Data Protection

Policy Statement:


All data/information obtained, stored and processed by the organisation is covered by these policies and procedures.

 Citizens Advice Edinburgh recognises that the handling of identifiable, personal and sensitive information may be necessary for the effective functioning of the organisation and the services we provide.  This may include information obtained from a 3rd party.  Information may be held about individuals using and providing the organisation's services and about individuals in organisations we work in partnership with.

We all have a responsibility to protect the data we hold about people including how we process that data, whether that is citizens, volunteers, employees or partners.  Our reputation as an organisation people can trust also depends on our ability to uphold and maintain data protection standards, in accordance with the law and best practice.

             The main aims of this policy are to:

·        Ensure that the organisation complies with the Data Protection Act 1998 and the associated Codes of Practice and Regulations (including the General Data Protection Regulation (GDPR).

·        Ensure that information given in trust by users of the organisation services, our employees and volunteers or information that is held by the organisation for any other reason; is treated in compliance with the law and associated regulations.

·        Ensure that information is protected in terms of how it is stored, processed and shared in compliance with the law and associated regulations.

·        Ensure that the boundaries of confidentiality and individuals rights in relation to data protection are clear and understood by users of our service, our employees and our volunteers and that we are therefore confident that they are able to provide informed consent.

·        Ensure users are aware of the organisation's responsibilities to protect, control, process and store their information, including requests for access.

·        Make explicit the responsibilities of employees and volunteers concerning data protection, confidentiality and management of a Data Breach.

·        Ensure that we remain compliant with Data Protection, including maintaining an up to date Data Asset Register, carrying out regular Data Protection Audits, providing continuing professional development for employees and volunteers and applying a Data Protection Impact Assessment to any new services or processes we undertake.

 Responsibility for the control of personal data:

The organisation’s Data Protection Officer and Senior Information Risk Owner is the Chief Executive, who is responsible for ensuring all data is controlled in compliance with the Data Protection Act 1998 and associated Codes of Practice and Regulations.

Information and Training:

             All employees and volunteers will be provided with this policy document and new employees will receive a copy of this policy on taking up appointment.

            All employees and volunteers must complete CASLearn online training on Data Protection.  It is the responsibility of their line manager to ensure this has been completed.  Completion of CASLearn provides the organisation with an audit trail that this standard of knowledge and understanding has been achieved for all employees and volunteers.

            The organisation will provide continuing professional development on issues relating to confidentiality and the contents of this policy in order to ensure that our practices remain up to date and compliant.

Compliance with this policy is a condition of employment and/or continued volunteering and any deliberate breach of this policy will result in disciplinary action, which may include dismissal and possible legal action.


             Everyone responsible for using data in the organisation has to understand and comply with Data Protection Legislation and associated regulations. They must make sure the information is:

•used fairly and lawfully

•used for limited, specifically stated purposes

•used in a way that is appropriate, relevant and not excessive


•kept for no longer than is absolutely necessary

•handled according to people’s data protection rights

•kept safe and secure

•not transferred outside the European Economic Area without adequate protection.

There is stronger legal protection for more sensitive information, such as:



•Ethnic background


•political opinions

•religious beliefs



•Commission or alleged commission of an offence

The principle of confidentiality runs through all of the organisations interactions with employees, volunteers and people who use or access our service.  Information should only be shared when there is a clear and legal justification for doing so and where possible, with the informed consent of the individual involved.

            Although personal/sensitive data is protected by the organisation, there are exceptional circumstances when confidential information would have to be disclosed in accordance with the Adult Support and Protection (Scotland) Act 2007, the Children (Scotland) Act 1995 and/or the Children and Young People (Scotland) Act 2014 and CAE’s related policy.  In these circumstances, the CEO will make the final decision if personal/sensitive information should be disclosed. If the CEO is absent and not contactable, the Bureau Manager or Project Manager will be authorised to share information where they believe that information needs to be disclosed in accordance with the legislation above and in accordance with CAE’s related policy.   

           Personal data regarding employees and volunteers: 

o   Personal data relating to employees or volunteers may be collected primarily for the purposes of:

  • recruitment, promotion, training, redeployment, and/or career development;

  • administration and payment of wages and sick pay;

  • calculation of certain benefits including pensions;

  • disciplinary or performance management purposes;

  • performance review;

  • recording of communication with employees, volunteers and their representatives;

  • compliance with legislation;

  • provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future potential employers and;

  • Staffing and volunteer levels and service planning.

o   The organisation considers that the following personal data falls within the categories set out above:

  • Personal details including name, address, age, status and qualifications. Where specific monitoring systems are in place, ethnic origin and nationality will also be deemed as relevant;

  • References and CVs;

  • Emergency contact details;

  • Notes on discussions between management and the employee or volunteer;

  • Appraisals, Supervision and Development Records and documents relating to grievance, discipline, promotion, demotion, or termination of employment or volunteering;

  • Training records;

  • Salary, benefits and bank/building society details; and

  • Absence and sickness information.

            Employees, volunteers or potential employees and volunteers will be advised of the personal data which has been obtained or retained, its source, and the purposes for which the personal data may be used or to whom it will be disclosed.


 Data Asset Register:

 The Organisation will maintain a Data Asset Register which records a summary of all of the data the organisation holds, its purpose and location.  This will be reviewed on a quarterly basis to monitor compliance with the law and associated regulations.

The Chief Executive will undertake an annual audit of the organisations compliance with this policy and procedure and report findings and any areas for improvement to the Board.

Obtaining Informed Consent:

All new service users will be given a Data Protection Mandate (copy below) detailing their rights to Data Protection and explaining how and where we will store any information they share with us.  They will be asked to agree and sign the Data Protection Mandate, which will include a note recording any areas of potential information they have asked us not to record.   Thereafter, all information relating to that contact with the service user will be managed in accordance with that agreement.

Where an existing or previous service user asks for advice in relation to another matter that requires them to share new personal or sensitive information, it is imperative that the adviser provides the service user with a new Data Protection Mandate and obtains specific consent for the management of that new information. 

Employees and volunteers will be given a personal annual reminder of the information that we hold on their HR record and asked to provide their consent to this information being maintained.

Posters will be displayed in our Bureau and any other location where we are providing a service (unless we are unable to do so) which remind users of our service about their rights to Data Protection (copy below).  This information will also be available and promoted through our website, with regular reminders posted through our social media.

Requests for access to or amendment of data:

 If an existing service user asks for access to any personal or sensitive information or for that information to be amended or removed from our records, in accordance with their legal rights, they should be given the “Request to access, amend or remove personal or sensitive information mandate” (copy below) to complete and this must be passed onto the bureau manager and to the CEO for action.  An employee or volunteer can make a request at any time directly to their line manger to see their HR Record.  In both circumstances, information should be provided within 30 calendar days of the request being made.

Storage and Disposal of Information:

             All information we obtain about users of our service will only be stored on our electronic data base CASTLE, unless that contact relates to Case Managed Debt and Money advice; where information may also be recorded on our electronic data base PG Debt. 

In some circumstances, temporary paper records will also need to be kept for Case Managed Contacts and Tribunal Representation, where access to paper records are required for purposes of the service we provide. These paper records will be scanned onto CASTLE once access to the paper record is no longer necessary and the paper record will be destroyed.  In circumstances where that paper record is extensive and it is not practical or efficient to scan all of the documentation to CASTLE, a paper record may be maintained and will be held securely for the same duration as the CASTLE Record.  In these circumstances, an alert will be added to the CASTLE record, so that any paper record will be directly connected to it.

We may record information on a note pad during an interview, but this information will be transferred onto CASTLE within 28 days and the paper record destroyed. 

Where a service user shares personal or sensitive information with us in paper form (which is not a Case Managed Contact or for a Tribunal Representation) and it is necessary for us to keep a record of that information, this will be scanned onto CASTLE and the paper record either returned to the service user or destroyed within 28 days. 

If we are required to produce any other record on paper that will be scanned to CASTLE within 28 days and the paper record destroyed.

Where a paper record is maintained, that record will be held in a secure and lockable storage facility accessible only to designated representatives of CAE. In certain circumstances an Adviser may be required to transport paper records out with the organisations premises, this may be for purposes of attending a tribunal, meeting a client in another service or home visit, or transferring files from one location to another.  CAE recognise that this may be necessary for the services we provide and that during such circumstances we cannot provide the same level of security.  Advisers must therefore only transport information when it is absolutely necessary and only the information that is required for that purpose. 

It is the responsibility of the organisation’s employees and volunteers who are handling that data to ensure that personal/sensitive information about service users (individual clients, members, groups and organisations) is treated as confidential and stored securely in accordance with the details above.

            The organisation uses the services of an external confidential waste collection agency and has monitored their policy for compliance with Data Protection Legislation and associated Regulations.

 Telephone Calls and Letters:

             Any mail we receive in relation to a client, will either be scanned immediately onto CASTLE or stored in a secure and locked cabinet until it is transferred onto CASTLE and the paper record subsequently destroyed within 28 days.

            Access to a room where phone calls can be made in private will be available to employees and volunteers working in open plan offices.

Retention of Personnel Records:

Document  -  Retention period

Application form  -  Duration of employment or volunteering

References received  -  Duration of employment or volunteering

Annual appraisal/assessment/supervision /Training records  -  Duration of employment or volunteering

Annual leave records  -  For the leave period

Unpaid leave/special leave records  -  3 years

Sickness records  -  3 years

Records relating to accident or injury at work  -  For at least 3 years from the date the report was made

Disciplinary matters  -  6 years

Payroll and wage information  -  6 years

References given/information to enable references to be provided, e.g Summary of record of service, name, position held, dates of employment or volunteering  -  6 years from reference/end of employment or volunteering.

Data Breach:

 All employees and volunteers have a responsibility to take action where they think there may have been a breach of data protection.  This will be any situation where a person’s data has not been managed in accordance with the above policy and procedure.  If you think there may have been a breach you must report this immediately to your line manager or in their absence a member of the Senior Management Team and the CEO must be informed within 24 hours. We have a legal duty to report any breach of Data Protection to the Information Commissioners Office within 72 hours, therefore immediate action must be taken by all employees and volunteers if they have any concern that a breach may have occurred.  The CEO (alongside delegated responsibility to an appropriate member of the management team) will take responsibility for management of the data breach and reporting to CAS and the ICO in accordance with our legal and regulatory requirements.

A breach of data protection must also be recorded on CAE’s Incident Report and these will be recorded and reviewed for learning and development in accordance with our Incident Reporting processes. 

Document Control

 Created by:                                      Chief Executive

 Date:                                                  23/05/18

 Next Scheduled Review:              23/05/19


In order to provide you with the best possible service, we will ask you to share personal and sometimes sensitive information, so that we have a good understanding of your circumstances and can give you the right advice.

 You have the right to choose what information you share with us, what information you want us to record and to understand exactly what we are using that information for.  You can ask to see or amend that information at any time and we will make the necessary arrangements to do that.


If you have any questions about the information we are asking for, why we are asking for it or how and where it will be stored and recorded, please ask your adviser or ask to speak to the Bureau Manager.



It is important that you read and consider the information below carefully before giving us authorisation to manage and process your data.

The Data Protection Act 1998 and the General Data Protection Regulation (GDPR) establish your legal right to control what information you chose to share with us, how we use and process that information and what information you chose to have on record.  Citizens Advice Edinburgh will take responsibility for ensuring that any data you share with us is kept safe and secure and is held for no longer than is absolutely necessary.

In order to provide you with the best possible service, we will ask you to share personal and sometimes sensitive information, so that we have a good understanding of your circumstances and can give you the right advice.  We will also maintain a record of your contact, which may contain sensitive personal data.  Sensitive personal data includes information relating to: age, gender, race or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexuality, commission or alleged commission of an offence or anything else you consider to be particularly sensitive.

Citizens Advice Edinburgh will use your data for 2 purposes:

  1. To provide you with the advice and information you require and for the organisation to undertake quality assurance.

  2. To monitor the issues that are impacting on the lives of people locally and lobby for changes to legislation and social policy that will improve people’s circumstances and help address common problems. For this purpose, and for quality assurance audits, the Association of Citizens Advice Bureau (Citizens Advice Scotland) will also have access to this information.

You can ask to see your records at any time and you can ask that we destroy your records if you no longer want us to hold that information.  Otherwise, we will retain your records for no more than 7 years and only for the purposes outlined above.

I give my explicit and informed consent to Citizens Advice Edinburgh (CAE) maintaining a record of my contact, including any sensitive data.  I consent that CAE can destroy my file 7 years after my last contact.

Personal consent, clients signature………………………………….                                          Date………………….

If you do not agree to sign this Data Protection Mandate or if you have any questions before doing so, please speak to your adviser

Authorising a 3rd party to act on your behalf.

If you wish someone to deal with your enquiry on your behalf, we need you to provide specific additional consent for that to happen.  You must provide the name and contact details of the person(s) you authorise us to speak to on your behalf and state the particular issues we are authorised to discuss.   This will allow us to discuss that information with this third party, but only you will control how we use and process that information in accordance with your data protection authorisation above.

If you do not require this level of assistance, then please do not complete this section:


I authorise (name of person/s)……………………......................................................................................

Who can be contacted at (address and/or phone number)…………………………………………………………….


To act on my behalf for issues concerning (please state): ……………………………………………………………………………………………………………………………………………………….


Client signature…………………………………………                                                                  Date…………………..



Request to access, amend or remove personal or sensitive information mandate


To the Chief Executive of Citizens Advice Edinburgh:

I hereby request (please select the relevant option):

A copy of all information that Citizens Advice Edinburgh has recorded about me


That Citizens Advice Edinburgh amend personal or sensitive they have recorded about me


That Citizens Advice Edinburgh remove (delete) personal or sensitive they have recorded about me


I understand that I will need to present evidence of my identity that confirms my right to access that particular record.  This will include photographic ID (either a Passport or Driving Licence) and confirmation of the address that the record is linked to in my name (either a bank statement, utility bill, payslip or letter from the DWP).  I also understand that  CAE will take no more than 30 days to respond to my request and that they may wish to discuss with me the best way to comply with my request and/or any other details about my request.

Name (Print)               ________________________________________


Address (Print)            _________________________________________




Postcode                     _________________________________________


Signature                    _________________________________________


Date                            _________________________________________



I certify that I confirmed the identity of the client in accordance with the above identification requirements.

Name (Print)               ________________________________________


Role (Print)                  _________________________________________


Signature                    _________________________________________

Date                            _________________________________________