Privacy notice

This page explains how we use your data.

This Privacy Notice is a statement by CLAO to clients and service users that describes how we collect, use, retain and disclose personal information which we hold. This privacy notice is part of our commitment to ensure that we process your personal information/data, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and any other applicable data protection law in the United Kingdom.

It applies to Personal Data provided to us, by both individuals that the data relates to or by third parties.

The Civil Legal Assistance Office is a service operated by the Scottish Legal Aid Board, which is the public authority which administers legal aid in Scotland in terms of the Legal Aid (Scotland) Act 1986. The Data Controller is the Scottish Legal Aid Board the contact details of which are shown on the last page of this notice.

We provide legal services directly to individuals as well as legal support to advice agencies. We also offer a referral and signposting service for individuals who want assistance with a legal problem. These are all functions of the Scottish Legal Aid Board.

In carrying out these functions we collect, use and retain different types of personal information about you. We rely on specific provisions under Article 6 of the General Data Protection Regulation as the lawful basis for processing of data, namely a task carried out in the public interest. Our lawful basis for processing your data as a client will also include our contractual obligations to you as a client.

We provide individuals with privacy information at the time that we collect their personal data. This privacy policy explains how we use any personal information we collect. 

What information do we collect from you?

Users of our service (Contact and clients)

We collect, use and store different types of personal information about you.  This may include:

  • Basic details such as name, address, relationship status, date of birth, phone number, National Insurance Number and email address  – where you have provided it to enable us to communicate with you by email
  • Your income and sources of income and capital, including bank details
  • Identity of any carer and contact details
  • Notes and reports about your legal problem
  • Relevant information from other professionals, relatives or others who are witnesses in your case
  • A record of any contacts you have with us such as phone calls and meetings.

Opponents, solicitors, witnesses, advice agencies, referees and referrers

Your personal information will be used for the purposes of conducting legal case work, second tier advice and training.

  • Basic details such as name, address, phone number and email address – where you have provided it to enable us to communicate with you by email.

Suppliers and service providers

If you are part of our supply chain, we will process your personal information for the purpose of procuring and consuming goods and services, and to fulfil our contract with you. This may include your personal contact information and information required for you to supply products and services to us.

  • Name, address, bank details, phone number and email address.

Complainants and enquirers

If you contact us with an enquiry, comment or complaint, we will use the personal information you provide to us to respond and resolve your issue. We may ask you to provide additional personal information if it is necessary for this purpose.

  • Name, address, phone number, email address, details of complaint and enquiry.

Visitors to our premises

Your personal information will be used to facilitate a visit to CLAO premises and to comply with Health and Safety Legislation and Security requirements.

  • Name, organisation, registration number, CCTV footage.

Some types of personal information are defined as special. We will only collect and use these types of information where we need to and using provisions under Article 9 of the General Data Protection Regulation.

Special categories of personal data include:

  • Racial or ethnic origin
  • Political opinions, religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data used for ID purposes
  • Health data
  • Sex life and sexual orientation
  • Criminal convictions data

Data security

We have put in place appropriate security measures to protect your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we will limit access to your personal information to those people who have a business need to know.

We have put procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

In some circumstances we may anonymise or pseudonymised personal data so that it can no longer be associated with you, in which case we will use it without further notice.

Data sharing

We will share personal data with third parties where we are required by law or where we have another lawful basis for doing so.

In sharing any of your information we will always comply with our professional duty of confidentiality to you as set out in Standards Rule B1.6 of The Law Society of Scotland.

Certain services are provided by third parties on our behalf and we may share your personal data with them for example, third parties are used to provide:

  • IT and cloud services
  • Translation and Interpretation services.

All of our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data. We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.

If you are part of our supply chain your information may be shared with:

  • Individuals involved in the procurement exercise or in the evaluation including individuals from other public sector bodies participating in the evaluation of bids, consultants or expert advisers involved in the tender exercise.

While we would not normally transfer data outside the EU, in exceptional circumstances where this is the case all personal data will be provided with adequate protection and transferred lawfully. Where we transfer personal data outside of the EU to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses.

We sometimes need to share the personal information we process with other organisations. When this is necessary, we will comply with all aspects of the relevant data protection laws. The organisations we may share your personal information with include:

  • Other agents and service providers who we use as part of the provision of services,  including other solicitors, advice agencies, counsel, intermediaries, expert witnesses, courts, and sheriff officers (or similar)
  • The police and other law enforcement agencies, HMRC and other government bodies where it is necessary to do so for the purpose of providing you with our services, or where we have a legal or regulatory obligation to do so
  • Relevant regulators, including the Information Commissioner’s Office in the event of a personal data breach, the Scottish Legal Complaints Commission, the Law Society of Scotland and The Scottish Public Services Ombudsman
  • Other parties in a dispute or legal proceedings, or other matter on which we are advising you.

Research

We, or organisations working on our behalf, may contact you for research purposes. Participation in such research is entirely voluntary: you are under no obligation to take part.

Data retention

We will retain your personal information as a client for as long as is considered necessary for the purposes for which it was collected, including any legal, accounting, or reporting requirements.

In relation to matters in which we act for clients, we follow the guidelines issued by the Law Society of Scotland concerning the retention of client files. This means that we will retain those files (and your personal information within them) for a minimum period of 10 years from the date on which the matter on which you have instructed us has completed. If the matter involves advice regarding a child or family law issue then we will either retain those files (and your personal information with them) until 10 years after the youngest child reaches the age of 16 or for the aforementioned 10 year period, whichever is longer.

In relation to matters where we have acted as a referral, signposting or second tier service, we will retain those records (and the personal information within them for a maximum period of five years from the last date you contacted us.

Other records, which are not required to be retained as part of our statutory function, will be kept for a period of time depending on:

  • the type, amount and categories of Personal Data we have collected
  • the requirements of our business and the services we provide
  • the purposes for which we originally collected the Personal Data
  • the lawful grounds upon which we based our processing
  • any relevant legal or regulatory requirements.

We will only process the personal information we hold in accordance with the General Data Protection Regulation and for SLAB’s function under the Legal Aid (Scotland) Act 1986.

We continually review our data retention policies, and we reserve the right to amend the retention periods without notice.

Changes to your data

It is important that the personal information we hold about you is accurate and up to date.

Please keep us informed if your personal information changes.

 

Your rights

Under the General Data Protection Regulation (GDPR) you have the right:

  • to be informed about how we collect and use your personal information through privacy notices such as this
  • to request information we hold about you. This is known as a subject access request and is free of charge. We must respond within one month, although this can be extended by a further two months if the information is complex
  • to rectification. You are entitled to have your information rectified if it is factually inaccurate or incomplete. We must respond to your request within one month. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner
  • to erasure. You have the right to ask us to delete your information or stop using it. It will not always be possible for us to comply with your request, for example if we have a legal obligation to keep the information. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner
  • to restrict processing. You have the right to restrict how your data is processed in certain circumstances, for example if the information is not accurate. If a restriction is applied, we can retain just enough information to ensure that the restriction is respected in future. If we decide to lift a restriction on processing we must tell you
  • to data portability. If we are processing your personal data with your consent, and it is held in a structured, commonly used, machine readable form, you have a right to ask us to transmit it to another data controller so they can use it. This right does not apply if we process your personal data as part of our public task
  • to object. You can object to your information being used for profiling, direct marketing or research purposes
  • to be informed about any automated individual decision making, including profiling, with legal or similarly significant effects and be given an opportunity to request human intervention or challenge a decision.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, request that we transfer a copy of your personal information to another party or request the reconsideration of an automated decision, please contact our Data Protection Officer at DPO@slab.org.uk.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our DPO. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.

If you are unhappy with the response you get from us, you can ask us to look again at your request – you can write to our Data Protection Officer at SAR@slab.org.uk or using SLAB’s postal address. At any time, you are entitled to ask the Information Commissioner to review our decision or to go to court to enforce your rights.

Changes to this privacy notice

We keep this privacy notice under regular review. This privacy notice was last updated on 10/03/2023.

Contact information

Data Protection Officer

Scottish Legal Aid Board
Thistle House
91 Haymarket Terrace
Edinburgh
EH12 5HE

Email: DPO@slab.org.uk

Telephone: 0131 226 7061

The Information Commissioner

You can find information about how to report a concern to the Information Commissioner on her website at www.ico.org.uk/your-data-matters/

Alternatively you can call them on 0303 123 1113 or write to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Or to the Scottish Regional Office for the ICO:

Information Commissioner’s Office
Queen Elizabeth House
Sibbald Walk
Edinburgh
EH8 8FT

Tel: 0303 123 1115

www.ico.org.uk/about-the-ico/who-we-are/scotland-office/