Privacy notice - Highlands and Islands Enterprise

HIE works with many organisations that provide goods and services. As part of our procurement process and in the course of our business relationship we will collect some personal data about bidders and suppliers and their employees, including:

• name and contact information including business address, email address and telephone numbers

• profile information including your username and password for HIE accounts

• bid information relating to individual contractors or employees of contractors including professional/trade memberships and enrolments, CVs, educational and professional qualifications, references, Source(s) of personal information, including whether it comes from publicly available resources

• the content of business correspondence and communications with suppliers and bidders

• criminal convictions data relating to applicant organisations or to key individuals within those organisations to meet our duties under the Procurement (Scotland) Regulations 2016 (regulation 8)

• (in the case of sole traders) financial information about the business including financial standing, bank account details and financial statements

• (in the case of sole traders) transaction information including details about payments to and from the supplier and other details of goods and services provided to us

• (in the case of sole traders) evaluation of bids and feedback following evaluation

HIE receives the personal data from tendering businesses when they contact us or provide a quote or a bid and when they become a supplier. Depending upon the due diligence checks required for the specific contract, we also collect information from other sources such as:

• from publicly accessible sources, for example, Companies House and the electoral roll

• credit reference agencies

• other third parties (e.g. references)

• your bank or building society, another financial institution or adviser

Purposes

The information we collect is used for purposes relevant to our business relationship and includes:

• processing and evaluation of the quote or bid. (This information may be shared with third parties for evaluation purposes)

• managing the contract and the provision of goods and/or services to HIE

• preparing research and statistics about the economic, community and social wellbeing of the Highlands and Islands

• taking appropriate measures to counter fraud

Lawful basis

The processing of personal data in the context of working with our suppliers and contractors is necessary to carry out tasks in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e). Where we are engaged in audit and management activities outside our statutory role, HIE will process personal data where necessary to fulfil these legitimate interests to operate effectively as an organisation and ensure best value (UK GDPR article 6(1)f).

Where HIE is processing information relating to a sole trader, personal information will also be processed to enable HIE to enter into and manage a contract (UK GDPR article 6(1)(b).

We process criminal convictions data relating to key individuals within tendering organisations to meet our duties under the Procurement (Scotland) Regulations 2016 (regulation 8), which is a legal obligation (UK GDPR, article 6(1)c) and meets a substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

We will process and share information related to suspected or actual criminal or dishonest acts to prevent fraud and protect public funds as part of our statutory task (UK GDPR, article 6(1)e) and to meet the substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

Recipients

Where required, we provide personal data relating to suppliers and bidders and their employees to:

• audit Scotland for audit and for counter-fraud measures

• partner organisations

• our auditors or accountants

Banks and financial service providers for the purposes of payments and accounting.

HIE works with many organisations to provide support in the form of advice, financial support, property and infrastructure to promote the economic, community and social development of the Highlands and Islands. 

Some organisations will have a more formal ongoing relationship with HIE, which we refer to as client engagement. When an organisation is engaged with HIE, they will receive a notification referring them to HIE’s privacy statement.

Categories of personal data processed by HIE:

• contact information for the client organisation including names of contacts and employees, business address, email address and telephone numbers

• profile information including username and password for HIE accounts

• business correspondence

• marketing and communications preferences

• information relating to attendance at events and meetings including information about dietary or access requirements

Most information we hold relates to businesses and organisations rather than to individuals. However, in the case of sole traders, much business information will also be personal data, such as:

• financial information including bank account details, payment card details and financial statements

• transaction information includes details about payments to and from you and other details of services you have received from us

Sources of information

HIE receives data relating to the officials, employees and members of the organisations we work with, when the organisations contact us or make an enquiry, when they browse our website, through attendance at meetings, seminars, or events and through ongoing communication. Organisations should inform their employees or members when passing their data to us and may link to this privacy notice.

HIE also obtains information about organisation from third party sources, such as Companies House, local councils, referees identified to us by you, banks and credit reference agencies. This will normally be organisational information but will include some personal data.

Purposes

We will use the data as necessary for providing advice, services and support to your organisation, for managing our relationship – including financial accounting, fair work conditionality, audit and the detection and prevention of fraud – and to meet our reporting and evaluation responsibilities.

Lawful basis

The processing of personal data in the context of our support to businesses and community organisations is necessary in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands. (UK GDPR article 6(1)e) At times we partner with other organisations to deliver services outside the Highlands and Islands region and in these situations, data is processed in exercising our legitimate interest to assist the Scottish Government and other public and voluntary sector partners. (UK GDPR article 6(1)f). Where we directly send marketing information to individuals by email or text message, we do son on the basis of individual consent.  (UK GDPR article 6(1)a)

Where appropriate and necessary, we use special category data relating to individuals (such as health or disability) to make reasonable adjustments for them as required under the Equalities Act 2010. This is a legal obligation (UK GDPR, article 6(1)c) meeting our obligations and individuals’ rights under social protection law (UK GDPR article 9(2)b and Data Protection Act 2018, schedule 1, part 1, paragraph 1).  We will also use special category data (such as disability, race, religion, sexual orientation) to monitor equality of opportunity or treatment. This is necessary for us to fulfil our public task (UK GDPR, article 6(1)e) and meets a substantial public interest (UK GDPR, article 9(2)g), Data Protection Act 2018, schedule 1, part 1, paragraph 8).

We will process and share information related to suspected or actual criminal or dishonest acts to prevent fraud and protect public funds as part of our statutory task (UK GDPR, article 6(1)e) and to meet the substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

Recipients

Depending on the nature of the advice and support we are providing to a organisation, we will share individual contact information and other limited personal data with external third parties including Scottish Development International, Scottish Manufacturing Advisory Service, the Scottish Government, Scottish Funding Council, Scottish Enterprise, Skills Development Scotland, Business Gateway and other Government Agencies, funding and grant award bodies, research organisations or education and training providers.  We will always have a lawful basis to share any personal information.

HIE publishes an approvals list detailing financial assistance awarded to businesses, community groups, public sector partners and other organisations to deliver specific projects.

HIE administers funding and loan programmes. While most of the funding and loan awards are to businesses and organisations, this will involve the processing of some personal data relating to individuals making the application on behalf of an organisation, other officers and contacts of the organisation named in the application including:

• contact information for the applicant organisation including names of contacts and employees, business address, email address and telephone numbers

• profile information including username and password for HIE accounts

• contents of the correspondence and communications we receive from you

• marketing and communications information including your preferences in receiving marketing from us and our third parties and your communication preferences

• information relating to attendance at events and meetings including information about dietary or access requirements

Most information we receive and hold about funding applications relates to businesses and organisations rather than to individuals. However, in the case of sole traders and individual applicants, other business information will also be personal data, such as:

• financial information including bank account details, payment card details and financial statements and (in the case of loans) details or repayments and arrears

• transaction information includes details about payments to and from you and other details of services you have received from us

Exceptionally, HIE may require further personal information about you to determine whether you meet the criteria of a particular support scheme and this may include special category personal data. This type of information will always be kept to a minimum and it will always be made clear to you exactly what you need to provide.

Failure to provide personal data

If you do not provide accurate personal data as requested by HIE, please be aware that your funding application may be invalidated.

Purposes

We will use the information for confirming eligibility to apply, assessing applications, administering payments, accounting, reporting and taking appropriate measures to counter fraud.

Lawful basis

The processing of personal data in the context of managing funding and loans to businesses and community organisations is necessary in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands. (UK GDPR article 6(1)e) At times we partner with other organisations to deliver services outside the Highlands and Islands region and in these situations, data is processed in exercising our legitimate interest to assist the Scottish Government and other public and voluntary sector partners. (UK GDPR article 6(1)f).

Where you are a sole trader, we will also process personal information that is necessary to enable us to enter into and manage our contract with you (UK GDPR article 6(1)(b).

We process criminal convictions data relating to key individuals within tendering organisations to meet our duties under the Procurement (Scotland) Regulations 2016 (regulation 8), which is a legal obligation (UK GDPR, article 6(1)c) and meets a substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

We will process and share information related to suspected or actual criminal or dishonest acts to prevent fraud and protect public funds as part of our statutory task (UK GDPR, article 6(1)e) and to meet the substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

Where HIE is required to collect additional personal information to determine whether you meet certain funding criteria, this will usually be processed to allow us to enter into and manage our contract with you (UK GDPR article 6(1)(b).

We may sometimes process special category personal data using consent or substantial public interest and the condition being used will always be made clear to you at the time your personal information is being collected. (UK GDPR, articles 9(2)a and 9(2)(g), Data Protection Act 2018, schedule 1, part 2, paragraph 8).

Recipients

To process and administer funding and loans, we may share applicant information with:

• partner organisations such as Scottish Government, Scottish Enterprise and councils

• credit reference agencies

• funding bodies, such as the Big Lottery Fund

• external assessors and advisers, who are subject to duties of confidentiality

• audit Scotland and our internal auditors

When people apply for a job with HIE, we will hold a range of their personal data including:

• name and contact information

• qualifications, education and experience

• assessments of applications and interview performance

• details of personal requirements to allow arrangements to be made for interview and reasonable adjustments for employment

• evidence of citizenship and eligibility to work in the UK

• equality and diversity information, for monitoring purposes

For preferred and successful candidates, we will obtain further personal data including:

• references

• bank details

HIE processes a wider range of personal data relating to employees. This is explained in a separate staff privacy notice on the HIE intranet.

Failure to provide personal data

If you do not provide accurate personal data as requested by HIE, please be aware that your job application may be invalidated.

Purposes

We will use the information for confirming eligibility to apply, assessing applications, administering payments, accounting, reporting and taking appropriate measures to counter fraud.

Lawful basis

HIE processes the personal data of job applicants as this is necessary to perform or enter into an employment contract (UK GDPR article 6(1)(b). We will also carry out checks on identity and eligibility to work in the UK to meet our legal obligations (UK GDPR article 6(1)c).

Where appropriate and necessary, we use special category data relating to job applicants (such as health or disability) to make reasonable adjustments for them as required under the Equalities Act 2010. This is a legal obligation (UK GDPR, article 6(1)c) meeting our obligations and individuals’ rights under employment law (UK GDPR article 9(2)b and Data Protection Act 2018, schedule 1, part 1, paragraph 1).  We will also use special category data (such as disability, race, religion, sexual orientation) to monitor equality of opportunity or treatment in recruitment. This is necessary for us to fulfil our public task (UK GDPR, article 6(1)e) and meets a substantial public interest (UK GDPR, article 9(2)g), Data Protection Act 2018, schedule 1, part 1, paragraph 8).

We process information about applicant criminal convictions and offences where this is necessary for the performance of our public task (UK GDPR article 6(1)e) and in the public interest (UK GDPR article 9(2)g and Data Protection Act 2018, Schedule 1, part 2, paragraph 6(2)(a)). 

Recipients

Depending upon your circumstances, to process and administer funding, we share applicant information with:

• partner organisations such as Scottish Government, Scottish Enterprise and councils

• credit reference agencies

• funding bodies, such as the Big Lottery Fund

• external assessors and advisers, who are subject to duties of confidentiality

HIE is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of this authority. It is also responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there is an inconsistency that requires further investigation.

No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Audit Scotland currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Audit Scotland for matching for each exercise, and these are set out in the Audit Scotland's instructions, which can be found at https://www.audit-scotland.gov.uk/our-work/counter-fraud.

The use of data by the Audit Scotland in a data matching exercise is carried out with statutory authority under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the General Data Protection Regulation of the Data Protection Act.

Data matching by the Audit Scotland is subject to a Code of Practice. This may be found at: https://www.audit-scotland.gov.uk/our-work/counter-fraud.

For further information on the Audit Scotland’s legal powers and the reasons why it matches particular information, see www.audit-scotland.gov.uk/our-work/national-fraud-initiative
For further information on data matching at this authority email customer.service@hient.co.uk

When you subscribe to receive newsletters or other regular communications from HIE we will use the following personal data to manage our communications:

• name and contact information including address, email address and telephone numbers

• subscription preferences

We will only retain the data while it is in current use and you may object or withdraw consent to receive communications at any time.

Lawful basis

For marketing to businesses and organisations (corporate subscribers), we consider this to be necessary to carry out tasks in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e) or to meet the legitimate interest HIE has in promoting our services and community engagement (UK GDPR article 6(1)f).

We will only send digital marketing communications to personal email addresses or phone numbers with your consent (UK GDPR, article 6(1)a).

Recipients

We share personal data relating to communications with:

• for physical mail, with mail fulfilment companies

• for digital communications, with digital marketing platform providers. Currently HIE uses Mailchimp, a US-based company, and limited personal data (name, email address and communication preferences) are transferred overseas. HIE has a contract in place with Mailchimp including the required Standard Contractual Clauses. See also Mailchimp’s Privacy Policy

When you book to attend HIE events or training, or participate in a mentorship programme, we will use personal data such as:

• name and contact information including business address, email address and telephone numbers

• profile information including your username and password for HIE accounts

• records of events and training attended

• information relating to the individual’s particular requirements at an event

• equality and diversity information for monitoring purposes

Purposes

The information we collect is used for purposes relevant to the administration of events and training and includes:

• administration of the event, mentorship or training course

• the payment of fees, where relevant

• evaluation of training and events

• telling you about similar events in future

• monitoring of equality and diversity

Lawful basis

The processing of personal data in the context of running events and training is necessary to carry out tasks in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e). At times we partner with other organisations to deliver services outside the Highlands and Islands region and in these situations, data is processed in exercising our legitimate interest to assist the Scottish Government and other public and voluntary sector partners. (UK GDPR article 6(1)f)

Where appropriate and necessary, we use special category data relating to individuals attending events or training (such as health or disability) to make reasonable adjustments for them as required under the Equalities Act 2010. This is a legal obligation (UK GDPR, article 6(1)c) meeting our obligations and individuals’ rights under social protection law (UK GDPR article 9(2)b and Data Protection Act 2018, schedule 1, part 1, paragraph 1).  We will also use special category data (such as disability, race, religion, sexual orientation) to monitor equality of opportunity or treatment. This is necessary for us to fulfil our public task (UK GDPR, article 6(1)e) and meets a substantial public interest (UK GDPR, article 9(2)g), Data Protection Act 2018, schedule 1, part 1, paragraph 8).

Recipients

We share personal data relating to events and training with:

• event organisers, venues and training providers

• other attendees to facilitate networking

When people visit HIE premises, we will hold personal data including:

• name and organisation of visitors provided to reception

• CCTV images

• information about personal support requirements

Purposes

The information we collect is used to:

• manage access to our offices and facilitate visits and meetings

• maintain security and health and safety

• make reasonable adjustments to ensure our offices are safe and accessible for all visitors

Lawful basis

HIE processes the personal data of visitors in support of its legitimate interests to ensure a safe and health working environment (UK GDPR article 6(1)f).

Where appropriate and necessary, we use special category data relating to individuals (such as health or disability) to make reasonable adjustments for them as required under the Equalities Act 2010. This is a legal obligation (UK GDPR, article 6(1)c) meeting our obligations and individuals’ rights under social protection law (UK GDPR article 9(2)b and Data Protection Act 2018, schedule 1, part 1, paragraph 1).

Recipients

Personal data of visitors may also be held by our facilities management providers.

Wave Energy Scotland (WES) is a subsidiary of HIE. Its privacy policy is available at https://www.waveenergyscotland.co.uk/legal/privacypolicy/.

CMSL is a subsidiary of HIE. Its privacy policy is available at https://www.cairngormmountain.co.uk/privacy/