February 24, 2020
On these pages you will find details of the Park Authority’s Privacy Statement – how we collect information and what we do with it.
This is how we generally use information collected or obtained for various services (being updated on an ongoing basis).
This privacy statement is the privacy notice for all Park Authority services. We will use your details to provide you with the service(s) which you or someone else (with your CONSENT) have asked us to provide. We will also use your personal details for purposes of crime prevention and crime detection and/or when required by law and will share it with other public bodies for that purpose.
The three core areas of business for the National Park Authority are Conservation, Visitor Experience and Rural Development. These activities are supported by the Corporate Services function.
The Park Authority is a Planning Authority, with planning powers to decide all planning and related applications within the boundary of Loch Lomond & The Trossachs National Park.
The Park Authority is an Access Authority, and upholds access rights in accordance with the Land Reform (Scotland) Act 2003.
The following is a broad description of the way we process personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices we have provided or contact us to ask about your personal circumstances.
Planning – as a Planning Authority, personal information is processed for the consideration of planning applications, proposals for housing and tourism and for the enforcement and monitoring of planning developments.
Personal information is processed for the purposes of reporting byelaw infringements, in terms of the Camping Management Byelaws 2017.
This is in addition for the issuing of fixed penalty notices for litter or flytipping and the management of a camping booking system.
Personal information is processed for the purpose of compliance with the Loch Lomond Byelaws 2013 for all powered craft launched on Loch Lomond.
We process personal information to enable us to promote our goods and services, to maintain our accounts and records, to support and manage our staff and volunteers, and to guide and set the direction for the National Park.
In terms of data protection legislation, the Park Authority is the data controller of any personal information provided to or gathered by us.
This privacy statement describes what we will and will not do with the information we hold about you. It sets out the general approach we take, in each case with additional information relating to particular areas of our activity.
The Park Authority does not sell or rent your personal details to any external organisations.
For most purposes, we will only process your information with your consent. In most cases, we understand that by providing us with your details in order to obtain a service from the Park Authority you are consenting to us using those details in order to provide that service to you. Except as set out in this privacy statement, we will not use your personal details for any other purpose without first obtaining your consent to that other purpose or purposes (you may have been asked to provide this additional consent at the time when you originally contacted us, for example in an additional section on an application or other form).
We retain personal data relative to the purpose for which it was gathered in accordance with the time periods for retention set out in our record retention schedule. Our retention schedule is maintained in accordance with the Public Records Scotland Act 2011. Specific details on the use and retention of your personal data will be provided at the point we collect your data and you may contact us at any time if you have any queries about your rights as an individual in terms of how we are processing your data.
By law, we are obliged to provide information to certain other public bodies such as the Department for Work and Pensions, HM Revenues and Customs, courts, tribunals, hearings and other formal bodies dealing with legal processes, and various external regulatory bodies. We also have an obligation to assist in the prevention of crime and we will therefore generally supply specific information which we are asked to provide to the police or other crime detection agencies, provided we are satisfied that the request is connected to an investigation and that disclosure would be lawful and proportionate.
External contractors who are appointed to process information on behalf of the Park Authority will do so under our instructions. All contractors which do this are appointed under written contracts requiring them to keep personal information safe and prohibiting them from doing anything with the personal data they process for us other than following the Park Authority’s instructions.
Staff information is primarily held by the Park Authority in order to out its duties as an employer. In connection with this we hold information on staff relating to ethnic background, disability etc. in order to comply with our obligations relating to monitoring equality of opportunities and discrimination legislation. Where applicable we will hold information on trade union membership to allow for payment of union subscriptions deducted from pay and will share this information with the relevant unions to allow these subscriptions to be collected. We also share information where applicable with other recipients of payroll deductions such as Glasgow Credit Union or suppliers of salary sacrifice schemes such as child care voucher providers. Earnings information is supplied to HMRC as required by law to allow for deduction of PAYE and national insurance contributions.
Information will generally be released to the police and other criminal investigation agencies on request in relation to specific investigations; provided the Park Authority is satisfied that legitimate grounds exist for doing so. It will also be released to government agencies able to compel disclosure such as the Child Support Agency if we receive an appropriate request. Information will be released to courts and employment tribunals in relevant cases and may be shared with external legal advisers in these cases. It will also be released in response to an order from a court with competent jurisdiction to make such an order. It may also be released (without consent) in response to investigations by external regulators such as Audit Scotland, the UK and Scottish Information Commissioners and Scottish Public Services Ombudsman.
If The Park Authority receives a freedom of information (“FOI”) request which includes information relating to staff, then as a general rule such requests will be refused (or the staff information removed/redacted from the response) unless it relates to more senior members of staff.
However, each request will be considered on its own merits and in line with guidance issued by the Information Commissioner and Scottish Information Commissioner. Even for more senior staff, we will not release information which does not directly relate to that member of staff’s work activities, so information such as home address will not generally be released. Staff will be consulted ahead of any decision to release their personal data in response to an FOI request. The same principles apply to information relating to former members of staff (subject to the caveat that the Park Authority may be unable to readily contact such individuals to seek their views on disclosure and will generally reach a decision without making contact).
The Park Authority has a communications team which deals with queries from the press and media.
In responding to these queries, our communications team applies the same rules as all other officers of the Park Authority and will only release information about individuals in line with this privacy statement. In terms of this approach, personal information held by the Park Authority will only be released to the media if there are compelling reasons for doing so.
The Park Authority’s properties are covered by a variety of CCTV (closed circuit television) systems. These systems are designed primarily to protect the buildings from theft or vandalism; some systems are also intended to help protect staff.
An individual has a right of access to their own personal data but does not have any rights to recordings of other individuals.
Police officers or the courts may request access to recordings for evidential purposes. The courts are not required to complete a form demonstrating the right to request the footage although police officers are required to complete and submit the Park Authority’s standard request for information form for approval before they will be given consent to view or remove recordings. The Park Authority Data Protection Officer will determine whether or not they are satisfied that the justification provided by police officers is sufficient to allow access to the recordings.
All queries regarding public space CCTV should be directed to our business mailbox email@example.com.
What is ‘DIRECT marketing’? What is ‘DESTINATION marketing’?
Direct marketing is marketing which is directed at specific individuals as opposed to, for example, a newspaper advertisement which would be marketing but not direct marketing as it isn’t directed at you as a particular individual.
Controlling your personal information for direct marketing purposes:
You may choose to restrict the collection or use of your personal information for direct marketing purposes in the following ways:
View our privacy notice relating to our camping booking system in full.
When you send us an email, we use your email address to thank you for your comment and/or reply to your enquiry, and we will store your communication and our reply for any future correspondence in accordance with our data retention policy. Beyond our initial reply, we will never use your email address to send you any unsolicited message or information, nor will we share it with or sell it to anyone else for such use.
When you accept to receive information about our services, promotions, newsletters, press releases, and/or offers, we use your email address and any other information you give us to provide you with the information or other services, until you ask us to stop (using the ‘unsubscribe’ instructions provided with each email communication and/or on the site where you signed up, and/or as we otherwise provide), or until the information or service is no longer available.
Some of our website(s) use the social plugin “like” button, widgets such as “share this” button, or Facebook Pixels, provided by the social network facebook.com, operated by Facebook Inc., 1601 S. California Avenue, Palo Alto, CA 94304, USA (“Facebook”). The plugin is identifiable by the bluish and white Facebook logo “f”.
By visiting our website(s) your browser (and in some cases your mobile device) establishes a connection to Facebook servers. Facebook directly transfers the plugin, widget or other similar technologies (like pixels) content from your browser (or mobile device), enabling Facebook to receive information about you having accessed the respective page of our website(s). We have no direct influence on the data gathered by these technologies.
If you are logged into Facebook, your visit can be assigned to your Facebook account. If you interact with the plugin by clicking “Like” the corresponding information is transmitted from your browser directly to Facebook and stored by it. Even if you are not logged into Facebook, there is a possibility that the plugin transmits some data e.g. your IP-address to Facebook.
If you are a Facebook member and do not want Facebook to connect the data concerning your visit to our website with your member data already stored by Facebook, please log out of Facebook before entering our website(s).
The Park Authority does not intentionally upload any personal information to Facebook for the purposes of targeted marketing e.g. using Facebook services like Custom Audiences.
For more information about how online behavioural advertising works and what you can do to manage your privacy, please visit the pan European Interactive Digital Advertising Alliance (EDAA) website: Your Online Choices.
The Park Authority uses photographs and video footage of a wide range of people in all and any media to promote the services, mainstream activities and facilities that it provides. Such media include (but are not limited to) posters, leaflets, printed publications, display stands and banners, reports and pages on our website. None of the materials are produced for sale, and the photograph or video clip of you/your child will only be used in materials produced or commissioned by the Park Authority for the Specified Purposes and in accordance with data protection legislation from time to time in force. The Park Authority shall only store copies of the photograph or video clip for the Specified Purposes.
If you agree that the Park Authority may use photograph/video footage of you or your child (and you confirm that you are the parent/carer of the child) for the Specified Purposes in our consent form, we will store your contact details in restricted access files in case we need to contact you. The contact details you provide will only be used in the event of a query regarding the photograph or video footage. Your details will not be used for any other purpose and will not be disclosed to anyone outside of the Park Authority except where you also signify agreement on our consent form to us submitting photographs to local and national press to generate publicity for an event or service.
Rectification, Blocking, Erasure & Destruction
Complaints to the Commissioner
ICO Scotland contact details
Information Commissioner’s Office
Telephone: 0303 123 1113
How do I make a Subject Access Request?
This list is not exhaustive and other forms of identification may be acceptable. At least one form of identification should contain the same signature that is on your application form or letter and one must include a photograph. Please note that the Park Authority will not be able to comply with any requests received unless satisfactory proof of identification is provided.
You are not required to state WHY you wish to access the information: the details we require are merely those that will aid the efficient location and retrieval of information.
Once we receive a Subject Access Request, you will receive all the information that has been located and can be released within one calendar month and an explanation for any information that cannot be provided at that time.
Upon receipt of a request, we must provide:
We must respond to Subject Access Requests within one calendar month.
Data Protection Officer
National Park Authority
In terms of data protection legislation, the Park Authority is the data controller of personal data (information relating to identifiable living individuals) collected or obtained by or through our websites.
The Park Authority is registered under the Data Protection Act 1998 and as a data controller (notification number Z6815521); the register entry can be inspected in the ICO’s Register of Data Controllers.
Our websites do not automatically capture or store personal information, other than logging the user’s IP address and session info such as the duration of the visit and the type of browser used. This is recognised by the Web server and is only used for system administration and to provide statistics which the Park Authority uses to evaluate use of the site.
All marketing information will include an option for you to opt out of any future, similar correspondence. We do not contact children under 12 without the CONSENT of a legal parent or guardian.
We believe that keeping personal information secure is one of our most important responsibilities.
We maintain all necessary physical, electronic and procedural security to help safeguard personal, sensitive and payment data against loss, misuse or alteration. Third parties that provide us with support or services may also receive personal, sensitive or payment information, and we require them to maintain security measures similar to ours with respect to such information.
In compliance with the Privacy and Electronic Communications Regulations 2003 (as amended) subscribers are given the opportunity to un-subscribe at any time. This process is detailed at the footer of each email campaign.
Communication, engagement and actions taken through external social media platforms that we utilise, and users participate on, are bound to the terms and conditions, and the privacy policies held with each social media platform respectively.
Users are advised to use social media platforms wisely and communicate / engage upon them with due care and caution in regard to their own privacy and personal details. We will never ask for personal or sensitive information through social media platforms, and encourage users wishing to discuss sensitive details to contact us through our standard primary communication channels, such as by telephone or in writing.
Some of our websites use social plugins which help share web content directly from web pages to the social media platform in question. Users are advised before using such social plugins we utilise that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.
If you are aged 12 or under, please ask your parent or guardian’s permission before you provide personal information on any of our websites
The information provided on our websites is believed to be accurate at the time of writing but The Park Authority accepts no liability for the contents and anyone relying on these contents does so at their own risk. Nothing on our websites is to be construed as binding the Park Authority or constituting an offer on behalf of the Park Authority.