Citizens Advice Scotland (CAS) is committed to ensuring that we are compliant with our obligations under the General Data Protection Regulation (GDPR), and that whenever we process personal data, we do so in a transparent, fair and lawful manner.
We are registered with the Information Commissioner’s Office as a data controller and our registration number is Z9715836. You can contact our Data Protection Officer by writing to The DPO, Citizens Advice Scotland, Broadside, Powderhall Road, Edinburgh EH7 4GB.
If you are a member of CAS staff looking for information on Data Protection, including information on how to report a data breach, please refer to the CAS Data Protection Policy in the HR Zone.
Who are we?
We are the Patient Advice and Support Service (PASS). PASS is delivered by the Scottish Citizen’s Advice Network. Each local Citizen’s Advice Bureau (CAB), along with Citizen’s Advice Scotland (CAS), are members of the Scottish Association of Citizen’s Advice Bureaux (SACAB). CAB and CAS are responsible for keeping your information safe and making sure we comply with data protection law, making us joint controllers of your data.
If you have any queries about our privacy practices or about this Privacy Statement you can contact our Data Protection Officer by email at DPO@cas.org.uk or by writing to The DPO, Citizens Advice Scotland, Broadside, Powderhall Road, Edinburgh, EH47 4GB.
Please read the following carefully to understand our practices regarding your personal data and how we look after it. Please see our website privacy notice for more information about how we process your personal data
Processing your information
We want to make sure that you are provided with the best possible support and services that we can offer. To do this, we need to collect personal information about you so we can help you with your feedback, comment, concern or complaint about the NHS. This may include your:
- Date of Birth; and
- Contact details.
In order to support you with your NHS issue, we may also collect sensitive personal data including your:
- Medical history;
- Health records; and
- Current state of health.
We record this information on the legal basis of ‘public task’ under the Patient Rights (Scotland) Act 2011, sections 17 to 19.
We may also ask you for information such as your ethnicity, health, political and philosophical beliefs, religion, trade union membership, genetics, mental and physical health, sexual life or gender. This is called ‘special category data’. For any information that we process which we do not need to fulfil our ‘public task’, we will ask your explicit consent.
Who accesses your information?
If you call us, we may record the conversation for training and monitoring purposes. If you leave a voicemail on our helpline (0800 917 2127), the information will be stored on our internal system and will be accessed by management and administration staff at Citizens Advice Scotland and the specialist Patient Advisers in Citizens Advice Bureaux.
If you email us, your email will be accessed by management and administration staff at Citizens Advice Scotland and the specialist Patient Advisers in Citizens Advice Bureaux.
How we use your information
The main reason we need your information is to help solve your problem.
We’ll also access your information in order to review your situation if required – we’ll contact you when we do this to check if your circumstances or details have changed.
We may access copies of your Health Records, in line with the guidance on the NHS Inform website (www.nhsinform.scot/care-support-and-rights/health-rights/confidentiality-and-data-protection/health-records). This would be done with your explicit consent. If you provide us with your Health Records, we will keep these until you ask for them to be returned to you or destroyed. If Health Records are attached to a client record, they will be kept for a maximum of 7 years.
We’ll only access your information for other reasons if we really need to. This includes:
- Training and quality purposes;
- In order to investigate complaints; and
- To help us improve our services.
We might use your contact details to get in touch about your experience of our service or ask you to take part in surveys or research – we’ll only do this with your consent.
We use some information to create statistics about who we’re helping and what issues they face. This information is always anonymised – you can’t be identified. We share these statistics with funders, regulators, government departments and publicly on our blogs, reports, social media and press releases. The statistics also inform our policy research, campaigns, or media work.
Lawful basis we rely on to process your information
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances where:
- It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- We need to comply with a legal obligation.
- You have given us your consent. You have the right to withdraw consent at any time by contacting us.
- We need to perform a task carried out in the public interest under the Patient Rights (Scotland) Act 2011, sections 17 to 19.
When we process special category personal data, in addition to the above legal bases, the additional bases for processing that we rely upon are:
- where it is necessary for the purposes of the provision of health or social care or treatment or the management of health and for ‘Health or Social Care Purposes’ under Schedule 1, Part 1(2)(f) ‘the management of health care systems or services or social care systems or service’ under Schedule 1, Part 1(2) of the Data Protection Act 2018.
- with your explicit written consent.
- where it is necessary to protect you or another person from harm.
Less commonly, we may process this type of information where it is needed in relation to legal claims, or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
When we share your information
To provide our service to you, your information is shared with Citizens Advice Scotland as joint controller under a data sharing agreement and other staff within Citizens Advice Bureaux network.
We will only share your information outside the Citizens Advice Scotland & Citizens Advice Bureax network when we have a signed mandate from you and/or when the law requires, including where it is required for, or in connection with, any legal proceedings or where it is necessary for the purposes of preventing or detecting crime.
Who we share your information with
If you decide to raise your complaint with the NHS or take it to the Scottish Public Services Ombudsman (SPSO), we will share your information with them. We will always discuss this with you. The SPSO’s privacy notice is available on their website at www.spso.org.uk/privacy-notice-and-disclaimer and their document “Your Information Rights and the SPSO” is available on their website at www.spso.org.uk/sites/spso/files/communications_material/leaflets_public/general/your info rights.pdf.
We may sometimes suggest that you go to other third-party organisations as they may be able to help you with all or part of your issue. We will only make a referral and share your information with your consent.
We might choose to use your information for research purposes on the basis of ‘legitimate interest’. This will help us carry out our aims and goals as an organisation – for example, to create case studies and statistics for our national research. If we use it in this way, your personal details will be anonymised or pseudonymised. We will always ask for your consent before creating a case study.
Organisations we share your data with must store and use it in line with data protection law – they cannot pass it on or sell it without your permission.
If we are concerned about yours or someone else's safety
If something you have told us makes us think you, or someone you know, might be at serious risk of harm, we reserve the right to contact the emergency or social services. We may do this under the lawful basis of ‘vital interest’.
Storing your information
Whether you get advice face to face, over the phone, by email, or webchat, our adviser will log all of your information, correspondence, and notes regarding your problem on our case recording system. Some of your information might also be kept within our secure email and IT systems.
We keep your information for a maximum of 7 years. If your case has been subject to a serious complaint, insurance claim or other dispute we keep this personal data for a maximum of 16 years.
You have the right to withdraw consent at any time by contacting us at which point we shall stop processing your personal data in that way. Please note this does not affect the legality of our processing up to the date of your withdrawal of consent.
Will we share your Personal Data outside of the UK?
Where we transfer, store, and process your personal data outside of the UK or European Economic Area (“EEA”) we will use legally-provided mechanisms to lawfully transfer data across borders. We will transfer any personal data to and from the EEA and UK on the basis of the adequacy decisions for the UK and EU.
Your Legal Rights
You have certain rights under data protection law, which are summarised below. You can exercise these by contacting our DPO (firstname.lastname@example.org).
Under certain circumstances, you have rights under data protection laws concerning your personal data including the right to receive a copy of the personal data we hold about you, the right to rectification, restriction, erasure, objection, as well as the right to portability. You also have the right to make a complaint at any time to the Information Commissioner’s Office, the UK regulator for data protection issues (www.ico.org.uk).
To provide this protection, reCAPTCHA collects personal information from users to determine if they are human or bot. The collected information includes IP addresses, user agent details, and other data that reCAPTCHA deems necessary for its service. This data is subject to Google’s privacy practices.
For more information about reCAPTCHA and how it works, please visit the reCAPTCHA page.