Updated May 2018
Any personal data collected through the Don’t Risk It website will be treated as confidential. We have a legal duty to protect any information we collect from you. We use leading technologies to safeguard your data, and keep strict security standards to prevent any unauthorised access to it.
Who we are
Don’t Risk It is a Scottish Government campaign. This means that The Scottish Government is the Data Controller in respect of personal information that we gather and process in relation to dontriskit.info.
Collection and Use of Personal Information
The information we collect from visitors to this site is their site usage information from session cookies and log files only.
Why do we need it?
We need to know your basic personal data to:
- Monitor, measure, improve and protect the content of our website and services to provide an enhanced and personal user experience for you.
Legal basis for processing
In order to process and use your personal information lawfully, we rely on the following legal basis:
- Consent – This applies when we store analytical cookies on your device to measure your interaction with the site so we can make improvements on your device.
Cookies and Website Traffic Analysis
When users enter the dontriskit.info website their computers will automatically be issued with ‘cookies’. Cookies are text files which identify users’ computers to the Scottish Government’s server. The website then creates “session” cookies to store some of the preferences of users moving around the website, e.g. retaining a text-only preference. Cookies in themselves do not identify individual users but identify only the computer used and they are deleted on departure from the website.
Many websites do this to track traffic flows, whenever users visit those websites.
The information collected by Don’t Risk It will include IP Address, pages visited, browser type and operating system. The data will not be used to identify any user personally.
Users have the opportunity to set their computers to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these means that certain personalised services cannot then be provided to that user.
Who we share your information with
We may share your personal information with third party organisations to enable us to deliver marketing services. These third parties do not retain, share, store or use personally identifiable information for any secondary purposes and are fully appraised by Scottish Government before we enter into contracts with them. A third-party data processor is an entity that processes Personally Identifiable Information on behalf of a data controller (The Scottish Government). The data processor will not pass on the data or act upon the data without instruction from the data controller.
For example, we use a third-party service, Google Analytics, to collect information on how you use the site, using cookies and page tagging techniques. The information we – and Google – collect doesn’t identify anyone.
If we do want to collect personally identifiable information through the site, we will be upfront about it.
How long will we keep it?
We will keep your information only for as long as necessary depending on the purpose for which it was provided. When determining the relevant retention periods, we will take into account the guidelines issued by relevant data protection authorities. Otherwise, we securely erase your information once this is no longer needed.
Log files stored on the Scottish Government’s web server allow the recording and analysis of users’ use of the website. Log files do not contain any personal information.
This website contains links to other sites. Please be aware that the Scottish Government is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement applies solely to information collected by this website.
We do not use your personal information for any form of automated decision-making.
How is your personal information transferred outside the EEA?
We, or our third-party service providers, may host, store and handle your personal information outside of the European Economic Area (EEA).
We will only permit this to happen if adequate safeguards have been put in place to protect your personal information. This means that we will:
- ensure that the country in which your personal information will be handled has been deemed “adequate” by the European Commission under Article 45 of the General Data Protection Regulation (GDPR);
- include standard data protection clauses approved by the European Commission for transferring personal information outside the EEA into our contracts with those third parties (these are the clauses approved under Article 46.2 of the GDPR); or
- (in the case of transfers from the EEA to the USA), ensure that the recipient of the personal information has certified with the US-EU Privacy Shield Framework, as permitted by Article 46.2 of the GDPR.
Your rights in relation to the personal information we process:
- Right to be informed
You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights. This is why we’re providing you with the information in this Privacy Notice.
- Right of access
You have the right to obtain access to your personal data (if we’re processing it) and certain other information (similar to that provided in this Privacy Notice) by making a data subject access request. This is so you’re aware and can check that we’re using your personal data in accordance with data protection law.
- Right to rectification
You are entitled to have your personal data corrected if it’s inaccurate or incomplete.
- Right to erasure
This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal data where there’s no compelling reason for us to keep it. This is not a general right to erasure; there are exceptions.
- Right to restrict processing
You have rights to ‘block’ or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further.
- Right to data portability
You have the right to obtain and reuse your personal data in a structured, commonly used and machine-readable format in certain circumstances. In addition, where certain conditions apply, you have the right to have such information transferred directly to a third party.
- Right to object to processing
You have the right to object to certain types of processing in certain circumstances. In particular, the right to object to the processing of your personal data based on our legitimate interests or on public interest grounds; the right to object to processing for direct marketing purposes (including profiling); the right to object to the use of your personal data for scientific or historical research purposes or statistical purposes in certain circumstances.
- Right to withdraw consent
If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for direct marketing.
You have a right of access to any personal data we hold about you, by making a Subject Access Request (SAR). In addition, if you believe that the data we hold is inaccurate or incomplete you can ask us to update our records. If you are unhappy with the way in which we process your personal data you can request that we stop or restrict the processing we complete using your personal data or ask us to delete the personal data we hold about you. In some circumstances we may not be able to comply with your request. This is because some of these rights are conditional and can only be applied in certain circumstances and/or where there is no compelling reason to continue to process your personal data.
The Data Protection Officer
Data Protection and Information Assets Team
The Information Commissioner
If you’re not satisfied with our response to any complaint or believe our processing of your information does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office (ICO) using the following details:
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone number: 0303 123 1113
Notification of Changes
We may update our Privacy Notice from time to time. If we do, we will post the changes to this privacy statement, and other places we deem appropriate so users are always aware of what information we collect, how we use it and under what circumstances. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it. If we are going to change the way we use personal data from that currently stated we will notify users via email.