
Information rights: Data breach reporting

This privacy statement explains how we collect and use personal information as a data controller for the following process: Data breach reporting.

Some of the language used in privacy notices can be specialised.  The Information Commissioner's website provides a useful introduction to key terms and concepts.


The purposes of the processing

The purpose of processing personal data which is subject to a data breach is to enable the SPCB to report any data breach to the Office of the UK Information Commissioner and to communicate, if appropriate, with the data subjects involved.

Categories of information processed

Normal category data, such as names, addresses and telephone numbers. 

Special Category data, as defined by the UK General Data Protection Regulation (UK GDPR).

Special category personal data includes information revealing an individual’s:

  • race
  • ethnic origin
  • political or religious views
  • sex life or sexual orientation
  • trade union membership
  • physical or mental health
  • genetic or biometric data.

Source of the information

Depending on the nature of the data breach, the source of the data can be internal and relate to employees of the Scottish Parliament Corporate Body (SPCB) or it could be provided directly or indirectly to us by an external party.

Legal basis for processing

Data protection law states that we must have a legal basis for handling your personal data.

The legal basis of processing is that it is a legal requirement for data controllers to report on any data breach within 72 hours of first becoming aware of a data breach.  The processing is therefore necessary to comply with a statutory obligation to which the SPCB is subject in accordance with Article 6(1)(c) of the UK GDPR. The processing of special category data is necessary for reasons of substantial public interest in accordance with Article 9(2)(g) UK GDPR. Being able to investigate data breaches and review and respond to the breach to its full extent is in the substantial public interest. 

The consequences for not processing personal data

If the personal data involved in a data breach were not processed, the SPCB could not meet its requirement to inform the ICO and the affected data subjects.

Data sharing

The data may be shared with the Information Commissioner’s Office. 

Retention of data 

Any normal or special categories of personal data involved in a data breach will be securely deleted immediately after reporting to the ICO or to data subjects – i.e. within 72 hours of an incident taking place unless the data needs to be held for different purposes.

Your rights

Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below.  You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.  

The following rights may apply:

Access to your information

You have the right to request a copy of the personal information about you that we hold.   

Further information on how to make a data protection 'subject access request'.

Correcting your information

You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information

You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue. 

  • please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent 
  • the right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject 
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you

Deletion of your information

You have the right to ask us to delete personal information about you where:

  • you consider that we no longer require the information for the purposes for which it was obtained
  • we are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
  • you have validly objected to our use of your personal information – see Objecting to how we may use your information above
  • our use of your personal information is contrary to law or our other legal obligations
  • please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you

Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to using your information

Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.

Please contact us in any of the ways set out below if you wish to exercise any of these rights. 

Changes to our privacy statement 

We keep this privacy statement under regular review and will place any updates on this website.  Paper copies of the privacy statement may also be obtained using the contact information below.  
 
This privacy statement was last updated on 3 March 2021.

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:

The Scottish Parliament
Edinburgh
EH99 1SP

Telephone: 0131 348 6913

(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)

Email: [email protected]

Please contact us if you require information in another language or format.

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.

Or by phone at: 0303 123 1113
