Skip to main content

Language: English / GĂ idhlig

Loading…

Provision of IT Equipment, Services and Support

This privacy statement explains how we collect and use personal information as a data controller for the following process: BIT provision of IT Equipment, Services and Support.

Some of the language used in privacy notices can be specialised.  The Information Commissioner's website provides a useful introduction to key terms and concepts.

The purposes of the processing

It is necessary to retain personal information to enable the Business Information Technology (BIT) Office to provide and manage IT equipment, services and support to users. This includes:  

  • Recording internal and external contact information for users on the IT Helpdesk system;
  • Management of the mobile phone contract for SPCB Staff, Members and their staff; 
  • Provision and management of broadband services for constituency offices and home working users;  
  • Supporting the provision of access to our Microsoft Windows domain for staff and authorised partners;   
  • Maintaining core parliamentary data used by applications across the organisation, 
  • The transfer of data to AvePoint who provide a cloud backup and recovery solution for SharePoint (SP) Online and OneDrive. The privacy notice for AvePoint can be accessed here https://www.avepoint.com/uk/company/privacy-policy; and 

AvePoint's privacy notice

  • The provision and tracking of IT equipment, support and services for SPCB staff Members and their staff and all home working users. 

Categories of information processed

  • Normal category data such as names, addresses, post codes and telephone numbers, etc required to deliver IT equipment, services and support to users either directly or by using third parties to obtain and distribute goods or services to our users.

Normal category data including names and contact details are provided to the SPCB directly from individuals using our IT equipment, support and services.

Data held in SP online and OneDrive will include special category and/or criminal offence data that the SPCB receives. 

  • Special category data, includes more sensitive personal data about an individual revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership. It also includes data concerning a person’s health, sex life and sexual orientation. 
  • Criminal offence data, includes information about criminal convictions and offences.

Legal basis for processing

The legal basis for processing is that it is necessary for the performance of a task carried out in the public interest in accordance with Article 6(1)(e) of the General Data Protection Regulation (GDPR) and section 8(e) of the Data Protection Act 2018 (DPA). The processing is necessary to provide IT equipment, services and support for Members, their staff and to SPCB staff. Providing resources and services to Members and to SPCB staff is an activity that supports or promotes democratic engagement in terms of section 8(e) of the DPA.

For the transfer of data to Avepoint, the legal basis for processing is for the purposes of a task carried by the SPCB as data controller in the public interest, notably to provide a backup and recovery solution for data held on SharePoint Online and OneDrive. Regarding special category data processed for this purpose, the processing is necessary for reasons of substantial public interest in terms of Article 9(2)(g) UK GDPR and paragraph 6(2)(b), Part 2 of Schedule 1 to the DPA. 

For criminal offence data processed for this purpose, the processing is necessary for reasons of substantial public interest in terms of Article 10 UK GDPR and paragraph 6(2)(b), Part 2 of Schedule 1 to the DPA – processing is necessary for reasons of substantial public interest 

Data sharing

The data will only be shared outwith the SPCB with suppliers where it is necessary to enable the delivery of IT equipment, support and services directly by third parties. 

Retention of data 

Generally user account data is securely deleted within 10 working days of users leaving the organisation.

Personal data  held as part of contract documentation may be held until the contract ends. 

Broadband consent forms for consistuency offices and home working users are retained till the end of the agreement plus 5 years in accordance with the Scottish Parliament records management policy 

Data held in cloud back up and recovery solution is retained for a period of 2 years. 

Your rights

The GDPR sets out the rights which individuals have in relation to personal information held about them by data controllers. These rights are listed below. Exercising these rights will depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place. 

For example, the rights allowing for deletion or erasure of personal data (right to be forgotten) and data portability do not apply in cases where personal data is processed for the purpose(s) of the performance of a task carried out in the public interest. The right to object to the processing of personal data for the purpose(s) of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject.

This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data would pose to you.

The following rights may apply: 

Access to your information

You have the right to request a copy of the personal information about you that we hold.   

Further information on how to make a data protection subject access request.

Correcting your information

You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information

You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue. 

  • please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent
  • the right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you

Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to using your information

Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.

Please contact us in any of the ways set out below if you wish to exercise any of these rights.

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on this website.  Paper copies of the privacy statement may also be obtained using the contact information below. 

This privacy statement was last updated on 4th May 2020 and will be reviewed within 12 months if not updated prior to that. 

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:
The Scottish Parliament
Edinburgh
EH99 1SP

Telephone: 0131 348 6913

(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)

Email: [email protected]

Please contact us if you require information in another language or format

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.

Or by phone at: 0303 123 1113

Share this page

Share this page on x Share this page on pinterest Share this page on linkedin