Updated: 25 May 2018
The LAYC Web Site is intended to provide information on the LAYC organisation and its services.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is intended to give all of us greater visibility and control of our personal information (referred to as personal data). Personal data is defined as, “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” What this means is that any information an organisation holds that could possibly be used to identify a person counts as personal data.
LAYC takes its obligations to any personal data held very seriously and has updated this policy to accommodate the new General Data Protection Regulation (GDPR) that comes into effect on 25 May 2018.
This policy explains how LAYC uses, stores and protects any personal data it manages through the provision of its programmes and membership services. We may update this policy from time to time to provide additional information or clarity. This page will be the master copy of our policy and we encourage users to regularly check for any updates.
Our intention is to try and use plain English and youth work terminology as far as possible under our requirements for this policy. Any use of ‘us’, ‘we’ or ‘our’ etc. refers to LAYC. Any use of ‘you’, ‘your’ or ‘you’re’ etc. refers to the user of our services. There are some legal terms used out of necessity but please get in contact if you require clarification on any of this policy.
You can find out more about GDPR and how the Information Commissioner’s Office (ICO) applies it to UK organisations on their website www.ico.org.uk
Controller of Personal Data
Any personal information provided to or gathered by LAYC is controlled by LAYC.
LAYC is a Scottish Charitable Incorporated Organisation SC009193
To communicate with our Data Protection Manager, Graham McCulloch, please email firstname.lastname@example.org
or write to
Gillian Stanway, Administrator
LAYC, Dunford House
7 Boroughloch Lane, Edinburgh EH8 9NL
Tel: 0131 667 1828
Child Protection and privacy
LAYC, like its members and many of its partners, operates in the youth sector, interacting with young people aged 5 years+. Where relevant, and if there exists a conflict, Child Protection legislation and policy supersedes GDPR.
Types of information and how it is used
LAYC holds information, or data, on a consent or legitimate interests basis. This means that we hold and use information either based on your permission (consent) to do so, such as providing your email address and name when you sign up to our email newsletter, or on the requirement for that information to provide our services (legitimate interests), such as information provided as part of a group’s application for membership.
LAYC use any information you provide to us to fulfil the service or services related to your information. For example, to apply for membership, we will ask for the information about your youth group, meeting place, contacts and other information that we require to grant membership, according to our membership criteria. Likewise, we will ask for names, contact details, dates and times when you book a training event, so that we know who will attend and when.
The core uses of personal data held by LAYC are:
- To provide, update, maintain and improve our services
- As required by law, legal process or regulation
- To communicate and respond to requests, comments and questions
- To send emails and other communications essential to provide membership and services
- For billing, account management and other administrative matters
- To maintain security and standards
In addition to the core purposes for which we use data, we may also use information to analyse or profile our users to fulfil legal obligations, reporting obligations and to maintain and improve our services.
LAYC may from time to time:
- use data to analyse our services e.g. satisfaction surveys and programme evaluation surveys to see how we are doing and take on board feedback
- use data on a geographic basis e.g. we may look at whether a group will qualify for funding or programme access due to relevant geographic criteria
- use data on age or gender basis e.g. we occasionally seek to understand our membership demographics to improve our offering and complete our annual reporting
- use data for aggregated statistics to complete reports e.g. we are often required to complete annual reports for programmes we run as a contractual obligation
LAYC never sells data to third parties.
Membership data is stored, accessed and updated in a Microsoft Dynamics 365 CRM system. Dynamics 365 is a third-party, cloud-based system and data is not stored locally. Microsoft datacentres are held in European GDPR-compliant datacentres. Data is considered active and current during a membership period of 12 months. Data will be held by LAYC for up to 24 months after non-renewal before being archived.
All youth and children’s workers who apply for PVG scheme membership/updates provide sensitive personal data required to process the PVG Checks. These details are submitted by LAYC to Disclosure Scotland. Disclosure Scotland produce PVG certificates and share these with applicants and with LAYC.
LAYC holds personal data on PVG Applicants whilst their PVG Scheme application is being processed and until their PVG Certificate has been received. Thereafter LAYC will only retain minimal contact details and a note of the PVG certificate and membership number on file for the duration of their active involvement with a LAYC Member Group in a regulated work role.
Security and where information is stored
LAYC takes every reasonable precaution to ensure any data we hold is secure and stored according to GDPR. In addition to the secure storage outlined below, access to any LAYC system is always protected by the requirement for secure login to our systems. Any physically held data is protected locally by a secure entry system, alarm and CCTV. Filing cabinets where used are locked.
The following details explain the data storage, technology involved and location when LAYC uses external services to process data.
The LAYC website is hosted by Launchsite. No data is held locally.
Launchsite datacentres are among the most secure in the world and are held in European GDPR compliant datacentres.
We use SurveyMonkey to capture feedback and evaluation data. SurveyMonkey is a third-party, cloud-based system and data is not held locally. SurveyMonkey store data globally in compliance with GDPR and the EU-US Privacy Shield Framework.
LAYC uses MailChimp as our email newsletter platform. MailChimp is a third-party, cloud-based system and data is not held locally. MailChimp store data in the USA in compliance with GDPR and the EU-US Privacy Shield Framework.
LAYC will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
To achieve this, we have grouped personal data and set the following general limitations:
Like the majority of websites, the LAYC website uses modern technology and data provided by you and your browser to try and provide the best service and experience we can.
Cookies may be used on our website. A cookie is a very small text file that is placed on your computer’s hard drive when accessing a website and it collects standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
GDPR provides certain rights for individuals. These are how they apply to LAYC:
- The right to be informed – the core purpose of this policy; we aim to tell you about the collection of personal data.
- The right of access – you have access to your personal information (often called a “data subject access request”). This enables you to ask for a copy of the personal information we hold about you. This is normally free but please note that, as per ICO guidelines, an administration fee may apply, “when a request is manifestly unfounded or excessive, particularly if it is repetitive.”
- The right to rectification – in clearer words, the right to have corrections made. This is a shared obligation between us to keep personal data as up to date as is practical.
- The right to erasure – this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- The right to restrict processing – This enables you, where appropriate, to ask us to suspend the processing of personal information about you. For example, if you are checking the accuracy of information we hold.
- The right to data portability – in clearer words, the ability for you to take personal data from us to an alternative supplier. Less relevant to our operations but the right remains.
- The right to object – where we are using a legitimate interest basis and there is something which makes you want to object to processing on these grounds. This may mean we are unable to provide some services to you.
- Rights in relation to automated decision making and profiling – automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Conditions of use and terms of service
You may find our terms & conditions on this page.