Data Protection

In order to operate efficiently in the delivery of our funding, advocacy and development services, we collect information about the people we connect and work with. This may include members of the public, current, past and prospective employees, agency workers, secondees, funding applicants, contractors and suppliers.

We hold and use personal information in accordance with Data Protection legislation which includes the Data Protection Act 2018, UK General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations 2003. Data Protection legislation regulates the way that we handle the personal information that we collect in the course of carrying out our functions and gives certain rights to people whose personal information we may hold.

We will ensure that:

  • staff who handle personal information are appropriately supervised and trained;
  • there is someone with specific responsibility for data protection in the organisation; and
  • we take all necessary steps to ensure that personal information is kept secure at all times against unauthorised or unlawful loss or disclosure.

You can find out more about the personal information we process in Creative Scotland's Privacy Notice.

What is Personal Data?

Personal data is information that relates to a living individual who can be identified. What identifies an individual could be as simple as a name, an email address or could include other identifiers such as a photo, an IP address or a cookie identifier or other factors. Personal data may include any expression of opinion about a living individual or any indication of intentions about that individual. If it is possible to identify an individual directly from the information being held and used, then that information may be personal data.

What are my rights?

Right of Access - you have the right to find out if an organisation is using or storing your personal information. This is called the right of access. You exercise this right by asking for a copy of the information, which is commonly known as making a ‘subject access request’.

Right to Rectification - you can challenge the accuracy of personal information held about you by an organisation, and ask for it to be corrected or deleted. This is known as the ‘right to rectification’. If your information is incomplete, you can ask for the organisation to complete it by adding more details.

Right to Erasure - you can ask an organisation that holds information about you to delete that information and, in some circumstances, it must then do so. This is known as the right to erasure. You may sometimes hear it called the ‘right to be forgotten’.

Right to Restriction - you can limit the way an organisation uses your personal information if you are concerned about the accuracy of the information or how it is being used. If necessary, you can also stop an organisation deleting your information. Together, these opportunities are known as your ‘right to restriction’.

Right to Object to Processing - you have the right to object to the processing (use) of your personal information in some circumstances. If an organisation agrees to your objection, it must stop using your information for that purpose unless it can give strong and legitimate reasons to continue using your information despite your objections.

You have an absolute right to object to an organisation using your information for direct marketing – in other words, trying to sell things to you. This means it must stop using your information if you object.

Right to Data Portability - you have the right to get your personal data from an organisation in a way that is accessible and machine-readable, for example as a CSV file.

You also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the regulation says, “technically feasible”.

This is known as the right to data portability.

How can I exercise my rights?

To exercise your information rights please contact our Data Protection Officer:

Tel: 0131 523 0080

Creative Scotland
Waverley Gate
2-4 Waterloo Place

You may need to provide adequate proof of identity such as a copy of a utility bill, drivers licence, passport or birth certificate. The standard of identity check will be proportionate to the data you have requested from us.

You can request a copy of any personal information we may hold about you by using any of the above contact options or by completing a Subject Access Request Form (Word) and returning it by email or post.

We will acknowledge your request and provide a response within one month. However, exemptions to disclosure may apply in some circumstances. Data protection legislation allows for the one month deadline to be extended by a further two months where the request is particularly complex.

If you require any assistance completing the Subject Access Request Form or would like to discuss the information we hold with a member of staff, please contact our Data Protection Officer on 0131 523 0080.

Information Commissioner’s Office (ICO)

The ICO has a number of roles and responsibilities including being the UK’s Supervisory Authority (Regulator) of data protection legislation.

The ICO upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Visit the ICO website to find out more about the ICO including practical information about your data protection and information rights together with guidance and resources for public bodies, private sector organisations and sole traders.