Privacy Notice for Volunteers, Employees and Workers

This notice explains what personal data (information) we hold about you, how we collect it, and how we use and may share information about you during your employment and after it ends. We are required to notify you of this information under data protection legislation.

What information do we hold about you and why?

Please ensure that you read this notice and any other similar notice we may provide to you from time to time when we collect or process personal information about you. 

Who collects the information? 

The National Trust for Scotland is a ‘data controller’ and gathers and uses certain information about you. 

Data protection principles 

We will comply with the data protection principles when gathering and using personal information, as set out in our GDPR Data Protection Policy. 

About the information we collect and hold  

The table set out in the Schedule summarises the information we collect and hold, how and why we do so, how we use it and with whom it may be shared. 

We may also need to share some of the categories of personal information set out in the Schedule with other parties, such as external contractors and our professional advisers and potential purchasers of some or all of our business or on a restructuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations. 

We may also be required to share (with third parties such as with Her Majesty’s Revenue & Customs, for example) some personal information as required to comply with the law. 

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it. 

Where information may be held 

Information may be held at our offices, and third party agencies, service providers, representatives and agents as described above. 

The following third parties may have access to your personal information and, in some circumstances, your special category data (if applicable), for the purposes noted below: 

Our IT support providers:

  • PwC (for the development of replacement of IT systems [this will cease February 2019]) 
  • Microsoft (for general software packages) 
  • CoreHR (Human Resources Information System provider) 
  • CARE (customer relationships management system) 
  • Bottomline (for the enablement of money transfers through BACS for eg pay and expenses) 
  • Payrite (payroll system) 
  • Estateman (property data in relation to let-properties)
  • Axiell (data relating to the loans to us and from us of our historic collections)

Our waste management company, Shred It, who deal with shredding and waste disposal requirements.

Our Human Resources Information System provider CoreHR, who provides the IT software and infrastructure for the storage, tracking, analysis and reporting of individual and management information about you as part of our workforce.

Our financial adviser LEBC who administer our pension scheme(s), and broker other employee benefits such as income protection on ill-health, or life assurance – in particular circumstances where an insurance/assurance claim is made we may liaise directly with that insurer about your case.

Our occupational health provider Salus, who undertake pre-employment medical assessments, routine health monitoring and ad hoc medical referrals on our behalf – Salus may, in turn, contact your General Practitioner or other health-provider(s) on our behalf to support your ‘case’.

Our benchmarking and survey partners Investing in Volunteers, Investors in People, Investors in Young People, Agenda Consulting, who undertake independent surveys and assessments of our people management approach against recognised benchmarks, and/or for research and engagement purposes. 

Our external partners, such as the Institute of Conservators and Project Scotland, with whom we have formal relationships for the management of internships, apprenticeships and skills/CV development (as they apply to you). 

Our employee benefits provider Reward Gateway, who enable employees to access benefits such as online retail/leisure discount schemes through a web portal. 

Our outplacement provider LHH Penna who support us with change programmes that affect people.

We have security measures in place to seek to ensure that there is appropriate security for information we hold. 

How long we keep your information

We keep your information during and after your employment for no longer than is necessary for the purposes for which the personal information is processed. Further details on this are available in the National Trust for Scotland Retention Schedule.

Your rights to correct and access your information and to ask for it to be erased

Please contact our Data Protection Officer (DPO), who can be contacted by email at dataprotection@nts.org.uk if (in accordance with applicable law) you would like to correct or request access to information that we hold relating to you or if you have any questions about this notice. You also have the right to ask our Data Protection Officer for some but not all of the information we hold and process to be erased (the ‘right to be forgotten’) in certain circumstances. Our Data Protection Officer will provide you with further information about the right to be forgotten, if you ask for it.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. 

How to complain 

If you have any queries or concerns about this notice or about our use of your personal information, please contact our Data Protection Officer.  

If our Data Protection Officer is not able to address your query or concern, you can contact the Information Commissioner at ico.org.uk/concerns or telephone 0303 123 1113 for further information about your rights and how to make a formal complaint. 

The Schedule 

About the information we collect and hold 

Swipe to view table

The information we collect How we collect the information Why we collect the informationHow we use and may share the information 
Your name, contact details (i.e. address, home and mobile phone numbers, email address) and emergency contacts (i.e. name, relationship and home and mobile phone numbers) ☐ From youTo enter into/perform the employment contract, the worker contract, or the volunteer registration   
Legitimate interest: to maintain employment records and good people management practice 
To enter into/perform the employment contract, worker contract or volunteer registration 
Details of salary and benefits, bank/building society, National Insurance and tax information, your age ☐ From you To perform the employment contract or worker contract  including payment of salary and benefits, and for the payment of legitimate expenses for volunteers, employees, and workers 
 
Legitimate interests: to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice 
To ensure you receive the correct pay and benefits 
 
Information shared with our pension/benefits provider LEBC administrators and with HM Revenue & Customs (HMRC) 
Details of your spouse/partner and any dependants ☐ 

From youTo perform the employment contract including employment related benefits, eg private medical insurance, life assurance and pension To ensure you receive the correct pay and benefits  
 
Information shared with our pension/benefits provider LEBC administrators, income protection and life assurance insurers in the case of a claim, our childcare voucher partner The Co-operative and with HM Revenue & Customs (HMRC) 
Your nationality and immigration status and information from related documents, such as your passport or other identification and immigration information ☐ From you and, where necessary, the Home Office To enter into/perform the employment contract, the worker contract, or the volunteer registration 
 
To comply with our legal obligations 
 
Legitimate interest: to maintain employment records 
To carry out right to work checks 
 
Information may be shared with the Home Office 
[A copy of your driving licence ] ☐ where driving is a requirement of the role for which you undertake From you.

As verified through the DVLA digital license checking system. 
To perform the employment contract, the worker contract, or the volunteer registration 
 
To comply with our legal obligations 
 
To comply with the terms of our insurance 
To ensure that you have a clean driving licence 
 
Information may be shared with our insurer.
Details of your pension arrangements, and all information included in these and necessary to implement and administer them ☐ From you, from our pension administrators LEBC and (where necessary) from your own pension fund administrators To perform the employment contract including employment related benefits 
 
To comply with our legal obligations 
 
Legitimate interests: to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice 
To administer your pension benefits AND/OR To comply with our auto-enrolment pension obligations 
 
Information shared with our pension administrators LEBC and with HMRC 
Information in your sickness and absence records (including sensitive personal information regarding your physical and/or mental health) ☐ From you, from your doctors, from medical and occupational health professionals we engage and from our insurance benefit administrators LEBC and Unum To perform the employment contract including employment related benefits 
 
To comply with our legal obligations 
 
Legitimate interests: to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice, to ensure safe working practices 
To maintain employment records, to administer sick pay entitlement, to follow our policies and to facilitate employment related health and sickness benefits 
 
To comply with our legal obligations to you as your employer Information shared with your doctors, with medical and occupational health professionals we engage and with our insurance benefit administrators LEBC 
 
For further information, see * below 
Your racial or ethnic origin, sex and sexual orientation, religious or similar beliefs From youTo comply with our legal obligations and for reasons of substantial public interest (equality of opportunity or treatment) To comply with our equal opportunities monitoring obligations and to follow our policies 
 
For further information, see * below 
Criminal records information, including the results of Disclosure Scotland and/or Disclosure and Barring Service (DBS) checks ☐where this is relevant to the role for which you have appliedFrom you and the DBS or Disclosure Scotland To perform the employment contract, or worker contract, or volunteer registration 
 
To comply with our legal obligations 
 
For reasons of substantial public interest (preventing or detecting unlawful acts, and protecting the public against dishonesty) 
To carry out statutory checks 
 
Information shared with DBS, Disclosure Scotland and other regulatory authorities as required 
 
For further information, see * below 
Information on grievances or complaints raised by or involving you From you, from other colleagues (volunteers, employees, workers) and from consultants we may engage in relation to the grievance procedure To perform the employee contract, the worker contract, or the volunteer registration; 
 
 
To comply with our legal obligations 
 
Legitimate interests: to maintain volunteer, employment, worker records and to comply with legal, regulatory and corporate governance obligations and good people management practice 
For people administration, to follow our policies and to deal with grievance matters 
 
Information shared with relevant managers, People Department personnel and with consultants we may engage 
Information on conduct issues involving you From you, from colleagues (volunteers, employees, workers) and from consultants we may engage in relation to the conduct procedure To comply with our legal obligations 
 
Legitimate interests: to maintain people records and to comply with legal, regulatory and corporate governance obligations and good employment practice, to ensure safe working practices 
For people administration and assessments, to follow our policies, to monitor staff performance and conduct and to deal with disciplinary and grievance matters 
 
Information shared with relevant managers, People Department personnel and with consultants we may engage 
Details of your appraisals and performance reviews From you, from other colleagues (volunteers, employees, workers) 
 
To comply with our legal obligations 
 
Legitimate interests: to maintain people records and to comply with legal, regulatory and corporate governance obligations and good people management practice, to ensure safe working practices 
 
For people administration and assessments, to follow our policies, to monitor staff performance and conduct and to deal with disciplinary and grievance matters 
 
Information shared with relevant managers, People Department personnel and with consultants we may engage 
Details of your performance management/improvement plans (if any) From you, from other colleagues (volunteers, employees, workers), and from consultants we may engage in relation to the performance review process 
 
To comply with our legal obligations 
 
Legitimate interests: to maintain people records and to comply with legal, regulatory and corporate governance obligations and good employment practice, to ensure safe working practices 
For people administration and assessments, to follow our policies and to monitor staff performance 
 
Information shared with relevant managers, People Department personnel and with consultants we may engage 
Details of your time and attendance records From you and from your manager 
 
To perform the employment contract, the worker contract, or the volunteer registration; 
 
Legitimate interest: to monitor and manage staff access to our systems and facilities and to record people absences 
For payroll and people administration and assessments, to follow our policies and to monitor staff performance and attendance 
 
Information shared with relevant managers, People Department personnel, and with consultants we may engage with 
Information in applications you make for other positions within our organisation From you To enter into/perform the employment contract, the worker contract, or the volunteer registration; 
 
To comply with our legal obligations 
 
Legitimate interests: to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice 
To process the application 
 
Information shared with relevant managers, People Department personnel [and with consultants we may engage] 
Information about your use of our IT, communication and other systems Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, remote access systems, email and instant messaging systems, intranet and internet facilities, telephones, voicemail, mobile phone records  Legitimate interests: 
 
to monitor and manage staff access to our systems and facilities; 
 
to protect our networks, and personal data of employees and customers/clients, against unauthorised access or data leakage; 
 
to ensure our business policies, such as those concerning security and internet use, are adhered to for operational reasons, such as maintaining employment records, recording transactions, training and quality control; 
 
to ensure that commercially sensitive information is kept confidential; 
 
to check that restrictions or restrictive covenants on your activities that apply after your employment or worker contract has ended, or volunteering has ceased
To protect and carry out our legitimate interests (see adjacent column 
 
Information shared with relevant managers, People Department personnel, and ICT personnel 
 
For further information, see ** below)
Details of your use of business-related social media, such as LinkedInFrom relevant websites and applications Legitimate interests: 
 
to monitor and manage people access to our systems and facilities; 
 
to protect our networks, and personal data of employees, workers, volunteers, and customers/clients, against unauthorised access or data leakage; 
 
to ensure our business policies, such as those concerning security and internet use, are adhered to; 
 
for operational reasons, such as maintaining people records, recording transactions, training and quality control; 
 
to ensure that commercially sensitive information is kept confidential; 
 
as part of investigations by regulatory bodies, or in connection with legal proceedings or requests 
To protect and carry out our legitimate interests (see adjacent column) 
 
Information shared with relevant managers, People Department personnel and ICT personnel For further information, see ** below 
Your use of public social media (only in very limited circumstances (a) to check specific risks for specific functions within our organisation; you will be notified separately if this is to occur or (b) exceptionally, where justified and relevant to an alleged breach of employment contract or relevant policy)From relevant websites and applications Legitimate interests: 
 
to monitor and manage staff access to our systems and facilities; 
 
to protect our networks, and personal data of employees, workers, volunteer, and customers/clients, against unauthorised access or data leakage; 
 
to ensure our business policies, such as those concerning security and internet use, and representing the Trust, are adhered to; 
 
for operational reasons, such as maintaining people records, recording transactions, training and quality control; 
 
to ensure that commercially sensitive information is kept confidential 
 
to check that restrictions on your activities that apply after your employment or worker contract has ended, or volunteering ceased (post-termination restrictions or restrictive covenants) are being complied with; 
 
as part of investigations by regulatory bodies, or in connection with legal proceedings or requests 
To protect and carry out our legitimate interests (see adjacent column) 
 
Information shared with relevant managers, People Department personnel [and with consultants we may engage] 
 
For further information, see ** below 
Details in references about you that we give to others From your personnel records, our other employees To comply with  a contract with you (where applicable in certain limited circumstances) 
 
Legitimate interests: to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice 
To provide you with the relevant reference
To comply with legal/regulatory obligations 
 
Information shared with relevant managers, People Department personnel and the recipient(s) of the reference 

You are required (by law or under the terms of your contract of employment, or in order to enter into your contract of employment or by law or under the terms of your contract as a worker, or in order to enter into your contract as a worker) to provide the categories of information marked ‘☐’ above to us to enable us to verify your right to work and suitability for the position, to pay you, to provide you with your contractual benefits, such as e.g. contractual sick pay and to administer statutory payments such as statutory sick pay (SSP). If you do not provide this information, we may not be able to employ you, to make these payments or provide these benefits. 
 
* Further details on how we handle sensitive personal information and information relating to criminal convictions and offences are set out in our Criminal Records Checks (Disclosure Scotland) policy, available through the Employee Handbook A-Z on TrustNet, or where this access is not possible, from the People Department. 
 
** Further information on the monitoring we undertake in the workplace and how we do this is available in our Social Media and IT Security policies available from the Policy Department.