Standard Life Foundation is committed to protecting your personal information.
Who we are
Standard Life Foundation (“the Foundation”) was incorporated in the name of Standard Life Charitable Trust, and is registered as a charity with the Office of the Scottish Charity Regulator (“OSCR”) under charity number SC040877. It is part of the Standard Life Aberdeen plc group, one of the world’s largest investment companies. The Foundation focuses specifically on research into the issues surrounding financial well-being in the UK.
How to contact us
FAO Data Protection Officer
Standard Life Foundation,
1 George Street,
Information we collect and use
Information about you that we collect and use includes:
- Information about who you are e.g. your name, date of birth and contact details
- Information connected to your relationship with us e.g. your organisation’s bank account details
- Information about your contact with us e.g. meetings, phone calls, emails / letters
- Information that is automatically collected e.g. via cookies when you visit one of our websites
- Information if you visit one of our offices e.g. visual images collected via closed circuit television (CCTV)
Where we collect your information
We may collect your personal information directly from you, from a variety of sources, including:
- Phone conversations with us
- Emails or letters you send to us
- Participating in research surveys to help us understand the issues surrounding financial well-being within the UK
We may also collect personal information on you from places such as business directories and other commercially or publicly available sources e.g. to check or improve the information we hold (like your address) or to give better contact information if we are unable to contact you directly.
Why we collect and use your information
We take your privacy seriously and we will only ever collect and use information which is personal to you where it is necessary, fair and lawful to do so. We will collect and use your information only if we are able to satisfy one of the lawful processing conditions set out in the data protection laws.
This will be the case where:
- You have given us your permission (consent) to use your information
  - You can withdraw your consent at any time by emailing: firstname.lastname@example.org
- It’s necessary for us to meet our legal or regulatory obligations e.g. for the detection and prevention of fraud
- It’s in the legitimate interests of the Foundation e.g.
  - Where we need to process your information to better understand you and your needs so we can send you more relevant communications.
  - To conduct research and collate management information to ensure that the Foundation’s resources are deployed where they can most usefully have a positive impact.
- It’s in the legitimate interests of a third party e.g. where we share information about the Foundation’s funding and research activities with a third party.
Where the processing is in our legitimate interests or those of a third party, we will always conduct an assessment to ensure that this use of your personal information is not excessive or unnecessary or otherwise more intrusive than it needs to be.
Who we may share your information with
We may share your information with third parties for the reasons outlined in ‘Why we collect and use your information’.
We may share your information with:
- Companies within Standard Life Aberdeen plc who provide support to the Foundation, e.g. processing invoices for payment.
- Companies we have chosen to support us in our communications with you e.g. research, consultancy or technology companies.
- Our regulators, including OSCR and the Information Commissioner’s Office for the UK (the ICO).
- Law enforcement and other appointed agencies who support us (or where they request the information) in the prevention and detection of crime.
- HM Revenue & Customs (HMRC) e.g. where we make a payment to you.
Whenever we share your personal information, we will do so in line with our obligations to keep your information safe and secure.
Where your information is processed
The majority of your information is processed in the UK and European Economic Area (EEA).
However, some of your information may be processed by us or the third parties we work with outside of the EEA, including countries such as the United States and India.
Where your information is being processed outside of the EEA, we take additional steps to ensure that your information is protected to at least an equivalent level as would be applied by UK / EEA data privacy laws e.g. we will put in place legal agreements with our third party suppliers and do regular checks to ensure they meet these obligations.
How we protect your information
We take information and system security very seriously and we strive to comply with our obligations at all times. Any personal information which is collected, recorded or used in any way, whether on paper, online or any other media, will have appropriate safeguards applied in line with our data protection obligations. An example of this is that internal and external audit and specialist third party consultants conduct regular, independent assurance and benchmarking exercises across our business to ascertain the effectiveness of our security control environment and our security strategy.
Your information is protected by controls designed to minimise loss or damage through accident, negligence or deliberate actions. Our employees also protect sensitive or confidential information when storing or transmitting information electronically and must undertake annual training on this.
Our security controls are aligned to industry standards and good practice, providing a control environment that effectively manages risks to the confidentiality, integrity and availability of your information.
How long we keep your information
To meet our legal and regulatory obligations, we keep your personal information and copies of records we create (e.g. calls with us) while you have a relationship with the Foundation.
Even when you no longer have a relationship with us, we are required to keep information for different legal and regulatory reasons. The length of time will vary and we regularly review our retention periods to make sure they comply with all laws and regulations.
You have a number of rights under Data Protection laws which may be exercised in certain circumstances. These are:
Right to be informed about how and why we are processing your personal information.
Right of access to personal information relating to you.
You have the right of access to your personal information. If you wish to receive a copy of the personal information we hold on you, you may make a data subject access request (DSAR).
Right to request rectification of inaccurate or incomplete personal information.
If your personal information is inaccurate or incomplete, you can request that it is corrected.
Right to request erasure of your personal information.
You can ask for your information to be deleted or removed if there is not a compelling reason for the Foundation to continue to have it.
Right to restrict processing of your personal information.
You can ask that we block or suppress the processing of your personal information for certain reasons. This means that we are still permitted to keep your information – but only to ensure we don’t use it in the future for those reasons you have restricted.
Right to data portability.
You can ask for a copy of your personal information for your own purposes to use across different services. In certain circumstances, you may move, copy or transfer the personal information we hold to another company in a safe and secure way.
Right to object to processing of your personal information.
You can object to the Foundation processing your personal information where: it’s based on our legitimate interests (including profiling); for direct marketing (including profiling); and if we were using it for scientific/historical research and statistics.
Right to not be subject to automated decision making including profiling.
You have the right to ask the Foundation to:
- give you information about its processing of your personal information
- request human intervention or challenge a decision where processing is done solely by automated processes
- carry out regular checks to make sure that our automated decision making and profiling processes are working as they should.
More information can be found on your rights here https://ico.org.uk/for-the-public
If you want to talk to us about any of the individual rights, please contact us.
How to make a complaint
While we hope that we can resolve any complaints for you, you do have the option to complain to the ICO (whether or not you have exhausted our complaints procedure).
Their contact details are as follows:
Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.