Scottish Castles Association – Data Protection Policy
The Scottish Castles Association is a Registered Charity (SC029654) located at 95 The Moorings, Dalgety Bay, Fife, KY11 9GP. We determine the purposes and means of the personal data we process and are therefore registered with the Information Commissioner’s Office (ICO) as a data controller, registration reference ZB900773.
This policy applies to all trustees, employees, and volunteers of the Scottish Castles Association. It sets out our commitment to meeting our obligations to protect personal data under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and, where applicable, the EU General Data Protection Regulation (GDPR).
“Personal data” means any information relating to an identified or identifiable living individual.
Principles of Data Protection
The Scottish Castles Association will ensure that all personal data we hold is:
- Processed lawfully, fairly, and transparently
- Collected for specific, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes (purpose limitation)
- Adequate, relevant, and limited to what is necessary (data minimisation)
- Accurate and kept up to date (data accuracy)
- Retained only as long as necessary for the stated purposes (storage limitation)
- Processed securely, protecting against accidental or unauthorised access, destruction, loss, use, modification, or disclosure (integrity and confidentiality)
Lawful, Fair and Transparent Processing
We maintain Data Audits to record where and why we process personal data. These audits are reviewed annually and kept up to date.
We will only process personal data where at least one of the following lawful bases applies, as required by law:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Details of how we process data are provided in our Privacy Notices, available on our website at www.scotlandscastles.org. These notices are reviewed and updated annually.
Purpose Limitation
We are clear about our purposes for processing data from the outset. These are recorded in our Data Audits and published in our Privacy Notices. We will not use personal data for other purposes unless:
- It is compatible with the original purpose,
- We obtain consent, or
- We have a clear legal obligation or function to do so.
Data Minimisation
We ensure that the personal data we process is:
- Adequate – sufficient to fulfil our stated purpose
- Relevant – directly related to that purpose
- Limited – we only hold what is strictly necessary
Data Accuracy
We take all reasonable steps to ensure personal data is accurate and not misleading. Where necessary, we keep data updated. Any data found to be incorrect will be corrected or erased as soon as possible.
Storage Limitation
We only retain personal data for as long as necessary to fulfil our purposes for holding it. Our Document Retention Policy sets out retention periods and how data is erased, anonymised, or removed from our systems.
In some cases, data may be retained longer for public interest archiving, scientific or historical research, or statistical purposes.
Integrity and Confidentiality
We take data security seriously. Measures to protect personal data include:
- Regular data protection and cybersecurity training for trustees, staff, and volunteers
- An IT security policy, covering passwords, two-factor authentication, encryption, and approved systems
- A named Data Protection Officer (DPO) providing advice, support, training, and updates on all aspects of data protection (contact: dataprotection@scotlandscastles.org)
Rights of Individuals
Individuals have the right to be informed about how we process their personal data (see our Privacy Notices), to access the personal data we hold about them, and to have inaccurate or incomplete data rectified (see Data Accuracy above). They also have the following rights:
- Erasure – request deletion of their data unless we have a lawful reason to retain it (for example, donor records required to comply with legislation)
- Restrict processing – where there is a dispute about the accuracy, validity, or lawfulness of personal data held, individuals can require us to suspend processing of that data until the matter is resolved
- Data portability – request their data in a common, machine-readable electronic format
- Object to processing – objections to processing (including any processing for direct marketing) will be handled promptly and properly
- Rights related to automated decision-making and profiling – the Scottish Castles Association does not undertake any automated decision-making or profiling activities
Data Breach
A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Examples include:
- Access by an unauthorised third party
- Deliberate or accidental actions (or inaction) by trustees, staff, or volunteers
- Sending personal data to the wrong recipient
- Loss or theft of devices containing personal data
- Alteration of data without authorisation
- Accidental deletion or loss of access to data
- Leaving files or devices containing personal data in unsecured locations
All suspected breaches must be reported immediately to the DPO.
Where the breach is likely to result in a risk to individuals’ rights and freedoms, the DPO will report it to the ICO without undue delay and within 72 hours of the Association becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected individuals will also be informed without undue delay.
The DPO will maintain a record of all breaches, including those not reportable to the ICO, and will implement measures to reduce the risk of recurrence.
Privacy by Design
Privacy by design is a proactive approach to ensure data protection compliance from the outset of any project or change in process.
Where possible, and where it does not negatively impact the individual, privacy settings will be set to the most privacy-protective and secure options by default.
All trustees, employees, and volunteers must:
- Be familiar with this policy
- Apply privacy and good data protection practices in all projects and activities
- Seek advice from the DPO where necessary
Contact
For any questions, concerns, or advice regarding data protection, please contact:
Data Protection Officer (DPO)
Email: dataprotection@scotlandscastles.org
Version 1 Date: 23/07/2025