Edinburgh Office
Grant House
7 Palmerston Place Lane
EH12 5AE
Tel. 0131 220 6660

Glasgow Office
10 Newton Place
G3 7PR
Tel. 0141 229 1166



Stephen Grant, F.I.P.I

1. Nature of work – Investigation in the private sector
2. Date: 25 May 2018
3. Description of processing

3.1 The following is a broad description of the way this organisation processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received from the data controller, check any privacy notices that organisation has provided or contact the organisation to ask about your personal circumstances.

3.2 Reasons/purposes for processing information

We process personal information to enable us to:

  • provide investigatory services on the written instructions of a data controller (our client)
  • maintain our own accounts and records
  • support and manage our employees.

4. Type/classes of information processed

4.1 We process information relating to the above reasons/purposes. This information may include:

  • personal details
  • the investigation brief, results and related information
  • lifestyle and social circumstances
  • family details
  • goods and services
  • financial details
  • education and employment and/or business details

4.2 We also process sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • trade union membership
  • religious or other beliefs
  • criminality

5. Who the information is processed about

5.1. We process personal information about:

  • customers and clients, including prospective clients
  • witnesses
  • the subjects of investigations
  • business contacts
  • advisers and other professional experts
  • suppliers
  • employees

6. Who the information may be shared with

6.1. We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

6.2. Where necessary or required we share information with:

  • financial organisations
  • credit reference, debt collection and tracing agencies
  • police forces
  • professional investigators
  • government
  • specific client
  • business associates and other professional bodies and advisers
  • suppliers
  • current, past or prospective employers
  • education and examining bodies
  • family, associates or representatives of the person whose personal data we are processing
  • regulatory and statutory bodies
  • certification bodies for audit purposes

7. Trading and sharing personal information

7.1. Personal information is traded and shared as a primary business function. For this reason, the information processed may include name, contact details, family details, financial details, employment details, and goods and services. This information may be about customers and clients.

7.2. The information may be traded or shared with business associates and professional advisers, agents, service providers, customers and clients, and traders in personal data.

8. Undertaking research

8.1. Personal information is also processed in order to undertake research.

8.2. For this reason, the information processed may include name, contact details, family details, lifestyle and social circumstances, financial details, goods and services.

8.3. The sensitive types of information may include physical or mental health details, racial or ethnic origin and religious or other beliefs.

9. Consulting and advisory services

9.1. Information is processed for consultancy and advisory services that are offered.

9.2. For this reason, the information processed may include name, contact details, family details, financial details, and the goods and services provided.

9.3. This information may be about customers and clients.

9.4. Where necessary this information is shared with the data subject themselves, business associates and other professional advisers, current, past or prospective employers and service providers.

10. Transfers

10.1. It may sometimes be necessary to transfer personal information overseas.

10.2. When this is needed information may be transferred to countries or territories around the world.

10.3. Any transfers made will be in full compliance with all aspects of the Data Protection Act.

11.  Sources of Personal Data

11.1. The data we process originates from legally compliant publicly available and open source information, and personal data manifestly made public by the data subject.  In addition, it is supplied by clients under the lawful basis of legitimate interests.

12.  Lawful Basis

12.1. Grant & McMurtrie processes all personal data lawfully, fairly and in a transparent manner when providing investigatory services under the following lawful bases stated in the General Data Protection Regulation (GDPR):

Article 6(1)(f)
Necessary for the purposes of legitimate interests pursued by the controller or a third party

Secondary (where appropriate)
Article 6(1)(c)
Processing is necessary for compliance with a legal obligation

12.2. Grant & McMurtrie processes all sensitive data/special categories data lawfully, fairly and in a transparent manner when providing investigatory services under the following lawful bases stated in the General Data Protection Regulation:

GDPR (special categories)

Article 9(2)(e)
Processing relates to personal data which are manifestly made public by the data subject

Article 9(2)(f)
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

12.3. Where Legitimate Interests is relied upon as a lawful basis, a Legitimate Interest Assessment is conducted.

13.  Client Information

13.1. Prior to any business relationship, we will request from clients personal information such as name, address, telephone number and email.  We also obtain consent to process said information to confirm the accuracy of such details.  In the event we do not proceed with an assignment, the information will be destroyed when the client advises they do not wish to proceed.

14.  Handling of personal data – Security, Protection and Retention

14.1. Grant & McMurtrie adheres to the requirements and individuals' rights contained in The Data Protection Act 1998 and The General Data Protection Regulation 2018 and ensures that personal data is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

14.2. Grant & McMurtrie takes all reasonable technical and organizational precautions to prevent the loss, misuse or alteration of personal information.  We have put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed, including the following by way of example:

  • Securely storing hard copy files that are strictly accessible only by the Grant & McMurtrie employees
  • Complying with the data protection principle that data is kept for no longer than is necessary, after which it is securely disposed of
  • Encrypting emails and attachments containing personal and sensitive data
  • Not collecting or storing personal data from or on our website
  • Maintaining and reviewing data protection policies, procedures and assessments
  • Having firewalls, malware/anti-virus and recommended cyber security measures in place
  • Holding British Standards Institution BS102000:2013 for the provision of investigator services, certificated annually via UKAS by means of an external audit

15.  Individual’s Rights

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”).  This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information.  This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information.  This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

If you want to review, verify, correct or request erasure of your personal information, or object to the processing of your personal data, please submit your request in writing to: The Data Controller, Grant & McMurtrie, 7 Palmerston Place Lane, Edinburgh EH12 5AE.  Please note that under the DPA & GDPR, Grant & McMurtrie are required to verify the identity of the person submitting an objection; therefore all such requests must include the individual’s full name, address and telephone number.  The sender may also be requested to supply paper evidence of their identity.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights).  However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive.  Alternatively, we may refuse to comply with the request in such circumstances.

16.  Data Controller

16.1. The data controller responsible for your personal data is Grant & McMurtrie.  Our data protection registration number is Z5619795.  If you have any questions about this privacy notice or how we handle your personal information, please contact The Data Controller, Grant & McMurtrie, 7 Palmerston Place Lane, Edinburgh EH12 5AE.

16.2  The Data Protection Officer for Grant & McMurtrie is currently Stephen Grant.

17.  Right to complain

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO).  The ICO can be contacted by telephone on 0303 123 113 – Monday to Friday, between 9am and 5pm – or by email at casework@ico.org.uk.  You can also visit the ICO’s website by following this link: https://ico.org.uk/.

18.  Changes to our Privacy Information Notice

We may change, modify or adjust this Privacy Information Notice from time to time; however, we will not reduce your rights under the Privacy Information Notice.

Any changes we make to our Privacy Information Notice in the future will be found on our website, at www.grantec.co.uk/privacynotice.  Copies are also available from us by post.  Please contact us if you require a copy.

How we use cookies
What is a cookie?

Cookies are files containing small amounts of information which are downloaded to the device you use when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie.

First and third party cookies

Whether a cookie is a first or third party cookie depends on which website the cookie comes from. First party cookies are those set by or on behalf of the website visited. All other cookies are third party cookies. We only use first party cookies on our website.

Performance cookies

These cookies collect information about how visitors use a web site, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don't collect information that identifies a visitor although they may collect the IP address of the device used to access the site. All information these cookies collect is anonymous and is only used to improve how a website works, the user experience and to provide us with information to help our search engine optimisation strategy. By using our website you agree that we can place these types of cookies on your device, however you can, if you wish, block these cookies using your browser settings.

Cookies on this site

The only cookies on our website are used for Google Analytics. Google Analytics tracking (and most web tracking software) uses cookies in order to provide meaningful reports about our site visitors. However, Google Analytics cookies do not collect personal data about our website visitors. It only provides us with general information on the browsing habits of our visitors, i.e. pages most frequently visited, how long a visitor stays on a page, the visitor's country, how many visitors we get, what keywords they use to find us etc.

This information helps us to tailor our Search Engine Optimisation Strategy so that more people are likely to find our website.

What if I don't want to accept cookies?

If you wish to restrict or block the cookies which are set by any website including ours, you should do this through the web browser settings for each web browser you use, on each device you use to access the Internet.

You can allow cookies from specific websites by making them "trusted websites" in your web browser. For more information on how to do this you may wish to visit www.allaboutcookies.org which contains comprehensive information on how to do this on a wider variety of browsers.