Our privacy notice takes the form of FAQs (below) to make it easy for you to find the information you need.
The Scottish Legal Complaints Commission (‘the SLCC’) is committed to ensuring that its data processing activities are fully compliant with the data protection laws and the changes introduced by the General Data Protection Regulation (‘the GDPR’).
The SLCC is the ‘Data Controller’, which decides how your personal information is processed by us and for what reasons.
Our Privacy Notice lets you know what we will do with your personal information while we have it in our possession and how we will make sure that it is kept safe.
We were set up by the Legal Profession and Legal Aid (Scotland) Act 2007 (“the 2007 Act”) to act as the first point of contact for all legal complaints about Scottish legal practitioners, including solicitors, advocates and commercial attorneys.
Our aim is to modernise the legal complaints system and to enable to complaints to be resolved quickly and effectively.
We investigate and resolve complaints about inadequate professional service; refer conduct complaints to the appropriate professional bodies, i.e. the Law Society of Scotland, the Faculty of Advocates and the Association of Commercial Attorneys, to deal with any disciplinary matters. We also have oversight of complaint handling across the legal profession and have a role in promoting and advising on good complaint handling.
We monitor, prepare and publish reports on trends in practice about how complaints are dealt with by the legal profession. We also prepare and share statistical information about complaints, in an anonymised way, to inform the legal profession and our service users about complaints.
The SLCC’s Consumer Panel is a statutory Committee made up of representatives from various consumer organisations, currently Citizens Advice Scotland, Competition and Markets Authority, Scottish Independent Advocacy Alliance, QMU Consumer Dispute Resolution Centre, Scottish Women’s Aid and Scottish Council for Voluntary Organisations.
The Consumer Panel has an advisory role and does not have any statutory decision-making responsibilities insofar as complaints are concerned. In order for the Panel to assist us in taking into account the interests of consumers in its policy and process developments, we may need to share statistical and anonymised information about complaints with the Panel.
If you have any questions about how we use your personal information, or you would like more information, you can contact our Data Protection Officer Alison Marron:
We may contact you by post, email, telephone or by fax when we are dealing with a complaint.
We might also contact you when we are carrying out research, trend analysis and compiling statistics and reports about legal complaints.
We provide training opportunities in relation to complaint handling and may contact you to offer such services if and when these needs might be identified by us through our monitoring of complaints.
If you are a contractor, we will be contacting you about the service you provide. We contact stakeholders to seek their views, or provide information on our work.
If you want us to contact you in a particular way or you do not want us to contact you once a complaint has been dealt with by us, please let us know.
Personal information relates to a living individual who can be identified from that information. Identification can be by the information alone or along with any other information held by us.
Before we can process personal information about you, we must ensure that our use of your personal information is lawful.
The GDPR sets out a number of conditions to make sure that we can process your personal information lawfully. The conditions are:
- Consent, i.e. you agree to us using your personal information.
- Performance of a contract, e.g. to provide services or goods.
- Legal obligation, e.g. we are required by law to deal with legal complaints, to monitor trends, prepare and publish reports and to share information with certain specified organisations.
- Vital interests, e.g.to protect someone’s health/life.
- Performance of a public task or official authority, e.g. public functions or powers set out in law.
- Legitimate interest,i.e. where processing is necessary and information will be used in a way which would reasonably be expected.
You will find detailed information about the work that we do and the legal basis that we rely upon to use your personal information in our Guide to Data Protection.
Complaints must be made either online or on one of our complaint forms which is posted to us. Our forms ask you for personal information, including your name, address and contact details, together with information about your complaint and who you are complaining about, e.g. the individual solicitor/s, advocate/s or the firm. This information will be held on our computerised filing system and in a paper file which is created for each individual complaint which we receive.
If you are a practitioner or a firm complained about, then we are likely to receive personal information about you directly from the complainer. We may also ask you for personal information, or ask your firm’s Client Relations Manager for information about the complaint (as the person responsible for dealing with a complaint involving the firm). This information will be held on our computerised file and the paper file.
We are also likely to record personal information about you, such as your name, address and contact details and information about the complaint and who you are complaining about, when we speak to you on the telephone. This information may be recorded by us, even before a formal complaint has been made to us on one of our complaint forms. We do this so we know where to send a complaint form to (if you haven’t had one already), or if you want more information about the complaints process. It is helpful for us to record some information about you, in case you phone us again and so we can file your complaint form appropriately on receipt.
We also receive personal information from individuals who provide goods and services to us, for the purposes of performance of a contract. We have separate contracts which set out how we use this personal information.
Sometimes you might need to provide us with information which is particularly sensitive, e.g. medical information. We have additional checks and balances in place to make sure that we deal very carefully with this type information, to make sure that it is kept as secure as possible.
‘Special Category’ personal information relates to:
- ethnic origin
- political opinions
- religious and philosophical beliefs
- trade union membership
- biometric data
- sexual orientation
There are also specific safeguards in place about how we are to manage criminal offence and convictions information. As we are likely to need to process this data for the investigation of a complaint about a criminal case, we will make sure that we are aware of our duties regarding the security of that information.
If you are under the age of 16, we have to take extra care with the personal information which you provide to us. We have a separate Privacy Notice (see Under 16s’ Privacy Notice) which explains how we deal with your personal information.
You can visit our website without giving away any personal information. We use Google Analytics and Cookies to improve our service user experience and analyse how our website is used. You can choose whether or not these cookies are used.
Google Analytics will anonymise part of your IP address before storing it. The IP address will still give us an approximate location for you. Otherwise, most of the information collected is anonymous traffic data, including browser information, device information and language. We do not collect additional information such as your age, gender, bank details etc and do not use information on this from elsewhere in Google Analytics. The information we do collect is used to provide an overview of the visitors to our website, where they’ve come to the website from and how they use it. We do not use the information for any additional purpose.
If you complete our online complaint form, we will record the personal information that you complete in the form. If you save or submit a complaint form on our website, the information in the complaint form will be retained for 90 days. We will use the email address you’ve entered in the online complaint form to send you confirmation emails.
A full list of the cookies we use is on our website.
When we assess the eligibility of a complaint, investigate and/or determine service complaints, we do not need your consent to use your personal information as we have a legal obligation to carry out this work. The 2007 Act sets out how we should deal with complaints.
We might also have a legitimate interest to use your personal information in circumstances where we do not have a legal obligation, but where your personal information is used in ways that you would reasonably expect but has a minimum impact on your privacy rights.
Where we receive information from you in performance of a contract, we do not require consent from you to use your personal information.
In all other circumstances, we will require your consent before we can process your personal information.
We must provide you with specific information if we need to obtain your consent. Where we ask you for consent to process personal information, it is important that consent is given freely. Consent must be specific, informed and unambiguous.
This also includes the right to withdraw your consent at any time, should you wish to do so. If you want more information about when we might need your consent or about your right to withdraw consent, please contact our Data Protection Officer.
If you choose not to give us information which we ask you for, it might not be possible for us to deal with matters – this may mean we cannot process your complaint, or that we cannot work with you as a contractor. Feel free to talk to our Data Protection Officer about this if you are worried or have any questions.
If your personal information changes (for example your name, address and contact details) then please contact our enquiries team to let us know about the changes as soon as possible. We will then update the records that we hold about you.
We make sure that we:
- keep personal information up to date,
- store and destroy it safely,
- only collect or keep information that we need,
- protect personal information from loss, misuse, unauthorised access and disclosure, and
- ensure that we use appropriate technical measures to keep information safe.
We only accept complaints on one of our complaint forms which can be filled in online or posted to us. When we receive the complaint form, we will create a file on our computer system which holds your personal information. We may also open a paper file, which holds the paperwork that you provide to us.
Contractor information will be held securely in electronic or paper form, with access limited to those staff who need it (who the service is being provided to, finance, etc.)
When you call us with an enquiry about what we do, we will ask you for your name and contact details, which we usually record in our computerised case management system. If your enquiry relates to making a complaint, we might also ask you for additional information about you and/or the name of the individual(s) or firm being complained about.
When we deal with a complaint, we will usually disclose your name, contact details and the identity of any person acting on your behalf, if you are not dealing with the complaint yourself, to other persons or bodies who may be involved in the investigation of the complaint, such as the complainer, practitioner, firm or professional body.
We will also usually disclose information that you have provided to us about the complaint. This information may contain the identity of other individuals who were involved in the matter being complained about.
Personal information about any individual who is not involved in the complaint will not be disclosed or will be anonymised, where possible.
We may use your personal information to compile statistics, carry out research and analysis as part of our general oversight function. Your personal information will not be published in any of our reports, unless we have sought your consent to do so.
We may be required to share any of the information you provide to us where we are required to do so by law or to assist in the investigation of any alleged criminal offence.
The information that we receive about a complaint will be kept in our paper and computerised files for the purpose of investigating and deciding the complaint. Investigations can take a long time to complete, so it is not possible to say exactly how long we might keep your information for.
We do have a Retention and Destruction Policy, which explains how long we keep information for, once a complaint has been closed.
Personal information provided by our contractors will be retained by us in accordance with the terms of the contract and in accordance with our retention policy.
The SLCC operates in the UK and all of our computers are held in the UK. In order to allow us to carry out our legal obligations or duties set out in this Notice, we may need to send your information to businesses outside the UK.
If you complete an online complaint form, the emails sent will be operated through Mandrill. Mandrill processes data outside the EU, but is certified under the Privacy Shield scheme. We have a data processor agreement with Mandrill.
If you sign up to our email newsletter, the data you provide us will be sent to Mailchimp. Mailchimp processes data outside the EU, but is certified under the Privacy Shield scheme. We have a data processor agreement with Mailchimp.
If you agree to Google Analytics tracking, the data may be processed outside the EU. Google may process data outside the EU, but is certified under the Privacy Shield scheme. We have a data processor agreement with Google.
If you are involved in a complaint, your personal information will be accessed by our staff so that they can assess whether the complaint should be investigated by us and/or by the Law Society of Scotland, the Faculty of Advocates or the Association of Commercial Attorneys.
As part of the eligibility, investigation or determination processes, we might need to share information about you and the complaint with external Reporters, who are contractors employed by us, to prepare reports on complaints. Our Board Members are also involved in the complaints process, so your personal information and information about the complaint will also be shared with them.
We also use Mediation as a way of resolving complaints, which involves us needing to share information with external Mediators who are contracted by us for this process.
If we decide that the complaint has a conduct element to it, we will pass on copies of all of the information which we have received about the complaint to the Law Society of Scotland, the Faculty of Advocates or the Association of Commercial Attorneys to carry out the investigation.
In respect of all complaints received, we will notify the relevant professional body of the decision that we have made in respect of those complaints, i.e. if it has been accepted for investigation or rejected. This involves us emailing them copies of the completed complaint form and the decision which we have made.
Where the SLCC issues a notice that the complaint is premature or where the SLCC issues an Eligibility Decision Report or a Determination you have a right of appeal against the decision of the SLCC to the Court of Session. In these circumstances the SLCC may share your personal information with its legal advisers for the purposes of opposing the appeal.
We are also legally required to share information about service complaints that have been upheld with the Scottish Legal Aid Board (“SLAB”). Your name and information about the complaint will be sent to “SLAB” as part of this legal obligation.
If required, we might need to share information to assist in any investigation into alleged criminal or illegal conduct.
We have undertaken an audit of the personal information which we hold, so we know and we can provide details of our data processing activities. We have identified why we have personal information, whose information it, what information we process, when and where the processing occurs. Now we have this information, we can make sure that we keep that information safe.
We have various policies in place regarding the security of information, and what steps we need to take if there is an information security breach. Our Business Continuity Plan explains the steps that we will take in the event of a serious situation, which could result in personal information being lost, destroyed or inaccessible, e.g. in a fire, flood or a computer hacking situation.
The nature of our business is one which requires a culture of confidentiality. The 2007 Act requires us to keep information about complaints (including personal information) confidential, unless the law requires us to share information or where we need to do so in order to carry out our role.
We have a regularly reviewed Risk Register, which helps us to analyse the risks presented by our processing and we use this to assess what steps we need to take to keep information safe,
Our building and storage facilities are appropriately secured, e.g. controlled entry, locked doors, locked cabinets etc and our employees are regularly trained on data security, how to avoid data breaches and their confidentiality obligations.
Our computer systems are safeguarded with firewalls and antivirus software, we have regular backups of data and we use appropriate passwords and encryption of devices, such as USB sticks.
We will retain your personal information for the purposes of the employment relationship.
Your personal information will be stored in line with our Records Management policy and our Retention and Destruction Schedule.
We respect your privacy rights. Where we hold personal information about you, either in connection with a complaint or otherwise, in certain circumstances, you have rights about how we hold that information. Your rights include the right to:
- request information about or restrict processing of your personal information.
- request correction of inaccurate or incomplete personal information.
- have your personal information erased (this is known as ‘the right to be forgotten’).
- request access to your personal information.
- request that your personal information is moved, copied or transferred(this is known as ‘the right of data portability’).
- withdraw consent previously provided.
If you wish to know more about how to exercise your rights, or you wish to make a request about the personal information which we hold, please contact our Data Protection Officer. You can also find more information on the ICO’s website.
You are entitled to ask us for a copy of the personal information that we hold about you. To do this, you can email or write to us. We will usually respond within 1 month, but if the request is complex or there is a lot of information, we have up to 3 months to respond.
There is usually no charge for making a request for your personal information.
You should be aware that there are some circumstances when we don’t have to provide you with the information that you have asked for, or when we might charge a fee, e.g. the information also includes information about someone else and we do not have their permission to give it to you, the request is unfounded or excessive.
If we refuse to give you your personal information, we will explain why. If you are not happy, you have the right to contact the ICO. You must do this within one month.
This Privacy Notice was created on 24 May 2018. Its terms will be regularly monitored and formally reviewed after 6 months. Thereafter the review will take place at least every two years.
We can decide to change our Privacy Notice at any time without having to let you know first. If we make any changes or plan to use personal information for a new purpose, details will be posted on our website. If we think that it is necessary to tell you directly about changes which we have made, we will contact you.
If you are unhappy about the way that we have used/processed your personal information, feel free to contact our Data Protection Officer, who will try to help you with your concerns.
If you remain unhappy, you can make a complaint to the Information Commissioners’ Office (“the ICO”), which is the UK’s Supervisory Authority for data protection issues.
The ICO can be contacted at:
Information Commissioner's Office
Phone: 0303 123 1115