
Data Protection

In order to operate efficiently in the delivery of our funding, advocacy and development services, we collect information about the people we connect and work with. This may include members of the public, current, past and prospective employees, agency workers, secondees, funding applicants, contractors and suppliers.

We hold and use personal information in accordance with Data Protection legislation which includes the Data Protection Act 2018, the General Data Protection Regulation 2016 (GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003. Data Protection legislation regulates the way that we handle the personal information that we collect in the course of carrying out our functions and gives certain rights to people whose personal information we may hold.

We will ensure that:

  • staff who handle personal information are appropriately supervised and trained;
  • there is someone with specific responsibility for data protection in the organisation; and
  • we take all necessary steps to ensure that personal information is kept secure at all times against unauthorised or unlawful loss or disclosure.

You can find out more about the personal information we process in the following Privacy Notices:

What is Personal Data?

Personal data is information that relates to a living individual who can be identified. What identifies an individual could be as simple as a name or an email address, or could include other identifiers such as a photo, an IP address, a cookie identifier or other factors. Personal data may include any expression of opinion about a living individual or any indication of intentions about that individual. If it is possible to identify an individual directly from the information being held and used, then that information may be personal data.

What are my rights?

Right of Access - you have the right to find out if an organisation is using or storing your personal information. This is called the right of access. You exercise this right by asking for a copy of the information, which is commonly known as making a ‘subject access request’.

Right to Rectification - you can challenge the accuracy of personal information held about you by an organisation, and ask for it to be corrected or deleted. This is known as the ‘right to rectification’. If your information is incomplete, you can ask for the organisation to complete it by adding more details.

Right to Erasure - you can ask an organisation that holds information about you to delete that information and, in some circumstances, it must then do so. This is known as the right to erasure. You may sometimes hear it called the ‘right to be forgotten’.

Right to Restriction - you can limit the way an organisation uses your personal information if you are concerned about the accuracy of the information or how it is being used. If necessary, you can also stop an organisation deleting your information. Together, these opportunities are known as your ‘right to restriction’.

Right to Object to Processing - you have the right to object to the processing (use) of your personal information in some circumstances. If an organisation agrees to your objection, it must stop using your information for that purpose unless it can give strong and legitimate reasons to continue using your information despite your objections.

You have an absolute right to object to an organisation using your information for direct marketing – in other words, trying to sell things to you. This means it must stop using your information if you object.

Right to Data Portability - you have the right to get your personal data from an organisation in a way that is accessible and machine-readable, for example as a CSV file.

You also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the regulation says, “technically feasible”.

This is known as the right to data portability.

How can I exercise my rights?

To exercise your information rights please contact our Information and Records Management Officer:

Email: dataprotection@creativescotland.com

Tel: 0131 523 0080

Information & Records Management Officer, Creative Scotland
Waverley Gate, 2-4 Waterloo Place, Edinburgh EH1 3EG

You may need to provide adequate proof of identity such as a copy of a utility bill, driver's licence, passport or birth certificate. The standard of identity check will be proportionate to the data you have requested from us.

You can request a copy of any personal information we may hold about you by using any of the above contact options or by completing a Subject Access Request Form (Word) and returning it by email or post.

We will acknowledge your request and provide a response within one month. However, exemptions to disclosure may apply in some circumstances. Data protection legislation allows for the one month deadline to be extended by a further two months where the request is particularly complex.

You can find more guidance on accessing your personal information from the UK Information Commissioner's Office website.

If you require any assistance completing the Subject Access Request Form or would like to discuss the information we hold with a member of staff, please contact our Information and Records Management Officer on 0131 523 0080.

As Creative Scotland (Controller) determines the purpose for which personal data is processed, we pay an annual data protection fee to the Information Commissioner’s Office to comply with the Data Protection (Charges and Information) Regulations 2018. A Controller must comply with the requirements of this regulation unless they are exempt.

More about Data Protection

Information Commissioner’s Office

The Information Commissioner's Office can provide help and advice to assist businesses and public bodies in meeting the requirements of data protection laws.

Data Protection Act 2018

The Data Protection Act 2018 is a comprehensive legal framework for data protection in the UK, supplemented by the GDPR until the UK leaves the EU. The Data Protection Act 2018 modernises data protection laws in the UK to meet the needs of our increasingly digital economy and society. While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force.

General Data Protection Regulation 2016

The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR forms part of the data protection regime in the UK which includes the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003.

Privacy and Electronic Communications (EC Directive) Regulations 2003

The Privacy and Electronic Communications Regulations sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.

There are specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The Information Commissioner’s Office aims to help organisations comply with data protection laws and promote good practice by offering advice and guidance. They will also take enforcement action against organisations that persistently ignore their obligations.