Skip to content

Privacy Policy

On these pages you will find details of the Cairngorms National Park Authority’s privacy policy, which explains how we collect information and what we do with it

This is how we generally use information collected or obtained for various services (being updated on an ongoing basis).

This privacy policy is the privacy notice for all Park Authority services. We will use your details to provide you with the service(s) which you or someone else (with your consent) have asked us to provide. We will also use your personal details for purposes of crime prevention and crime detection and/or when required by law and will share it with other public bodies for that purpose.

The three core areas of business for the Cairngorms National Park Authority are conservation, visitor experience and rural development. These activities are supported by the corporate services and communications functions.

The Park Authority is a planning authority, with planning powers to decide all planning and related applications within the boundary of the Cairngorms National Park.

The Park Authority is also an access authority and upholds access rights in accordance with the Land Reform (Scotland) Act 2003.

The following is a broad description of the way we process personal information. To understand how your own personal information is processed, you may need to refer to any personal communications you have received, check any privacy notices we have provided or contact us to ask about your personal circumstances.

Planning – as a planning authority, personal information is processed for the consideration of planning applications, proposals for housing and tourism, and for the enforcement and monitoring of planning developments.

We process personal information to enable us to promote our goods and services, to maintain our accounts and records, to support and manage our staff and volunteers, and to guide and set the direction for the National Park.

In terms of data protection legislation, the Park Authority is the data controller of any personal information provided to or gathered by us.

This privacy policy describes what we will and will not do with the information we hold about you. It sets out the general approach we take, in each case with additional information relating to particular areas of our activity.

The Park Authority does not sell or rent your personal details to any external organisations.

For most purposes, we will only process your information with your consent. In most cases, we understand that by providing us with your details in order to obtain a service from the Park Authority you are consenting to us using those details in order to provide that service to you. Except as set out in this privacy statement, we will not use your personal details for any other purpose without first obtaining your consent to that other purpose or purposes (you may have been asked to provide this additional consent at the time when you originally contacted us, for example in an additional section on an application or other form).

We retain personal data relative to the purpose for which it was gathered, in accordance with the time periods for retention set out in our record retention schedule. Our retention schedule is maintained in accordance with the Public Records (Scotland) Act 2011. Specific details on the use and retention of your personal data will be provided at the point we collect your data and you may contact us at any time if you have any queries about your rights as an individual in terms of how we are processing your data.

External contractors who are appointed to process information on behalf of the Park Authority will do so under our instructions. All contractors which do this are appointed under written contracts requiring them to keep personal information safe and prohibiting them from doing anything with the personal data they process for us other than following the Park Authority’s instructions.

Staff information is primarily held by the Park Authority in order to fulfil its duties as an employer. In connection with this we hold information on staff relating to ethnic background, disability etc. in order to comply with our obligations relating to monitoring equality of opportunities and discrimination legislation. Earnings information is supplied to HMRC as required by law to allow for deduction of PAYE and national insurance contributions.

Information will generally be released to the police and other criminal investigation agencies on request in relation to specific investigations, provided the Park Authority is satisfied that legitimate grounds exist for doing so. It will also be released to government agencies able to compel disclosure, such as the Child Support Agency, if we receive an appropriate request.

Information will be released to courts and employment tribunals in relevant cases and may be shared with external legal advisers in these cases. It will also be released in response to an order from a court with competent jurisdiction to make such an order. It may be released (without consent) in response to investigations by external regulators such as Audit Scotland, the UK and Scottish Information Commissioners, and Scottish Public Services Ombudsman.

If the Park Authority receives a freedom of information (FOI) request which includes information relating to staff, then as a general rule such requests will be refused (or the staff information removed/redacted from the response)

However, each request will be considered on its own merits and in line with guidance issued by the Information Commissioner and Scottish Information Commissioner.

The Park Authority has a communications team which deals with queries from the press and media. In responding to these queries our communications team applies the same rules as all other officers of the Park Authority and will only release information about individuals in line with this privacy statement. Personal information held by the Park Authority will only be released to the media if there are compelling reasons for doing so.

When you send us an email we may use your email address to thank you for your comment and/or reply to your enquiry, and we will store your communication and our reply for any future correspondence in accordance with our data retention policy. Beyond our initial reply, we will never use your email address to send you any unsolicited message or information you have not consented to receive, nor will we share it with or sell it to anyone else for such use.

When you agree to receive information about our services, promotions, newsletters, press releases, and/or offers, we use your email address and any other information you give us to provide you with the information or other services, until you ask us to stop (using the ‘unsubscribe’ instructions provided with each email communication and/or on the site where you signed up, and/or as we otherwise provide), or until the information or service is no longer available.

You have a number of rights under data protection legislation in regards to how your data is processed. As a minimum, you should be given ‘fair processing’ information which is sometimes referred to as a ‘privacy’ policy or statement. This online privacy policy constitutes our general approach to how we process personal information in accordance with our approved Information Use and Privacy Policy. There may be other more specific privacy notices or statements you will have been given or made readily available for a service you are obtaining from us, eg in an online or offline form, public notice or orally, etc. You have the following rights with respect to how your data is being processed:

  1. Subject access requests (requests for copies of your personal data that we hold): the right to request (in writing) a copy of your personal data held by us, given to you in a permanent form. You are entitled to be given if requested.
    • A description of the personal data being processed
    • A description of the purposes for which it is being processed
    • A description of any likely recipients
    • Any information on the source of this data
    • Where any automated decisions have been taken, the ‘logic’ behind these decisions
  2. Automated decisions: you have the right, by notice, to prevent any automated decisions.
  3. Direct marketing: you have the right to request in writing to cease, or not begin, processing of your personal data, for the purpose of direct marketing.
  4. Preventing processing: you have a right to request to cease processing personal data if you believe it would cause you ‘damage’ or ‘distress’.
  5. Rectification, blocking, erasure and destruction: by order of a court you have the right to have any inaccurate personal data or expression of opinion which appears to be based on that inaccurate data, to be rectified, erased, blocked or destroyed.
  6. Complaints to the Commissioner: you have the right to ask the Information Commissioner to carry out an ‘assessment’ of the processing of your personal data if you believe it directly affects you (causes ‘damage’ or ‘distress’) to determine whether the processing is undertaken in accordance ith the law.ICO Scotland contact details are as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113


To make a Subject Access Request you must:

  • Supply information to prove who you are (to eliminate risk of unauthorised disclosure)
  • Supply appropriate information to help us to locate the information you require.

Your request should include details and provide evidence of who you are (eg driving licence, passport, birth certificate, utility bills). You should also provide as much detail as possible regarding the information you wish to access (eg where and by whom information is believed to be held, specific details of information required).

This list is not exhaustive and other forms of identification may be acceptable. At least one form of identification should contain the same signature that is on your application form or letter and one must include a photograph. Please note that the Park Authority will not be able to comply with any requests received unless satisfactory proof of identification is provided.

You are not required to state why you wish to access the information: the details we require are merely those that will aid the efficient location and retrieval of information.

Once we receive a Subject Access Request you will receive all the information that has been located and can be released within one calendar month and an explanation for any information that cannot be provided at that time.

Upon receipt of a request, we must provide:

  • Information on whether or not the personal data are processed
  • A description of the data, purposes and recipients
  • A copy of the data
  • An explanation of any codes/jargon contained within the data.

We must respond to Subject Access Requests within one calendar month.

Email: [email protected]

Write to:

Information Manager
Cairngorms National Park Authority
14 The Square
PH26 3HG

In terms of data protection legislation, the Park Authority is the data controller of personal data (information relating to identifiable living individuals) collected or obtained by or through our websites.

Our websites do not automatically capture or store personal information, other than logging the user’s IP address and session info such as the duration of the visit and the type of browser used. This is recognised by the web server and is only used for system administration and to provide statistics which the Park Authority uses to evaluate use of our site(s).

All marketing information will include an option for you to opt out of any future, similar correspondence. We do not contact children under 12 without the content of a legal parent or guardian.

From time to time we partner with third-party to deliver events. We may process personal data on behalf of certain events partners or clients. In such cases this should be made apparent to you in the event’s Privacy Notice.

We have a number of legal bases that mean we can use (or ‘process’) your personal information. One basis is legitimate interest, which means we can process your personal information if:

  • We have a genuine and legitimate reason
  • We are not harming any of your rights and interests.

The following are some examples of when and why we would use this approach in our work:

  • Direct marketing: from time to time we may send you information about events, publications or other materials which relate to the aims and objectives of the Cairngorms National Park Authority and/or the Cairngorms National Park.
  • Contact details: obtaining contact and position details from publicly available sources.
  • Market research: conducting market research on our audiences via approved 3rd party suppliers, in accordance with Market Research Society guidance. All personally identifiable data collected for the purposes of market research is stored securely by the Park Authority or by a third party data collection and/or processing organisation for a period of 12 months, unless stated otherwise within the terms and conditions of the research itself. In some circumstance we may ask third party research and data organisations to administer market research on behalf of the Park Authority and may pass on contact information to this company. In these cases, your data protection and privacy rights will fall under own policy documents.
  • Sharing information with NHS Test & Protect: when visiting our properties, we already collect your name, telephone number (or other relevant contact information if not available), and the date and time of your visit as part of our ticketing process. In the unlikely event of that a cluster of coronavirus cases is linked to the premises, we may share this information with NHS Scotland’s Test & Protect service. In order to assist in the containment of the virus, we will only share your data when it is requested directly by NHS Scotland and statutory partners. Your personal data will only be shared with NHS Test & Protect within 21 days of your visit. For further information on the NHS Scotland Test and Protect strategy please visit the NHS website.

When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests.

We believe that keeping personal information secure is one of our most important responsibilities.

We maintain all necessary physical, electronic and procedural security to help safeguard personal, sensitive and payment data against loss, misuse or alteration. Third parties that provide us with support or services may also receive personal, sensitive or payment information, and we require them to maintain security measures similar to ours with respect to such information.

In compliance with the Privacy and Electronic Communications Regulations 2003 (as amended) subscribers are given the opportunity to unsubscribe at any time. This process is detailed at the footer of each email campaign.

Communication, engagement and actions taken through external social media platforms that we utilise, and users participate on, are bound to the terms and conditions, and the privacy policies held with each social media platform respectively.

Users are advised to use social media platforms wisely and communicate / engage upon them with due care and caution in regard to their own privacy and personal details. We will never ask for personal or sensitive information through social media platforms, and encourage users wishing to discuss sensitive details to contact us through our standard primary communication channels, such as by telephone or in writing.

Some of our websites use social plugins which help share web content directly from web pages to the social media platform in question. Users are advised before using such social plugins we utilise that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.

If you are aged 12 or under, please ask your parent or guardian’s permission before you provide personal information on any of our websites.

The information provided on our websites is believed to be accurate at the time of writing, but the Park Authority accepts no liability for the contents and anyone relying on these contents does so at their own risk. Nothing on our websites is to be construed as binding the Park Authority or constituting an offer on behalf of the Park Authority.

This privacy policy only covers the Park Authority website at (and the other websites operated or managed by us where they link back to this privacy policy). Links within this site to other websites are not covered by this policy and individuals should check the terms of the privacy policy of those other sites for their terms. The Park Authority is not responsible for the content of external websites.

Any changes to this privacy policy will be posted on our website.