SCOTO is a registered Scottish Company No: SC726720, registered at the following address: SCOTO c/o Loch Ness Hub, The Car Park, Drumnadrochit, Inverness IV63 6TX

This policy applies to all members and trustees of SCOTO and covers our commitment to meeting our requirements to protect personal data under the Data Protection Act 2018 (also known as the UK GDPR) and the General Data Protection Regulation (GDPR).

“Personal data” means any information relating to an identified or identifiable living individual.

Principles of Data Protection
SCOTO will ensure that all personal data that it holds will be:

- processed lawfully, fairly and in a transparent manner;

- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)

- adequate, relevant and limited to what is necessary (data minimisation)

- accurate and kept up to date (data accuracy)

- kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation)

- processed in a manner that ensures appropriate security of the personal data, including protection against accidental or unauthorised access to, or destruction, loss, use, modification, or disclosure of personal data (integrity and confidentiality)

Lawful, fair and transparent

To ensure processing of data is lawful, fair and transparent, SCOTO shall keep and maintain Data Audits to record where and why we process personal data. The Data Audits will be kept up to date and fully reviewed every year.

The Data Audits will record our lawful bases (our reason) for processing any personal data, this must be one of the following as required by legislation:

- consent
- contract,
- legal obligation,
- vital interests,
- public task
- legitimate interests

The way in which we process personal data is detailed within our privacy notices, which can be found on our website www.scoto.co.uk Our privacy notices will be kept up to date and fully reviewed every year.

SCOTO is fully committed to meeting the data protection principle of lawfulness, fairness and transparency.

Purpose Limitation

SCOTO will be clear about what our purposes for processing data are from the start. We will record these purposes in our Data Audits and include details in our public privacy notices.

We will not use the personal data for any other purpose unless this is compatible with our original purpose, we get consent, or we have a clear obligation or function set out in law.

Data Minimisation

We will make sure that the personal data we are processing is:

- adequate – sufficient to properly fulfil our stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – we do not hold more than we need for that purpose.

Data Accuracy
SCOTO will take all reasonable steps to ensure the personal data we hold is not incorrect or misleading as to any matter of fact. We may need to keep the personal data updated, although this will depend on what we are using it for. If we discover that personal data is incorrect or misleading, we will take reasonable steps to correct or erase it as soon as possible.

Storage Limitation
SCOTO will not keep personal data for longer than we need it. How long we keep personal data will depend on our purposes for holding the data. We may keep personal data for longer for public interest archiving, scientific or historical research, or for statistical purposes.

Integrity and Confidentiality
SCOTO takes the security of personal data extremely seriously. We do this through a variety of technical and organisational security measures, including but not limited to:

- our IT security policy covers technical measures such as passwords, two factor authentication, encryption, clarity on which systems must be used

- a named Data Protection Officer (DPO) to provide advice, support, training, resources, and updates on all aspects of Data Protection. Our DPO is Diane A Smith

- When using a third party to gather information, for example for our email newsletter, we will use trusted and recommended organisations. (Please see below for further information on what third parties we currently use.)

Our security measures are regularly updated, tested and reviewed to make sure that we keep personal data secure and confidential.

Rights of Individuals
Individuals have the right to access their personal data and any such requests made to SCOTO shall be dealt with in line with legal requirements, with some limited exceptions.
The UK GDPR provides the following rights for individuals in relation to their personal data:

1. - the right to be informed – we do this by making sure our privacy notices are correct and up to date and direct individuals to these notices on our website www.scoto.co.uk
2. - the right to access their own data – any subject access requests must be notified to our Data Protection Officer (DPO) who will co-ordinate a full search all of our systems before responding to the individual within 30 days, as required by law.
3. - rectification – we will quickly update any personal data which has been identified as inaccurate or incorrect.
4. - erasure – we will remove any personal data if an individual requests this, unless we have other lawful bases which would prevent this e.g. we cannot delete employee records as we need to keep these to comply with other legislation
5. - to restrict processing - where there is a dispute about the accuracy, validity or legality of personal data held by us, an individual has the right to require us to cease processing the data for a reasonable period of time to allow the dispute to be resolved.
6. - the right to data portability - we will provide an individual with their data in a common and machine-readable electronic format.
7. - the right to object – complaints or objections to processing personal data will be dealt with quickly and accurately.
8. - rights in relation to automated decision-making and profiling – we do not carry out any automated decision-making or profiling of any individual.

Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.

All trustees, staff and volunteers must be able to identify a suspected personal data breach. A breach could include:

1. - access by an unauthorised third party to personal data;
2. - deliberate or accidental action (or inaction);
3. - sending personal data to an incorrect recipient;
4. - computing devices containing personal data being lost or stolen;
5. - alteration of personal data without permission;
6. - loss of availability of personal data; and
7. - leaving a file on a train, ferry or bus.

Where a member of SCOTO discovers or suspects a personal data breach, this should be reported to the DPO as soon as possible. Where there is a likely risk to individuals’ rights and freedoms, the DPO will report the personal data breach to the ICO within 72 hours of SCOTO being aware of the breach.

Where there is also a likely high risk to individuals’ rights and freedoms, we will inform those individuals without undue delay.

The DPO will keep a record of all personal data breaches reported and follow up with appropriate measures and improvements to reduce the risk of reoccurrence.

Privacy by Design
Privacy by design is an approach that promotes privacy and data protection compliance from the beginning. When relevant, and when it does not have a negative impact on an individual, privacy settings will be set to the most private by default.

Trustees, Staff and volunteers must become familiar with this policy and include privacy and good data protection practices as core within any new project design or any material change to an existing project/work.

If you have any questions, concerns or need help or advice about any aspect of Data Protection, contact our DPO: Diane A Smith

Cookies and your Privacy

Cookies are small text files that are placed on your machine to help the site provide a better user experience. The cookies we use come under the category of ‘Strictly Necessary’ in that they are necessary for the website to function properly. We do not use cookies to store personal information about you. Cookies are used as follows:

Making the site work better
Cookie ‘catAccCookies’ is used to indicate that you have accepted the use of cookies on this site. It is a persistent cookie and will remain on your computer for approx 8 months.
‘PHPSESSID’ is used to remember information, e.g., entered in a form, so that it can be checked or used on another page. This is deleted as soon as you leave the website.

Improving our service
We also use web analytics services to help us understand how our site is used. These cookies are served by a third party, Google. Using the ‘Anonymize IP’ option, Google analytics data does not contain any information that identifies you personally, but still enables us to see which areas of the website are most popular, and how they are being used, allowing us to continually improve our service to you.
If you prefer to disable cookies on this site (and on others), the most effective way to do this is to disable cookies in your browser.

Your Personal Information
Your personal data will be treated as strictly confidential. Following current good practice, SCOTO have a security certificate and use the https prefix. This provides enhanced security for any information stored on the website.
The website does store the following personal information as entered by you when you book events or join SCOTO as a member.

- Name
- Address
- Email
- Telephone

This information is used to compile a list of those who have booked an event, and also to enable us to contact you prior to the event for further information, booking details or cancellation notices. As mentioned it is also gathered when you consent to become a SCOTO member.

Where consent is given your name and email address is used to send newsletters advising you of SCOTO news and activity. We use the Campaign Monitor to do this and your name and email are stored on the Campaign Monitor servers. They do not share your details with others for marketing or similar purposes. You can unsubscribe from this newsletter at any time. Member data will also be held in spreadsheet format on SCOTO’s private Dropbox and Google drive which are only accessible by directors, the company secretary and the SCOTO Coordinator.

We keep your personal information as long as you have agreed to be a member of SCOTO. SCOTO will not use your information, nor pass any personal details to others beyond that indicated above.

Deleting your details
You can ask us to delete any information we hold about you at any time by contacting us. When a membership is terminated, we will delete all personal data associated with that membership. Please keep in mind that we need to retain your name, email address and telephone number if you have a ‘live’ booking with us.
You can opt-out of receiving our newsletter communications from us at any time and have your data deleted by using the unsubscribe link in the email communication we send.

Additional Survey Terms & Conditions
Occasionally we will ask all members to take part in surveys. Participation in these surveys is voluntary. If you decide to participate you may withdraw at any time.

Your responses will be confidential, and we will not collect identifying information such as your name or email address unless we inform you otherwise.

As mentioned we will not ask for your email or name and to protect your confidentiality, the surveys will not contain information that will personally identify you. The IP address will be removed. The results of any survey will be used for the purpose of improving SCOTO’s activities

Changes To Our Privacy Policy
Any changes to this policy will be posted on this page and where appropriate we will contact you via email, with any significant changes.

Questions or complaints?
If you have any questions or wish to make a complaint about the way we have handled your personal information, please let contact our DPO so that we can improve our services. You can also contact the Information Commissioner’s Office, which oversees data protection law.