The Scottish Business Resilience Centre (including the trading names Best Bar None Scotland, Secure Supply Chain Scotland, Curious Frank and Scottish Cyber Awards) is a data controller and collects and processes personal data. The SBRC is committed to being transparent about how it collects and uses your data and to meeting its data protection obligations. The SBRC collects personal data from individuals and from businesses for a number of different purposes. This notice sets out the various ways in which the SBRC collects personal data, the ways in which this personal data is processed and the lawful basis for that processing.
2. LAWFUL BASIS FOR PROCESSING
2.1 Legitimate Interest
We process personal data because we have a legitimate interest in providing information to you about the work being done by the SBRC including our newsletter, advice, guidance, our events and services and those of our key partners. We provide this information to you because you are a member of the SBRC, have previously been a member or have expressed interest in the services provided by us. We believe that this information is of benefit to you, as it will help you to keep your business stays safe, secure and resilient. We consider that this basis for processing is necessary as there is no less intrusive way for us to provide you with this information.
Some of the information that we process under this lawful basis includes, but is not limited to name, work address, work e-mail address, positions and in some instances bank/payment details.
Where we are using this lawful basis to process your personal information we will always make sure that you understand that you can opt out of receiving this information and make it clear to you how you do this.
2.2 Legal Obligation
On occasions we may process some of this information because processing is necessary for compliance with a legal obligation to which the SBRC as a data controller is subject. We consider this basis for processing is necessary because, where appropriate, we will:
- Comply with a common law or statutory obligation
- Document our decision that processing is necessary for compliance with a legal obligation
- Identify the appropriate source for the legal obligation in question
It will not be possible to anticipate every legal obligation, but we will rely on this lawful basis for processing when we are required to process personal information to comply with a common law or statutory obligation. Examples may include court orders or obligations to disclose information about employees to HMRC. The information processed will depend upon the nature of the obligation imposed.
3. HOW DO WE GATHER THIS INFORMATION?
We gather this information from the application forms submitted to us and from the e-mails and business cards of those applying for membership, services or who have expressed an interest in the work of the SBRC.
4. WHERE DO WE KEEP THIS INFORMATION?
We keep this information in both hard and electronic formats in hard copy files and computers systems, which are under the control of the SBRC. We also keep some information on databases, computer systems and websites of companies that help us process and manage the information we hold. These third parties must at all times provide the same levels of security for personal information as the SBRC and, where required, are bound by a legal agreement to keep personal information private, secure and to process it only on the specific instructions of the SBRC and not for their own purposes.
5. HOW DO WE KEEP THIS INFORMATION SAFE?
We take appropriate measures to keep all personal information as secure as possible. We have a security policy and all our staff members are made aware of their obligations to use the information only as authorised. All personal data is only accessible to those who need to use it. We keep personal data in the following ways depending on the risks involved in the processing:
- In a lockable room with controlled access.
- In a locked drawer or filing cabinet.
- If data is computerised it is stored on network servers and on password-protected databases and not on local systems and have suitable security access levels determined, applied and monitored.
- Particular care is taken of portable ICT equipment, memory sticks etc. which are password protected and encrypted to prevent unauthorised access.
- Sensitive personal data is not kept on memory sticks or routinely taken from premises on any form of removable media.
6. INFORMATION SHARED WITH THIRD PARTIES
The SBRC may share some of the personal information gathered from people applying to be members or people who have expressed an interest in the work of the Centre, with third parties but only in the strictly limited circumstances set out below.
- We may supply personal information to third parties (such as our internet service providers, IT companies) who help us administer our information. These third parties must at all times provide the same levels of security for personal information as the SBRC and, where required, are bound by a legal agreement to keep personal information private, secure and to process it only on the specific instructions of the SBRC.
- We may supply personal information to third parties (such as our internet service providers, IT companies) who are based in countries outside the European Union if it is necessary for us to do so to help us to manage our information. Some of these countries do not have the relevant level of protection in place. The SBRC will ensure that an appropriate contract is in place with any third parties to whom data is transferred on a regular basis or it will rely on an appropriate legal exemption for such transfers.
- We may also supply personal information to government bodies and law enforcement agencies but only: if we are required to do so by the requirements of any applicable law; in our reasonable opinion, such action is reasonably necessary to comply with legal process; to respond to any legal claims or actions; or to protect the rights of the SBRC, its customers and the public. (see paragraph 2.2)
7. RETENTION PERIOD
The personal information that we gather as described above will be kept by the SBRC for the purposes set out in section 2 of this document.
Where a membership application is approved, or we have provided services to the client, we may keep the associated personal information for a period comprising of the current year plus 6 years from the date of the closure of the member account, unless there are any extenuating circumstances (e.g. bad debt, ongoing court proceedings). Where this is the case and the information about the account is to be retained out with this period, then we will fully justify and document our reasons for retaining the personal data.
Where a membership application is declined, we will keep the personal information associated with the application for a period of the current month plus 3 months from the date of membership being declined, unless there are any extenuating circumstances (e.g. complaint or legal challenge to decision). Where this is the case and the information about the account is to be retained out with this period, then we will fully justify and document our reasons for retaining personal information.
In addition, the personal data gathered for the purposes of marketing will be retained and used for this purpose unless you tell us you no longer wish to her from us. Thereafter we will keep minimal contact detail to ensure that you no longer receive our messages.
8. YOUR RIGHTS
As a data subject, you have a number of rights in relation to your personal data. These are listed in brief below. A fee will not generally be charged for exercising any of these rights unless your requests are manifestly excessive.
- The right to access information about the personal data the SBRC is processing and to obtain a copy of it;
- The right to require the SBRC to change incorrect or incomplete data;
- The right to request that the SBRC erases or stops processing your data; and
- The right to object to the processing of your data where the SBRC is relying on its legitimate interests as the legal ground for processing;
If you would like to exercise any of these rights, or if you have any concerns about how your personal data is being processed, please contact us by e-mail at [email protected] or at the Scottish Business Resilience Centre, Unit 10, Alpha Centre, University Innovation Park, Stirling, FK9 4 NF, Telephone 01786 447441.
If you still believe that the SBRC has not complied with your rights, you can complain to the Information Commissioner. Contact details are available at www.ico.org.uk
9. OTHER WEBSITES
10. CHANGES TO THIS PRIVACY NOTICE
The SBRC reserves the right to update this privacy notice at any time and will provide you with a new notice when making any substantial updates. The SBRC may also notify you in other ways from time to time about the processing of your personal data.
11. MONITORING AND REVIEW
This policy was last updated on 25 May 2018 and shall be regularly monitored and reviewed, at least every two years.