Privacy Notice

This notice applies to all websites & Services delivered by SCARF Group. SCARF Group is a Scottish Registered Company based in Scotland (SC094819) and considers Scottish law to be its lead supervisory authority. All significant decisions about data processing and policy implementation will be made using UK GDPR (General Data Protection Regulation) This policy is set out to help you understand the types of data that we collect from you and or your business and how that data is collected & processed. 

Commitment 

We are committed to protecting the privacy and security of your personal information. We continually monitor compliance through implementing policies & procedures to safeguard data and by setting regular reviews to manage these policies and procedures.  

Data Controller 

In accordance with ICO Requirements of Data Controllers SCARF Group is registered with the Information Commissioners office (Z7765191).  We act as a data controller and decision maker and in some cases, we act as a data processor depending on the processing being performed and our relationship with you. We continue to use the ICO guidance and self-assessment toolkits when evaluating if we are a Processor, Controller or Joint Controller. 

About Us 

SCARF is an accomplished social enterprise, delivering a range of advisory and support services to householders & businesses throughout Scotland. We are contracted to deliver advisory, grant assistance, support services on behalf of Scottish Government & Local Authorities. 

How we get information 

Through our Enquiry & Customer Service handling Centre we collect information via written, Telephone, Email, Live chat & voice messages. We may also provide home visits to both residential and commercial property. We collect information when we attend various community events & exhibitions. We may also be provided with your data as a request for support through social services, welfare rights & other agencies that have acted on your behalf. We also collect information as part of the recruitment and selection process.

Information we collect  

The information we collect is dependent of your existing or prior relationship or to the organisation and if a Client/Service user will depend on the services you are accessing the categories & types of data we collect are.  

 

Client/Service User – Personal, financial & Special Category Data  

Name, Marital Status, Address, email address, Contact number, Delegated Contact information.  

Date Of Birth, National insurance number, The nature of occupancy, Passport/ Drivers Licence/Accord Card or equivalent identification card, Confirmation and verification of benefits received, We record inbound and outbound calls, Entitlements for reductions such as council tax/school meals, Health & Illness related information, Assessment & Verification for eligibility for various redress programs which may include copies of bank account statements, documentation to support claims due to unemployment/poverty status, We will also collect copies of information around your payment/billing status which may indicate debt 

We also collect indirect information about you where you have been referred to scarf for support through 3rd party services such as Housing Associations, welfare rights, hospital discharge support services. 

 

Employee, Applicant- Personal, financial & Special Category Data.  

Name, Address, Age/date of birth, Email, Birth number, Sex/gender, Photographs, Marital status, Nationality/citizenship/place of birth, contact details, Emergency contacts/next of kin information and details of any dependants, A copy of your driving licence and/or passport/identity card, Education details, Employment history, Current job title/specialism/industry sector, Skills and languages spoken. 

Referee details, Immigration status (whether you need a work permit) Start date or availability date, Details about your previous and current remuneration, pensions and benefits arrangements, Details of hours worked (once you have been placed in a role) Information on your interests and needs regarding future employment, Bank details, Financial information (where we need to carry out financial background checks) Social security number (or equivalent in your country) and any other tax-related information, Details of racial or ethnic origin, sexual orientation, religious or other similar beliefs, and physical or mental health, including disability-related information, diversity monitoring, Sexual orientation (for example where you disclose this through providing next-of-kin details) Physical or mental health, including disability-related information in order to enable us to make reasonable adjustments and health-related information when we need to use or offer occupational health to you in the context of certain types of roles, Details of health-related information arising from or in connection with the COVID-19 or other pandemics, if this is required for a role that you are interested in applying for or where volunteered by you, e.g. a test result (whether positive or negative) or vaccination history (including medical conditions relating to or affecting vaccination) where appropriate, In certain circumstances, video recordings of Candidates attending or participating in training or meetings where individuals have consented to the recording Details of any criminal convictions if this is required for a role that you are interested in applying for. 

 

Indirect information we collect may include  

Extra information that your referees choose to tell us about you, Extra information that our Clients or service users may tell us about you, or that we find from other third party sources such as job sites (which you have uploaded information onto, or is otherwise made available to us) Information about your interests and needs regarding future employment, both collected directly and inferred, for example from jobs viewed or articles read on our website or from links clicked on in emails from us.

 

Stakeholders, Business Contacts, Consultant Supplier, Contractor- Personal, financial & Organisation Data 

Due diligence measures we carry out on a business may include reviewing information available on companies house as well as information we have asked the business to provide directly on supplier forms,  we may carry out measures depending on value or service being delivered which may directly or indirectly identify individuals carrying out work for this supplier , Contact information around directors, Contact information around key account management , Contact information around delivery of services including physical deliveries, When supplier visit sights information will be collected to sign into or access a building to carry out work, Required registration validation checks may reveal key individuals (such as a DPO registered against an organisation).

 

How we use your information (purpose) 

• To Help individuals save money, reduce fuel consumption & poverty. 

• respond, provide support, make assessments and recommendations around products and services we signpost or provide. 

• Establish eligibility for grants, redress funding & other support services we deliver directly or on behalf of another service provider. 

• Provide reporting statistical analysis for staffing levels. 

• Identify trends and measuring effectiveness of marketing campaigns. 

• Service quality, improvements, identify & meet training requirements. 

• Notify you of changes to our services. 

• Validation and verification of Identity  

• Contract Monitoring, Service Audit and Compliance  

• Fraud, Crime detection, prevention, and reporting 

• Profiling we may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you.  We may make use of additional information about you when it is available from external sources to help us do this effectively. We may also use your personal information to detect and reduce fraud and credit risk. 

• Like many other websites we use cookies. ‘Cookies’ are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. For example, we use cookies to store your country preference. This helps us to improve our website and deliver a better more personalised service. It is possible to switch off cookies by setting your browser preferences. Turning cookies off may result in a loss of functionality when using our websites. 

• Job applications form part of our recruitment process to validate and evaluate and review potential and existing staff.   

• Employee Support, HR, Benefits, Training, absence, SSP, Maternity, pension, PAYE, Diversity monitoring, HMRC compliance 

Websites & Applications 

We automatically collect certain information when you visit, use, or navigate the Website. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our website and other technical information. This information is primarily needed to maintain the security and operation of our website, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies. 

The information we collect includes: 

• Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our website and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings and information about your activity in the Website (such as the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called ‘crash dumps’) and hardware settings). 

• Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Website. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model Internet service provider and/or mobile carrier, operating system, and system configuration information. 

• Location Data. We collect location data such as information about your device’s location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the Website. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. Note, however, if you choose to opt out, you may not be able to use certain aspects of the Services. ‘Cookies’ are small pieces of Information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. example, we use cookies to store your country preference. This helps us to improve our website and deliver a better, more personalised service. It is possible to switch off cookies by setting your browser preferences. Turning cookies off may result in a loss of functionality when using our websites. 

If you would like to opt-out of Google Analytics monitoring your behavior on our website, please use this link (https://tools.google.com/dlpage/gaoptout/)  

 

3rd Parties  

Our websites & information we share around events & involving stakeholders may contain links to other websites run by other organisations. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website. In addition, if you linked to our website from a thirdparty site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site. 

 

Social Media 

SCARF can be found on social media platforms such as Facebook, Instagram, Twitter and LinkedIn, Eventbrite & Meetup. These platforms are an important part of our business efforts, so you may be presented with retargeting ads or emails in future following a visit to our website where you register/subscribe to events or newsletters we provide. We may target ads at audiences that we believe match the profile of our target audience and may be interested in our services. We may tag or mention you where we are carrying out business promotion /collaborations. These platforms are run by commercial companies and SCARF is not the Data Controller or Data Processor of your social/professional media profile. You should contact these social media platforms directly if you have concerns over how your personal data is being used and stored by them. 

 

Lawful Basis 

When SCARF handles personal data, it is essential to ensure compliance with data protection laws by establishing a lawful basis for processing. There are six available lawful basis, namely: Consent, Contract, Legal obligation, Vital interests, Public task, and Legitimate interests. 

Our lawful basis for processing your data is a combination of Consent, Contract, legal obligation and Legitimate Interest depending on your relationship with us and which services we are delivering for you. We use legitimate interest when we use your data to keep you up to date with changes and improvements to our services and is necessary for keeping you updated. 

Your relationship to SCARF determines whether we function as a Data Controller, Joint Controller, or Processor. Primarily, due to the services SCARF provides and the type of data it processes, SCARF regularly operates as a data processor for its Service Users and In most instances, we act on behalf of a Data Controller, such as Scottish Government or Local Authorities. Our controller/processor status is decided and controlled through contractual or Data Processing Agreements, specifying the data to be collected and determining the legal basis for processing provided by the Data controller.  

 

The Principles 

Whether we are acting as a data controller or processor we continue to apply the UK GDPR principles to all personal & Sensitive data that we hold or process and these principles lie at the heart of our approach to processing personal data.  

1. Processed lawfully, fairly and in a transparent manner in relation to individuals.  
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes.  
3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.  
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay.  
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals.  
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. 

Sharing Information  

• We share only the information required to deliver advice services & support to you. This may include sharing your information with our suppliers to carry out this work in your home.   

• We will not sell or rent your information to third parties.  

• We will not share your information with third parties for marketing purposes.  

• We may share or disclose your information under the following circumstances: when we suspect or detect instances of fraud, whether actual or attempted, identified during the assessment or delivery of our services; or when we believe a crime has been committed against our staff, individuals, or the organisations we deliver services on behalf of including but not limited to Service Providers, Financial Institutions, Banks, Local Authorities, Scottish and UK government. 

• We may be required to transfer your information to a third party as part of a sale of some or all of our business assets to a third party as part of any business restructuring or reorganisation.   

• We may also be required to disclose or share your personal data in order to comply with any legal obligation or to enforce or apply our terms of use or to protect the rights, property or safety of our supporters and customers. However, we will take steps with the aim of ensuring that your privacy rights continue to be protected. 

• We share & report all financial payment information with HMRC for compliance including PAYEE & National insurance, Pension contributions, Student loan deductions, benefits & expenses, SSP & SMP for our employees.  This information is also viewed by accountants contracted to provide audit and compliance services for us. 

Children 

We do not anticipate providing services directly to children, however we do understand that if this change occurs, we will make provisions to verify age.  We will also make further provisions to gain parental or guardian consent for data processing activity where required.  

Protecting your personal information 

SCARF Group will continue to look for new ways to protect data. However, in the event of a data breach we will notify the ICO (Information Commissioners Office) within 72 hours of becoming aware of the breach. Where we do not yet have all the relevant details, we will notify you when we expect to have the results of the investigation. We use the ICO guidance framework on managing a security breach to guide us. 

International 

All significant decisions about data processing and policy implementation will be made using UK GDPR.  As part of the services offered to you the information which you provide to us will not be transferred to countries outside the UK. Our servers are Located inside the UK If we have a requirement to transfer your information outside of the UK in any way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy. 

If you use our services while you are outside the UK, your information may be transferred outside the UK in order to provide you with those services. 

Your data protection rights 

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. 

Your right of access – You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. 

Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. 

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances. 

Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances. 

Your right to object to processing – You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests. 

Your right to data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. 

Please contact us at dataprotection@scarf.org.uk   if you wish to make a request.  

Further information around your rights can be found at https://ico.org.uk/your-data-matters