We take data protection very seriously at the Drinking Water Quality Regulator for Scotland. Here's how we handle your information.
Last updated: February 2021
1. Who we are
This policy applies to the Drinking Water Quality Regulator for Scotland (DWQR), who in this case is acting as a Data Controller for your personal data. For the purposes of this policy DWQR will be referred to as we, us and our.
2. Legal Basis and purpose for processing your personal data
If you are getting in touch with us with regards to water quality, our legal basis for processing your personal data is the Drinking Water Quality Regulator’s statutory obligations based on the Water Industry (Scotland) Act 2002 to:
- seek to ensure that the drinking water quality duties imposed on a public water supplier are complied with, and
- supervise the enforcement by local authorities of the drinking water quality duties which it is their responsibility to enforce
If you are getting in touch with us for queries not relating to DWQR’s statutory obligations or public task with regards to water quality, then we rely on your consent for processing your personal data. You are giving use your consent by voluntarily providing your personal information when contacting us.
We are committed to protecting your personal information and respecting your privacy. We process your personal data when you access our Services. These include:
- Viewing or subscribing to our websites and social media platforms.
- Corresponding with us using services such as web contact forms, telephone, email or written letter.
We use your personal data in the following ways:
- Respond to your enquiries and complaints;
- Working with our stakeholders in order to investigate your complaints;
- Customer satisfaction surveys.
3. Categories of personal data you give to us
The personal data you give us includes:
- Telephone number;
- Email address;
- Location information;
- Information you include in your correspondence with the DWQR
4. Information we pass to third parties and other data sharing
In order to facilitate your use of our Services, we may have to share your personal data with third parties who help us provide elements of our Services to you. We will provide your personal data to third parties when they need the data to perform particular functions in delivering our Services to you or as part of our regulatory compliance. These include:
- Regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
- If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request
- If you have raised a complaint with regards to your water quality with Scottish Water (public supplies) or a Local Authority (private supplies) and you are not satisfied with the outcome, you can ask the DWQR to undertake a second tier investigation. In this case, the DWQR may share your personal data with the body you originally complained to (Scottish Water or Local Authority) in order to investigate your complaint.
5. Signposting to other organisations
Generally, if an enquiry or complaint is sent to us which would be more appropriate for a different scrutiny or complaints organisation, we will provide contact details for the relevant body and it is for the enquirer or complainant to decide if they want to send their issue of concern to that alternative organisation.
DWQR and the Scottish Public Services Ombudsman (SPSO) have a potentially overlapping jurisdiction in terms of one specific category of complaints. DWQR is responsible for ensuring the quality of drinking water in Scotland and will consider complaints from members of the public about drinking water quality. The SPSO can consider complaints from members of the public about their water supply where there is a claim of sustained injustice or hardship as a result of maladministration or service failure on the part of an authority within the SPSO's jurisdiction.
- If DWQR receives a complaint that they consider both organisations will need to deal with, they will discuss the circumstances with SPSO on how to approach this before informing the complainant.
- In most cases the complainant will be informed to redirect part of their complaint to the body they have not yet approached. In some limited cases it may be appropriate to have a lead organisation pursue the complaint with input from the other body. These cases are likely to be led by SPSO.
- DWQR will not send a complaint or personal data received by them direct to SPSO unless it has been agreed with the complainant that this will occur and it appears appropriate in all the circumstances for them to do so.
- At all times, DWQR will ensure that the transfer of any information is in line with our obligations towards protection and use of your personal data.
6. Data security
Once it is within our control, we will do our utmost to ensure your personal data is processed in a way that ensures appropriate security from unauthorised or unlawful processing, accidental loss, destruction or damage.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. Retaining your personal information
We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may also retain your personal data for a reasonable period afterwards to allow us to respond to any follow up enquiries or complaints, or for as long as you remain a registered user of our products and services.
To determine appropriate retention periods for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use or store this information indefinitely without further notice to you.
In some circumstances you can ask us to delete your data: see Right of Erasure below for further information.
8. Your data protection rights
Withdraw Consent – Where we are using your personal information on the basis of your consent, you have the right to withdraw that consent at any time.
Right to be Informed – You have the right to be told how your personal information will be used. This policy document, and shorter summary statements used on our communications, are intended to be a clear and transparent description of how your data may be used.
Right of Access – You can write to us asking what information we hold on you and to request a copy of that information. This is called a Subject Access Request. From 25 May 2018, we will have 30 days, from the date we receive your request, to respond to you. The request will proceed once we are satisfied you have the right to see the requested records and we have successfully confirmed your identity.
Right of Erasure – From 25 May 2018, you have the right to be forgotten (i.e. to have your personally identifiable data deleted).
Right of Rectification – If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. This enables you to have any incomplete or inaccurate data we hold about you corrected. We may need to verify the accuracy of the new data provided to us.
Right to Restrict Processing – In certain situations you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.
Right to Data Portability – Where we are processing your personal data under your consent, the law allows you to request data portability from us to another service provider. This right is largely seen as a way for people to transfer their personal data from one service provider to another. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
9. Changes to this policy
10. Contacting us
Call: 0131 244 0190
Post: Drinking Water Quality Regulator for Scotland, Victoria Quay, Edinburgh, EH6 6QQ
Or contact the Scottish Government Data Protection Officer:
Post: Data Protection Officer, Victoria Quay, Commercial Street, Edinburgh, EH6 6QQ
If, for any reason, you have a complaint, please contact us to discuss your concerns. Following this, if you are still dissatisfied, you are able to contact the Information Commissioner’s Office directly.
Contact telephone number: 0303 123 1113
Website: ICO website https://ico.org.uk/