The SPCB may also act as a data processor by communicating between a third party service provider and MSP staff in circumstances where it is necessary for the SPCB to facilitate communication between these parties in order that MSPs staff may take up or enrol with an external service as part of their employment.
We will process your personal information to
We will process normal category personal data and *special category personal data about you. Personal data is information that relates to an identified or identifiable individual.
Normal category data includes information such as your title, name, date of birth, gender, national insurance number, home address, email address and telephone number.
Special category data that we may process includes information relating to sickness absence and health or disability where an adjustment to work is required.
*Special category personal data includes information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Personal data will be provided to us from your employing Member of the Scottish Parliament (MSP) and directly from you, however, there may be occasion when information is provided from the following sources:
Data protection law states that we must have a legal basis for handling your personal data.
In the circumstances referred to above the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) UK General Data Protection Regulation (UK GDPR)).
The legal basis for processing personal data relating to disabilities with a view to making reasonable adjustments is that it is necessary to comply with our legal obligations under the Equality Act 2010 (Article 9(2)(g) UK GDPR, section 10(3) and paragraph 6(1)(b), of Part 2, Schedule 1 to the Data Protection Act 2018 (DPA)).
The legal basis for processing personal data in order to assess entitlement to benefits such as Childcare vouchers and the cycle to work scheme is consent of the data subject (Article 6 (1)(a) UK GDPR).
The legal basis for processing personal data for the purposes of providing advice to your employing Member in relation to disputes that may arise out of or in the context of your employment with them and in relation to advice on your health and welfare is that the processing is necessary for the performance of a task in the public interest (Article 6(1)(e) UK GDPR). The tasks is to ensure that the Parliament is provided, with the property, staff and services required for the Parliament’s purposes in terms of section 21(3) of the Scotland Act 1998.
For the processing of special category data relating to health and welfare the processing is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment law (Article 9(2)(b)).
The processing may also be necessary for legitimate interests (Article 6(1)(f) UK GDPR). The legitimate interest is to have all relevant information in case of a legal dispute.
We may share your personal information with the following third parties if this is required by law:
We do not share any of your personal data outside the EEA.
We will retain all of your personal information during your engagement up until age 100 for the purposes of pension administration and to allow us to assist the employing Member to establish, exercise or defend legal claims.
In line with the principles underlying the National Guidance for Child Protection in Scotland, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
The following rights may apply:
You have the right to request a copy of the personal information about you that we hold.
Request personal information about you that we hold
You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards
You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
Please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent.
The right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject.
The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.
You have the right to ask us to delete personal information about you where:
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.
Please contact us in any of the ways set out below if you wish to exercise any of these rights.
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 11 June 2024.
If you are concerned that we have not handled your personal information properly you can make a complaint to the Information Governance Team of the Scottish Parliament at the following address: [email protected]. We will respond to your complaint without undue delay and within one month. If, having made a complaint, you are still concerned that your personal information has not been handled properly, you can make a complaint to the Information Commissioner's Office.
If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance and Data Protection Officer at:
The Scottish Parliament
Edinburgh
EH99 1SP
Email: [email protected]
Please contact us if you require information in another language or format