Privacy Notice - Highlands and Islands Enterprise

Last updated in June 2022.

Highlands and Islands Enterprise (HIE) is one of Scotland's economic development agencies and a non-departmental public body of the Scottish Government.

Our Data Protection Officer can be contacted at: Data Protection Officer, An Lòchran, 10 Inverness Campus, Inverness, IV2 5NA, Scotland, dataprotectionofficer@hient.co.uk, 01463 245245.

How we use your personal data

HIE collects and uses personal data in order to provide its public services to individuals and businesses, for example to:

  • Deliver its services and meet its legal responsibilities
  • Stay in touch by post, email or telephone
  • Process financial transactions
  • Carry out and provide research
  • Prevent fraud or corruption and ensure compliance with sanction regimes.

HIE may also share personal information with service delivery partners to enable them to do any of these things for HIE and also with other public-sector organisations such as the Scottish Government, Business Gateway, Scottish Enterprise and Skills Development Scotland to pursue their objectives.

The purposes of the processing

Most commonly, we will use personal data in the following circumstances:

  • Providing advice, information or support to a business or community group;
  • Assessing applications for and providing grants and funding;
  • Administering events or training;
  • Conducting research, evaluation or analysis of HIE’s activities and about the economic, community and social wellbeing of the Highlands and Islands. We may also undertake research, evaluation and analysis activities to continually develop and improve HIE’s performance and its ability to serve the Highlands and Islands;
  • Sending communications, information and updates;
  • Responding to enquiries, requests or complaints, including providing information in response to a Freedom of Information request.

For more details of what personal data we use and the purposes in specific situations, please go to the relevant heading below.

Business suppliers and bidders

HIE works with many organisations that provide goods and services. As part of our procurement process and in the course of our business relationship we will collect some personal data about bidders and suppliers and their employees, including:

  • Names and contact information including business address, email address and telephone numbers.
  • Profile information including your username and password for HIE accounts. 
  • Bid information relating to individual contractors or employees of contractors including professional/trade memberships and enrolments, CVs, educational and professional qualifications, references, source(s) of personal information, including whether it comes from publicly available resources.
  • The content of business correspondence and communications with suppliers and bidders.
  • Criminal convictions data relating to applicant organisations or to key individuals within those organisations to meet our duties under the Procurement (Scotland) Regulations 2016 (regulation 8).
  • (In the case of sole traders) Financial information about the business including financial standing, bank account details and financial statements.
  • (In the case of sole traders) Transaction information including details about payments to and from the supplier and other details of goods and services provided to us.
  • (In the case of sole traders) Evaluation of bids and feedback following evaluation.

HIE receives the personal data from tendering businesses when they contact us or provide a quote or a bid and when they become a supplier. Depending upon the due diligence checks required for the specific contract, we also collect information from other sources such as:

  • From publicly accessible sources, for example, Companies House and the Electoral Roll;
  • Credit reference agencies;
  • Other third parties (e.g. references);
  • Your bank or building society, another financial institution or adviser.

Purposes

The information we collect is used for purposes relevant to our business relationship and includes:

  • Processing and evaluation of the quote or bid. (This information may be shared with third parties for evaluation purposes);
  • Managing the contract and the provision of goods and/or services to HIE;
  • Preparing research and statistics about the economic, community and social wellbeing of the Highlands and Islands, and;
  • Taking appropriate measures to counter fraud.

Lawful basis

The processing of personal data in the context of working with our suppliers and contractors is necessary to carry out tasks in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e). Where we are engaged in audit and management activities outside our statutory role, HIE will process personal data where necessary to fulfil these legitimate interests to operate effectively as an organisation and ensure best value (UK GDPR article 6(1)f).

Where HIE is processing information relating to a sole trader, personal information will also be processed to enable HIE to enter into and manage a contract (UK GDPR article 6(1)(b)).

We process criminal convictions data relating to key individuals within tendering organisations to meet our duties under the Procurement (Scotland) Regulations 2016 (regulation 8), which is a legal obligation (UK GDPR, article 6(1)c) and meets a substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

We will process and share information related to suspected or actual criminal or dishonest acts to prevent fraud and protect public funds as part of our statutory task (UK GDPR, article 6(1)e) and to meet the substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

Recipients

Where required, we provide personal data relating to suppliers and bidders and their employees to:

  • Audit Scotland for audit and for counter-fraud measures;
  • Partner organisations;
  • Our auditors or accountants;
  • Banks and financial service providers for the purposes of payments and accounting.

Employees of businesses and members of community organisations

HIE works with many organisations to provide support in the form of advice, financial support, property and infrastructure to promote the economic, community and social development of the Highlands and Islands. 

Some organisations will have a more formal ongoing relationship with HIE, which we refer to as client engagement. When an organisation is engaged with HIE, they will receive a notification referring them to HIE’s privacy statement.

Categories of personal data processed by HIE

  • Contact information for the client organisation including names of contacts and employees, business address, email address and telephone numbers.
  • Profile information including username and password for HIE accounts. 
  • Business correspondence
  • Marketing and communications preferences
  • Information relating to attendance at events and meetings including information about dietary or access requirements.

Most information we hold relates to businesses and organisations rather than to individuals. However, in the case of sole traders, much business information will also be personal data, such as:

  • Financial information including bank account details, payment card details and financial statements.
  • Transaction information includes details about payments to and from you and other details of services you have received from us.

Sources of information

HIE receives data relating to the officials, employees and members of the organisations we work with, when the organisations contact us or make an enquiry, when they browse our website, through attendance at meetings, seminars, or events and through ongoing communication. Organisations should inform their employees or members when passing their data to us and may link to this privacy notice.

HIE also obtains information about organisations from third party sources, such as Companies House, local councils, referees identified to us by you, banks and credit reference agencies. This will normally be organisational information but will include some personal data.

Purposes

We will use the data as necessary for providing advice, services and support to your organisation, for managing our relationship – including financial accounting, fair work conditionality, audit and the detection and prevention of fraud – and to meet our reporting and evaluation responsibilities.

Lawful basis

The processing of personal data in the context of our support to businesses and community organisations is necessary in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e). At times we partner with other organisations to deliver services outside the Highlands and Islands region and in these situations, data is processed in exercising our legitimate interest to assist the Scottish Government and other public and voluntary sector partners (UK GDPR article 6(1)f). Where we directly send marketing information to individuals by email or text message, we do so on the basis of individual consent (UK GDPR article 6(1)a).

Where appropriate and necessary, we use special category data relating to individuals (such as health or disability) to make reasonable adjustments for them as required under the Equalities Act 2010. This is a legal obligation (UK GDPR, article 6(1)c) meeting our obligations and individuals’ rights under social protection law (UK GDPR article 9(2)b and Data Protection Act 2018, schedule 1, part 1, paragraph 1). We will also use special category data (such as disability, race, religion, sexual orientation) to monitor equality of opportunity or treatment. This is necessary for us to fulfil our public task (UK GDPR, article 6(1)e) and meets a substantial public interest (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 1, paragraph 8).

We will process and share information related to suspected or actual criminal or dishonest acts to prevent fraud and protect public funds as part of our statutory task (UK GDPR, article 6(1)e) and to meet the substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

Recipients

Depending on the nature of the advice and support we are providing to an organisation, we will share individual contact information and other limited personal data with external third parties including Scottish Development International, Scottish Manufacturing Advisory Service, the Scottish Government, Scottish Funding Council, Scottish Enterprise, Skills Development Scotland, Business Gateway and other Government Agencies, funding and grant award bodies, research organisations or education and training providers. We will always have a lawful basis to share any personal information.

HIE publishes a list of clients we engage with and our approvals list on our website on a quarterly basis. The approvals list provides details on financial assistance awarded to businesses, community groups, public sector partners and other organisations to deliver specific projects.

Funding and loan applicants and recipients

HIE administers a number of funding and loan programmes. While most of the funding and loan awards are to businesses and organisations, this will involve the processing of some personal data relating to individuals making the application on behalf of an organisation, other officers and contacts of the organisation named in the application including:

  • Contact information for the applicant organisation including names of contacts and employees, business address, email address and telephone numbers;
  • Profile information including username and password for HIE accounts; 
  • Contents of the correspondence and communications we receive from you;
  • Marketing and communications information including your preferences in receiving marketing from us and our third parties and your communication preferences;
  • Information relating to attendance at events and meetings including information about dietary or access requirements.

Most information we receive and hold about funding applications relates to businesses and organisations rather than to individuals. However, in the case of sole traders and individual applicants, other business information will also be personal data, such as:

  • Financial information including bank account details, payment card details and financial statements and (in the case of loans) details of repayments and arrears.
  • Transaction information includes details about payments to and from you and other details of services you have received from us.

Failure to provide personal data

If you do not provide accurate personal data as requested by HIE, please be aware that your funding application may be invalidated.

Purposes

We will use the information for confirming eligibility to apply, assessing applications, administering payments, accounting, reporting and taking appropriate measures to counter fraud.

Lawful basis

The processing of personal data in the context of managing funding and loans to businesses and community organisations is necessary in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e). At times we partner with other organisations to deliver services outside the Highlands and Islands region and in these situations, data is processed in exercising our legitimate interest to assist the Scottish Government and other public and voluntary sector partners (UK GDPR article 6(1)f).

Where you are a sole trader, we will also process personal information that is necessary to enable us to enter into and manage our contract with you (UK GDPR article 6(1)(b)).

We process criminal convictions data relating to key individuals within tendering organisations to meet our duties under the Procurement (Scotland) Regulations 2016 (regulation 8), which is a legal obligation (UK GDPR, article 6(1)c) and meets a substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

We will process and share information related to suspected or actual criminal or dishonest acts to prevent fraud and protect public funds as part of our statutory task (UK GDPR, article 6(1)e) and to meet the substantial public interest in preventing unlawful acts and preventing fraud. (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 2, paragraphs 10 and 14).

Recipients

To process and administer funding and loans, we may share applicant information with:

  • Partner organisations such as Scottish Government, Scottish Enterprise and councils;
  • Credit reference agencies;
  • Funding bodies, such as the Big Lottery Fund;
  • External assessors and advisers, who are subject to duties of confidentiality;
  • Audit Scotland and our internal auditors.

Note about COVID-19 Funds

Some of the funding schemes being made available to assist businesses with the impact of COVID-19 are being managed slightly differently to the processes described above, and HIE may receive an application via a third party.

HIE is receiving information from Scottish Enterprise in relation to the Creative, Tourism and Hospitality Hardship Fund and the Pivotal Enterprise Resilience Fund for the purposes of reviewing and appraising applications. The lawful basis for processing any personal information is that this process is a task in the public interest. A limited amount of information from applications will be shared with other public authorities offering COVID-19 grant funding schemes to verify eligibility. Once a decision has been reached, the outcome will be passed back to Scottish Enterprise to conclude the process.

Job applicants

When people apply for a job with HIE, we will hold a range of their personal data including:

  • Names and contact information;
  • Qualifications, education and experience;
  • Assessments of applications and interview performance;
  • Details of personal requirements to allow arrangements to be made for interview and reasonable adjustments for employment;
  • Evidence of citizenship and eligibility to work in the UK;
  • Equality and diversity information, for monitoring purposes.

For preferred and successful candidates, we will obtain further personal data including:

  • References;
  • Bank details.

HIE processes a wider range of personal data relating to employees. This is explained in a separate staff privacy notice on the HIE intranet.

Failure to provide personal data

If you do not provide accurate personal data as requested by HIE, please be aware that your job application may be invalidated.

Purposes

We will use the information for confirming eligibility to apply, assessing applications, administering payments, accounting, reporting and taking appropriate measures to counter fraud.

Lawful basis

HIE processes the personal data of job applicants as this is necessary to perform or enter into an employment contract (UK GDPR article 6(1)(b)). We will also carry out checks on identity and eligibility to work in the UK to meet our legal obligations (UK GDPR article 6(1)c).

Where appropriate and necessary, we use special category data relating to job applicants (such as health or disability) to make reasonable adjustments for them as required under the Equalities Act 2010. This is a legal obligation (UK GDPR, article 6(1)c) meeting our obligations and individuals’ rights under employment law (UK GDPR article 9(2)b and Data Protection Act 2018, schedule 1, part 1, paragraph 1). We will also use special category data (such as disability, race, religion, sexual orientation) to monitor equality of opportunity or treatment in recruitment. This is necessary for us to fulfil our public task (UK GDPR, article 6(1)e) and meets a substantial public interest (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 1, paragraph 8).

We process information about applicant criminal convictions and offences where this is necessary for the performance of our public task (UK GDPR article 6(1)e) and in the public interest (UK GDPR article 9(2)g and Data Protection Act 2018, Schedule 1, part 2, paragraph 6(2)(a)). 

Recipients

Depending upon your circumstances, to process and administer funding, we share applicant information with:

  • Partner organisations such as Scottish Government, Scottish Enterprise and councils;
  • Credit reference agencies;
  • Funding bodies, such as the Big Lottery Fund;
  • External assessors and advisers, who are subject to duties of confidentiality.

National Fraud Initiative

HIE is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of this authority. It is also responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there is an inconsistency that requires further investigation.

No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Audit Scotland currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to Audit Scotland for matching for each exercise, and these are set out in Audit Scotland's instructions, which can be found at https://www.audit-scotland.gov.uk/our-work/counter-fraud.

The use of data by Audit Scotland in a data matching exercise is carried out with statutory authority under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the General Data Protection Regulation of the Data Protection Act.

Data matching by Audit Scotland is subject to a Code of Practice. This may be found at: https://www.audit-scotland.gov.uk/our-work/counter-fraud.

For further information on Audit Scotland’s legal powers and the reasons why it matches particular information, see www.audit-scotland.gov.uk/our-work/national-fraud-initiative

For further information on data matching at this authority, email customer.service@hient.co.uk

Subscribers to newsletters and other communications

When you subscribe to receive newsletters or other regular communications from HIE we will use the following personal data to manage our communications:

  • Names and contact information including address, email address and telephone numbers.
  • Subscription preferences

We will only retain the data while it is in current use and you may object or withdraw consent to receive communications at any time.

Lawful basis

For marketing to businesses and organisations (corporate subscribers), we consider this to be necessary to carry out tasks in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e) or to meet the legitimate interest HIE has in promoting our services and community engagement (UK GDPR article 6(1)f).

We will only send digital marketing communications to personal email addresses or phone numbers with your consent (UK GDPR, article 6(1)a).

Recipients

We share personal data relating to communications with:

  • For physical mail, with mail fulfilment companies
  • For digital communications, with digital marketing platform providers. Currently HIE uses Mailchimp, a US-based company, and limited personal data (name, email address and communication preferences) are transferred overseas. HIE has a contract in place with Mailchimp including the required Standard Contractual Clauses. See also Mailchimp’s Privacy Policy.

Training and event attendees

When you book to attend HIE events or training, or participate in a mentorship programme, we will use personal data such as:

  • Names and contact information including business address, email address and telephone numbers.
  • Profile information including your username and password for HIE accounts. 
  • Records of events and training attended.
  • Information relating to the individual’s particular requirements at an event.
  • Equality and diversity information for monitoring purposes.

Purposes

The information we collect is used for purposes relevant to the administration of events and training and includes:

  • Administration of the event, mentorship or training course;
  • The payment of fees, where relevant;
  • Evaluation of training and events;
  • Telling you about similar events in future;
  • Monitoring of equality and diversity.

Lawful basis

The processing of personal data in the context of running events and training is necessary to carry out tasks in the public interest and to exercise HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e). At times we partner with other organisations to deliver services outside the Highlands and Islands region and in these situations, data is processed in exercising our legitimate interest to assist the Scottish Government and other public and voluntary sector partners. (UK GDPR article 6(1)f)

Where appropriate and necessary, we use special category data relating to individuals attending events or training (such as health or disability) to make reasonable adjustments for them as required under the Equalities Act 2010. This is a legal obligation (UK GDPR, article 6(1)c) meeting our obligations and individuals’ rights under social protection law (UK GDPR article 9(2)b and Data Protection Act 2018, schedule 1, part 1, paragraph 1). We will also use special category data (such as disability, race, religion, sexual orientation) to monitor equality of opportunity or treatment. This is necessary for us to fulfil our public task (UK GDPR, article 6(1)e) and meets a substantial public interest (UK GDPR, article 9(2)g, Data Protection Act 2018, schedule 1, part 1, paragraph 8).

Recipients

We share personal data relating to events and training with:

  • Event organisers, venues and training providers;
  • Other attendees to facilitate networking.

Visitors to HIE premises

When people visit HIE premises, we will hold personal data including:

  • Names and organisation of visitors provided to reception;
  • CCTV images;
  • Information about personal support requirements.

Purposes

The information we collect is used to:

  • Manage access to our offices and facilitate visits and meetings;
  • Ensure adherence with COVID track and trace requirements;
  • Maintain security and health and safety;
  • Make reasonable adjustments to ensure our offices are safe and accessible for all visitors.

Lawful basis

HIE processes the personal data of visitors in support of its legitimate interests to ensure a safe and healthy working environment (UK GDPR article 6(1)f).

Where appropriate and necessary, we use special category data relating to individuals (such as health or disability) to make reasonable adjustments for them as required under the Equalities Act 2010. This is a legal obligation (UK GDPR, article 6(1)c) meeting our obligations and individuals’ rights under social protection law (UK GDPR article 9(2)b and Data Protection Act 2018, schedule 1, part 1, paragraph 1).

Recipients

Personal data of visitors may also be held by our facilities management providers.

Wave Energy Scotland (WES)

WES is a subsidiary of HIE. Their privacy policy is available on the WES website.

Cairngorm Mountain Scotland Ltd (CMSL)

CMSL is a subsidiary of HIE. Their privacy policy is available on the CMSL website.

Our legal basis for processing personal data

In most cases, HIE processes personal data where it is necessary:

  • In the performance of tasks carried out in the public interest or in the exercise of HIE’s official authority under the Enterprise and New Towns (Scotland) Act 1990 for the purpose of preparing, concerting, promoting, assisting and undertaking measures for the economic and social development of the Highlands and Islands (UK GDPR article 6(1)e);
  • To comply with a legal obligation (UK GDPR article 6(1)c); or
  • To meet a legitimate interest of HIE or another organisation (UK GDPR article 6(1)f).

A legitimate interest is when there is a reasonable commercial or operational reason to use personal data, as long as this does not impact unfairly on individuals. Our legitimate interests include:

  • Delivering services or functions in the public interest outside the Highlands and Islands, at the request of the Scottish Government or another public sector partner;
  • Managing our information, system, network and cyber security, including the monitoring and protection of our IT systems;
  • System development and enhancement, including website analytics. This includes the continuous improvement of service provision;
  • Defending legal claims;
  • Preventing and detecting fraud;
  • Credit control.

Recipients of personal data, including service delivery partners

Where necessary for the purpose, we share personal data with other organisations such as:

  • External third parties including the Scottish Government, Scottish Enterprise, Skills Development Scotland, Business Gateway and other Government Agencies;
  • Internal and external auditors and statutory regulators including the Information Commissioner's Office, the Scottish Information Commissioner and the Scottish Public Services Ombudsman;
  • Third party product and service providers;
  • Financial and non-financial intermediaries;
  • Third sector support agencies;
  • Educational bodies;
  • Research organisations; and
  • Funding bodies, for example, the Big Lottery Fund.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

International transfer

For most of our activities, all personal data will remain within the UK on our servers and premises. However, in some of our programmes HIE works with international partners or suppliers and some limited personal data may be transferred outside the UK and EU. We will ensure any such transfer complies with data protection law and has the necessary and appropriate safeguards in place.

Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, audit or reporting requirements.

Our retention schedule is available on request.

Your personal data rights

You have a range of rights over your personal data, including:

  • A right of access and to receive a copy of any personal data we hold about you;
  • A right of rectification of any inaccurate data;
  • In certain limited circumstances, rights of erasure or of restriction of data HIE should no longer hold;
  • A right to object to how your data is used;
  • A right to withdraw your consent in the rare circumstances where HIE is using your data on this basis.

For more information about these rights, go to "Your data matters" on the ICO website.

To exercise any of these rights contact HIE at: Data Protection Officer, An Lòchran, 10 Inverness Campus, Inverness, IV2 5NA, dataprotectionofficer@hient.co.uk, 01463 245245.

If you believe HIE has not complied with our legal duties with regard to your personal data, you can complain to the ICO at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. 0303 123 1113 (local rate) or 01625 545 745. https://ico.org.uk/concerns