Privacy Notice
Privacy Notice
Dumfries & Galloway Citizens Advice Service (also referred to as ‘D&GCAS’, ‘the charity’, ‘we’, ’our’, or ‘us’) is the Data Controller for any personal data we process about you for the purposes set out in this Privacy Notice. Our ICO registration number is Z6081270.
This notice outlines what personal data D&GCAS collects and processes about you when seeking advice and assistance from us. This notice does not cover personal data we process about our staff, workers, trustees, volunteers, applicants, supporters, or donors. There are separate privacy policies for these groups. Please read this notice carefully to understand how we process and look after your personal data.
D&GCAS is a member of the Scottish Association of Citizens Advice Bureaux (SACAB – operating name Citizens Advice Scotland), a network of 59 individual Citizens Advice Bureau (CABx). D&GCAS uses a case management system called CASTLE to record details of all our clients’ enquiries. We are a Joint Controller with Citizens Advice Scotland (CAS) for the data held on this system.
1. Our Data Processing
1.1. Providing Advice and Assistance
D&GCAS is an independent charity (SC027107) that provides free, confidential, expert advice and assistance to help you resolve your problems. We deliver a holistic service and our data processing may vary depending on the support we are providing. We only use the personal data we need. Most data we process will have been provided by you during your discussions with our advisors. On occasion referrals are made to D&GCAS from other organisations. They may share your data with us to help us provide you with advice and support. They should make you aware when this happens.
D&GCAS processes personal data to keep records of the advice and support offered. We only ask for the information we need, let you decide what you are comfortable telling us, and explain why we need it. We also treat it as confidential. When we record and use your personal information we comply with the requirements of the UK GDPR and Data Protection Act 2018. This means that we use your personal in a way that is:
- Lawful, fair and transparent
- Compatible with the purposes that we have told you about
- Adequate and necessary, we only use the data we need to use for the reason we told you
- Accurate and up to date
- Not excessive, we only keep your data for as long as we need it, and
- Secure and protected
Personal data is processed by D&GCAS to help us to provide an effective and efficient service to you as well as for our insurance purposes. It may include your
- Name
- Address
- Phone number
- Financial data
We may also sometime record data regarding criminal offence data if this information is needed to help us to advise you. You may also provide information about your ethnicity, mental and physical health, political and philosophical beliefs, religion, trade union membership, genetics, sexual life or gender. This is called ‘special category data’ and we will only use this type of personal data where it is necessary for us to deliver services to you and where we are permitted by law.
If you do not want us to record and use your information, we can help you as best we can, but advice will be limited and general rather than specific to your circumstances.
1.2. Research and Advocacy
We also collect, use and share aggregated data such as statistical or demographic data as part of our research and advocacy work to tackle wider issues in society that affect citizens in Scotland. Aggregated data could be derived from your personal data but is not considered personal data in law as it will not directly or indirectly reveal your identity.
You can see examples of how data is used for research and advocacy work on the Citizens Advice Scotland website.
1.3. Improvement of Services
We may also use personal data to help improve our services through:-
Follow Up Surveys and Customer Satisfaction Monitoring
We may conduct follow-up surveys and customer satisfaction monitoring with you to help assess and improve our services. All such monitoring will only take place where you have already given your consent for this to happen.
Cookies
When you browse our website, we may use “cookies” to help us understand how our site is used by visitors, and to develop and enhance our services to you. You can visit our Cookie Policy here. A “cookie” is a bit of information kept on your computer. It tells us things like what device you are using and what pages you click on. We use cookies to:
- Track aspects of user visits, including the length of a user’s visit, the browser they are using, their geographical location, and the use of the search facility on this website
- Remember user selected contrast and/or text resizing style preference for this website
- Record a user’s video preferences for our videos viewed on the website.
1.4. Promoting our Services
We publish regular newsletters providing information about our service and on current issues which we believe may be of interest to our clients. Newsletters will only be sent to you with your prior consent. You can sign up for our newsletters at Newsletter | Dumfries and Galloway Citizens Advice Service (dagcas.org) .
We may also, from time to time, approach clients to ask them to take part in videos discussing their experiences with our service. You will only need to take part in such videos if you want to and will be asked to sign a consent form before taking part. If you chose to take part, you will have the opportunity to change your name on the video and will be given to opportunity to view the video before it is published. The videos will be publishing on our website and our social media platforms Facebook and Instagram. If you do not wish to take part in such videos then this will in no way affect the assistance which you receive from us.
1.5. Children’s Data
The D&GCAS website is not intended for children and we do not knowingly collect data relating to children from our website. However, we may collect information relating to children from you when providing advice and assistance. We will only collect the minimum amount of data necessary for providing you with the relevant support.
2. Lawful bases we rely on to process your information
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances where:
- It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests,
- You have given us your consent,
- Processing is necessary for us to perform a public task carried out in the public interest, or
- There is a legal obligation for us to do so.
Only one lawful basis need apply.
When we process special category personal data, the additional bases for processing that we rely upon is:
- explicit consent
- where there is a substantial public interest for us to do so
Please see Appendix 1 for further information on the lawful bases we may rely upon to process your personal data.
3. Withdrawing Consent
If we rely upon your consent to process your personal data, you may request to withdraw consent at any time by contacting us at which point we shall stop processing your personal data in that way. Please note that this does not affect the legality of our processing up to the date of your withdrawal of consent.
4. Sharing Data
We may need to share your data in the following situations using the relevant legal basis as noted below:
Consent:-
- When you give us authority to work with organisations on your behalf
- When referring between support organisations
Legitimate Interest:-
- With Citizens Advice Scotland and with members of the Scottish Association of Citizens Advice Bureaux (SACAB)
- With sub-processors delivering services for D&GCAS (e.g. technology providers)
- With our insurers if you submit a complaint
- With funders as part of research and advocacy work
- With our external auditors Scottish Legal Aid Board (SLAB). They check that we are providing you with the highest quality of service and are allowed to access your information (if randomly selected) under the legal basis of ‘public task’.
Legal Obligation:-
In accordance with the law e.g. with a court order, other authorities, or any regulatory requirement to which the charity is subject. For example, the Financial Conduct Authority (FCA) might ask us to share a randomised sample of client cases which are being dealt with by the bureau. This is to make sure the advice and service you get is lawful and meets the FCA rules and regulations.
Protection of Vital Interests:-
- In exceptional circumstances where there is a high risk of harm to an individual. We have strict safeguarding procedures in place for when this may occur.
If we do need to share personal data we will have appropriate controls and processes in place through contracts and/or data sharing agreements. All data sharing will comply with data protection laws. Where possible we will anonymise data.
5. Transfers to 3rd countries
We may at times transfer personal information outside the UK.
Some of our service providers process personal data we give them outside of the UK. Where this happens and the recipient country is not deemed adequate by the UK Government, then we will put in place additional measures to protect your personal data, such as contracts approved for use by the Information Commissioner’s Office, and any necessary supplementary measures.
6. Retention
We will not keep your personal data for any longer than is reasonably necessary. We have a record of retention schedule that sets out the periods for retaining and reviewing all information that we hold. All data will be securely disposed of once it is no longer needed.
Most client information is retained for 7 years, however under certain circumstances we are legally required to retain personal data for longer, for example if you have entered into a debt remedy your information is retained for 7 years plus the length of the debt remedy. Where a complaint has been made and it involves an insurance claim or other dispute then we will retain it for 16 years. Voicemails will be deleted after 28 days. Forms which are completed when you make an initial enquiry to us through our telephone receptionists, or via email, will be kept electronically for 3 months before being deleted from our system. Referral forms received from other organisations will also be kept for 3 months
7. Project Privacy Notices
Where D&GCAS is involved in delivering a national project locally, there may be an additional Privacy Notice for that project. Where you are a client of a project we will seek to refer you to the Privacy Notice to be read along with this one. These Privacy Notices are linked below:
Patient Advice and Support Service (PASS)
https://www.dagcas.org/wp-content/uploads/2023/06/Privacy-Pensionwise.docx
Add in Pensionwise link on website. Use the existing privacy notice
8. Your Data Rights
Under data protection law, you have certain rights when organisations process your personal information. The rights available to you depend on our reason for processing.
- Right of access to the data we process about you
- Right to rectification of any data we process that may be incorrect
- Right to erasure of data we process about you
- Right to restrict processing of data we process about you
- Right to object to D&GCAS processing your data
- Right to data portability
- Right not to be subject to automated decision-making and profiling
9. Complaints
You have a right to make a complaint if you are unhappy about the way that your personal data has been processed. You may do this in writing, by email, by telephone or in person. You should contact the Data Controller as detailed at Section 10 of this document.
So we can help you with your complaint, we need to know:
- your name
- how we can get in touch with you – email, phone or address
- details of the complaint
- problem – for example, whether you wanted help with debt or housing
We will then use the information you give us to deal with your complaint. We will only access your information for other reasons if we really need to – for example:
- for training and quality purposes (your personal data will be anonymised)
- to include anonymised complaint statistics in internal reports
If you escalate your complaint to an external independent adjudicator, we’ll share your complaint information with them and we may share information with our legal advisors, if necessary. If your complaint involves an actual or potential insurance claim, we will share details of your complaint with our insurer, ADS Insurance Brokers and Ansvar Insurance.
We keep your complaint information for 7 years. If your case has been subject to a serious complaint, insurance claim or other dispute we keep the data for 16 years.
10. Data Controller Contact Details
If you have any questions or queries, or wish to exercise your data rights you can contact D&GCAS at info@dagcas.org or write to
Marion Hamilton
Corporate Services Manager
Dumfries & Galloway Citizens Advice Service
81-85 Irish Street
Dumfries
DG1 2PQ
If your queries are about personal data on CASTLE, our case management system, you should contact D&GCAS in the first instance, however your query may be passed to CAS as a Joint Controller of the system. You can find information on CAS’ data processing on the CAS Privacy Policy.
11. Supervisory Authority Contact Details
You also have the right to lodge a complaint to the Information Commissioner about the processing of your data.
Their contact details are: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow
Cheshire, SK9 5AF. Tel: 0303 123 1113. The website is at: https://ico.org.uk
12. Changes
We reserve the right to amend this privacy notice from time to time.
Last Updated: August 2024.