Royal Society for Home Support
Privacy notice
Your privacy is important to us.
Purpose of this notice
This privacy notice describes how Royal Society For Home Support (“the Society”, “we”, “us” or “our”) collects and uses Personal Data, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act and any other applicable data protection law in the United Kingdom (collectively “data protection law”).
It applies to Personal Data provided to us, whether by individuals or by others.
Personal Data is any information relating to an identified or identifiable living person. Words used with first letter capitalisation (e.g. Personal Data), unless otherwise defined in this policy, have the same definition and meaning as under data protection law.
About us
The Society is incorporated by Royal Charter, and its Registered Office is 1st Floor, Quay 2, 139 Fountainbridge, Edinburgh, EH3 9QG. The Society is a Scottish Charity with Registered Number SCO 04365.
The Society does not have a Data Protection Officer. If you have any queries regarding our processing of your Personal Data you may contact us by emailing [insert address]
What we do
We give assistance to persons throughout Scotland who have ceased to work on account of having a long-term illness (referred to as “Beneficiaries”). This includes considering applications from persons to become Beneficiaries (“Applicants”).
Types of Personal Data
In order to provide our charitable services and to administer and develop the Society and its funds we may process many categories of Personal Data. By way of example, we could collect and process the following information in relation to Beneficiaries and Applicants:
- contact and personal details (including name, address, date of birth, employer name, contact title, phone, email and other business or family contact details);
- family information;
- health information;
- information about management and employees of clients;
- income, taxation, benefits and other financial-related details;
- payroll details and other financial information.
For certain services or activities, and when required by law or with an individual’s consent, we may also collect Sensitive Personal Data. Examples of special categories include race or ethnic origin, and health data.
Collection of Personal Data
We will only collect such Personal Data that is necessary for us to perform our services and we ask Beneficiaries and Applicants only to share such Personal Data as required for that purpose. Where we identify that a Beneficiary or Applicant has provided us with unnecessary Personal Data we will either return that information to its source or destroy it, taking into account our Beneficiary’s or Applicant’s preference wherever possible.
Generally, we collect Personal Data from our Beneficiaries and Applicants or from third parties acting on the instructions of the relevant Beneficiaries and Applicants. Examples of this collection include when:
- we are contacted about our services;
- a Beneficiary receives our services or an Applicant applies to us to provide them, and also during the provision of those services.
The Society’s website uses cookies to collect data on where visitors to the site are going and what information they are finding the most useful. Using this data the Society is better able to tailor the website to fit the needs of those that are visiting it.
Use of Personal Data
Here we set out the basis upon which we process Personal Data. Please note that we may process Personal Data for more than one lawful basis, depending on the specific purpose for which we are using that information.
Performance of a contract
We provide charitable services mainly in the form of making grant payments to individual Beneficiaries.
These services require us to process Personal Data for purposes necessary for the performance of our contract with our Beneficiaries. For example, this may include processing Personal Data to effect payments to a Beneficiary.
Legitimate interests
We may process Personal Data for the purposes of our own legitimate interests in the effective delivery of information and services to our Beneficiaries, and in the effective and lawful operation of the Society as a Charity, provided that those interests do not override the interests, rights and freedoms of a Data Subject which require the protection of that Personal Data.
Examples of such processing activities include:
- managing our relationship with Beneficiaries;
- developing our charitable services;
- managing risk in relation to the Society generally;
- maintaining and using IT systems, including security monitoring to identify harmful programs;
- hosting or facilitating the hosting of events;
- administering and managing our website and systems and applications.
Compliance with a legal obligation
As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We will process Personal Data as necessary to comply with those obligations.
We are also required to keep certain records to demonstrate that our services are provided in compliance with our legal, regulatory and charitable obligations.
Consent
In certain limited circumstances, such as where a Data Subject has agreed to receive marketing communications from us, we may process Personal Data by consent. Where consent is the only basis upon which Personal Data is processed the relevant Data Subject shall always have the right to withdraw their consent to processing for such specific purposes.
It is our policy to only process Personal Data by consent where there is no other lawful basis for processing.
Data retention
We retain the Personal Data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In the absence of specific legal, regulatory or contractual requirements, our standard retention period for records and other documentary evidence created in the provision of services is 3 years after conclusion of the services. Our standard retention period for unsuccessful Applicants is 3 years after notifying unsuccessful candidates.
We continually review our data retention policies, and we reserve the right to amend the above retention periods without notice.
Other records, which are not required to be retained as part of our professional services, will be kept for a period of time depending on:
- the type, amount and categories of Personal Data we have collected;
- the requirements of our business and the services we provide;
- the purposes for which we originally collected the Personal Data;
- the lawful grounds upon which we based our processing;
- any relevant legal or regulatory obligations;
- whether the purpose of the processing could be reasonably fulfilled by other means.
Where relevant, such as the retention of employee and prospective employee personal data, we have a separate privacy notice for that category of Personal Data.
Data security
We take the security of all the data we hold very seriously. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.
We have put in place appropriate security measures to prevent Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. This is not only in accordance with our obligations under GDPR, but also in accordance with our regulatory obligations of confidentiality.
In addition, we limit access to Personal Data to those employees, agents, contractors and other third parties who have a business need to know, and our IT systems operate on a ‘least privileged’ basis by default. Third parties will only process Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify any affected Data Subject and any applicable regulator of a suspected breach where we are legally required to do so.
In some circumstances we may anonymise or pseudonymise Personal Data so that it can no longer be associated with the Data Subject, in which case we may use it without further notice.
Data transfers
We will share Personal Data with third parties where we are required by law, where it is necessary to administer our relationships between clients and Data Subjects, or where we have another legitimate interest in doing so.
We engage Scott-Moncrieff to provide secretarial and administrative services and accordingly Personal Data may be transferred to them for these purposes.
We may also share Personal Data with third-party service providers. For example, we use third parties to provide:
- our IT and cloud services, and to operate and manage these services;
- professional advisory services;
- administration services;
- marketing services;
- banking services.
All of our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data. We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.
Rights and responsibilities
A Data Subject’s duty to inform us of changes
It is important that the Personal Data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us, either through your usual contact at the Society or by using one of the means set out at the end of this privacy notice.
A Data Subject’s rights in connection with Personal Data
Data Subjects may have certain rights under UK or EU law in relation to the Personal Data held by us about them. In particular, they may have a right to:
- request access to their Personal Data. This enables a Data Subject to receive details of the Personal Data we hold about them and to check that we are processing it lawfully;
- ask that we update the Personal Data we hold about them, or correct such Personal Data that they think is incorrect or incomplete;
- request erasure of their Personal Data. This enables a Data Subject to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. Data Subjects also have the right to ask us to delete or remove Personal Data where they have exercised their right to object to processing (see below). Please note that we may not always be able to comply with a request for deletion of Personal Data for legal reasons which will be notified, if applicable, after receiving such a request;
- object to processing of their Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about their particular situation which makes them want to object to processing on this basis. They also have the right to object where we are processing their personal information for direct marketing purposes;
- request the restriction of processing of their Personal Data. This enables a Data Subject to ask us to suspend the processing of Personal Data about them, for example if they want us to establish its accuracy or the reason for processing it;
- request the transfer of their Personal Data to them or another Controller if the processing is based on consent, carried out by automated means and this is technically.
Withdrawal of consent
Where we process Personal Data based on consent, individuals have a right to withdraw consent at any time. However, as noted above, we do not generally process Personal Data based on consent.
To withdraw consent to our processing of your Personal Data please email [insert details] or, to stop receiving marketing emails, please click on the unsubscribe link in the relevant email received from us.
Contacting us to exercise a right
Any request by a data subject in accordance with data protection legislation to see any information that is held about them by us should be made to [insert name]
Data Subjects also have the right to make a complaint to the ICO, the UK supervisory authority for data protection issues. For further information on individual rights and how to complain to the ICO, please refer to the ICO website.
Changes to this notice
We recognize that transparency is an ongoing responsibility so we will keep this privacy statement under regular review.
This privacy statement was last updated on 1 October 2024.