The Cyber and Fraud Centre – Scotland (including the trading name Scottish Cyber Awards) is a data controller and collects and processes personal data. The Cyber and Fraud Centre – Scotland is committed to being transparent about how it collects and uses your data and to meeting its data protection obligations. The Cyber and Fraud Centre – Scotland collects personal data from individuals and businesses for a number of different purposes. This notice sets out the various ways in which the Cyber and Fraud Centre – Scotland collects personal data, the ways in which this personal data is processed and the lawful basis for that processing.
2. LAWFUL BASIS FOR PROCESSING
2.1 Legitimate Interest
We process personal data because we have a legitimate interest in providing information to you about the work being done by the Cyber and Fraud Centre – Scotland, including our newsletter, advice, guidance, events, services, and key partners. We provide this information to you because you are a member of the Cyber and Fraud Centre – Scotland, have previously been a member or have expressed interest in our services. We believe this information is of benefit to you, as it will help keep your business safe, secure and resilient. We consider this basis for processing necessary as there is no less intrusive way for us to provide you with this information.
Some of the information we process under this lawful basis includes, but is not limited to, name, work address, work e-mail address, positions and, in some instances, bank/payment details.
Where we are using this lawful basis to process your personal information, we will ensure that you understand that you can opt out of receiving this information and make it clear to you how to do so.
2.2 Legal Obligation
On occasions, we may process some of this information because processing is necessary for compliance with a legal obligation to which the Cyber and Fraud Centre – Scotland as a data controller is subject. We consider this basis for processing necessary because, where appropriate, we will:
- Comply with a common law or statutory obligation
- Document our decision that processing is necessary for compliance with a legal obligation
- Identify the appropriate source for the legal obligation in question
It will not be possible to anticipate every legal obligation, but we will rely on this lawful basis for processing when we are required to process personal information to comply with a common law or statutory obligation. Examples may include court orders or obligations to disclose information about employees to HMRC. The information processed will depend upon the nature of the obligation imposed.
3. HOW DO WE GATHER THIS INFORMATION?
We gather this information from the application forms submitted to us and from the emails and business cards of those applying for membership or services or who have expressed interest in the Cyber and Fraud Centre – Scotland work.
4. WHERE DO WE KEEP THIS INFORMATION?
We keep this information in both hard copy and electronic formats, in hard copy files and on computer systems, under the control of the Cyber and Fraud Centre – Scotland. We also keep some information on databases, computer systems and websites of companies that help us process and manage the information we hold. These third parties must at all times provide the same levels of security for personal information as the Cyber and Fraud Centre – Scotland and, where required, are bound by a legal agreement to keep personal information private and secure and to process it only on the specific instructions of the Cyber and Fraud Centre – Scotland and not for their own purposes.
Your information is securely stored on the secure servers operated by Salesforce at the UM6 Data Centre in London, United Kingdom.
5. HOW DO WE KEEP THIS INFORMATION SAFE?
We take appropriate measures to keep all personal information as secure as possible. We have a security policy, and all our staff members are made aware of their obligations to use the information only as authorised. All personal data is only accessible to those who need to use it. We keep personal data in the following ways depending on the risks involved in the processing:
- In a lockable room with controlled access.
- In a locked drawer or filing cabinet.
- If data is computerised, it is stored on network servers and on password-protected databases, not on local systems, with suitable security access levels determined, applied and monitored.
- Particular care is taken of portable ICT equipment, memory sticks etc. which are password protected and encrypted to prevent unauthorised access.
- Sensitive personal data is not kept on memory sticks or routinely taken from premises on any form of removable media.
6. INFORMATION SHARED WITH THIRD PARTIES
The Cyber and Fraud Centre – Scotland may share some of the personal information gathered from people applying to be members or people who have expressed an interest in the work of the Centre with third parties but only in the strictly limited circumstances set out below.
- We may supply personal information to third parties (such as our internet service providers and IT companies) who help us administer our information. These third parties must at all times provide the same levels of security for personal information as the Cyber and Fraud Centre – Scotland and, where required, are bound by a legal agreement to keep personal information private and secure and to process it only on the specific instructions of the Cyber and Fraud Centre – Scotland.
- We may supply personal information to third parties (such as our internet service providers and IT companies) who are based in countries outside the European Union if it is necessary for us to do so to help us to manage our information. Some of these countries do not have the relevant level of protection in place. The Cyber and Fraud Centre – Scotland will ensure that an appropriate contract is in place with any third parties to whom data is transferred regularly or it will rely on an appropriate legal exemption for such transfers.
- We may also supply personal information to government bodies and law enforcement agencies but only: if we are required to do so by the requirements of any applicable law; in our reasonable opinion, such action is reasonably necessary to comply with legal process; to respond to any legal claims or actions; or to protect the rights of the Cyber and Fraud Centre – Scotland, its customers and the public (see paragraph 2.2).
7. RETENTION PERIOD
As described above, the personal information we gather will be kept by the Cyber and Fraud Centre – Scotland for the purposes set out in section 2 of this document.
Where a membership application is approved, or we have provided services to the client, we may keep the associated personal information for a period comprising the current year plus six years from the date of the closure of the member account unless there are any extenuating circumstances (e.g. bad debt, ongoing court proceedings). Where this is the case, and the information about the account is to be retained outwith this period, then we will fully justify and document our reasons for retaining the personal data.
Where a membership application is declined, we will keep the personal information associated with the application for a period of the current month plus three months from the date of membership being declined unless there are any extenuating circumstances (e.g. complaint or legal challenge to the decision). Where this is the case, and the information about the account is to be retained outwith this period, then we will fully justify and document our reasons for retaining personal information.
In addition, the personal data gathered for the purposes of marketing will be retained and used for this purpose unless you tell us you no longer wish to hear from us. We will keep minimal contact details to ensure that you no longer receive our messages.
8. YOUR RIGHTS
As a data subject, you have a number of rights in relation to your personal data. These are listed in brief below. A fee will not generally be charged for exercising any of these rights unless your requests are manifestly excessive.
- The right to access information about the personal data the Cyber and Fraud Centre – Scotland is processing and to obtain a copy of it;
- The right to require the Cyber and Fraud Centre – Scotland to change incorrect or incomplete data;
- The right to request that the Cyber and Fraud Centre – Scotland erases or stops processing your data; and
- The right to object to the processing of your data where the Cyber and Fraud Centre – Scotland is relying on its legitimate interests as the legal ground for processing.
If you would like to exercise any of these rights, or if you have any concerns about how your personal data is being processed, please contact us by e-mail at [email protected] or the Cyber and Fraud Centre – Scotland, Oracle Campus, Blackness Road, Linlithgow, West Lothian EH49 7LR, United Kingdom, Telephone 01786 447441.
If you still believe that the Cyber and Fraud Centre – Scotland has not complied with your rights, you can complain to the Information Commissioner. Contact details are available at www.ico.org.uk.
9. OTHER WEBSITES
10. CHANGES TO THIS PRIVACY NOTICE
The Cyber and Fraud Centre – Scotland reserves the right to update this privacy notice at any time and will provide you with a new notice when making any substantial updates. The Cyber and Fraud Centre – Scotland may also notify you in other ways from time to time about the processing of your personal data.
11. MONITORING AND REVIEW
This policy was last updated on 17 February 2023 and shall be regularly monitored and reviewed at least every two years.