Secondees, Contractors, Freelancers and Agency Workers privacy notice

Who we are

The Board of Trustees of the National Galleries of Scotland is the Data Controller for any personal data you give to us or we collect about you. Our full contact details are:

National Galleries of Scotland
73 Belford Road

0131 624 6200
[email protected]

National Galleries of Scotland is a charity registered in Scotland, No. SC003728. VAT No. GB 100 1904 82

We are a data ‘controller’, which means we are responsible for deciding how we hold and use your personal information.

This notice explains how and why we will collect and use your personal information and your rights in relation to your personal information. We may amend this notice at any time. Please refer back to this page for the most recent version. You may be notified directly of any significant changes which affect you where we believe it is appropriate and proportionate to do so.

What personal data do we collect and what do we do with it?

NGS collects data about secondees, contractors, freelancers and agency workers during the engagement process, either directly from you or sometimes from your employer, an employment agency, intermediary or background check provider. We may sometimes collect additional information from third parties including former employers or clients.

We will collect additional personal information in the course of work-related activities throughout the period of your engagement with us.

The categories of personal data that we may collect, store and otherwise process include:

  • Personal contact details
  • Date of birth
  • Gender
  • Emergency contact information
  • National insurance number
  • Copy of identification (Passport/driving licence)
  • Bank account details
  • Tax status information
  • Disclosure/ PVG status*
  • Start date
  • Terms of engagement/ contract
  • Location of workplace
  • Right to work documentation
  • References and confirmation of professional accreditations etc
  • CV or cover letter, employment history etc submitted during tendering or engagement process
  • CCTV footage and other information obtained through electronic means such as swipe card records
  • Information about your use of our information and communications systems
  • Photographs for security passes
  • Images of you taking part in or delivering NGS activities


*This may include criminal convictions data. An appropriate policy document is in place for processing this data, as required by the Data Protection Act 2018.

Legal Basis/ Condition for Processing

Most of the data we gather and process about you will be necessary for us to enter or carry out our contract with you.  For example, if you don’t provide your bank details, we may not be able to pay you.

Some information, such as PVG status and right to work documentation, is required to meet legal obligations.  Disclosure information is processed on the basis of substantial public interest to enable us to fulfil our statutory obligations.

Emergency contact details are required to protect your vital interests.

Some processing, such as requiring photographs for security purposes, sharing your contact details with other freelancers, is undertaken as a task in the public interest.  Records of your attendance and participation in meetings, involvement in NGS activities etc, are also part of our public task.  We may gather and use images of you to record and publicise our activities (also part of our public task).  A member of NGS staff will ask for your consent if we intend to use an image or recording of you in a way which could be used to identify you (such as by publishing your name alongside the image).

Failure to provide, create or compile some other types of personal information may prevent us from discharging our functions where these are part of our public task or we believe we have a legitimate interest.

Automated decision-making and Profiling

We do not currently take, and do not envisage taking, any decisions about you based solely on automated processing (i.e. without human involvement), which have a legal or similarly significant effect on you.

Who sees my data?

Your name and the most appropriate contact details (which may be provided by you for this purpose or assigned by us when you begin your work for the organisation) will be available internally to NGS employees.  Education freelancers’ names and contact details are made available to other freelancers to enable those delivering a session together to plan effectively or otherwise coordinate plans.

If you are on secondment to NGS, details may be shared with your employer in accordance with the terms of your secondment agreement.

Depending on your role, your name, job title, contact details and other information may be shared externally to enable us to perform our functions as an organisation effectively, promote our work and raise the profile of those undertaking work for us. This may include publication on the NGS website of a named contact for a particular aspect of our work and may include sharing your name and contact details to enquirers, partners or other stakeholders as appropriate.

We may also share your personal information with the following third parties if this is required by law; necessary to enter or carry out our contract with you or administer the working relationship with you; where we have another legitimate or public interest in doing so; or where it is necessary to protect your vital interests or those of another person:

  • Scottish Government
  • HMRC
  • Health and safety executive
  • Health professionals and occupational health providers involved in your care
  • Relevant regulators and accreditation bodies
  • Our professional advisors
  • Any person specified by you, where you ask us to provide a reference to that person
  • Other third parties as necessary to comply with the law

In some limited circumstances, we use third party service providers to process relevant personal data on our behalf, including IT service providers.  All third party processing activity is undertaken on the basis of a processing agreement with documented instructions.

We will always ensure that any personal information we share is necessary and kept to a minimum.

International Transfers

We do not currently transfer or intend to transfer your personal information to any country outside of the EU, or to any international organisation.  Some third party systems that we use are hosted outside the EU but we will always ensure appropriate safeguards are in place.

How long will we keep the data?

We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including to satisfy any legal, accounting or reporting requirements.

We will retain all of your personal information during your engagement and for no longer than is necessary after the completion/ termination of your contract to fulfil the terms of your contract and allow us to establish, exercise or defend legal claims.

What are my rights over access to the data you hold on me?

Subject to some legal exceptions, and depending on the legal basis for processing, you have the right:

  • To access the data we hold about you and to know what we are doing with it
  • To have any inaccuracies corrected
  • To have your personal data erased
  • To place a restriction on our processing of your data
  • To object to processing
  • To request your data to be ported (data portability)

To learn more about these rights, please visit, the website of the UK Information Commissioner’s Office (ICO).

If we are processing your data on the basis of your consent, you also have the right to withdraw your consent at any time.  For processing based on Public Task or Legitimate Interest, you have the right to object to the use of your personal data at any time, but if we believe that this would interfere with the performance of our functions and/or your contractual obligations, we will inform you that this is the case.

How to contact us about your personal data or this privacy notice

If you have any questions about this privacy notice or about your personal data, please contact: 

Data Protection Officer
Director-General’s Office
National Galleries of Scotland
73 Belford Road

Tel: 0131 624 6473

Email: [email protected]


As well as contacting the Data Protection Officer using the details above, you can use our Feedback procedure to make a complaint about the way we process your personal information.

You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the data protection supervisory authority in the UK.