The Scottish Legal Aid Board is the public authority which administers legal aid in Scotland in terms of the Legal Aid (Scotland) Act 1986.
In carrying out these functions we collect, use and retain different types of personal information about you. We rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation as the lawful basis for processing of data, as a task carried out in the public interest or in the exercise of official authority vested in the controller. Our lawful basis for processing personal data will also include contractual obligations with service providers and suppliers.
This Privacy notice describes how we collect and use Personal Data, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and any other applicable data protection law in the United Kingdom.
It applies to Personal Data provided to us, by both individuals or by others.
What information do we collect about you?
There are several different types of legal aid and the information needed can vary. The information you will be asked to provide is necessary to consider and process your application, and if legal aid is granted to administer any grant of legal aid that is made during the lifetime of the case and in relation to any relevant final or follow-up steps that arise at the end of the case in terms of legal aid regulations and our functions.
The information you will be asked to provide will be about you and your circumstances, such as household, financial and case details, so far as they are relevant to your application, such as:
Name, address, relationship status, date of birth, phone number, National Insurance Number and email address - where you have provided it to enable us to communicate with you by email.
Your income and sources of income and capital, including bank, building society details.
Statements and reports about your legal case.
Relevant information from other professionals, relatives or others who are witnesses in your case.
A record of any contacts you have with us such as phone calls and meetings.
We also have a duty to gather information about equalities.
Your personal information will be used for the purposes of administering Legal Aid and for, communicating the status of Legal Aid applications, where you are named as an opponent.
Basic details such as name, address, relationship status, date of birth, phone number and email address - where you have provided it to enable us to communicate with you by email.
If you are part of our supply chain, we will process your personal information for the purpose of procuring and consuming goods and services, and to fulfil our contract with you. This may include your personal contact information and information required for you to supply products and services to us.
Name, address, bank details, phone number and email address.
Your personal information will be used for the purposes of assessing claims from the legal aid fund for the work conducted on behalf of your client, as well as conducting periodic assurance audits on legal aid files to ensure that decisions have been made correctly and accurately, and in producing statistics and information on our processes to enable us to improve our processes and assist in carrying out our functions in terms of the Legal Aid (Scotland) Act 1986.
Name, address, bank details, phone number and email address, practitioner certificate, disclosure information.
If you contact us with an enquiry, comment or complaint, we will use the personal information you provide to us to respond and resolve your issue. We may ask you to provide additional personal information if it is necessary for this purpose.
Name, address, phone number, email address, details of complaint and enquiry.
Your personal information will be used to facilitate a visit to SLAB premises and to comply with Health and Safety Legislation and Security requirements.
Some types of personal data are defined as special. We will only collect and use these types of information where we need to and if the law allows us to. Special categories of personal data include
Racial or ethnic origin
Political opinions, religious or philosophical beliefs
Trade union membership
Genetic or biometric data used for ID purposes
Sex life and sexual orientation
Criminal convictions data
We have put in place appropriate security measures to protect your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those people who have a business need to know.
We have put procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
In some circumstances we may anonymise or pseudonymise Personal Data so that it can no longer be associated with the Data Subject, in which case we may use it without further notice.
We will share Personal Data with third parties where we are required by law or where we have another lawful basis for doing so.
All Personal Data will be provided with adequate protection and all transfers of Personal Data outside the EU are done lawfully. Where we transfer Personal Data outside of the EU to a country not determined by the European Commission as providing an adequate level of protection for Personal Data, the transfers will be under an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses.
We will also share Personal Data with third-party service providers. For example, we use third parties to provide;
IT and cloud services
Professional advisory services
Credit reference agencies and debt collection agencies
All of our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data. We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.
We sometimes need to share the personal information we process with other organisations. When this is necessary, we will comply with all aspects of the relevant data protection laws. The organisations we may share your personal information with include:
The police and other law enforcement agencies, HMRC and other government bodies where it is necessary to do so for the purpose of administering legal aid, or where we have a legal or regulatory obligation to do so.
Relevant regulators, including the Information Commissioner's Office in the event of a personal data breach, the Scottish Legal Complaints Commission, the Law Society of Scotland and The Scottish Public Services Ombudsman.
If false or inaccurate information is provided or fraud identified, SLAB can lawfully share your personal information with fraud prevention agencies to detect and to prevent fraud and money laundering.
We may contact you for research purposes. Participation in such research is entirely voluntary: you are under no obligation to take part.
We will retain the personal information we hold about you only for as long is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In the case of applications for Legal Aid, the retention period will normally be the lifetime of the case or such other period as is required to complete the administration of the grant of legal aid and its consequences, if any.
Other records, which are not required to be retained as part of our statutory function, will be kept for a period of time depending on:
The type, amount and categories of Personal Data we have collected.
The requirements of our business and the services we provide.
The purposes for which we originally collected the Personal Data.
The lawful grounds upon which we based our processing.
Any relevant legal or regulatory obligations.
We continually review our data retention policies, and we reserve the right to amend the retention periods without notice.
It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes.
Under the General Data Protection Regulation (GDPR) you have the right:
To be informed about how we collect and use your personal information through privacy notices such as this.
To request information we hold about you. This is known as a subject access request and is free of charge. We must respond within one month, although this can be extended by a further two months if the information is complex.
To rectification. You are entitled to have your information rectified if it is factually inaccurate or incomplete. We must respond to your request within one month. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner.
To erasure. You have the right to ask us to delete your information or stop using it. It will not always be possible for us to comply with your request, for example if we have a legal obligation to keep the information. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner.
To restrict processing. You have the right to restrict how your data is processed in certain circumstances, for example if the information is not accurate. If a restriction is applied, we can retain just enough information to ensure that the restriction is respected in future. If we decide to lift a restriction on processing we must tell you.
To data portability. If we are processing your personal data with your consent, and it is held in a structured, commonly used, machine readable form, you have a right to ask us to transmit it to another data controller so they can use it. This right does not apply if we process your personal data as part of our public task.
To object. You can object to your information being used for profiling, direct marketing or research purposes.
To be informed about any automated individual decision making, including profiling, with legal or similarly significant effects and be given an opportunity to request human intervention or challenge a decision.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, request that we transfer a copy of your personal information to another party or request the reconsideration of an automated decision, please contact our Data Protection Officer at DPO@slab.org.uk.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our DPO. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.
If you are unhappy with the response you get from us, you can ask us to look again at your request – you can write to our Data Protection Officer at SAR@slab.org.uk or using SLAB’s postal address. At any time, you are entitled to ask the Information Commissioner to review our decision or to go to court to enforce your rights.
Changes to this privacy notice
We keep this privacy notice under regular review. This privacy notice was last updated on 11/03/2019