Employment relationship privacy notice
This document is for members of staff who are employed with the SLCC and former employees.
The Scottish Legal Complaints Commission (‘the SLCC’) is committed to ensuring that its data processing activities are fully compliant with the data protection laws and the changes introduced by the General Data Protection Regulation (‘the GDPR’).
The SLCC is the ‘Data Controller’, which decides how your personal information is processed and for what reasons.
Our Privacy Notice lets you know what we will do with your personal information while we have it in our possession and how we will make sure that it is kept safe.
Click on the > headings below to find out more about how we use and protect your personal information:
We were set up by the Legal Profession and Legal Aid (Scotland) Act 2007 (“the 2007 Act”) to act as the first point of contact for all legal complaints about Scottish legal practitioners, including solicitors, advocates and commercial attorneys.
Our aim is to modernise the legal complaints system and to enable to complaints to be resolved quickly and effectively.
We are committed to being transparent about how we collect and use our employees’ information.
We have an obligation as a Data Controller to ensure that personal information that we receive from you and that which is generated by us about you, is used in accordance with current Data Protection laws and the GDPR.
We must lawfully process your personal data for limited purposes relating to the employment relationship. The personal information that we hold about you must be adequate, relevant and accurate, kept up to date and retained for no longer than is necessary.
If you have any questions about how we use your personal information, or you would like more information, you can speak to our Data Protection Officer:
Alison Marron (DPO)
Scottish Legal Complaints Commission
The Stamp Office
10-14 Waterloo Place
Phone: 0131 201 2130
We may contact you by post, email, telephone or by fax about any issue relating to your (former) employment with us.
If you want us to contact you in a particular way or you do not want us to contact you once your employment with us has ended, please let us know.
Personal information relates to a living individual who can be identified from that information. Identification can be by the information alone or along with any other information held by us.
The GDPR sets out a number of conditions to make sure that we process your personal information lawfully. The conditions are:
- Consent, i.e. you specifically agree to us processing your personal information.
- Performance of a contract, e.g. to provide services or goods.
- Legal obligation, e.g. we are required by law to liaise with HMRC on tax and NI
- Vital interests, e.g.to protect someone’s health/life.
- Performance of a public task or official authority, e.g. public functions or powers set out in law.
- Legitimate interest,i.e. where processing is necessary and information will be used in a way which can reasonably be expected.
In terms of the employment relationship, we have a legitimate interest to process your personal information. We are able to show a legitimate interest in circumstances where we process your personal information in ways which you would reasonably expect, or where there is a compelling reason for processing your personal information.
There could also be legal reasons. For example, the names of directors of the business must be published in the annual accounts, we must provide information to HMRC, and we must provide the names of certain staff holding roles defined in statute to supervisory bodies or regulators.
We may sometimes need to process your personal information to pursue our legitimate business interests, e.g. to prevent fraud, for administrative purposes or reporting potential crimes. If, in the future, we intend to process your personal information for a purpose other than that for which it was collected, we will let you know about that purpose and any other relevant information first.
You will find more detailed information about the work that we do and the legal basis that we rely upon to use your personal information in our Guide to Data Protection.
The personal information that we receive from you (and that which we generate about you) for the purposes of the employment relationship will include the following:
- Your application form for employment with the SLCC.
- Your equal opportunities form.
- Personal information about any reasonable adjustments that we may need to make for you.
- A copy of your Curriculum Vitae.
- Personal references in support of your employment application.
- Interview and assessment notes taken during your interview.
- Your contract of employment.
- Basic Disclosure Scotland Certificate.
- Your contact details, including emergency contact names and numbers.
- Information about you which is needed for payroll, staff benefits and expenses purposes.
- Your bank/building society details.
- Records of your holiday, flexi-time, sickness and other absences, which may include information about bereavements, maternity, paternity, parental leave, unpaid emergency leave and attendance at training courses.
- Your performance appraisals.
- Any grievance and disciplinary records about you.
- Performance management records about you.
- Information relating to any accidents that you have suffered in the work place.
- Correspondence with or about you, e.g. letters about a pay rise or, at your request, a letter to your mortgage provider confirming your salary etc.
In addition, we can monitor your computer use, as detailed in our IT Use Policy and Employee Handbook.
We also keep records of your hours of work by use of our clocking in and out of our Time and Attendance system (currently Mitrefinch), as detailed in the Employee Handbook, and in ‘AlertCascade’ to help us contact you in an emergency.
‘Special Category’ personal information requires additional protection. These categories include information relating to:
- ethnic origin
- political opinions
- religious and philosophical beliefs
- trade union membership
- biometric data
- sexual orientation
Where necessary, we may keep information relating to your health, which could include reasons for absence and GP/Occupational Health reports and notes. This information will be used by us so we can comply with our health and safety and occupational health obligations, i.e. to consider how your health affects your ability to do your job and whether any reasonable adjustments might be appropriate. We also need this information to administer and manage statutory and company sick pay and our life assurance policy.
Where we are intending to process Special Category personal information, we will always obtain your explicit consent, unless this is not required by law or the information is required to be processed to protect your health/life in an emergency.
For the purposes of the employment relationship, we may require your consent to process your personal information in certain circumstances, such as if we appoint a new supplier of an HR service.
Where we ask you for consent to process personal information, it is important that consent is given freely. Consent must be specific, informed and unambiguous.
You have a right to withdraw consent at any time. If you wish to do so, you can contact the Data Protection Officer.
If you do not provide us with the personal information we need, we may be unable, in some circumstances, to comply with our obligations as your employer. We will tell you about the implications in such circumstances and what action we may take.
Feel free to talk to our HR Manager and/or our Data Protection Officer if you are worried or have any questions about this.
If your personal information changes, e.g. your name, address and contact details, please advise the HR Manager about the changes as soon as possible. We will then update the records that we hold about you.
We make sure that we:
- keep personal information up to date.
- store and destroy it safely.
- only collect or keep information that we need.
- protect personal information from loss, misuse, unauthorised access and disclosure.
- ensure that we use appropriate technical measures to keep information safe.
As your employer, we need to keep and process information about you for normal employment purposes. The information we hold and process will be used for management and administrative purposes only. We will keep and use it to enable us to run the business and manage the employment relationship with you effectively, lawfully and appropriately. This applies during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left.
We will use your personal information to enable us to comply with the employment contract, to comply with any legal requirements, to pursue the legitimate interests of the SLCC and protect our legal position in the event of legal proceedings.
We will keep your personal information in accordance with our Records Management Policy, which includes details of how long we keep information and our processes for destroying your personal information.
The majority of your personal information is stored electronically on Mitrefinch and in a restricted folder on the SLCC’s folders, that only 2 people have access to. We also keep a paper file for each individual employee. These files are held in fire-proof, password protected cabinets that only 3 people have access to.
We will not share personal information about you with third parties without your consent, unless the law allows or requires us to do so, or where we need to comply with our contractual duties to you.
We may need to share your personal information with certain third party agencies, in order to fulfil our contractual obligations, such as:
- HR consultants (currently Magenta HR)
- Occupational Health (currently Integral)
- Pension provider (Standard Life)
- Life Assurance Scheme Provider
- Training providers
- Legal Advisors
In these circumstances, we will keep the information that we share to a minimum.
We never publish information which identifies individuals.
If required, we might need to share information to assist in any investigation into alleged criminal or illegal conduct.
We have undertaken an audit of the personal information which we hold, so we know and we can provide details of our data processing activities. We have identified what personal information we have, whose information it is, when and where the processing occurs and where we keep it. Now we have this information, we can make sure that we keep that this personal information is kept safe and only the appropriate people have access to it.
We have various policies in place regarding the security of information, and the steps which we need to take if there is an information security breach. Our Business Continuity Plan explains the steps that we will take in the event of a serious situation, which could result in personal information being lost, destroyed or made inaccessible, e.g. due to a fire, flood or a computer hacking situation.
We have a regularly reviewed Risk Register, which helps us to analyse the risks presented by our processing and we use this to assess what steps we need to take to keep information safe.
Our building and storage facilities are appropriately secured, e.g. controlled entry, locked doors, locked cabinets etc. Our computer systems are safeguarded with firewalls and antivirus software, we have regular backups of data and we use appropriate passwords and encryption of devices, such as USB sticks.
The very nature of our business, i.e. dealing with legal complaints, is one which requires a culture of confidentiality amongst our employees. Training is provided to all staff at induction and on a regular basis, to ensure that employees understand the need for personal information to be kept confidential and secure. Employees are also trained on information and IT security and how to avoid data breaches.
We have a Retention and Destruction policy and a Records Management Policy, which set out how long we will store personal information for and the arrangements for the anonymisation of personal information.
Your personal information will be stored in line with our Records Management Policy and our Retention and Destruction Schedule.
We respect your privacy rights. Where we hold personal information about you, in certain circumstances, you have rights about how we hold that information. Your rights include the right to:
- request information about or restrict processing of your personal information.
- request correction of inaccurate or incomplete personal information.
- have your personal information erased (this is known as ‘the right to be forgotten’).
- request access to your personal information.
- request that your personal information is moved, copied or transferred (this is known as ‘the right of data portability’).
- withdraw consent previously provided.
If you wish to know more about how to exercise your rights, or you wish to make a request about the personal information which we hold, please contact our Data Protection Officer.
You can also find more information on the ICO’s website.
You are entitled to ask us for a copy of the personal information that we hold about you. To do this, you can contact our Data Protection Officer. We will usually respond within 1 month, but if the request is complex or there is a lot of information, we have up to 3 months to respond.
There is usually no charge for making a request for your personal information.
There are some circumstances when we don’t have to provide you with the personal information that you have asked for, or when we might charge a fee, e.g. the information also includes information about someone else and we do not have their permission to give it to you or we consider the request to be unfounded or excessive.
If we refuse to give you your personal information, we will explain why. If you are not happy, you have the right to contact the Information Commissioner’s Office (‘the ICO’). You must do this within 1 month.
This Privacy Notice was created on 24 May 2018. Its terms will be regularly monitored and formally reviewed after 6 months. Thereafter the review will take place at least every 2 years.
We can decide to change our Privacy Notice at any time without having to let you know first. If we make any changes or plan to use personal information for a new purpose, details will be posted on our website. If we think that it is necessary to tell you directly about changes which we have made, we will contact you.
If you are unhappy about the way that we have used/processed your personal information, feel free to contact our Data Protection Officer, who will try to help you with your concerns.
If you remain unhappy, you can make a complaint to the ICO, which is the UK’s Supervisory Authority for data protection issues:
Information Commissioner’s Office - Scotland
45 Melville Street
EDINBURGH EH3 7HL
Phone: 0303 123 1115
Employment relationship privacy notice
- Current Vacancies
- Working at the SLCC
- Our Recruitment Process
- Job Applicants’ Privacy Notice
- Employment relationship privacy notice
- Who are we?
- What we do as an employing organisation
- How you can contact us
- How might we contact you?
- What is personal information?
- What is the legal basis for us processing your personal information?
- What personal information do we collect about you?
- What is ‘Special Category’ personal information?
- When do we need your consent to your use personal information?
- What will happen if you do not provide the personal information we need?
- What you can do if your personal information changes
- What do we do with your personal information?
- Where is personal information stored and who can access it?
- Who do we share your personal information with?
- How do we keep your information safe?
- How long do we keep your personal information for?
- What are your rights under Data Protection law?
- How you can access your personal information
- What we will do if our Privacy Notice changes
- How can you complain if you are unhappy?