Privacy Notice

Commitment

We are committed to protecting the privacy and security of your personal information, we continually monitor compliance through implementing policies and procedures to safeguard data and by setting regular reviews to manage these policies and procedures.

Data Controller

In accordance with ICO Requirements of Data Controllers Scarf Group is registered with the Information Commissioners office (Z7765191). We are also considered a data processor where we process information on behalf of the Scottish Government and Local Authorities as part of a contract.

About Us

Scarf is an accomplished social enterprise, delivering a range of advisory and support services to householders and businesses throughout Scotland. We are contracted to deliver advisory, grant assistance, support services on behalf of Scottish Government and Local Authorities.

How we get information

Through our Enquiry and Customer Service handling Centre we collect information via written, Telephone, Email, Live chat and voice messages. We may also provide home visits to both residential and commercial property. We collect information when we attend various community events and exhibitions. We may also be provided with your data as a request for support through social services, welfare rights and other agencies that have acted on your behalf. We also collect information as part of the recruitment and selection process.

Information we collect from

The information we collect is dependent of your existing or prior relationship or to the organisation the categories we hold are

• Client/Service User – Personal, financial and Special Category Data
• Employee, Applicant- Personal, financial and Special Category Data
• Stakeholders, Business Contacts, Consultant Supplier, Contractor- Personal, financial and Organisation Data

How we use your information (purpose)

• To Help you save money and reduce fuel consumption
• respond, provide support, make assessments and recommendations around products and services we signpost or provide.
• Establish eligibility for grants and services
• Provide reporting statistical analysis for staffing levels
• Identify customer trends and measuring effectiveness of marketing campaigns.
• Service quality, improvements, identify and meet training requirements.
• Notify you of changes to our services
• Validation of Identity
• Contract Monitoring, Service Audit and Compliance
• Profiling we may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is available from external sources to help us do this effectively. We may also use your personal information to detect and reduce fraud and credit risk.
• Like many other websites we use cookies. ‘Cookies’ are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. For example, we use cookies to store your country preference. This helps us to improve our website and deliver a better more personalised service. It is possible to switch off cookies by setting your browser preferences. Turning cookies off may result in a loss of functionality when using our websites
• Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website. In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party site and recommend that you check the policy of that third-party site.
• Job applications form part of our recruitment process to validate and evaluate and review potential and existing staff.
• Employee Support, HR, Benefits, absence, SSP, Maternity, pension, PAYE, Diversity monitoring, HMRC compliance

The Principles

We apply the GDPR principles to all personal and Sensitive data that we hold or process

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

These principles lie at the heart of our approach to processing personal data.

Sharing Information

• We share only the information required to deliver advice services and support to you. This may include sharing your information with our suppliers to carry out this work in your home.
• We will not sell or rent your information to third parties
• We will not share your information with third parties for marketing purposes
• We may be required to transfer your information to a third party as part of a sale of some or all of our business assets to third party as part of any business restructuring or reorganization.
• We may also be required to disclose or share your personal data in order to comply with any legal obligation or to enforce or apply our terms of use or to protect the rights, property or safety of our supporters and customers. However, we will take steps with the aim of ensuring that your privacy rights continue to be protected.

(employees only)

We share and report all financial payment information with HMRC for compliance including PAYEE and National insurance, Pension contributions, Student loan deductions, benefits and expenses, SSP and SMP. This information is also viewed by accountants contracted to provide audit and compliance services for us.

Children

We do not anticipate providing services directly to children, however we do understand that if this change occurs, we will make provisions to verify age. We will also make further provisions to gain parental or guardian consent for data processing activity where required.

Data Breaches

Scarf Group will continue to look for new ways to protect data however in the event of a data breach. we will notify the ICO within 72 hours of becoming aware of the breach, where we don’t yet have all the relevant details we will notify when we expect to have the results of the investigation. we have implemented the ICO guidance framework on managing a security breach document 20121212 version :2.1 This framework includes the following

*Containment and recovery * Assessing the risk/impact * Notification of Breaches * Evaluation and Response

International

All significant decisions about data processing and policy implementation will be made using GDPR. As part of the services offered to you the information which you provide to us will not be transferred to countries outside the European Union (“EU”) our servers are Located inside the EU. If we have a requirement to transfer your information outside of the EU in any way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.

If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access- You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure- You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing – You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.

Your right to data portability- This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

Please contact us at dataprotection@scarf.org.uk  if you wish to make a request.

Further information around your rights can be found at https://ico.org.uk/your-data-matters

Scarf Group