0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

Silver Cloud Privacy Notice

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

SilverCloud Health is the provider of the SilverCloud platform.

Why are we collecting it, and what are we doing with it (Purpose)?

SilverCloud is a digital platform used to provide online packages of mental health and wellbeing support for individuals. It is provided by SilverCloud Health. SilverCloud can be used by Edinburgh College Students and Staff. Your personal data is used to enable you to sign up to and access the available resources.

Your personal data is also used, with your agreement, by Edinburgh College Wellbeing staff to contact students to offer an introductory session to the platform. The College’s Occupational Health (OH) Nurse may also make available to staff with certain health conditions hidden resources on the platform related to that specific condition.

What personal data do we collect?

Edinburgh College will not collect your personal data directly for you accessing SilverCloud.

If you are a student and agree to sign up to receive support to access the platform, SilverCloud will share your name and contact details with the Wellbeing Team so they can get in touch. If you are a member of Staff who wishes to access specialised resources, the OH Nurse will use your email address to allow access.

Further personal data will be processed by SilverCloud directly. The type of personal data will depend on how you use the resources available on SilverCloud; this may include special category personal data, such as health data. Please refer to their Privacy Notice for further information.

Administrators at Edinburgh College will have access to anonymised usage and evaluation information via the SilverCloud platform for reporting purposes only.

The lawful basis for the processing

Students: Edinburgh College is providing the health and well-being service as part of its duty of care to students, as set out in the Post-16 Education (Scotland) Act 2013 and the Further and Higher Education (Scotland) Act 2005. Therefore, for the information directly processed by the College, the lawful basis for processing is

  • Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

Staff: Edinburgh College is providing a health and well-being service as part of its duty of care to its employees under the Employment Rights Act 1996. Therefore, for the information directly processed by the College, the lawful basis for processing is

  • Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract”

However, as Edinburgh College does not ‘refer’ students or staff to this service, nor receive data on who uses explicitly it, and because users have a genuine choice as to whether to use this self-help tool, it is believed that the lawful basis for processing personal data, and special category data, in this instance, would be:

  • Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
  • Article 9(2)(a) “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”.

Who we share the information with

The majority of your personal data, for this service, will be processed by SilverCloud Health (third party), the provider of the SilverCloud platform and a ‘data processor’ for Edinburgh College.

We may also need to share your personal data outside the College if required by law.

How long do we hold the personal data? 

If a student wishes to receive support to use SilverCloud, their name and contact details will be retained by the Edinburgh College Wellbeing team for the current academic year, then securely deleted.

Personal data and any special category personal data provided by students or staff on the SilverCloud platform will be retained by SilverCloud Health for the duration of the contract with Edinburgh College, and then it will be securely deleted.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance, please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO guides on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303-123-113, or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF