Controller of Personal Data
Any personal information provided to or gathered by Youth Scotland is controlled by Youth Scotland, Scottish Charity No: SC000501. A company limited by guarantee No: 125456. Registered in Scotland. Youth Scotland, Balfour House, 19 Bonnington Grove, Edinburgh, EH6 4BL.
In addition to this, Youth Scotland is the legal entity that hosts and administrates the Awards Network. As such, Youth Scotland also acts as the controller of personal data for the Awards Network.
To communicate with our Data Protection Officer please email office@youthscotland.org.uk or write to the above address.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) takes effect from 25 May 2018. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR), subsequently updated to UK GDPR in January 2021. It is intended to give all of us greater visibility and control of our personal information (referred to as personal data).
Personal data is defined as, “…‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
What this means is that any information an organisation holds that could possibly be used to identify a person counts as personal data.
You can find out more about GDPR and how the Information Commissioner’s Office (ICO) applies it to UK organisations on their website www.ico.org.uk
Child Protection and privacy
Youth Scotland, like its members and many of its partners, operates in the youth sector, interacting with young people aged 5 years+. Where relevant, and if there exists a conflict, Child Protection legislation and policy supersedes GDPR.
Types of information
We hold information, or data, on a consent or legitimate interests basis. This means that we hold and use information either based on your permission (consent) to do so, such as when you provide your email address and name to sign up to our email newsletter, or because that information is required to provide our services (legitimate interests), such as information on a youth award challenge sheet used to assess whether the candidate has passed or failed their personal challenge.
There are three main types of information Youth Scotland holds to provide services to you:
Information you give us
You provide us with information when you use our services. This may be an application to join Youth Scotland, completing a challenge sheet for an award or registering for a training session we provide. In all cases, you choose to provide the information requested so that we may provide the service.
Information will typically be provided to us via a form. This form may be accessed online, such as a membership application on our website, or via a physical form at or during a Youth Scotland event, such as a registration form.
Information that technology gives us
Information is sometimes automatically passed between your chosen technology and Youth Scotland’s technology by accessing our digital services. The most common usage is website analytics and browser cookies.
Your web browser automatically passes information about itself and your device (computer/mobile etc.) to any internet location you visit. Your browser has specific settings you can adjust to limit or increase these options.
This information is often referred to as metadata and includes: log data, information passed by your web browser like IP address or other web browser information; device information, like what type of computer or mobile device accessed our website; location information, such as an approximate location while accessing our website.
How information is used
We use any information you provide to us to fulfil the service or services related to your information. For example, to apply for membership, we will ask for the information about your youth group, meeting place, contacts and other information that we require to grant membership, according to our membership criteria. Likewise, we will ask for names, contact details, dates and times when you book a training event, so that we know who will attend and when.
In essence, the information is directly related to being able to fulfil the service we set out to provide to you or that is required by law.
The core uses of personal data held by Youth Scotland are:
- To provide, update, maintain and improve our services
- As required by law, legal process or regulation
- To communicate and respond to requests, comments and questions
- To send service emails and other communications essential to providing membership and services
- For billing, account management and other administrative matters
- To maintain security and standards
In addition to the core purpose we use data for, we may also use information to analyse or profile our users to fulfil legal obligations, reporting obligations and to maintain and improve our services.
This may include:
- We may use data to analyse our services e.g. satisfaction surveys and programme evaluation surveys to see how we are doing and take on board feedback
- We may profile data on a geographic basis e.g. we may look at whether a group will qualify for funding or programme access due to relevant geographic criteria
- We may profile data on age or gender basis e.g. we occasionally seek to understand our membership demographics to improve our offering and complete our annual reporting
- We may profile data for aggregated statistics to complete reports e.g. we are often required to complete annual reports for programmes we run as a contractual obligation
Individual rights
GDPR provides certain rights for individuals. These are how they apply to Youth Scotland:
- The right to be informed – the core purpose of this policy; we aim to tell you about the collection of personal data.
- The right of access – you have access to your personal information (often called a “data subject access request”). This enables you to ask for a copy of the personal information we hold about you. This is normally free but please note that, as per ICO guidelines, an administration fee may apply, “when a request is manifestly unfounded or excessive, particularly if it is repetitive.”
- The right to rectification – in clearer words, the right to have corrections made. This is a shared obligation between us to keep personal data as up to date as is practical.
- The right to erasure – this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- The right to restrict processing – this enables you, where appropriate, to ask us to suspend the processing of personal information about you, for example, if you are checking the accuracy of information we hold.
- The right to data portability – in clearer words, the ability for you to take personal data from us to an alternative supplier. Less relevant to our operations but the right remains.
- The right to object – where we are using a legitimate interest basis and there is something which makes you want to object to processing on these grounds. This may mean we are unable to provide some services to you.
- Rights in relation to automated decision making and profiling – automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.