Version 1.0 6th January 2022
What is the purpose of this document
sportscotland is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you, in accordance with Data Protection legislation. This Privacy Notice contains important information about how we collect, manage, use, and protect your personal information.
This privacy notice is applicable to any individual or entity who has currently or have previously operated under a sportscotland Contract.
The Scottish Sports Council, trading as ‘sportscotland’ of Doges, Templeton on the Green, 62 Templeton Street, Glasgow, G40 1DA is the “controller” of the personal information that you provide to us and is registered as a data controller with the Information Commissioner’s Office, registration number Z7177835.
This means that we are responsible for deciding how we hold and use personal information about you. We are required under Data Protection legislation to notify you of the information contained in this privacy notice.
We may change this Privacy Notice from time to time. Please check this notice frequently to ensure you are aware of the most recent version and the date that it was last updated.
Our contact details
Headquarters
Doges
Templeton on the Green
62 Templeton Street
Glasgow
G40 1DA.
Tel: 0141 534 6500
Deaf / BSL users can contact us using the Contact Scotland service
General enquiries form or email sportscotland.enquiries@sportscotland.org.uk
Data Protection Officer Contact Details
Information Governance and Data Protection Officer
Templeton on the Green
62 Templeton Street
Glasgow
G40 1DA
Tel: 0141 534 1176
Email: DPO@sportscotland.org.uk
What type of information we have
We may collect and process the following throughout the Contract lifecycle dependent on the contract and service being provided: -
- Personal contact details, including name, address, email address, date of birth, and phone number;
- Company information, registered address, date of incorporation, registration number, current officers
- Compensation and insurance details
- Place of work;
- Alternate contact details for any individuals that you may have provided;
- Payment details: including bank account number, sort code, and any other information relating to the provision of payment;
- Qualifications and compliance documents relating to your accreditation to perform the contract tasks;
- Any submissions made when tendering for the contract that was secured
- Photographic ID;
- Disclosure and PVG membership;
- Driving licence;
- Previous offences;
- Passport / visa numbers; and
- Confirmation of eligibility to work in the UK;
We may ask you for additional personal information, which shall be collected, stored, and used in accordance with this privacy notice.
How We Collate Information
We typically collect personal information about contractors directly from the contractor, via the tendering process, or through a third party. We may collect additional information from third parties including background check agencies, specifically Disclosure Scotland. We may also collect information throughout the course of your contract with us.
We may collect additional personal information in the course of job-related activities throughout the period in which you are contracted to us, though this is unlikely. We will provide you with adequate information in respect of this personal information collection as and when this information is collected.
Our purposes for processing personal data
We may process your personal information for specific purposes. These include: -
- Administering payment;
- Complying with Health & Safety and Fire Safety obligations; and
- Complying with our legal obligations;
The following personal information may be captured to monitor use and compliance of IT systems (where applicable): -
| What type of information we have | Our purposes for processing | Where its stored |
|---|---|---|
| Emails |
Email service continuity and backup; Search functionality; Subject Access Requests; and Freedom of Information Requests. |
Mimecast email archive. |
| Web browsing history |
Network utilisation analysis; and Web security policy analysis. |
Symantec Web Security Service. |
| Network utilisation | Network capacity planning, analysis, and troubleshooting. | Cisco Meraki network management dashboard. |
| Cloud services utilisation | Cloud service web security and analysis. | Symantec Cloud Access Service Broker. |
| Anti-Virus/Malware utilisation | Anti-virus/malware compliance and incident response. | Trend Micro Office Scan and Deep Security. |
| Cyber security training completion | Compliance and training needs identification. | Mimecast Awareness Training. Exercise in A Box. |
| File’s storage (file servers, Office 365) |
Personal identifiable data protection and security policy compliance Capacity utilisation and retention |
Symantec DLP. Office 365. |
| Door Access | Security – Access Control | Door Access System |
| Xerox Printer utilisation |
Secure Printing; Metrics for cartridge replacement; and Prints billing. |
PaperCut for Xerox Xerox Analytics |
|
Helpdesk Requests |
Analytics to track completion of helpdesk requests and support trends | Zendesk Helpdesk |
|
Office 365 Products utilisation |
Utilisation and system performance analysis, licensing management and automated user productivity feedback | Office 365 |
For further information on sportscotland’s legislative requirements, please see:
Who we share your personal information with
- We may share your information with the Emergency Services in the event of an injury or incident;
- If your personal information is included in any images or videos taken by us at our events, we may share it on our websites for promotional/media purposes;
- If your personal information is included in any images or videos taken by us at our events, we may also share this with Commonwealth Games Scotland, Scottish Governing Bodies, and British Governing Bodies of Sport, for promotional and/or journalistic purposes.
- sportscotland engages third-party suppliers to provide services including IT, and training. These suppliers may process personal information on our behalf as “processors” and are subject to written contractual conditions to only process that personal information under our instructions and protect it;
- We may share personal information with our professional and legal advisors for the purposes of taking advice; and
- We may be required to share personal information with statutory or regulatory authorities and organisations. Such organisations include HMRC, the Health & Safety Executive and Disclosure Scotland.
In the event that we do share personal information with external third parties, we will only share such personal information strictly required for the specific purposes and take reasonable steps to ensure that recipients shall only process the disclosed personal information in accordance with those purposes.
How we store and protect your personal information
Where sportscotland retains your personal information in one of our own data centres, all data will be stored on UK based servers. Where sportscotland utilises cloud-based storage, your personal information may be stored out with the UK within European Union country data centres, in which case sportscotland will ensure adequate security measures are in place to protect your personal information.
Core systems are only accessible by sportscotland staff and a small number of external providers.
Security measures in place within sportscotland include physical security measures; strong passwords; password lock out policy; managed permissions; two factor authentication; encryption; antivirus software; anti-malware software; data loss prevention software; secure email gateway; software patch management and appropriate data backup arrangements.
Your personal information may also be stored on third party, cloud-based solutions, such as PSF, our CRM system or email/Mimecast. Where this is the case, sportscotland will ensure that that third party complies with Data Protection legislation when processing your information.
We retain all personal information in line with the sportscotland retention and destruction policy contained within the sportscotland Records Management Plan which is a legal requirement under the Public Records (Scotland) Act 2011 You can download this at: -sportscotland Records Management Plan
Our Legal Basis for Processing your Personal Data
We will only collect and process personal information where we have a legal basis for doing so under Data Protection legislation.
The legal bases used by sportscotland for the processing of Contract for Service Individuals personal information are: -
GDPR Article 6 (1)
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
GDPR Article 9 (2)
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where domestic law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or
(g) processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
When using Condition 9 (2) (g) we also rely on a condition within DPA 2018, Schedule 1, Part 1: -
- (1) (a) Employment, social security, and social protection
the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security, or social protection.
Your data protection rights
Under data protection law, you have rights including: -
Your right of access: You have the right to ask us for copies of your personal information;
Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete;
Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances;
Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances;
Your right to object to processing: You have the right to object to the processing of your personal data in certain circumstances; and
Your right to data portability: You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please note the lawful basis used for processing your personal information can also affect which rights are available to you as there may be exemptions. Our Data Protection Officer will advise on any exemptions on request.
Please contact us at DPO@sportscotland.org.uk, 01415341176 sportscotland, Doges, Templeton on the Green, 62 Templeton Street, Glasgow, G40 1DA if you wish to make a request.
How to complain
If you have any queries or concerns regarding this Privacy Notice or how your personal information is processed, please contact the sportscotland Data Protection Officer in the first instance: -
Information Governance and Data Protection Officer
sportscotland, Doges
Templeton on the Green
62 Templeton Street
Glasgow
G401DA
Email: DPO@sportscotland.org.uk
Tel:01415341176
Please note you have the right to contact the Information Commissioner’s Office if you are unhappy with how your enquiry has been dealt with. Their contact details are noted below:
The Information Commissioner’s Office – Scotland
Queen Elizabeth House
Sibbald Walk
Edinburgh
EH8 8FT
Telephone: 0303 123 1115
Email: Scotland@ico.org.uk