Version 2

 Date: September 2018

Approved by:  Senior Management Team


Sue Irving

Chief Executive

 

Dumfries and Galloway Citizens Advice Service

81 – 85 Irish Street, Dumfries DG1 2PQ

Telephone: 0300 303 4320    E mail: [email protected]

Contents:                                                                                                                       

  • Purpose
  • Scope
  • Responsibilities
  • References
  • Review Date
  • Context & Overview
  • Storing & Processing Data
  • Data Sharing
  • Client Data
  • Staff Data
  • Volunteer Data
  • Complaints
  • Research, Campaigns, News
  • Digital/Social Media/Donations
  • Use of Cookies
  • Retention/Deletion of Data

1.  PURPOSE

This privacy policy details the ways DAGCAS intends to gather, use, disclose, process and manage all data handled by the company in compliance with the Data Protection Act 2018

2.  SCOPE

To cover all client, employee and volunteer data stored, processed and deleted by DAGCAS.

3.  RESPONSIBILITIES

All staff and volunteers are responsible for safeguarding the privacy of data handled in relation to their dealings with clients and external agencies.

4. REFERENCES

4.1  Data Protection Act 2018

5.  NEXT REVIEW DATE

September 2019

6.  CONTEXT & OVERVIEW

Dumfries & Galloway Citizens Advice Service (DAGCAS) is a Company Limited by Guarantee (SC179254), Scottish Charity No: SCO27107, and has its registered office at 81 – 85 Irish St, Dumfries, DG1 2PQ.  DAGCAS needs to gather and process certain l information, about service users for many reasons: to help solve the issues which service users come to us for assistance with; to improve the services we provide to service users; to fulfil contractual obligations, report to funders etc.  In the course of its day-to-day activities, and in order to carry out our charitable purposes DACAS also gathers and processes personal information from a variety of third parties, including suppliers, business contacts, volunteers, staff and other people with whom the organisation has a relationship or who it may need to contact.

This policy sets out how personal data and sensitive personal data will be collected, handled and stored to comply with the Data Protection Act 2018 (“DPA’). For the purposes of the DPA, Personal Data means data that relates to an individual who can be identified from the data or from data and other information held by the Data Controller. Sensitive Personal Data means data regarding the individual’s racial or ethnic origin, political opinion, religious or other belief, trade union membership, physical or mental health, sexuality or criminal/legal proceedings.

This policy ensures DAGCAS:

  • complies with current data protection legislation and implements good practice
  • protects the rights of volunteers, staff, customers and partners
  • is open about how an individual’s personal data is processed and stored
  • minimises the risk of a data breach and provides protection against unauthorised or unlawful processing, accidental loss, destruction or damage.

The DPA defines how DAGCAS must collect, handle and store personal data and sensitive personal data.  To comply with current legislation DAGCAS will ensure personal data and sensitive personal data is collected and used fairly, stored safely and not disclosed unlawfully. 

DAGCAS is registered with the Information Commissioner’s Office Registration No: Z6081270.

DAGCAS will ensure data is:

  • processed lawfully, fairly and transparently
  • obtained for explicit and legitimate purposes
  • adequate, relevant and limited to the minimal amount necessary
  • accurate and up to date
  • not kept in a form which permits identification of the data subject
  • not kept for any longer than is necessary
  • securely managed using appropriate technical and organisational controls
  • compliant with Data Protection Act 2018

7.  Storing and Processing Data

7.1  Data Controller

A data controller is defined as a person or organisation that determines the purposes and means of processing personal data. Dumfries & Galloway Citizens Advice Service and Citizens Advice Scotland (CAS), which is formally known as the Scottish Association of Citizens Advice Bureaux (SACAB), are both responsible for keeping your personal information safe and making sure we comply with data protection law. This means we are 'joint Data Controllers' for your personal information.

7.2  What Kind of Personal Data DAGCAS Collects

We will only ask for information that is relevant to your issue. Depending on what you want help with, this might include:

  • your name and contact details so we can keep in touch with you about your case
  • personal information - for example about family, work, or financial circumstances including debts, creditors and reference numbers; income and expenditure; state of health; housing situation. We may also need to collect proof of identity and proof of income and expenditure.  This may include a copy of your bank statement, tenancy agreement, mortgage statement, utility bills, payslips, social security letters or pension statements. 
  • details about services you get that are causing you problems like energy or post
  • details of items or services you have bought, and traders you've dealt with
  • information like your gender, ethnicity or sexual orientation

7.3. DAGCAS Role as a Data Processor                               

In certain contractual situations DAGCAS will be deemed to be a Data Processor, rather than a controller.  A data processor is responsible for processing personal data on behalf of a data controller. Our legal obligation as a Data Processor are set out in Data Sharing Agreements with the relevant Data Controller.

7.4  Data Asset Register

DAGCAS will maintain a Data Asset Register which records a summary of all of the data the organisation holds, its purpose and location.  This will be reviewed regularly to monitor compliance with the law and associated regulations.  The Chief Executive will undertake an annual audit of the organisation’s compliance with this policy and procedure and report findings and any areas for improvement to the Board.

7.5  Data Sharing Agreements

DAGCAS is required to have data sharing agreements in place when we share data that is:

  • Systemic: Regular, ongoing planned sharing that is part of the usual work of the office. For example, sending personal data each month to a funder for a contract that will last for a period of 12 months.
  • Large Scale: Sharing a large volume of information. For example, more than 100 records over the lifetime of planned sharing.
  • High Risk: Sharing sensitive data.

A data sharing agreement is a formal contract that clearly documents what data are being shared and how the data can be used. A data sharing agreement serves two purposes:

  • it protects the agency providing the data and ensures the data will not be misused.
  • it prevents miscommunication on the part of the provider of the data and the agency receiving the data by making certain that any questions about data use are discussed before any data are shared. Both the provider and receiver are required to come to a collaborative understanding that will then be documented in a data sharing agreement.

7.6  Legal Basis for Storing Personal Data

DAGCAS will collect, store and process personal data needed if we have a legitimate reason to do so. 

We will only ask for the information we need and we will explain why we need it. A lawful basis to collect, store and process personal data is required under General Data Protection Regulations 2018. We will clearly define both the lawful basis for our request for personal data your and the purpose for which we will process your personal data. We recognise that the lawful basis will vary and is dependent on our relationship with individuals and how we interact with individuals/organisations.  

The lawful bases DAGCAS will rely on are:

  • Consent
  • Contractual relationship
  • Legal obligation for example, if a Court orders us to share information or to resolve a complaint
  • Legitimate interest for example to provide advice or representation service
  • Vital Interest for example, sharing information with a paramedic if a client was unwell at the Bureau or one of our outreaches
  • public task for example to carry out a pubic task where there is a clear basis in law

When we record and use personal data or personal sensitive data we:

  • only access it when we have a good reason
  • only share what is necessary and relevant
  • will not sell it on to anyone

8.  Sharing Information

We will only process and share personal data or personal sensitive data with third parties, where a lawful basis to do so has been determined. 

If we are required to report data to funders, we may be required to report personal data and/or personal sensitive data.  In these circumstances data sharing agreements with funders will be agreed to ensure DAGCAS fulfils contractual obligations with funders and complies with current data protection legislation.

We take information security very seriously and no one is allowed to access our systems of files unless they need this to provide a service.

9.  What are my rights?

Individuals have rights under current data protection regulations regarding the way we process personal data and sensitive personal data. More information on these can be found on the Information Commissioner’s website https://ico.org.uk.   

Your rights include:

  • the right to access the personal information that we hold about you
  • the right to ask us to correct any inaccurate personal information we hold about you

the right to ask us to erase any information we hold about you, although this will only apply in certain situations and only where:

  • the data is no longer necessary in relation to the purpose for which it was collected, or
  • where consent is withdrawn, or
  • where there is no legal basis for the processing, or
  • there is a legal obligation to delete data
  • the right to ask us to restrict certain processing of the personal information we hold about you. This will only apply in situations such as:
    • you are disputing the accuracy of the information we hold
    • where we no longer need to use the information but it is needed for legal claims
    • the right to receive personal information, which you have provided to us, in a structured commonly used and readable format
  • the right to object to the processing of personal data relying on the legitimate interests processing condition unless we can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims

If you would like to exercise any of these rights or withdraw your consent at any time the Data Protection Point of Contact is: Business Development Manager, 81 – 85 Irish St, Dumfries, DG1 2PQ.  Telephone 0300 303 4321). Subject Access Request forms can be found at: https://www.dagcas.org/subject-access-request-sar-form

When we would use your information without your permission

There may be occasions when we may need to use or share your information without your permission. If we do, we will always make sure there is a legal basis for it.

Data Retention Periods

Data Retention Periods are set out in Section 17 

10.  CLIENTS - ADVICE FROM AN ADVISER

To enable us to help solve your problems or act on your behalf we will ask for your permission by asking for your consent by either:

  • signing a consent form
  • ticking a box online
  • giving verbal consent over the phone
  • giving consent as part of a webchat

If you are referred to us from another agency or organisation, they will send us your information using a referral form and they will ask for your permission before they send us your information.

If you do not want to give us certain information you do not have to. For example, if you want to stay anonymous we will only record information about your problem and make sure you are not identified. You should be aware that if you choose to remain anonymous, the help we can offer you is limited and will not be specific to your circumstances, although we will advise you as best as we can.

10.1  How we use your information 

The main reason we ask for your information is to help solve your problem.  However, we may need to discuss and disclose personal information to third parties if this is necessary to help resolve your problem.  The information may be collected via:

  • forms you complete
  • telephone or face to face interviews
  • digital forms e.g. website, online surveys, webchat or email conversations
  • third parties

We only access your information for other reasons if we really need to, for example, statistical purposes, research, training and quality purposes, to investigate complaints or to help us improve our services and this information will be anonymised. 

We may use your contact details to get in touch about your experience of our service or ask you to take part in surveys or research – we will only do this if you give us permission.

We share research findings with funders, regulators, government departments and publicly on our blogs, reports, social media and press releases. Statistical information will also inform our policy research, campaigns, or media work.

10.2  What we do with your information

How we handle your personal information depends on how you interact with us.  First and foremost your information will be used to provide you with advice and a record of your enquiry will be kept on our secure electronic case management system (CASTLE) or secure paper filing system.

One of our underlying legitimate interests is to research and campaign on issues which are of relevance to our clients, and by sharing anonymised statistical data for research purposes we can show the value and impact of our service to funders and others who are interested in our work    e.g. Citizens Advice Scotland (formally known as the Scottish Association of Citizens Advice Bureaux (SACAB).

Our services are subject to external audits to check that we are providing you with the highest quality of service and auditors  will be allowed to access your information (if randomly selected) under the legal basis of ‘public task’.  We may also use it to refer you to any specialist services outwith the Scottish Association of Citizens Advice Bureaux (SACAB).

10.3  Sharing Information/Working on your behalf

When you give us authority to act on your behalf we may share information with a third party to help solve your problem or to monitor the quality of our services. We will only share personal information with third parties with your consent and/or where another lawful basis for doing so has been determined and in the resolution of your problem.  Third parties may include landlords, lenders and creditors, mortgage lenders, utility providers, DWP, HMRC, health professionals, Sheriff Court(s), Dumfries & Galloway Council, Citizens Advice Scotland, Scottish Legal Aid Board (SLAB), Scottish Government, Ofgem,  Business, Energy & Industrial Strategy (BEIS).This is not an exhaustive list of agencies, there may be other agencies with whom we share information.

10.4  Who's responsible for keeping your personal information safe?

If we refer you to another organisation for more advice, we might share information about your problem with them so they can help you more quickly. Any organisations or third parties that we share your information with are responsible for storing, processing and deleting your personal information safely and securely in compliance with current data protection law.

We may choose to use your information for research purposes on the basis of 'legitimate interest'. This means it will help us carry out our aims and goals as an organisation – for example, to create case studies and statistics for our national research. If we use it in this way, your personal details will be anonymised.

10.5  Who we share your information with

We may sometimes suggest that you go to another organisation as they may be able to help you with all or part of your issue. We will only make a referral and share your information with your consent. Organisations we share your information with must store and use it in line with data protection law.  If the advice we are providing relates to debt we will share your information with your creditors so we can make offers of repayment or requests for a moratorium.

If you have chosen to enter bankruptcy or the Debt Arrangement Scheme (DAS), we will share your information with the Accountant in Bankruptcy (AiB) so that they can process your application. Please note that if you enter bankruptcy or the DAS scheme, the AiB will place some of your details on a publically accessible register. The AiB are obligated to do this under Scotland’s debt laws. If you've chosen a Protected Trust Deed (PTD) we will send your information as a referral to your chosen provider so that they can process your application.

The Financial Conduct Authority (FCA) might ask us to share a randomised sample of client cases which are being dealt with by the Bureau. This is to make sure the advice and service you get is lawful and meets the FCA rules and regulations.

We might choose to use your information for research purposes on the basis of 'legitimate interest'. This means it will help us carry out our aims and goals as an organisation, for example to create case studies and statistics for our national research. If we use it in this way, your personal details will be anonymised.

10.6  If we're concerned about yours or someone else's safety

If something you have  told us makes us think you or someone you know might be at serious risk of harm, we may inform the police or social services as we have a ‘vital interest’ to do so, for example if we think you might hurt yourself or someone else.  

10.7  Storing your information - if you contact us online, by phone or face to face

Whether you get advice face to face, over the phone, by email or webchat, our adviser will log all your information, correspondence, and notes about your problem on our electronic recording system (CASTLE).  Some of your information might also be kept within our secure email and IT systems.

10.8  Data Retention Periods

Data Retention Periods are set out in Section 17

DAGCAS & SACAB are joint Data Controllers, responsible for processing data in compliance with current regulations.  If you have any concerns about how your data is processed the Data Protection Point of Contact is:  The Business Development Manager, 81 – 85 Irish St, Dumfries, DG1 2PQ.  Telephone: 0300 303 4321.  Subject Access Request forms can be found at: https://www.dagcas.org/subject-access-request-sar-form

11.  STAFF

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, staff have a right to be informed about the collection and use of their personal data. This notice sets out the rights of staff and provides the information needed to exercise those rights.  We will provide data privacy information to staff at the time that we collect personal data from them and within one month if we obtain personal data from other sources.

We will regularly review and where necessary update your data privacy information.  If we start to use information for a new purpose which staff are/were not aware of, we will bring this to their attention before we begin processing it.  We will provide the information in a way that is concise, transparent, intelligible, easily accessible and uses clear and plain language.

11.1    The lawful basis for processing your personal data

As an employer, DAGCAS needs to keep and process information about staff for normal employment purposes.  The information that we hold and process will be used only for administration and management purposes.  We will keep and use it to enable us to run the organisation and manage our relationship with staff effectively, lawfully and appropriately, during the recruitment process, during employment, at the time when employment ends and after individuals have left.  This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the ‘legitimate interests’ of the organisation (for example to prevent fraud, for administrative purposes or to report potential crimes) and protect our legal position in the event of legal proceedings.

11.2  Purpose of processing your personal data

Much of the information that we hold will have been provided by staff, but some may come from other internal sources such as line managers or, in some case, from external sources such as referees.

The sort of information we hold includes application forms and references; contracts of employment and any amendments; correspondence with or about staff; information needed for payroll, health and safety, social security and expenses; contact and emergency contact details; records of holiday, sickness and other absence;  information needed for equal opportunities monitoring; information needed for auditing under the Scottish National Standards for Information and Advice Providers; and records relating to career history such as training records, appraisals, other performance measures and, where relevant and appropriate disciplinary and grievance records. 

Where necessary, we may keep information relating to the health of staff, which could include reasons for absence and GP reports and notes.  This information will be used in order to comply with our health and safety and occupational health obligations to consider how health affects an individual’s ability to do their job and whether any adjustments to their job may be appropriate.  We also need this data to administer and manage statutory and company sick pay. 

Where we process special categories of sensitive personal data relating to your race, ethnic origin, political opinions, religion, trade union membership, genetics, biometric data, health, sexual life or sexual orientation, we will only do so in order to allow us to meet our obligations under employment or occupation health law. If we need to use this data for any other reason, we will always obtain explicit consent from individuals to those activities unless this is not required by law or the information is needed to protect health in an emergency.  Where we are processing data based on individual consent, individuals have the right to withdraw that consent at any time.

11.3  Who your information will be shared with

 Data may be shared with the following agencies and companies:

  •  SAGE, HMRC & Bank of Scotland for the purposes of processing payroll
  • D&G Council’s Care Call system for the purposes of Health & Safety, NEST for the purposes of pension administration
  • ADS, Abbey Legal for the purposes of administering insurance cover
  • The auditors for the Scottish National Standards for Information and Advice Providers in order to provide proof of competence against those standards. Currently the organisation responsible for audit is the Scottish Legal Aid Board
  • Citizens Advice Scotland, for the purposes of audit, complaints handling and support with HR issues (in order to comply with SACAB membership conditions)
  • HR Bureau for the purposes of employment/HR issues

Other than for the purposes outlined above, we will only disclose information about individuals to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to an individual.

11.4  Your rights in relation to the processing of your personal information

 Under the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 staff have a number of rights regarding personal data. Individuals have the right to request access to and rectification or erasure of personal data; the right to restrict processing or to object to processing; and (in some circumstances) the right to data portability.

If staff have provided consent for the processing of data, individuals have the right (in certain circumstances) to withdraw that consent at any time, which will not affect the lawfulness of the processing before individual consent is withdrawn.  Individuals have the right to make a complaint to the Information Commissioner’s Office if they believe that we have not complied with the requirements of the GDPR or the DPA. 

11.5  Retention periods for your personal data

Data Retention Periods are set out Section 11

11.6  Identity and contact details of the data controller and the data protection officer

DAGCAS is the Data Controller, responsible for processing data in compliance with current regulations.  If you have any concerns about how your data is processed the Data Protection Point of Contact is:  The Business Development Manager, 81 – 85 Irish St, Dumfries, DG1 2PQ.  Telephone: 0300 303 4321. Subject Access Request forms can be found at: https://www.dagcas.org/subject-access-request-sar-form

12.  VOLUNTEERS

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, volunteers have a right to be informed about the collection and use of personal data. This notice sets out the rights of volunteers and provides the information needed to exercise those rights.

We will provide data privacy information to volunteers at the time that we collect personal data from them and within one month if we obtain personal data from other sources.

We will regularly review and where necessary update data privacy information.  If we start to use information for a new purpose which volunteers are/were not aware of, we will bring this to their attention before we begin processing it.

We will provide the information in a way that is concise, transparent, intelligible, easily accessible and uses clear and plain language.

12.1  The lawful basis for processing your personal data

DAGCAS needs to keep and process information about individual volunteers.  The information we hold and process will only be used for management and administration purposes.  We will keep and use it to enable us to run the organisation and manage our relationship with volunteers effectively, lawfully and appropriately, during the volunteer recruitment process, whilst volunteering with us, at the time when volunteers leave and after they have left.  This includes using information to enable us to comply with any legal requirements, pursue the ‘legitimate interests’ of the organisation (for example to prevent fraud, for administrative purposes or to report potential crimes) and protect our legal position in the event of legal proceedings.

12.2    Purpose of processing your personal data

Much of the information that we hold will have been provided by individual volunteers, but some may come from other internal sources such as managers or, in some cases, from external sources such as referees.

The sort of information we hold includes application form and references; correspondence with or about individuals; information needed to pay any expenses; contact and emergency contact details; information needed for equal opportunities monitoring; information needed for auditing under the Scottish National Standards for Information and Advice Providers; and records relating to volunteering history such as training records, appraisals, other performance measures. 

Where necessary, we may keep information relating to health.  This information will be used in order to comply with our health and safety and occupational health obligations, to consider how health affects an individual’s ability to volunteer with us and whether any adjustments to the role we ask you to do may be appropriate.

Where we process special categories of sensitive personal data relating to race, ethnic origin, political opinions, religion, trade union membership, genetics, biometric data, health, sexual life or sexual orientation, we will always obtain explicit consent from individuals to those activities unless this is not required by law or the information is needed to protect health in an emergency.  Where we are processing data based on individual consent, individuals have the right to withdraw consent at any time.

12.3  Who your information will be shared with

 Data may be shared with the following agencies:

  • ADS for the purposes of administering insurance cover
  • D&G Council’s Care Call for the purposes of Health & Safety
  • The auditors for the Scottish National Standards for Information and Advice Providers in order to provide proof of competence against those standards. Currently the organisation responsible for audit is the Scottish Legal Aid Board
  • Citizens Advice Scotland for the purposes of audit, complaints handling and support with HR issues (in order to comply with SACAB membership conditions)

Other than for the purposes outlined above, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you.

12.4  Your rights in relation to the processing of your personal information

Under the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018, you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data; the right to restrict processing or to object to processing; and (in some circumstances) the right to data portability.

If you have provided consent for the processing of your data, you have the right (in certain circumstances) to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent is withdrawn.

You have the right to make a complaint to the Information Commissioners Office if you believe that we have not complied with the requirements of the GDPR or the DPA.

12.5  Retention periods for your personal data

Data Retention Periods are set out in Section 17

12.6  Identity and contact details of the data controller and the data protection officer

DAGCAS is the Data Controller, responsible for processing data in compliance with current regulations.  If you have any concerns about how your data is processed the Data Protection Point of Contact is:  The Business Development Manager, 81 – 85 Irish St, Dumfries, DG1 2PQ.  Telephone: 0300 303 432. Subject Access Request forms can be found at: https://www.dagcas.org/subject-access-request-sar-form 

13.  COMPLAINTS

If you want to make a complaint about our service

If you make a complaint, we will collect personal information from you to allow us to investigate your complaint. We have what is known as a ‘legitimate interest’ in collecting this information.

We will collect information from you via phone, email, online form or letter depending on how you choose to contact us.

13.1  What information we ask for

So we can help you with your complaint, we need to know:

  • your name
  • how we can get in touch with you - email, phone or address
  • details of the complaint

If you tell us you have a disability or support need, we may make a note of that so we can help you access our services.

13.2  How we use your information

We use the information you give us to deal with your complaint.

We will only access your information for other reasons if we really need to - for example:

  • for training and quality purposes
  • to include in anonymised statistical reports

13.3  When we share your data and who we share it with

If you escalate your complaint to an external independent adjudicator we will share your complaint information with them e.g. Citizens Advice Scotland

If your complaint involves an actual or potential insurance claim we will share details of your complaint with our insurer, ADS.

13.4  Storing your information - if you contact us online, by phone or face to face

Whether you get advice face to face, over the phone, by email or webchat, our adviser will log all your information, correspondence, and notes about your problem on our electronic recording system (CASTLE).  Some of your information might also be kept within our secure email and IT systems.

We keep your information for 7 years. If your case has been subject to a serious complaint, insurance claim or other dispute we keep the data for 16 years.

14.  RESEARCH, CAMPAIGNS OR NEWS

If we have contacted you for help with research, campaigns or media work, we will have collected information with your consent. 

We might have asked one of our research partners to contact you on our behalf. These companies will have their own privacy policy relating to how they collect, use and share your personal information. 

We will always tell you how we will use your information and ask your permission. For example, by signing a paper consent form, giving agreement over the phone or ticking a box online. 

14.1  What information we ask for

We only ask for the information if we highlight your experience or inform our research. Depending on how we want you to help us, this might include information about:

  •  your situation like family, work or financial circumstances and how it affects you
  • how you use DAGCAS and other organisations' services and what you thought about them
  • your name and contact details so we can keep in touch with you
  • demographic information like your gender, ethnicity or sexual orientation (with your consent)

If you do not want to give us some personal details, you do not have to.

14.2  How we use and share your information

When we contact you we will explain how we want to use your information.  For example, we might want to:

  • ask you to share your story with the media
  • include your information in a report or blog as part of our research and design, campaigns, or media work
  • use your information to improve our services

We will only share your experience publicly if you agree to this and to being identified.  We will not share your identity if you have not agreed to this

We might share your anonymised information with government or industry regulators as part of our campaigns and policy work.

Organisations we share your data with must store and use it in line with data protection law. They cannot pass it on or sell it without your permission.  

15.  SOCIAL MEDIA/DIGITAL/DONATIONS

What happens if you visit our website?

When you browse our website, we collect 'cookies' to help us understand more about how our site is used by visitors, and to develop and enhance our services to you.  A 'cookie' is a bit of information kept on your computer. It tells us things like what device you're using and what pages you click on. 

We use cookies to:

  • track aspects of user visits, including the length of a user's visit, their browser, geographic location and the use of the search facility on this website
  • remember users selected contrast and/or text resizing style preferences for this website
  • record a user's video preferences for our videos viewed on this website.

15.1  Email Enquiries

We may process information contained in email enquiries submitted to us regarding a service provided to you (‘enquiry data’).  The enquiry data may be processed for the purposes of offering relevant services and information to you.  The legal basis for this processing is consent and our legitimate interests in providing a service to you.

We use Transport Layer Security (TLS) to encrypt and protect email traffic.  If your email service does not support TLS you should be aware that any emails we send or receive may not be protected in transit

15.2  Information we collect about you

When you interact with Dumfries and Galloway Citizens Advice Service website we sometimes receive or collect personal information about you.

For example, if you register to receive email updates or apply online to be a volunteer, you might tell us who you are, how we can contact you and anything else you think we might like to know about you.

When you use the Dumfries and Galloway Citizens Advice Service website we will use your IP address and cookies to provide certain functionality to you and to better understand how our services are being used. You can read more about our Cookies Policy below.

15.3  How we use your information

We will use your information for a number of purposes including the following:

  • To contact you. For example, if you have applied to be a volunteer or requested information about a job vacancy.
  • To process and respond to any enquiry submitted to us. The enquiry may be processed for the purposes of offering relevant services and information to you
  • To process and respond to donations, appeals, which you make via our website we use payment providers:
  • Gift Aid Information for any donations made.
  • To provide you with advice and information you have requested.
  • To provide or administer activities relating to all our services: updating you with important administrative messages, to help us identify you when you contact us, and help us to properly maintain our records.
  • To improve your experience with us. We may use your information to enhance the service that our staff provide, to fulfil your orders and gift aid declarations, to improve our information and communications, or to personalise the website to better suit your needs.
  • To provide you with information about our plans. This may be letting you know about new or enhanced services that we hope will be useful and interesting to you, and may include fundraising updates; of course, we will only do this either with your consent, where we need to fulfil a contract or service with you, or where we believe you will expect to be updated and contacted by us. You can of course ask us at any time to change how we contact you, simply contact [email protected]
  • We may need to disclose your information if required to do so by law, for example, to comply with applicable laws, regulations and codes of practice or in response to a valid request from a competent authority; or in order to enforce our conditions of sale and other agreements;
  • To improve website functionality and our ability to deliver services, the personal information we collect about you will be used by our staff and volunteers in Dumfries and Galloway Citizens Advice Service so that they can support you; also, by a few selected organisations that work with us or on our behalf to deliver our services; and possibly to legal and regulatory authorities if required to by law.  
  • We will never sell or share your personal information with organisations so that they can contact you for any marketing activities. Nor do we sell any information about your web browsing activity.
  • We will keep your information secure and we will only process your information lawfully.

16.  USE OF COOKIES

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The table below explains the cookies we use and what each is for.

 

 

 

Our website is hosted by Raising IT and uses the following cookies:

Cookie Name

Used by

Description

Expiration

__utma

Google Analytics

Stores the amount of visits of a user, the time of their first visit, the previous visit, and the current visit. It does not contain any personal information and is used only for analytical purposes.  

2 years from set/update

__utmz

Google Analytics

This performance cookie stores where a user came from (e.g. search engine, search keyword, link).

6 months from set/update

 

_ga and _gid

Google Analytics

Used to distinguish between website users in Google Analytics.

2 years and 2 hours

_gat_UA-XXXXXXXX-X (where the Xs are replaced by the Google Analytics ID number)

Google Analytics

Used to moderate calls to the Google Analytics service.

1 minute

__unam

ShareThis

Set as part of the ShareThis service and monitors "click-stream" activity, e.g. web pages viewed, navigation from page to page, time spent on each page etc. The ShareThis service only identifies a user if they have separately signed up with ShareThis for a ShareThis account and given them consent. Checks how long you stay on a site: when a visit starts, and ends. It does not contain any personal information and is used only for analytical purposes.

14 months

cc_cookie_accept

Website

Stores whether the user has accepted the cookie message or not.

365 days

ASP.NET_SessionId

Website

Used for authenticating a user's session after logging in. Closes when you exit the browser.

End of session

ARRAffinity

Website

Tells our infrastructure which server to handle the request.

End of session

MemberLoggedIn

Website

A binary flag which stores whether a user is logged in or not.

End of session

ai_session and ai_user

Website

Tracks users as they navigate the website predominately for infrastructure performance insights.

1 day

DisplayName

Website

Keeps track of a donor’s preference to show their name during a Direct Debit.

End of session

 

 

 

Changing your browser settings for cookies

You can adjust the settings in your web browser to determine whether sites can set cookies on your computer. If you've visited this website before, there may be previously-set cookies on your computer.

You can find out how to delete them from the sites listed below.

 17.  RETENTION & DELETION of DATA

Our data retention policy and procedure is designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal and personal sensitive data.  Personal and personal sensitive data that we process for any purpose(s) will not be kept for any longer than is necessary for that purpose(s).

Retention & Deletion Periods:

 

Type of record

Retention period

Personnel files of employed  and volunteer staff including training

7 years from the end of employment

Records and of disciplinary and grievance hearings

As specified in the staff handbook

Application forms/interview notes for paid and volunteer staff

1 year from the date of the job advertisement

Facts relating to redundancies where less than 20 redundancies

6 years from the date of redundancy

Facts relating to redundancies where 20 or more redundancies

6 years from the date of the redundancies

Financial Records (SAGE Payroll & Accounts) Payroll records, Income Tax and NI Returns, including correspondence with tax office

7 years

Statutory Maternity and adoption Pay records and calculations

7 years after the end of the tax year in which the maternity period ends

Statutory Sick Pay records and calculations/Sickness records

7 years

Individual pension entitlement and contribution history

7 years after the benefit ceases

Disclosure checks for staff and volunteers

6 years after end of employment

Accident books, and records and reports of accidents

6 years after the date of the last entry

Health Records for staff and volunteers

During employment/ volunteer engagement

Health Records where reason for termination of employment is connected with health, including stress related illness

6 years

Examination, testing, monitoring and control records:

Review 5 years after last action

 

Medical records kept by reason of the Control of Substances Hazardous to Health Regulations 1999

40 years

Health and Safety

Training, guidance and instructions: 

 

Risk assessment reports and reviews: 

 

 

 

 

Building related risk assessments

Review 3 years from date superseded

 

 

The HSE recommends 40 years for personal records

http://www.hse.gov.uk/health-surveillance/record-keeping/index    

 

A recent example is the claim relating to exposure to asbestos dating back a number of years with no records available.

 

Contractual records

6 years

 

Or  for the period  specified in contracts and agreed with funders

Minutes

6 years  

Grant agreements with Citizens Advice Scotland

6 years if there is no period specified in the agreement

References received for staff and volunteers

1 year

Annual leave records

2 years

Annual appraisal/assessment records

5 years

Volunteer support and supervision notes

3 months after volunteer leaves

Records relating to promotion, transfer,

training, disciplinary matters

6 years from end of employment/volunteer engagement

References given/ information to enable references to be provided

5 years from reference/ end of employment

Summary of record of service

eg: name, position held, dates of employment

10 years from end of employment

Records relating to accident or injury at work

12 years

                  

 

DAGCAS will hold any client records and additional data in accordance with the schedule below.

 

Low risk

7 years after the case has closed

All client records apart from the high risk categories below.

 

For example, if a client is in a DAS (Debt Arrangement Scheme) for 15 years – the record must be kept for the 15 years of the DAS and 7 years after that.

High risk

16 years after the case has closed

Any case that has been subject to a serious complaint, insurance claim or other dispute.

 

16 years after the case has closed

Any case relating to building works or surveyors' reports on the purchase of property or relating to property.

 

16 years after the case has closed

Any case which Citizens Advice Scotland and/or ADS consider to be a substantial risk, where the sums of money involved are, for example, in excess of £10,000 or where the advice given was especially complex, or where Citizens Advice Scotland and/or ADS is otherwise concerned that the case is unusual.

 

40 years

Employers Liability Insurance certificates

Notwithstanding the provisions in this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person

METHOD OF DELETION

Electronic files will be deleted in line with the timescales set our above.  Paper files will be shredded or disposed of via confidential waste destruction in line with the above timescales.  Where third party companies are used to dispose of confidential waste, destruction certificates are obtained.