Privacy policy
This policy explains how we're protecting your privacy and complying with legislation.
Our contact details
Name: Data Protection Officer (DPO)
Email: dataprotection@researchdata.scot
Address:
Bayes Centre
47 Potterrow
Edinburgh
EH8 9BT
Who we are
Our vision at Research Data Scotland (RDS) is to promote and advance health and social wellbeing in Scotland by enabling access to public sector data about people, places and businesses.
We are also committed to protecting the privacy of individuals whose personal information we hold and to meeting our data protection obligations under the General Data Protection Regulation and UK Data Protection Act 2018. This Privacy Notice details how those commitments are met in practice.
Why we may process your data
In some cases, we need to process data to ensure that we are complying with our legal obligations in so far as it is authorised by UK law or a collective agreement pursuant to UK law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. We may also need to process your data to confirm your identity if you are a researcher or a prospective member of RDS staff (pending a successful application outcome).
RDS may also process pseudonymised research datasets which have been shared by other third parties, in the process of provisioning data for research, where data will be stored the Scottish National Safe Haven. RDS may also process data on behalf of other data controllers in the event where we are acting as a processor.
RDS staff
Following a successful application and accepted offer of employment, the following processing may occur during your employment as an RDS staff member:
- Microsoft Teams and other Office 365 applications
- We may utilise tools such as recording and audio transcription features in meetings for the purpose of accurate minute taking.
- Bright HR for the maintenance and input of human resources related information of RDS staff
- MentorLearn, an application hosted by the Royal Bank of Scotland which is used by RDS to facilitate annual staff training
- ADP which is utilised for RDS employee payroll information
- Nest which is used by RDS to manage RDS staff pensions
- Edenred benefits which are provided to RDS colleagues via the Edenred platform.
Researchers enquiring about data access
When you fill out the enquiry form on our website, your data will be temporarily held in Umbraco and passed on to the responsible parties at eDRIS. Umbraco is a data collection tool where we hold information which comes in via the Enquiry Form and the website Contact Form. This is a temporary solution which will evolve to facilitate sharing directly from the RDS website to the Appian platform.
Researchers applying through the Researcher Access Service
If you are a researcher applying to access data held in the National Safe Haven, we will use the information that you have given us to process data as part of the assessment process for granting access. For example, we need to confirm that the request to access data is legal and in compliance with the objectives of public benefit.
In the event that your research request requires further authoritative sign-off, we will be processing your data in the action of sharing your application and details to the Public Benefit and Privacy Panels.
Where you have successfully accessed the National Safe Haven for research purposes, RDS will publish details (researcher name and organisation affiliation) as part of our values around being open and transparent as an organisation.
Your data may also be collected through our website forms and processed for the purposes of consented user engagement opportunities.
RDS uses platform solutions designed and delivered by Appian. This platform may process personal data and uploaded information in order to enable functionality and successful application progression. This includes the tracking of your application progression, processing supporting documentation required for authentication and case support purposes, and the processing of names and contact details in order to relay details on application progression.
By completing details in the enquiry form, your details will be captured for the triage process to confirm if your application can proceed through the RAS. In the event that your application is unsuccessful, ‘We will then review your information after on an annual basis and assess against a specific criteria if it is necessary and lawful to retain it for longer, if not your information will be securely deleted/destroyed.’
Partner organisations of RDS
If you are a member of a partner organisation of RDS, we may need to process your data through the following operations in order to fulfil our core RDS business processes:
- From interactions between RDS staff and colleagues of partner organisations through the use of Microsoft Teams and other Office 365 applications.
- Partner data may be processed in order to successfully update consenting individuals with RDS updates through the MailChimp solutions.
Members of the public
- Scotland Talks Data is the public engagement panel run jointly by Research Data Scotland and SCADR. Therefore, your information may be used to inform analytics and reports regarding your participation within the panel.
- Your data may be processed in order to successfully update consenting individuals with RDS updates through the MailChimp solutions.
- Your data may be collected through our website forms and processed for the purposes of consented user engagement opportunities.
Our lawful basis for processing your data explained
RDS staff and applicants
RDS will process data in association with staff members for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This data will also be processed as it is necessary for the purposes of performing the employee contract or compliance with a legal obligation to which the controller is subject.
Employees have the option to consent to registering for employee benefits through the Edenred platform, and individual benefits platforms provide links to their specific privacy notices.
RDS processor activities
In the event that RDS works as a processor on behalf of another public body (e.g., Scottish Government bodies), we will process under the lawful basis of that specific controller (e.g., public task).
Research and researcher data
Under the UK General Data Protection Regulation (UK GDPR (General Data Protection Regulation) article 6(f)), the lawful basis which we rely on for processing this information is that we have a legitimate interest. For more information, please visit the Information Commissioner’s Office website.
Public
RDS will utilise the lawful basis of consent for the following areas which require pre-given consent in order to partake in the services and panels in which RDS are involved:
- For data provided by members of the public who are partaking in the Scotland Talks Data engagement panels
- For data provided by those utilising the website features and have given consent for their details to be shared.
For more information regarding our lawful basis, please contact our Data Protection Officer at dataprotection@researchdata.scot. Further data regarding lawful bases for processing can be found on the ICO website.
The types of personal information we collect
The data that we currently collect and process is varied and is dependent upon the purpose of your interaction. The following section details what types of data will be collected (based on your involvement with RDS) and how we will collect and process this information.
RDS staff
In the event that you are employed by RDS, we will collect and process the following personal data:
- Your name, address and contact details, including email address and telephone number;
- Date of birth
- Emergency contact information
- Gender
- Special Category Information where applicable
- Whether you have a disability for which RDS needs to make reasonable adjustments during the process of employment.
- Financial information
Applicants for employment at RDS
RDS collects a range of personal data and information during the process of evaluating applications for advertised RDS positions. This may include:
- Your name, address and contact details, including email address and telephone number;
- Your current job role
Methods of data collection
Data which may be contained in application materials:
- Forms;
- CVs (Curriculum Vitae);
- References provided alongside CVs
- Your current job role
If you are unsuccessful in the application process, we will retain your details for 6 months.
Researchers applying through the Researcher Access Service
We collect a range of information about researchers and research bodies during initial enquiries regarding data access. This may include:
- Personal identifiers, contacts, and characteristics (for example, name and contact details) relating to researchers and research establishments wishing to access data sets for research purposes.
- ‘Personal information’ means any information which relates to or identifies you as an individual. This includes any information provided to us by or on behalf of you via current (or potential) research establishments, current or future public bodies, reference agencies or former employers.
- Your name, address and contact details, including email address and telephone number;
During your application process using the Researcher Access Service, we will collect the following information in the form of application form content and supporting documentation:
- Details of your research qualifications, skills, and experience;
- Information about your present and previous research activities;
- Your training, and particularly training associated with research activities;
- Information about your entitlement to carry out research on behalf of a research establishment or public body;
- In processing your application for research, your justification for performing the research and;
- Any sensitive information provided by you which details a disability for which RDS needs to make reasonable adjustments during the process of providing access to research data. Any information of this sensitivity will be kept confidential.
Methods of data collection
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- Data may be collected from online data access application tools.
- Data may be obtained from identity documents or collected through other forms of assessment and certification.
We also receive personal information indirectly, from the following sources in the following scenarios:
- Data may be collected from references supplied by former research bodies.
- We will seek information from third parties only once you have been made aware and will inform you that we are doing so.
- RDS also retains information about the organisations that provide research data to RDS and processes data that it receives from data controllers of research datasets.
- Data collected from the website forms will be held in Umbraco, a data collection tool used to temporarily process and share information which comes in via the Enquiry Form and the website’s Contact Form to the responsible parties within these processes.
Partner organisations of RDS
Through interactions with RDS colleagues, we may process the following personal data:
- Your assigned working email address
- Your name
- The date of your contact with RDS
- Your attendance at RDS held meetings where attendance is recorded, or transcriptions are recorded.
Members of the public
RDS collects a range of personal data and information during the process of evaluating applications and freedom of information requests (FOISA - see note 1). This may include:
- Your name
- Address
- Contact details
- Email address
- Telephone number
Methods Of Data Collection
Data may be collected through the submission of enquiries:
- General enquiries
- Feedback or complaints,
- Freedom of information requests, or
- Scottish Imaging Data Enquiry
- Website forms
How your data may be shared
Staff
If you are employed by RDS, we may share your data for the following purposes:
- Your data may be shared to carry out third party security checks before employment.
- We will share your personal data, including financial information with third party pension companies such as Nest.
- Your data will be shared with the Royal Bank of Scotland to allow you access to their online mentoring platform for training purposes.
- Your data will be shared with Bright HR and subset applications for the purpose of carrying out HR tasks and functions:
- This may also include sharing your data with Bright HR’s application known as Blip for the purposes of time management and clocking in/out.
- We will share personal data with HMRC for the purpose of financial management, payment information and statutory return.
- In the event that we are required to carry out a reasonable task to comply with legal requirements set by other government or security bodies.
- We will share both personal data and special category data in order to comply with emergency services in the event of an emergency situation.
Researchers
During the enquiry process to access the RAS, your information will be collected and shared through Umbraco and passed on to the responsible parties at eDRIS. This is a temporary solution which will evolve to facilitate sharing directly from the RDS website to the Appian platform. Any information also submitted through RDS website’s Contact Form shall be shared with relevant parties within RDS.
In the process of developing and reviewing your application through the Researcher Access Service, your information may be shared to parties who aid in the facilitation of the service and support any application issues. This includes Appian’s customer support team, relevant (authenticated) individuals who comprise the application review panel, and eDRIS employees.
In line with their responsibilities as an organisation and as frontline operators of the Researcher Access Service, eDRIS staff will share specific details of projects and researchers’ Information Governance training to their ServiceNow platform; for the purposes of keeping on top of researcher training, time logging and auditing as a Trusted Research Environment. More information around this process and how your data is being handled can be found in the Public Health Scotland privacy notice.
In the event that your research request requires further authoritative sign-off, your application and contact details will be shared to the Public Benefit and Privacy Panels for their concluding review.
Following a successful application (where data access has been granted), relevant application details may be collected and stored by RDS for platform audit, review and development purposes. In the process of facilitating data access, we may share this information internally or with partner organisations such as the Electronic Data Research and Innovation Service (eDRIS), Edinburgh Parallel Computing Centre (EPCC), Scottish Government and data controllers such as Public Health Scotland for the purposes of the managing access to research data.
We will not share your data with third parties unless your application for access to research data requires us to validate your details. We will then share your data with these third parties as part of the researcher screening process. We will always ask for your consent before processing this type of data as part of our researcher screening.
If your application for access to research data is unsuccessful, RDS may keep your personal data on file in case there are requests from you that are to be considered in the future. We will ask for your consent before we keep your data for this purpose, and you are free to withdraw your consent at any time.
Partner organisations of RDS
RDS (Research Data Scotland) also retains information about the organisations that provide research data to RDS, and organisations that process data received from data controllers of research data sets. Sources of research data include Scottish Government, National Records of Scotland, Public Health Scotland, Education Scotland as well as other public bodies.
Members of the public
- Your data may be specifically shared with the Scottish Centre for Administrative Data Research if you are involved in the Scotland Talks Data public panel.
- Where you have elected to receive communications from RDS, your data may be shared with the contacts list provider i.e., MailChimp.
How your personal information is stored
At RDS, it is our priority that your information is securely stored. As an organisation, the data that we collect from you will be primarily stored inside the UK or the European Economic Area (EEA). However, partners of RDS or solutions used by RDS may store data outside of the EEA in order to support functions such as customer support.
Staff
To operationally store data collected via differing organisational processes, RDS uses a number of Microsoft platforms. These different systems include:
- Microsoft 365
- Microsoft SharePoint
- OneDrive
- Microsoft Teams
- Microsoft Forms
RDS shall store key information regarding your employment to comply with legal and regulatory requirements. This information will be retained in compliance with specific legislation regarding the storing of employee records. Additionally, in-line with our records management policy and retention schedules, your information will be reviewed on an annual basis. Following a departure of employment from RDS, your information will be retained for 6 years and deleted following review.
Researchers
During your use of the Researcher Access Service, your contact information, application details, and RAS progression information will primarily be stored on the cloud-based Appian platform. However, Appian may process data outside of the EEA in order to aid customer support functions. For more information, please refer to Appian’s data processing terms.
Following a successful application (where data access has been granted), relevant application details may be collected and stored by RDS for platform audit, review and development purposes. Following this collection, we will then review your information on an annual basis and assess against a specific criteria if it is necessary and lawful to retain it for longer, if not your information will be securely deleted/destroyed.
In line with their responsibilities as an organisation and as frontline operators of the Researcher Access Service, eDRIS staff will store specific details of projects and researchers’ Information Governance training on their ServiceNow platform; for the purposes of keeping on top of researcher training, time logging and auditing as a Trusted Research Environment. More information around this process can be found in the Public Health Scotland privacy notice.
Partner organisations of RDS
We retain relevant work-based information and communications of individuals from RDS partners in order to satisfy our business operations and ability to effectively collaborate as an organisation. This information will be retained in line with our records management policy and retention schedules and will be reviewed on an annual basis.
Members of the public
If you are a member of one of our public panels, we will store your information on our internal business systems in a secure location for audit and review purposes. This information will be retained in line with our records management policy and retention schedules and will be reviewed on an annual basis. Your information will be removed from our systems as a result of the next review following your dischargement from the panel. If you have consented to marketing communications via MailChimp, your data may be stored on the MailChimp database in order to allow us to contact you.
Your rights
The law gives you a number of rights to control what personal information is used by us and how it is used by us.
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Feedback and complaints
Contacting RDS
Please contact us at dataprotection@researchdata.scot or write to our Data Protection Officer at the following address if you wish to make a request:
Research Data Scotland
Bayes Centre
47 Potterrow
Edinburgh
EH8 9BT
If you have any concerns about our use of your personal information, you can make a complaint to us at dataprotection@researchdata.scot.
Contacting the Information Commissioner's Office
You can also complain to the Information Commissioner's Office (ICO) at the following address if you are unhappy with how we have used your data:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire