The Carnegie Trust for the Universities of Scotland is fully committed to the principles of personal data protection, as set out by General Data Protection Regulation (GDPR, 2018). The Trust adheres to these principles throughout all its activities, as specified in our Data Protection Policy.
This statement summarises and puts into context the main elements of this Policy.
Why we collect personal information
To fulfil our charitable mission – i.e. to support students and academics at the universities of Scotland – we process personal information for a number of purposes.
These purposes include:
- Publicising opportunities to apply for grant funding from the Trust;
- The assessment of applications for grants;
- The award of grants;
- The management and governance of the Trust;
- Dissemination of information about the Trust’s activities;
- Fundraising; and
- Maintaining the historical record of the Trust.
What types of information we collect
Your exact personal details that are being processed by the Trust depend on the purpose for which they are required. At the time that these data are gathered specific Privacy Notices are issued so as to notify you what information will be held and the purposes to which it will be put.
Depending on the nature of your relationship with the Trust, these details may include, amongst other possibilities, some of the following:
- Names, postal & e-mail addresses, telephone numbers
- Date and place of birth
- Gender, ethnicity, disability information, marital status;
- Log-in credentials (including username and password);
- Social media account ID (e.g. Twitter handles);
- Payment information (such as bank account details);
- Educational background and qualifications;
- Marketing preferences (e.g. whether you have opted to receive newsletters, annual reports, etc);
- Records of contacts (e.g. your requests or enquiries, visits to premises, event attendance, reviewing/assessment activities, panel participation);
- Opinions you have offered, feedback, complaints, comments and/or suggestions;
- Personal preferences, access needs, and dietary requirements;
- Employment related information;
- Security related information (including security incident reports and CCTV footage of our public areas).
The personal information collected may be stored in electronic and/or hard copy formats.
All information collected will be limited to the necessary details only and will not be used beyond the purposes indicated.
How we collect personal information
Where there is a legitimate interest in holding certain information – i.e. when the data are required to assess a grant application or in connection with a financial award from the Trust, etc. – the necessary details and approvals are collected as part of the relevant process (e.g. on an application form or as part of a grant acceptance agreement).
Where the provision of personal information or the agreement to receive certain communications from the Trust is optional, you are informed that this is the case and asked to agree explicitly, or not, to your data being used for such purpose.
The Trust collects personal information through one or more of the following data collection media:
- Our physical site (i.e. through your interaction with staff members, systems or equipment located within Andrew Carnegie House, Pittencrieff Street, Dunfermline);
- Internet-accessible websites and micro-sites as may be updated and/or extended from time to time, including our main website at www.carnegie-trust.org and the individual web portals associated with our services;
- Other online/mobile interactive features;
- Official social media pages (which may be provided in partnership with a third party social media platform such as Facebook, Twitter, LinkedIn where other privacy policies and practices will apply);
- Electronic communication channels (i.e. telephone, SMS/text message, email, fax).
In general, the Trust will acquire the personal information it requires about you directly from yourself. However, it may also collect and/or add information from other sources when it is lawful to do so and when that is likely to enhance the efficiency and relevance of the services that we provide. Such external sources may include:
- Internet search results or publicly available data from social media, etc.;
- Individuals and/or organisations whom you have confirmed may provide us with personal information (e.g. referees);
- Government, tax or law enforcement agencies;
- Other sources (such as when personal information about you is volunteered by a third party, e.g. in a complaint or group booking).
How we use personal information
The Trust may use personal information for a variety of purposes, depending upon your relationship with us. Some examples of the use to which we may put your information (subject to your agreement, as appropriate) are as follows:
- to enable you to participate in our grant programmes;
- to respond to, action and/or deal with your feedback, requests and enquiries;
- to ensure that our programmes are delivered and communicated in the most effective manner;
- to manage and improve services;
- to review and analyse your interaction with the Trust in order to develop and improve the quality of our offering and strengthen our relationship;
- to personalise our services so as to present you with content and information which are tailored to your needs;
- to send you communications about the Trust and its activities;
- to invite you to provide feedback, assist with surveys, and input into consultation and evaluation exercises;
- to provide you with administrative information, announcements and updates;
- to contact you so as to ensure our records are accurate and up to date;
- to fulfil any contractual obligations assumed by the Trust (e.g. in the processing of payments);
- to comply with our legal obligations and to perform our statutory and public functions and duties;
- to administer our legitimate internal management analysis, audit, forecasts and business plans and transactions;
- to enforce our rules and policies (e.g. our Equality & Diversity Policy);
- to ensure your safety and the security of our premises;
- to establish, defend or exercise our legal rights;
- to comply with orders, requests received from public, regulatory, governmental and judicial bodies; and
- to comply with our legal, regulatory and internal governance obligations (e.g. record retention policies).
Personal information will, however, be processed if and only if one or more of the following conditions has been satisfied:
- It is necessary for the Trust’s fulfilment of an agreement with you (e.g. a grant award);
- You have provided informed, unambiguous consent for your information to be used for the specified purpose(s);
- It is necessary for the purposes of the Trust’s legitimate interests;
- The Trust is under a legal obligation to do so (e.g. for equality monitoring, employment or health and safety purposes);
- It is in the public interest and required in the performance of our official duties.
Where the approval given for us to use your personal information in a certain manner was optional, you may withdraw your agreement at any time by contacting us.
Personal information provided will only be used for the purpose indicated at the time it is collected.
From time to time, we undertake online surveys of current/previous grant-holders and others to evaluate the impact of our grant schemes.
Survey results are only used to evaluation purposes. Information contained in survey results will never be attributed to the person who submitted it without their explicit consent. Survey results are anonymised and, for information and/or research purposes, may also be made available to other organisations.
All data collected through surveys will be held securely by the Trust. Data will be stored for a maximum of two years, after which it will then be destroyed. Data required for career-tracking purposes may be kept for a longer period of time in anonymised form.
Do we share personal information with third parties?
Personal information will be made available to those members of the Trust’s staff who need to see it in the context of their role and the purpose for which it was collected. Information may be held in our Customer Relationship Management (CRM) database in order to consolidate details of your dealings with the Trust in their entirety. Where it is necessary to share data with routine external service providers, such as caterers or transport companies, this will be on a need-to-know basis only. The sharing of any more substantial personal data with a third party will only occur with your approval and with a confidentiality agreement put in place prior to the disclosure.
How we protect personal information
Appropriate organisational and technical measures are used to ensure your personal data is secure and protected from loss, misuse and unauthorised access or alteration. The Trust takes all possible steps to protect the security of personal information in accordance with our legal obligations, whether it is being stored in physical or electronic form. In the latter case it will be held on a secure server in a password protected format and made accessible to staff on a need-to-know basis only.
On occasion, the Trust may implement changes or improvements to its systems. Any information used to test or develop new systems is managed in a secure and confidential manner.
Please note, however, that the Trust cannot guarantee the security of the transmission of personal information via the internet. All personal information should therefore be submitted online only if you accept the incumbent security risks.
How long will we retain personal information?
The Trust will keep personal details on record until we have dealt completely with your request, enquiry or contract and then for a reasonable period thereafter in accordance with data protection and other legislation.
Should the Trust decide that the retention of personal information is no longer necessary, all such information will be destroyed/deleted in a secure and confidential manner.
However, limited personal information provided to the Trust in relation to its Grant Recipients and Scholarship Alumni, will be kept indefinitely for the purposes of maintaining a comprehensive archive of the Trust’s historical activities.
What rights do you have in relation to personal information?
You are entitled to request:
- If and how your personal data are being collected and processed;
- A description of the nature of the personal data that are being collected and processed;
- Copies of, and/or access to, your own personal information (see: How do I make a subject access request?, below);
- That your personal information be corrected and/or amended where inaccurate or incomplete;
- That your personal data be deleted or that the Trust stop using them once there is no longer a need to do so;
- That the Trust stop sending general communications;
- That approval be withdrawn in any other instances where agreement to use of your personal information for a particular purpose was optional.
How do you make a subject access request?
If you would like to make a subject access request please email our Data Officer.
What action(s) will we take in response to a personal data breach?
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In instances where a data breach is likely to endanger your rights to privacy, the Trust will notify you immediately.