We’re an executive agency of the Scottish Government. As a regulator, funder and policy advisor, we work to achieve the sustainable management and expansion of forests and woodlands to deliver more for Scotland.
In order to do this, we gather and process data, including personal information, to carry out our legal and statutory obligations. We do this in line with the Data Protection Act 2018 and UK GDPR requirements.
What is personal data?
Personal data is described by the Information Commissioner’s Office (ICO) as “information that relates to an identified or identifiable individual”. It can also include special categories of personal data such as information about a person’s health, ethnicity or sexual orientation or criminal conviction and offences data.
The data we gather
The personal information we gather will vary according to the task. Depending on service we are fulfilling it could include:
- personal details such as a person’s title, name or alias, and contact details including home address
- business information such as an address, Ordance Survey (OS) location, GPS reference, location code, business reference number, agent and/or legal representative, and business ownership details
- personal identifiers such as a person’s signature, visual images or filmed footage
- financial information such as customer name, supplier name, account number and/or sort code, copies of invoices and bank statements, title deeds and/or tenancy agreements, and business accounts
- special category information may be collected in specific cases such as part of an investigation into unauthorised fellings
We’ll seek to keep your personal information accurate and up to date.
To ensure it's reliable, please inform us as soon as possible if there are any changes.
Why we process your personal data
We must have a valid lawful basis to process your personal data. Mostly, we process personal data to perform a task in the public interest and to carry out our official functions, where the task or function has a clear basis in law. Sometimes, we may also have consent from an individual to process personal data for a specific purpose or to fulfil a contract.
The personal information we gather will only be kept and used for clear, limited purposes and it'll be adequate and relevant to the task.
How we use your data
We’ll use your data for a range of purposes. For example:
- to pay grant claims
- to consult on and process grant applications
- to approve felling permission applications and forest management plans
- to investigate unauthorised fellings
- to undertake plant health surveillance and regulation duties
- to co-ordinate the UK Land Carbon Registry
- to map information to Geostore
- to fulfil contractual obligations and to make payments
- to respond to enquiries
- to use images across internal and public facing platforms
If you do not provide us with your personal information, we'll be unable to fulfil our statutory obligations and provide the services needed.
Who we share your personal information with
We may share our information internally across our organisation or Scottish Government.
We may share your personal information with other public and regulatory bodies to ensure we are meeting our legal and statutory obligations. This may include:
- Police Scotland
- Rural Payments and Services Division (RPID)
- Scottish Environment Protection Agency (SEPA)
- Health and Safety Executive (HSE)
- Historic Environment Scotland (HES)
- Nature ScotForest Research
- Forest and Land Scotland
- Scottish Government
- Forestry Commission
- Science and Advice for Scottish Agriculture (SASA)
- Animal and Plant Health Agency (APHA)
- Appointed contractors
- Local authorities
We may also share your information with third parties to meet our business requirements, such as undertaking surveys and carrying out assessments. We may request other agencies or businesses to process personal information on our behalf, through service level agreements or contracts.
In all these situations, UK GDPR requirements are adhered to.
How we store your personal information
Hard copies of personal information is kept in secure file storage at our local offices in filing cabinets with access limited to office staff as necessary.
Personal information stored electronically is on secure networks accessible only through the use of an encrypted laptop. Some case management systems are used which are password protected. Sensitive information is stored in areas with restricted user access.
Personal information which is shared is done so in a variety of secure ways. This could include using systems which require password protection and two-factor authentication. Information is provided to named staff members and may be shared on a system which is accessible by invitation only or through an encrypted laptop.
How long we keep your personal information
Personal information is kept for a minimum period based on business need, as well as statutory, regulatory and legal requisites. Once this period has passed, arrangements are made to securely delete or destroy it.
Transfer of personal data outside of the European Economic Area (EEA)
If your personal information is going to be processed outside the UK or European Economic Area (EEA), you’ll be informed of this and the safeguards that are in place.
Links to other websites and cookies
Where we provide links to other websites, we're not responsible for the content of these websites.
Cookies are pieces of data that are often created when you visit a website. Visit our 'Cookies' web page for more information.
Your rights in relation to your personal information:
• You’ve a right to request access to, and copies of, the personal information that we hold about you by making a 'subject access request'
• If you believe that any of the personal information that we hold about you is inaccurate or incomplete, you’ve a right to request that we correct or complete your personal information
• You’ve a right to object to and/or request that we restrict the processing of your personal information for specific purposes
• Where you’ve given consent to the processing of your personal information, you’ve the right to withdraw that consent
Any requests received by us will be considered under applicable data protection legislation.
You can email the Data Protection Officer to exercise any your rights.
Your right to complain
We're committed to protecting your personal information and privacy. If you have queries or concerns, please contact us.
If you remain dissatisfied, you've a right to raise a complaint with the Information Commissioner's Office.
Changes to this privacy notice
We keep this privacy notice under regular review to make sure it's up to date and accurate.
This privacy notice was last updated on 1 October 2021.