Data Protection Policy

Last updated: March 2026

1. Purpose

The purpose of this policy is to ensure that all staff who process personal data on behalf of Scottish Accident do so in accordance with the principles of the General Data Protection Regulation (GDPR).

2. Scope

Scottish Accident is committed to protecting the rights and privacy of all staff and others in accordance with the GDPR 2016/679. This policy applies to all employees, contracted employees, and third parties who process personal data on behalf of Scottish Accident.

3. GDPR Principles

The GDPR sets out seven key principles that underpin all data processing activities. Scottish Accident is committed to upholding each of these principles:

  1. Lawfulness, Fairness and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Data subjects must be informed about how their data is being used.
  2. Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  3. Data Minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure inaccurate data is erased or rectified without delay.
  5. Storage Limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
  6. Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  7. Accountability: The data controller is responsible for, and must be able to demonstrate compliance with, all of the above principles.

4. Role of Scottish Accident

When dealing with employee data, Scottish Accident is a ‘data controller’ as defined by the GDPR. This means Scottish Accident determines the purposes and means of processing personal data relating to its employees.

Scottish Accident may also act as a ‘data processor’ when processing personal data on behalf of other organisations in the course of managing claims.

Scottish Accident appoints a Data Protection Officer (DPO) who serves as the primary point of contact with the Information Commissioner's Office (ICO) and ensures that the organisation meets its obligations under the GDPR.

5. Data Protection Officer

Scottish Accident's Data Protection Officer is Nikki Milne, Claims Manager. The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

For any data protection queries or concerns, please contact the DPO at info@scottishaccident.co.uk.

6. Governance

This policy has been approved by the Director of Scottish Accident. It is reviewed on an annual basis to ensure it remains current and effective in light of any changes to legislation, guidance, or organisational practices.

Failure to comply with this policy may result in disciplinary action. Any breach of data protection obligations will be treated seriously and may lead to formal disciplinary proceedings.

7. Rights of Data Subjects

All data subjects have the following rights under the GDPR:

  • The right to access information held about them by Scottish Accident.
  • The right to ensure the information is correct and to request rectification of any inaccurate or incomplete data.
  • The right to complain if they are dissatisfied with how their personal data has been handled.

To exercise any of these rights, contact us at info@scottishaccident.co.uk. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Employees

All employees of Scottish Accident must comply with this policy and the ICO GDPR Guidelines when processing personal information. Employees are expected to:

  • Only access personal data that is necessary for their role
  • Not disclose personal data to unauthorised individuals
  • Report any data breaches or suspected breaches immediately to the DPO
  • Complete data protection training as required
  • Ensure that personal data is stored securely and disposed of appropriately

9. Third Parties

Others working for or on behalf of Scottish Accident must operate in accordance with the GDPR at all times when handling personal data. Such third parties include, but are not limited to:

  • Insurers
  • Solicitors
  • Brokers
  • Referrers

All third parties who process personal data on behalf of Scottish Accident are required to enter into appropriate data processing agreements to ensure GDPR compliance.

10. Freedom of Information

Scottish Accident is not a Public Authority and is therefore not governed by the Freedom of Information Act. However, Scottish Accident will cooperate fully with any clients who are Public Authorities and are subject to the Freedom of Information Act, to the extent required.

Data protection queries?

Contact our Data Protection Officer at info@scottishaccident.co.uk or write to us at 36 Speirs Wharf, Glasgow, G4 9TG.