Grants Data Privacy Notice

Privacy notice for Church of Scotland Office of the Assembly Trustees Grants awarded on behalf of the Church of Scotland.

The Church of Scotland Office of the Assembly Trustees is providing you with this information to comply with data protection law and to ensure that you are fully informed and we are transparent in how we collect and use your personal data.

Data controller

The Church of Scotland Office of the Assembly Trustees is the Data Controller. We have an appointed Data Protection Officer (DPO), Alice Wilson, who can be contacted by emailing:

If you have any questions in relation to the grants process, please contact the Grants Manager, David Williams, at 121 George Street, Edinburgh EH2 4YN or email him at

Purposes of collecting and processing

This Privacy Notice outlines the way in which the Church of Scotland Office of the Assembly Trustees (for the purposes of this Privacy Notice hereafter "the Church") will use personal information provided to us in connection with grants awarded on behalf of the Church of Scotland. These cover all the grants which the Church has, including, but not limited to, the Small Grants Fund, Pioneer Mission Fund and the Go For It Fund. The processing purposes are:

  • For the purposes of considering, reviewing and reaching decisions about grant applications – which may involve third parties
  • For assisting grant applicants in the application process
  • Reporting regularly on how the project, funded by the grant, is progressing and if it's achieving the aims identified in the application
  • To fulfill contractual or other legal obligations
  • To further the charitable aims of the Church.

Personal data collected and processed

We collect on grant application forms the names and contact information of grant applicants. This will include a minimum of 2 unrelated named persons for the grant application and possibly a third if there is an ecumenical partnership running the proposed project.

The data includes:

  • Name
  • Address
  • Email address
  • Telephone/Mobile number
  • Position or role in the church or project
  • The bank details of the appropriate account for payment of the grant.

With the type of grants available, it is likely that special category (sensitive) personal data is collected. This depends on what the applicant's project is and the links with their Church and Presbytery. It's also possible that other special category data is processed due to the type of projects the grants can fund. Therefore, the following could be processed:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Sex life or sexual orientation

Grant application forms may require the collection of personal data relating to others than those who are completing the application form and in those cases the person completing the application must have the consent of the other party to include their information, including a record of their consent.

Also, part of the conditions of a grant is to report regularly on progress, including whether the aims are being achieved, if the project is on budget and where possible photographs and videos showing the project progressing. It is important for this reporting that if videos or photographs are taken and subsequently shared with the Grants team that the project team have ensured that they have a record of consent of any individual in the photographs or videos and that they are fully informed prior to consenting as to the purposes of taking photographs and videos.

The Church reserves the right to use all of the case studies, images and videos supplied as part of the reporting on the projects for promotional purposes.

Source and method of data collection

We collect the data directly from the grant applicants, using various tools, including the Small Grants Fund Platform, provided by SCVO and Microsoft Office 365 software including Word for the application and Excel for the budgetary plans etc. The collection is carried out securely with appropriate safeguards in place to protect all personal data involved.

The lawful basis for the processing

The lawful basis for processing personal data is UK GDPR Article 6(1)(b) "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".

Also as special category (sensitive) personal data is involved, the lawful basis for that data is UK GDPR Article 9(2)(d) "processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects"

Data sharing

The Church will use and disclose the information within the Church of Scotland for the purposes of administering grants. The Church uses third-party data processors for the purposes of administering the grant application and decision process. These processors include The Scottish Council for Voluntary Organisations (SCVO) who provide the Small Grants Fund Platform. There is an SCVO privacy notice specifically for this platform. This platform uses Salesforce and FormAssembly to provide the platform. The three parties all have appropriate contracts in place for the Small Grants Fund Platform, ensuring all data is held securely.

The Church also uses Microsoft for other grants; there is an appropriate contract in place between the Church and Microsoft and all third parties who provide these platforms hold the data within the UK.

We may share the information to an external organisation or researcher to look at the impact of the fund and whether it is achieving its purposes. For this purpose, appropriate documentation will be in place ensuring additional safeguards are in place to protect the data.

Duration of data retention

We will keep your personal information for the period that you have contact with us through any grants process and for a period of up to seven years following the end of the purpose for which a grant is awarded. We may also keep anonymised data for statistical purposes but if so we will only use it for that purpose. When the information is no longer needed it will be securely destroyed or permanently rendered anonymous.

Individuals' rights in relation to this processing

Data protection laws have a number of rights for the individuals. This is detailed on our page on your rights and choices.

Not all rights apply; some of these rights only apply depending on the lawful basis of processing the data. For this purpose only the right to object does not apply; however the rest of the rights do apply. If you want to exercise any of these rights you can do so either verbally or in writing. The Church will require proof of identity prior to processing the request. The Church are required to process the request without undue delay and must respond within one month.

Complaints to UK Information Commissioner's Office (ICO)

If you are concerned about how your personal data is being used by the Church of Scotland, in the first instance please contact the Church of Scotland Data Protection Officer (DPO) at If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner's Office (ICO). The ICO has guidance on their website.

You can email them at or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane