Data protection

As a processor of personal data you must comply with the General Data Protection Regulations 2016 or other successor legislation. You can read more about how this applies to you on the Information Commissioners website.

Data sharing for Peer review

The Information Commissioner recommends putting in place Data Sharing Agreements with any third parties who you share data with or who process data on your behalf.

A Data Sharing Agreement should be agreed and signed by all relevant parties and should state why sharing is necessary and what conditions are in place to make it lawful.

A Data Sharing Agreement is considered best practice as it makes each party consider all legal implications, including the seven Data Protection Principles. In addition to the General Data Protection Regulations you should also consider any statutory prohibitions on sharing, copyright restrictions or a duty of confidence that may affect your ability to share personal data.

Other specific benefits to having a written agreement in place include:

  • Minimised risk of breaking the law and consequent enforcement action by the ICO or other regulators
  • Better public trust by ensuring that legally required safeguards are in place and complied with
  • Better protection for individuals when their data is shared
  • Greater trust and a better relationship with the people whose information you want to share
  • Reduced reputational risk caused by the inappropriate or insecure sharing of personal data

For further information on how we will be managing data during the accreditation process please read our privacy notice.

When your agency applies for accreditation you will be sharing data about your agency with us. You must therefore sign a Data Sharing Agreement and send a copy to us. We will provide further information about these requirements before your peer review takes place.

Sharing information with us via a secure file sharing platform

If your agency chooses to share its information and/or case files with us via a secure file sharing platform you must complete and sign a Data Sharing Agreement.

Guidance notes about our file sharing platform are available here.

Sharing information via remote access to your case management system

If your case management system and internal policies allow it, you can share your data by granting the peer reviewers and the Auditor remote access.

If you use AdvicePro, you can provide the peer reviewer with remote access to your Case Management System. It will be your responsibility to set up an account for the peer reviewer and to isolate the case-files to be reviewed. Paula Beaton at AdviceUK can support you with this process.

The template for accessing Advicepro can be found here and if you would like to know how the reviewers undertake reviewing on Advicepro the guidance can be viewed here.

If you are a Citizens Advice Bureau (CAB) your peer review will be carried out by remote access to your case-files on CASTLE. Further information about this is available here.

We can possibly allow our peer reviewers remote access to other case management systems depending on the technical requirements and whether we have the resource available to undertake this.

If you have a system accessible by remote access and you’d like to find out if it’s possible for our peer reviewers to access your case management system remotely please email SNSIAP@slab.org.uk and provide the following information:

  • Outline of the case management system
  • Whether you have to have special software or add-ons to access the system remotely
  • What browsers can access the system
  • Which formats the documents attached to the system are in and briefly how it works
  • What support your organisation can provide as it would be up to your organisation to provide the IT support to allow access to your system

By choosing to share information via remote access to your case management system you will remain the data controller of the information provided to the peer reviewer and SLAB will not have any responsibility for the shared information in terms of Data Sharing Legislation. You may therefore wish to enter into a Data Sharing Agreement between your agency and the peer reviewer.

We have created a template Data Sharing Agreement for this purpose which agencies are free to use, however you should seek your own legal advice. CABx have a separate template DSA.

Please note that this guidance does not constitute legal advice and you are advised to seek your own independent legal advice in relation to your organisation’s obligations under data protection legislation.

Audit and accreditation

Data Sharing Agreement:

Scottish National Standards for Information & Advice Providers (Type I Advice Agencies or Type II/III post-Peer Review Advice Agencies).

If you are a Type I organisation or a Type II/III organisation and have completed the Peer Review process and obtained the required Peer Review compliance score through the Moderation Committee, you will be required to intimate to the audit function that you are applying to the Scottish Government, to be accredited under the standards.

When your agency applies for accreditation you will be sharing data about your agency and the audit function will provide you with an audit Data Sharing Agreement that will contain information relative to your organisation. The audit function will request your organisation to complete this agreement and sign off to progress through the Audit and Accreditation process.

Privacy notice

For further information on how we will be managing data during the Audit and Accreditation process please read our audit privacy notice.

For information purposes only the template audit Data Sharing Agreement can be found here (do not complete this form).

We will provide further information about these requirements before your audit takes place.