Core Privacy Notice

Privacy Notice

We are committed to protecting the privacy of the people whose personal information we hold and to meeting our data protection obligations under the General Data Protection Regulation and UK Data Protection Act 2018. This Privacy Notice explains how we meet those commitments in practice. 

Who we are
How to contact us
What is our legal basis for processing your data
Whose personal data do we process and why
Detailed privacy notices
Sharing your data
Protecting your data
How long we keep your data
Your rights
Changes to this notice

Who we are

We are the Care Inspectorate, the independent regulator of social care and social work services across Scotland, formed under the Public Services Reform (Scotland) Act 2010.

We are a registered ‘data controller’ with the UK Information Commissioner and our registration number is Z2582022.

How to contact us

If you have any questions about this privacy notice or our data protection policies generally, please contact us by emails, phone or post.

By email: This email address is being protected from spambots. You need JavaScript enabled to view it.

By phone: 0345 600 9527

By post: The Data Protection Officer, Compass House, 11 Riverside Drive Dundee, DD1 4NY

What is our legal basis for processing your data

As the scrutiny and improvement body for social care and social work services across Scotland, we have powers under Part 5 of the Public Services Reform (Scotland) Act 2010 to collect and process personal information about people experiencing care and people who provide, manage, and work for care services.

The main legal basis we rely on:

  • to process your personal data is that it is necessary to perform our public tasks as a regulator
  • to process sensitive personal data is to ensure high standards of care.

We also process personal information for a number of other purposes:

  • to fulfil a contract with you as an employee or contractor
  • to meet specific legal and statutory obligations
  • because the processing is within our legitimate interests as a business.
  • for research, historic and statistical purposes

Whose personal data do we process and why

People experiencing care
Care service managers, owners and workers
Participants in our research and policy work
People who use our websites and engage with us on social media
Job applicants
Current and former employees
Inspection volunteers and involved people

People experiencing care

Access to personal information about people experiencing care plays an essential role in the Care Inspectorate’s inspections and the wider regulation of health and social care services in Scotland.

Our statutory powers under Part 5 of the Public Services Reform (Scotland) Act 2010 allow us to obtain and review the personal details of individual people experiencing care. This includes information from medical and care records, where it is necessary to do so as part of our regulatory care service inspections and when undertaking investigations related to complaints and enforcement action. These powers mean that we do not need to get a person’s consent to obtain this information.

We may need to access personal and sensitive personal information of people experiencing care to allow our inspectors to assess whether:

  • providers of care are using care plans to ensure that people experience person-led care that meets their clinical and personal needs, particularly older people and people with long-term conditions (such as diabetes or dementia), people with a learning disability, and other people who may be vulnerable because of their circumstances
  • lessons have been learned from complaints and serious incidents to improve safety and care, and whether care providers have met their duty of candour obligations to explain and apologise for serious mistakes
  • the rights of people who have been detained under the Mental Health Act are being respected and protected
  • medication records are kept properly
  • information has been shared properly (lawfully, effectively and appropriately) between care services
  • people are properly involved in decisions about their care, they are asked to give their consent about their care, and their decisions are respected
  • safeguarding concerns are being appropriately acted on to ensure that people who may be vulnerable are being protected from abuse and harm.

We also obtain information in a number of other ways, out with our inspections, to help us to monitor the quality of care, prioritise our work, and identify problems with services that may require us to take regulatory action. We do this in a number of ways, for example:

  • we invite people who use services to share their experiences with us
  • we share information locally and nationally with other organisations involved in commissioning, providing and regulating care, for example, local authorities, Healthcare Improvement Scotland, and professional regulators like the Scottish Social Services Council and the Nursing and Midwifery Council.

Where possible, we will use anonymised information or information other than personal information to carry out our work, but looking at, and using, personal information is often the only practical way in which we can carry out our work effectively. For example, it may be difficult and time consuming for a care provider to make anonymised copies of any records we need to see as we request them during an inspection. In other cases, we may need to know whose records we are looking at because we are trying to understand how that person’s needs have been met.

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the complaint is in relation to the care of an individual. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle each complaint on an anonymous basis.

Similarly, where enquiries are submitted to us in relation to care services or our own operations, we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Care service managers, owners and workers

As the independent regulator of social care and social work services across Scotland, we have powers under Part 5 of the Public Services Reform (Scotland) Act 2010 to collect and process personal information about people who provide, manage and work for care services. This can include their name, address and other contact details, date of birth, qualifications, training and experience, data relevant to disclosure and PVG checks, employment history including any disciplinary action and outcome.

We process this personal information for a number of purposes:

  • processing applications for the registration of new care services
  • maintaining a public register of regulated care services
  • administering regulatory notifications and annual returns
  • inspecting social work services and registered care services to support improvement in the quality of care experienced by people and their carers
  • investigating any complaint raised against a care service or the Care Inspectorate itself, including making any necessary publications about the investigation
  • taking formal enforcement action to require care services to improve the quality of their care
  • providing information and advice to people who provide care services, or who are considering becoming care service providers
  • sending communications connected with care service registration or notifications
  • dealing with any calls to our contact centre
  • policy development, research and engagement activities to improve care quality standards.

Participants in our research and policy work

We may ask whether you wish to take part in a research project, consultation or survey. Participation is entirely voluntary and any information is collected with your consent.

Where possible we will avoid collecting personal information about you, when collecting this information. Where this cannot be avoided, we delete your personal data as soon as we have collated the information into an anonymised format.

We will inform you that research-related information may be held by external researchers with whom we are working.

If you choose to provide us with information that identifies you, this will not be published in any reports.

People who use our websites and engage with us on social media

To access some of the services available via our websites you will need to register with us. This includes subscription to our Hub e-newsletter and online account. During the registration process you will be asked to submit personal information about yourself, for example name and email address. By entering your details in the fields requested, you enable us to provide you with those services or to contact you as agreed during the registration process.

When you provide such personal information, you accept that we may retain your personal information and that it may be held by us or any third party that processes it on our behalf for the purposes of providing the information or services which you have requested.

When you subscribe to our services, you can cancel your subscription at any time and are given an easy way of doing this. We will then delete your personal data in line with our retention policy.

Where we require your consent to use the personal information provided, we will state this at the point of collection of that information and let you know how to withdraw your consent should you wish to in the future.

In addition, we may also collect personal information from you when you correspond with us, for example, when you phone, email or write to us or when you engage with us on our social media sites.

Cookies

We also collect certain information automatically about visitors to our websites, using cookies. Cookies are small text files that are placed on your computer by websites that you visit. When someone visits www.careinspectorate.com or any of our other websites, we use cookies to collect standard internet log information and details of visitor behaviour patterns.

We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. You can read more about how we use cookies on our Cookies page.

Links to other sites

This privacy notice applies solely to information collected by us. Our websites and social media channels may contain links to other websites. We are not responsible for the privacy practices of other sites. When you leave our site please be sure to read the privacy statements of every site that collects personal data about you.

Job applicants

We need to process personal data about people applying to work for us so that we can carry out our role, for example by ensuring that we have the right staff to perform our inspections, and so we can meet our legal and contractual responsibilities as an employer.

When you apply to work at the Care Inspectorate, we will only use the information you supply to us:

  • to process your application
  • to monitor recruitment statistics.

Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from Disclosure Scotland, we will not do so without informing you beforehand unless the disclosure is required by law.

We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Current and former employees

We need to process personal data about our own staff so that we can carry out our role, for example by ensuring that we have the right staff to perform our inspections, and so we can meet our legal and contractual responsibilities as an employer.

The personal information we hold about you includes identifiers such as names and National Insurance numbers, characteristics such as ethnic group, employment contract and remuneration details, qualifications and absence information.

Some of the data you supply will be anonymised and used for statistical purposes for:

  • improving the management of workforce data
  • enabling the development of a comprehensive picture of the workforce and how it is deployed
  • informing the development of recruitment and retention policies
  • allowing better financial modelling and planning
  • enabling ethnicity and disability monitoring.

We will not share information about you with third parties without your consent unless the law requires us to, for example we are required by law to pass on some of this personal data to the HMRC.

We retain different categories of employee personal data for different periods of time throughout and after employment, in accordance with the requirements in our retention schedule and then destroy it confidentially.

Inspection volunteers and involved people

We process the personal details of our inspection volunteers at recruitment stage, to support you in your inspection role and when you participate in other engagement activities. This includes your contact details, disclosure checks, data to enable ethnicity and disability monitoring (which is anonymised), your personal experience of using care services and any support needs you may have.

We also process the personal data of people experiencing care and carers who volunteer to take part in consultation and engagement activities as part of our Involving People Group.

Detailed privacy notices

We are developing specific privacy notices for each of our main data subject groups. These will provide more detailed information about how we process your personal data. When these are published, they will be listed below. 

Sharing your data

We regularly need to share personal information with other organisations when fulfilling our statutory functions and obligations. Where this is necessary we are required to comply with data protection legislation. We will only disclose or share confidential personal information with your consent or where it is necessary to do so to perform our regulatory functions or for another legitimate and lawful purpose such as complying with employment or health and safety legislation. 

We have memoranda of understanding and data sharing agreements with partner agencies with whom we regularly share personal information to ensure that this information is properly protected and appropriately, fairly and lawfully handled and disposed of. These include, but are not limited to:

  • COSLA
  • Disclosure Scotland
  • Education Scotland
  • Healthcare Improvement Scotland (HIS)
  • Mental Welfare Commission
  • Nursing and Midwifery Council (NMC)
  • Scottish Care (Independent Care Sector)
  • Scottish Social Services Council (SSSC)
  • Scottish local authorities

We may share any information that you provide to us, including information about your identity and the identities of others, with Police Scotland and other agencies involved in the prevention, detection, investigation or prosecution of crime or other unlawful activities. We will only do so when it is considered necessary and proportionate to do so.

The Care Inspectorate employs a number of data processors who process personal data on our behalf, for example for payroll processing.

We have contractual instructions, data processing agreements and compliance monitoring controls in place to ensure these organisations

  • only act under our instructions when they are processing your personal data on our behalf.
  • use appropriate technical and organizational measures to protect your personal data
  • delete or return data to us during the processing contract and when that contract ends
  • get our permission before engaging sub-contractors to carry out any part of the service

The Care Inspectorate will never sell or inappropriately disclose your personal data to any other external organisation or individual.

Overseas Transfers

It may sometimes be necessary to transfer your personal information overseas, out with the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of Data Protection legislation.

Protecting Your Personal Data

We are committed to ensuring that your right to privacy is respected and that your personal information is secure and only available to those who have a right to see it. Examples of some of the measures we use, where appropriate, to protect your information includes:

  • controlling access to our systems and networks to stop people who are not allowed to view your personal information from getting access to it
  • encrypting the information so that it is hidden and cannot be read without special knowledge such as a password.
  • regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches)
  • training our staff so they are aware of how to handle information and how and when to report when something goes wrong
  • having joint procedures and agreements in place to protect personal information that we share, disclose or transfer to external parties, including our partners and third parties who process personal data on our behalf
  • having monitoring and incident management procedures in place to detect and resolve any personal data breaches as quickly as possible and improving our controls by addressing the underlying causes of such breaches.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

We have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents. He is supported by Information Asset Owners with responsibility for the governance of information at operational level.

Everyone working for the Care Inspectorate is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised or consented to by the individual, for example a person experiencing or providing care, or a Care Inspectorate employee, unless it is required or permitted by the law. We must also ensure that any impact on the privacy of an individual as a result of our actions is compliant with Article 8 of the Human Rights Act 1998.

How Long We Keep Your Data

We will only retain your information for as long as we consider necessary to support our statutory functions and to satisfy any legal, accounting, or reporting requirements. At the end of this period the information will be destroyed or deleted in line with our confidential destruction procedures.

We retain de-personalised statistical information to help inform our work, but no individuals are identifiable from that data.

Your rights

The law gives you a number of rights to control what personal information is used by us and how it is used by us.

Accessing your personal information

You have a right to know what personal information we hold about you and to receive a copy of it, subject to some exemptions, by making a ‘subject access request’. We try to be as open as we can be in terms of giving people access to their personal information.

To find out more, please read our Subject Access Request Procedure which provides more information about this process and includes a form for you to complete and send to us, if you would like to make a subject access request.

Requesting correction of your personal information

This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Objecting to our processing of your personal information

You have the right to object to the Care Inspectorate using your information where we are relying on a legitimate interest (or those of a third party) and we would have to stop unless we have a sound overriding reason to continue

Erasure, restriction and portability
In specific circumstances, you have the right to have your personal data deleted, to put limits on what the Care Inspectorate may do with it or to receive a copy in machine-readable form to take to another organisation;

There are also specific legal rights relating to automated decision making but the Care Inspectorate does not carry out this kind of processing.

If you want to exercise any of these rights, please contact us using the details above.

For more information on your rights under the GDPR see https://ico.org.uk/for-the-public/

Complaints or queries about how we process your personal information

If you have any complaints or queries about how we process your personal information you should contact our Data Protection Officer at This email address is being protected from spambots. You need JavaScript enabled to view it. or by calling 0345 600 9527.

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

If you are dissatisfied with our response to a complaint you send us, or have any concerns about our handling of your personal data, you can complain to the Information Commissioner's Office by using the details below:
Mail: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Online: https://ico.org.uk/concerns/handling/

Changes to this notice

We keep our Privacy Notice under regular review and we will place any updates on this web page. This notice was last updated on 25 May 2018.