Privacy

The Youth Scotland Web Site is intended to provide information on the Youth Scotland organisation and its services. Please see below for more detail on our privacy policy, cookies and data protection.

What this privacy policy covers

Updated: 26 October 2018

This policy explains how Youth Scotland uses, stores and protects any personal data it manages through the provision of its programmes and membership services.

Youth Scotland takes its obligations to any personal data held very seriously and has updated this policy to accommodate new General Data Protection Regulation (GDPR) that come into effect on 25 May 2018.

We may update this policy from time to time to provide additional information or clarity. This page will be the master copy of our policy and we encourage users to regularly check for any updates.

Our intention is to try and use plain English and youth work terminology as far as possible under our requirements for this policy. Any use of ‘us’, ‘we’ or ‘our’ etc. refers to Youth Scotland. Any use of ‘you’, ‘your’ or ‘you’re’ etc. refers to the user of our services. There are some legal terms used out of necessity but please get in contact if you require clarification on any of this policy.

In addition to this webpage, there is a downloadable version of the same text at the bottom of this page. You may also request a physical copy by writing to us.

To contact us regarding this policy, please email: office@youthscotland.org.uk or write to: Youth Scotland, Balfour House, 19 Bonnington Grove, Edinburgh, EH6 4BL. Please note – a physical copy will only be current at time of issue.

Controller of Personal Data

Any personal information provided to or gathered by Youth Scotland is controlled by Youth Scotland, Scottish Charity No: SC000501. A company limited by guarantee No: 125456. Registered in Scotland. Youth Scotland, Balfour House, 19 Bonnington Grove, Edinburgh, EH6 4BL.

In addition to this, Youth Scotland is the legal entity that hosts and administrates the Awards Network. As such, Youth Scotland also acts as the controller of personal data for the Awards Network.

To communicate with our Data Protection Officer please email office@youthscotland.org.uk or write to the above address.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) takes effect from 25 May 2018. GDPR is an evolution of the existing Data Protection Act (DPA) and Data Protection Directive. It is intended to give all of us greater visibility and control of our personal information (referred to as personal data).

Personal data is defined as, “…‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

What this means is any information an organisation holds that could possibly be used to identify a person, counts as personal data.

You can find out more about GDPR and how the Information Commissioner’s Office (ICO) applies it to UK organisations on their website www.ico.org.uk

Child Protection and privacy

Youth Scotland, like its members and many of its partners, operates in the youth sector, interacting with young people from aged 5 years+. Where relevant, and if there exists a conflict, Child Protection legislation and policy supersedes GDPR.

Types of information

Information, or data, that we hold is done so on a consent or legitimate interests basis, meaning that we hold and use information based on your permission (consent) to do so, such as providing your email address and name when you sign up to our email newsletter, or on the requirement for that information to provide our services (legitimate interests), such as information on a youth award challenge sheet to assess whether the candidate has passed or failed their personal challenge.

There are three main types of information Youth Scotland holds to provide services to you:

Information you give us

You provide us with information when you use our services. This may be an application to join Youth Scotland, completing a challenge sheet for an award or registering for a training session we provide. In all cases, you choose to provide the information requested so that we may provide the service.

Information will typically be provided to us via a form. This form may be accessed online, such as a membership application on our website, or via a physical form at or during a Youth Scotland event, such as a registration form.

Information that technology gives us

Information is sometimes automatically passed between your chosen technology and Youth Scotland’s technology by accessing our digital services. The most common usage is website analytics and browser cookies.

Your web browser automatically passes information about itself and your device (computer/mobile etc.) to any internet location you visit. Your browser has specific settings you can adjust to limit or increase these options.

This information is often referred to as metadata and is information including: log data, information passed by your web browser like IP address or other web browser information; device information, like what type of computer or mobile device accessed our website; location information, such as an approximate location while accessing our website.

Electronic communications

We maintain an active email newsletter and bulletin service to opted-in users and we usually receive information, such as a confirmation when you open e-mail, when the email is opened and any links clicked—but only if your technology and services permit it.

This service operates an independent op-out, meaning you may unsubscribe without having to contact us.

How information is used

We use any information you provide to us to fulfil the service or services related to your information. For example, to apply for membership, we will ask for the information about your youth group, meeting place, contacts and other information that we require to grant membership, according to our membership criteria. Likewise, we will ask for names, contact details, dates and times when you book a training event, so that we know who will attend and when.

In essence, the information is directly related to being able to fulfil the service we set out to provide to you or that required by law.

The core uses of personal data held by Youth Scotland are:

  • To provide, update, maintain and improve our services
  • As required by law, legal process or regulation
  • To communicate and respond to requests, comments and questions
  • To send service emails and other communications essential to providing membership and services
  • For billing, account management and other administrative matters
  • To maintain security and standards

In addition to the core purpose we use data for, we may also use information to analyse or profile our users to fulfil legal obligations, reporting obligations and to maintain and improve our services.

This may include:

  • We may use data to analyse our services e.g. satisfaction surveys and programme evaluation surveys to see how we are doing and take on board feedback
  • We may profile data on a geographic basis e.g. we may look at whether a group will qualify for funding or programme access due to relevant geographic criteria
  • We may profile data on age or gender basis e.g. we occasionally seek to understand our membership demographics to improve our offering and complete our annual reporting
  • We may profile data for aggregated statistics to complete reports e.g. we are often required to complete annual reports for programmes we run as a contractual obligation

Sharing information

Some Youth Scotland programmes, events or activities are supported or funded by other organisations. These programmes and events can require that reporting, financial and evaluation data be shared with the supporting funder or partner as a condition of contract. We will always make you aware of where this applies.

The current obligations on Youth Scotland are as follows:

Cashback for Communities

Where applicable consent has been obtained, we will share  potentially sensitive  personal  information  with  Inspiring Scotland,  for  the  purpose  of  monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with Inspiring Scotland is fully anonymised.

We will also share potentially sensitive information with our appointed evaluation contractors, under the terms of our agreed contract and this is covered under current data protection legislation.

Money for Life

Where applicable consent has been obtained, we will share potentially sensitive personal information with UK Youth, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with UK Youth is fully anonymised.

Stand Up to Sectarianism

Where applicable consent has been obtained, we will share potentially sensitive personal information with the Scottish Government, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with the Scottish Government is fully anonymised.

Generation Code

Where applicable consent has been obtained, we will share potentially sensitive personal information with UK Youth, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with UK Youth is fully anonymised.

Starbucks Youth Action

Where applicable consent has been obtained, we will share potentially sensitive personal information with UK Youth, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with UK Youth is fully anonymised.

UPS Road Code

Where applicable consent has been obtained, we will share potentially sensitive personal information with UK Youth, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with UK Youth is fully anonymised.

Achievement Generators

Where applicable consent has been obtained, we will share potentially sensitive personal information with the Corra Foundation, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with the Corra Foundation is fully anonymised.

Young Placechangers

Where applicable consent has been obtained, we will share potentially sensitive personal information with Greenspace Scotland for the purpose of operating this programme and with The Heritage Lottery Fund and Scottish Government, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with The Heritage Lottery Fund and Scottish Government is fully anonymised.

Rural Action Fund

Where applicable consent has been obtained, we will share potentially sensitive personal information with The Robertson Trust, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with The Robertson Trust is fully anonymised.

Activate

Where applicable consent has been obtained, we will share potentially sensitive personal information with Chance to Connect (The Scottish Children’s Lottery), for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with Chance to Connect (The Scottish Children’s Lottery) is fully anonymised.

Breaking Barriers

Where applicable consent has been obtained, we will share potentially sensitive personal information with The Gannochy Trust, for the purpose of monitoring engagement, reach and impact of this programme. Where such consent is not given, all data recorded and shared with The Gannochy Trust is fully anonymised.

Youth Scotland Awards (Hi5, DYA and YAA) and PDA in Youth Work

Any participant in Youth Scotland Awards or accredited training requires to provide personal data relevant to their Award or qualification which is shared with the relevant awarding body, currently the Scottish Qualifications (SQA), in order to fulfil the criteria of the Award.

Workers delivering Youth Scotland Awards are required to provide personal data relevant to their role which is shared with the relevant awarding body, currently the Scottish Qualifications (SQA), and the relevant Operating Agency.

Youth Scotland Membership (including insurance applications)

Membership data for Youth Scotland primarily contains data about relevant member groups but applications and member information records contain personal data relating to member contacts.

Personal data from direct memberships and applications come directly to Youth Scotland only and is not shared.

Memberships and applications for groups operating under an Area Association are sent to Youth Scotland and shared with the appropriate Area Association

All member groups who apply for an insurance package have group data and meeting address details, but not contact details, submitted directly to the Insurance Brokers, who submit to the Insurance Providers. The Insurance Brokers are Towergate Insurance. Insurance Brokers produce group insurance certificates and schedules and share these with Youth Scotland.

Youth Scotland Worker Training

Where applicable consent has been obtained, we will share potentially sensitive personal information on workers undertaking Youth Scotland training with associated funders and partners of said training. Unless covered elsewhere within this policy, these funders and partners include: Education Scotland, YouthLink Scotland and the Youth Scotland Network. Where such consent is not given, all data recorded and shared is fully anonymised.

PVG Scheme

All youth workers who apply for PVG scheme membership/updates provide sensitive personal data required to process the PVG Checks. These details are submitted by Youth Scotland directly to Disclosure Scotland. Disclosure Scotland produce PVG certificates and share these with applicants and with Youth Scotland.

CORRA Foundation

Where applicable consent has been obtained, we will share potentially sensitive personal information with the Corra Foundation, for the purpose of monitoring engagement, reach and impact of Youth Scotland’s programme of work. Where such consent is not given, all data recorded and shared with The Corra Foundation is fully anonymised.

Youth Scotland never sells data to third parties.

Inform 100

Where applicable consent has been obtained, we will share potentially sensitive personal information with Audit Scotland, for the purpose of fulfilling project goals, reporting, monitoring engagement, reach and impact of this programme.

Security and where information is stored

Youth Scotland takes every reasonable precaution to ensure any data we hold is secure and stored according to GDPR.

The following details explain the groupings for data storage; the technology involved and location.

In addition to the secure storage outlined below, access to any Youth Scotland system is always protected by the requirement for secure login to our systems. Any physically held data is protected locally by secure entry system, alarm and CCTV. Filing cabinets where used are locked.

Membership

Our membership data is stored, accessed and updated in a Microsoft Dynamics 365 CRM system. Dynamics 365 is a third-party, cloud-based system and data is not stored locally. Microsoft datacentres are among the most secure in the world and are held in European GDPR-compliant datacentres.

Website

The Youth Scotland websites are hosted on Microsoft Azure cloud hosting. No data is held locally. Microsoft datacentres are among the most secure in the world and are held in European GDPR-compliant datacentres.

Events

Youth Scotland uses the Eventbrite platform to manage our bookings for training and events. Eventbrite is a third-party, cloud-based system and data is not held locally. Eventbrite store data globally in compliance with GDPR and the EU-US Privacy Shield Framework.

SurveyMonkey

We use SurveyMonkey to capture feedback and evaluation data. SurveyMonkey is a third-party, cloud-based system and data is not held locally. SurveyMonkey store data globally in compliance with GDPR and the EU-US Privacy Shield Framework.

MailChimp

We use MailChimp as our email newsletter platform. MailChimp is a third-party, cloud-based system and data is not held locally. MailChimp store data in the USA in compliance with GDPR and the EU-US Privacy Shield Framework.

Basecamp

We may use Basecamp as a project management, document sharing and discussion platform. Basecamp is a third-party, cloud-based system and data is not held locally. Basecamp store data in the USA in compliance with GDPR and the EU-US Privacy Shield Framework.

Project data

Our project data is maintained in Microsoft Access or Microsoft Excel databases. These databases are stored locally on a secure server, requiring triple security access; users must be physically on Youth Scotland premises, sign in to a centrally-managed profile and have password access to each database.

Data retention

Youth Scotland will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

To achieve this, we have grouped personal data and set the following general limitations:

Membership data

Data is considered active and current during a membership period of 12 months. Data will be held by Youth Scotland for up to 24 months after non-renewal before being archived. Only the base data required to identify a returning member group will be archived.

Awards and worker training data

Participants in Youth Scotland’s awards often follow a learning pathway, where a young person may complete up to six possible awards between a potential age range of 5-26. This supports Scotland’s policy objectives for enabling lifelong learning. We have tried to strike a realistic balance to allow for reasonable gaps in between awards but not retain data for extended periods of time.

Data will be held by Youth Scotland for up to 60 months from the last award granted before being archived, in order to accommodate returning candidates. Only the base personal data required to identify a returning candidate will be archived.

Project data

Projects and programmes run for varying periods of time, typically increments of 12 months by financial year. To accommodate this, we will keep data for period of time limited by project completion dates or by financial year in rolling projects.

Data is considered active and current during a project. Data will be held by Youth Scotland for up to 24 months from the project completion date or 24 months from financial year end for rolling programmes.

Training & event registration data

Youth Scotland uses personal data to allow participants to register for training and other event opportunities. This is typically through the Eventbrite booking platform but occasionally through direct communication with Youth Scotland (forms and emails etc.)

Data will be held by Youth Scotland for up to 12 months from the training or event completion date.

Financial data

Like other organisations, Youth Scotland is required to hold organisational financial records for accounting, auditing and taxation purposes.

Data will be held by Youth Scotland for up to 84 months from the end of financial year.

Employee & trustee data

Youth Scotland holds various personal data on current and former employees and trustees.

Data is considered active and current during the period an employee is actively employed by the organisation or for the tenure of a trustee. Data will be held by Youth Scotland for up to 12 months for employees and trustees and 12 months from last contract for freelancers and contractors.

PVG member applicant data

Youth Scotland holds personal data on PVG Applicants whilst their PVG Scheme application is being processed and until their PVG Certificate has been received and a recruitment decision made by the member group.  After a recruitment decision has been made, we will delete the PVG Certificate. We will retain minimal contact details and note of PVG certificate number on file for the duration of their active involvement with a Youth Scotland Member Group in a regulated work role.

These limitations may be superseded by legal requirements placed upon Youth Scotland.

Cookies

Like the majority of websites, the Youth Scotland website uses modern technology and data provided by you and your browser to try and provide the best service and experience we can.

Cookies may be used on our website. A cookie is a very small text file that is placed on your computer's hard drive when accessing a website and it collects standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.

You can set your browser to refuse cookies and you can find out more information on how to refuse and delete cookies at http://www.aboutcookies.org. However, please note that some of this website may not function as a result.

Individual rights

GDPR provides certain rights for individuals. These are how they apply to Youth Scotland:

  1. The right to be informed – the core purpose of this policy; we aim to tell you about the collection of personal data.
  2. The right of access – you have access to your personal information (often called a “data subject access request”). This enables you to ask for a copy of the personal information we hold about you. This is normally free but please note that, as per ICO guidelines, an administration fee may apply, “when a request is manifestly unfounded or excessive, particularly if it is repetitive.”
  3. The right to rectification – in clearer words, the right to have corrections made. This a shared obligation between us to keep personal data as up to date as is practical.
  4. The right to erasure - this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  5. The right to restrict processing - This enables you, where appropriate, to ask us to suspend the processing of personal information about you. For example, if you are checking the accuracy of information we hold.
  6. The right to data portability – in clearer words, the ability for you to take personal data from us to an alternative supplier. Less relevant to our operations but the right remains.
  7. The right to object - where we are using a legitimate interest basis and there is something which makes you want to object to processing on these grounds. This may mean we are unable to provide some services to you.
  8. Rights in relation to automated decision making and profiling - automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

Conditions of use and terms of service

You may find our terms & conditions on this page

For everyone involved in community based youth work. Find out more about what we do and apply for membership.