based servers. Where sportscotland utilises cloud-based storage, your personal information may be stored out with the UK within European Union country data centres, in which case sportscotland will ensure adequate security measures are in place to protect your personal information.
International Data Transfers:
If we transfer personal information outside the UK, we do so in line with the UK General Data Protection Regulations, Data Protection Act 2018 and the Data Usage and Access Act. This means we only transfer data to countries or organisations where the level of protection for personal information is not materially lower than that required under UK law.
Your personal information may also be stored on third party, cloud-based solutions. Where this is the case, sportscotland will ensure that that third party complies with data protection legislation when processing your personal information.
Use of AI Tools: We use certain AI-enabled tools to support administration (e.g., drafting and summarising) and do not use AI to make decisions about individuals. Where AI tools may process personal information, we complete Data Protection Impact Assessments (DPIAs), apply appropriate safeguards, and follow our AI Policy. We will be transparent where AI is used and ensure human oversight.
Retention Periods
We retain personal information only for as long as necessary for the purposes described above, and in line with the sportscotland retention and destruction policy contained within the sportscotland Records Management Plan, which is a legal requirement under the Public Records Scotland Act (2011) You can download this at: sportscotland Records Management Plan
Legal Basis for processing your personal data
We will only collect and process personal information where we have a legal basis for doing so under Data Protection legislation. The legal basis may differ depending on the purpose for processing your data.
Data Type: Name, address, email, phone
Purpose of Processing: Account creation, service provision
Lawful Basis (GDPR/DUAA): Contract (Art. 6(1)(b))
Data Type: Date of birth, gender, age
Purpose of Processing: Eligibility checks, reporting, equality monitoring
Lawful Basis (GDPR/DUAA): Legal obligation (Art. 6(1)(c)); Public interest (Art. 6(1)(e))
Data Type: Payment details (bank, NI number)
Purpose of Processing: Payment for services, payroll
Lawful Basis (GDPR/DUAA): Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c))
Data Type: Medical & accessibility info
Purpose of Processing: Course provision, accommodation, health & safety
Lawful Basis (GDPR/DUAA): Consent (Art. 6(1)(a), Art. 9(2)(a)); Public interest (Art. 9(2)(g))
Data Type: Photos/videos (events)
Purpose of Processing: Promotion, media, publications
Lawful Basis (GDPR/DUAA): Consent (Art. 6(1)(a))
Data Type: Website usage data (cookies)
Purpose of Processing: Analytics (audience measurement), site improvement, preferences, advertising
Lawful Basis (GDPR/DUAA): Strictly necessary cookies: not consented; necessary for a service you request. Statistical measurement / appearance cookies: in limited cases may be set without consent under DUAA’s PECR exemptions, with clear info and an easy opt-out. Advertising/targeting cookies: Consent (Art. 6(1)(a))
Data Type: Coaching app data
Purpose of Processing: Tailored notifications, programme administration
Lawful Basis (GDPR/DUAA): Consent (Art. 6(1)(a)); Contract (Art. 6(1)(b))
Data Type: Award nominations
Purpose of Processing: Processing nominations, event invitations
Lawful Basis (GDPR/DUAA): Consent (Art. 6(1)(a)); Legitimate interests (Art. 6(1)(f))
Data Type: CCTV images
Purpose of Processing: Security, crime prevention
Lawful Basis (GDPR/DUAA): Public interest (Art. 6(1)(e)); Legitimate interests (Art. 6(1)(f))
Data Type: Correspondence (email, social)
Purpose of Processing: Responding to queries, customer service
Lawful Basis (GDPR/DUAA): Legitimate interests (Art. 6(1)(f)); Consent (Art. 6(1)(a))
Data Type: eLearning data
Purpose of Processing: Certification, progress tracking
Lawful Basis (GDPR/DUAA): Contract (Art. 6(1)(b)); Consent (Art. 6(1)(a))
Your data protection rights
Under data protection law, you have rights including:
Your right of access : You have the right to ask us for copies of your personal information.
Your right to rectification : You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure : You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing : You have the right to object to the processing of your personal data in certain circumstances.
Your right to data portability: You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
Automated Decision Making: sportscotland does not use automated decision-making processes to make decisions about individuals. All decisions involving your personal information are made by our staff.
Your right to withdraw consent: If we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing carried out before your withdrawal.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please note the lawful basis used for processing your personal information can also affect which rights are available to you as there may be exemptions. Our Data Protection Officer will advise on any exemptions on request.
How to make a request
You can exercise your data protection rights using the Data Protection Officer contact details below. Further information can be found in our Subject Access Request Policy .
We may ask you to confirm your identity or clarify your request. Where clarification or ID is reasonably required, we will pause (“stop the clock”) until the information is provided. We will conduct reasonable and proportionate searches across our systems when responding.
How to complain
If you have any concerns or complaints about this privacy notice, or how we handle your personal data, please contact our Data Protection Officer (DPO) in the first instance:
Information Governance and Data Protection Officer
sportscotland, Doges
Templeton on the Green
62 Templeton Street
Glasgow
G401DA
Email: DPO@sportscotland.org.uk
We will aim to acknowledge your complaint within five working days of receiving it.
We will investigate your complaint thoroughly and may contact you for further information or clarification if needed. We aim to provide a full response within one month. If your complaint is complex or requires more time, we will keep you informed of progress and let you know if we need additional time.
If you are not satisfied with our response, you have the right to contact the Information Commissioner’s Office (ICO) to raise your concerns.
Their contact details are noted below:
The Information Commissioner’s Office – Scotland
Queen Elizabeth House
Sibbald Walk
Edinburgh
EH8 8FT
Telephone: 0303 123 1115 Email: Scotland@ico.org.uk