Privacy Statement for Glasgow Life
This privacy statement details the information we collect from you, what we do with it, and who it might be shared with. It was last updated on April 2020.
Previous Privacy Statements
If you would like to download a copy of our previous Privacy Statements you can do so below:
Who we are: Glasgow Life, the operating name of Culture and Sport Glasgow, is the controller of any personal information collected by us that is necessary for our processing purposes. Please see our Contact Us section below for details of our data protection officer.
Glasgow Life as a charity delivers cultural, sporting and learning activities on behalf of Glasgow City Council, inspiring Glasgow’s citizens and visitors to lead richer and more active lives.
Glasgow Life (and its sub-brands) are operating names of Culture and Sport Glasgow (“CSG”) a Scottish charity (No SCO37844) incorporated under the Companies Acts and limited by guarantee, registered in Scotland with Company No SC313851. Culture and Sport Glasgow (Trading) CIC (“CSG CIC”) is a trading subsidiary of CSG, a community interest company, registered in Scotland with Company No SC313850. CSG and CSG CIC (registered office at Commonwealth House, 38 Albion Street, Glasgow, G1 1LH) are collectively referred to by CSG’s operating name “Glasgow Life” for the purposes of our privacy statement and privacy notices (available at: www.glasgowlife.org.uk/privacy).
Culture and Sport Glasgow is registered with the Information Commissioner's Office under registration number: Z9838695
Culture and Sport Glasgow (Trading) CIC is registered with the Information Commissioner's Office under registration number: Z9838741
Why do we need your personal information and what do we do with it?
We only ask for the minimum personal data necessary to provide the service you request or are entitled to, and in most cases, this includes but is not limited to, your name and contact details and other personal data required.
The purpose of processing is the service or entitlement for which the information is being collected, and your personal data will not be used for another purpose, unless further specified on the form collecting the information, or otherwise provided to you as appropriate, or as provided for by law.
Please refer to the specific purposes on the form for further processing of your information.
We also use your information to verify your identity where required, contact you by post, email or telephone and to maintain our records.
Also, in the event of an emergency or civil incident, it may be necessary to collect your personal information to assist you, or protect you or others from harm.
For a number of areas of activity, we also receive information from third parties. For the majority, this is from other public authorities, such as the police and court service, NHS, HM Revenues and Customs and the Department for Work and Pensions. However, it could also be from other local authorities, Regulators and from members of the public.
Where possible, new IT systems and the development of existing IT systems will make use of system generated or anonymised data in test environments. However, there may be circumstances in which test environments, their users and their developers appointed by Glasgow Life/Glasgow City Council, such as CGI, may be required to utilise your personal data in a test environment. In such circumstances, Glasgow Life/Glasgow City Council require that development and test activity comply with data protection legislation, taking reasonable steps to protect your personal data.
Details of how this information is passed between us all is given in the specific privacy notices, relating to functions where we routinely receive personal information from third parties.
For using your information: The precise legal basis for us using your personal information will vary depending on which service we are providing to you. However, in most cases this will be because it is necessary for us to use your personal information to perform a task carried out in the public interest by us. If we are using your personal information on a different basis to this, this will be explained in the specific privacy notices, relating to those functions.
Processing non-sensitive personal information is carried out under one or more of the following:-
a) Necessary for the performance of a task carried out in the public interest by Glasgow Life
b) Necessary for the performance of a contract with you (or to take steps to enter into a contract with you)
c) Necessary for compliance with a legal obligation to which Glasgow Life is subject
d) On the basis of your consent
e) Necessary to protect the vital interests of you or another person
f) Necessary for the legitimate interests of Glasgow Life or a third party, except where such interests are overridden by your interests, rights or freedoms
If we are using your information because:
- it is required for us to have a contract with you
- we are providing a service to you under a public task
then if you do not provide us with the information we have asked for, we may not be able to provide that service to you.
Sensitive information: For some activities, we also need to process more sensitive personal information about you for reasons of substantial public interest as set out in the Data Protection Act 2018. It is necessary for us to process this more sensitive information for a number of reasons, these include:
- To carry out key functions as set out in law
- In order to meet our legal obligations in relation to employment, social security and social protection law
- In order to protect your vital interests or the vital interests of others in circumstances where we will not be able to seek your consent
- Where this is necessary for the establishment, exercise or defence of legal claims
- For purposes of the provision of social care and the management of health and social care systems and services where this is necessary in the public interest in the area of public health
- For archiving, research and statistical purposes.
If any apply: Almost all Glasgow Life data is held within the UK. Any overseas data transfers require additional internal approvals and we only send data overseas where we have been able to put in place measures to make sure that your personal information is as safe and respected in the overseas country, or countries in question, as it is in the UK. If we need to transfer your personal information overseas in relation to a particular activity, this will be explained in the specific privacy notice relating to that function along with a description of the protective measures we have put in place to keep it secure.
How long do we keep your information for? We only keep your personal information for the minimum period necessary. Sometimes this time period is set out in law, but in most cases it is based on business need.
We maintain a records retention schedule which sets out how long we hold different types of information. You can view this on our website at www.glasgowlife.org.uk/rrs or you can request a hard copy.
Information: Most of the personal information we hold relates to people we are providing services to. However, we also hold information about other people as well, where this is necessary for us to carry out particular functions.
In some cases we will contact these other people directly to inform them:
- that we have been provided with information about them
- to also tell them about their rights under data protection law
- to advise them about the terms of this privacy statement and any specific privacy notice.
However, in many cases this is impractical.
The details of what we do with this sort of information and why we hold it is provided in the specific privacy notice relating to functions where we routinely hold information about people who are not our service users.
Profiling or automated decision-making: We make some use of automated decision-making and profiling for personalisation of our direct marketing. Where these techniques are used elsewhere, this will be explained in the specific privacy notices relating to those functions, together with a description of the reason involved in any automated decision-making.
Depending on age requirements or the nature of service requested, where it is necessary to process a child’s personal information on the basis of consent, we may need the consent of the person with parental responsibility for the child. This will be specified on the form if applicable.
Emergency Response Management
In the event of an emergency or civil incident we may use data matching to help us or the Council family identify people who need additional support, or if an incident affects the Council family, we may also need to share information with partner organisations in order to respond to it.
Contact with you
Contact with you and personalisation preferences for direct marketing purposes: You may choose to opt in or to restrict the collection or use of your personal information for direct marketing purposes, which includes personalisation. Whenever you are asked to fill in a form, look for the box that you can tick to indicate that you consent to hear from us. If you have previously consented for marketing purposes, you can withdraw your consent by contacting us, or for every electronic marketing message we send you, there is also an unsubscribe link, and where applicable, a link where you can update all your preferences and personalisation options in a user preferences control portal.
Keep in mind, even if you unsubscribe, we may still need to contact you (for service notification purposes).
We do not intentionally contact children under 13 without the consent of the person with parental responsibility (see Children section above).
Monitoring and Statistical Research
A payment card or direct debit instruction can be presented by a user, to a payment processing service or device which we subscribe to. We do not process the card number details directly but do store bank account details where you have requested that we collect payment by direct debit. For one-off card payments on behalf of a cardholder, our staff may occasionally enter payment card details into a payment processing service or device. If our staff enter cardholder details on behalf of the user, it is entered only as instructed and not recorded or stored in any permanent form.
Our security / Promise
Our promise around how we handle your data: We understand that you care about your privacy and we take this responsibility seriously. Glasgow Life will always respect and treat your personal information with the due care that you have entrusted us. We promise to take all reasonable steps to keep your details secure by ensuring appropriate technical and organisational measures are in place to safeguard your information.
Your rights under data protection law:
Access to your information – you have the right to request a copy of the personal information that we hold about you.
Correcting your information – we want to make sure that your personal information is accurate, complete and up to date. Therefore you may ask us to correct any personal information about you that you believe does not meet these standards.
Deleting your information – you have the right to ask us to delete personal information about you where:
- You think that we no longer need to hold the information for the purposes for which it was originally obtained
- We are using that information with your consent and you have withdrawn your consent – see the ‘withdrawing consent to using your information’ section below. Please note that in general we do not rely on consent as the legal basis for processing your personal information, except when it is appropriate or lawful to do so, e.g. direct marketing
- you have a genuine objection to our use of your personal information – see ‘objecting to how we may use your information’ below
our use of your personal information is contrary to law or our other legal obligations.
Objecting to how we may use your information – you have the right at any time to tell us to stop using your personal information for direct marketing.
Restricting how we may use your information – in some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information that we hold about you or we are assessing the objection you have made to our use of your information. This right might also apply if we no longer have a basis for using your personal information - but you don’t want us to delete the data. Where this right is realistically applied will mean that we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Withdrawing consent to use your information – Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.
You can see a summary of how your rights are implemented for each legal basis used here.
Please contact us if you wish to carry out any of these rights.
You can contact our data protection officer about any data protection matter by:
c/o Data Protection, GCC, City Chambers, George Square, Glasgow G2 1DU, United Kingdom
Telephone: 0141 287 1055
For any other Glasgow Life enquiry or service complaint (not about a data protection matter) you can submit:
Telephone: 0141 287 8977 (for service complaints) or 0141 287 4350 (for general enquiries).
Postal Address (for any other services): Admin, Commonwealth House, Glasgow Life, 38 Albion Street, Glasgow G1 1LH
Our data protection officer aims to directly resolve all complaints about how we handle personal information (see Contact Us above).
However, you also have the right to lodge a complaint about a data protection matter with the Information Commissioner’s Office, who can be contacted by:
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Phone: 0303 123 1113 (local rate) or 01625 545 745.
You can visit their website for more information at https://ico.org.uk/concerns
For more details on how we process your personal information please click on any of the links below for any of our services.
If you need this information in another format, please visit www.glasgowlife.org.uk/privacy or see Contact Us as above.
A full list and explanation of all the terminology listed in this privacy statement can be viewed here.
Data Subject: A living individual who can be identified, directly or indirectly, by information.
Controller: A natural or legal person who determines the purposes for which (and the means by which) personal data are processed. Controllers must comply with the data protection principles.
Processor: A natural or legal person which processes personal data on behalf of the controller under an agreement that provide written instructions for the processing. The processor cannot use the data for their own purposes.
Processing Purposes: Defined very widely. It means any operation (or set of operations) performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (including dissemination or transmission), alignment or combination, restriction, erasure or destruction, (processing operation). All of which to achieve an intended objective (business purpose).
Personal Data: Any information relating to a data subject by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject.
Special Category Data: Data relating to the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, sexual orientation, and identifying genetic and biometric data. The processing of the special categories of personal data is subject to tighter restrictions than other personal data.
Criminal Convictions and Offences Data: Criminal convictions and offences or related security measures of personal data is subject to tighter restrictions than other personal data.