The purpose of the processing is to identify any potential online threats and abuse to MSPs and to work with MSPs and partner organisations, including Police Scotland, to ensure MSP safety.
The data processed will consist of information made publicly available by users of social media platforms. This may include personal data such as social media usernames (which may or may not be real names) and opinions. This may include special category personal data such as political or philosophical beliefs and additional biographical information which social media users have disclosed on social media platforms.
Where threats and abuse to MSPs are identified this may result in the processing of criminal offence data, which includes information in relation to criminal offences such as the suspicion or allegations of criminal activity.
The data processed is provided by social media users in the form of publicly available social media posts on platforms such as X and Facebook. This publicly available information is gathered using a commercially available social media monitoring tool. SPCB staff create insight reports which show comments or posts from social media users which are deemed to be threatening or abusive towards MSPs. Only these reports, which consist solely of comments or posts which are threatening or abusive towards MSPs, are held by the SPCB. Individuals are not monitored, and private information is not accessed.
For the purposes of carrying out social media monitoring we use a third-party processor, Maltego.
Read the Maltego privacy notice
Data protection law states that we must have a legal basis for handling your personal data.
The processing is necessary for the performance of a task that is carried out in the public interest or the exercise of official authority of the SPCB in terms of Article 6(1)(e) of the UK General Data Protection Regulation (UK GDPR).
For the processing of special category data, the processing is necessary for reasons of substantial public interest in terms of Article 9(2)(g) of the UK GDPR and paragraph 10 of Part 2 to Schedule 1 of the Data Protection Act 2018 (DPA) where the processing is necessary for the purposes of the prevention or detection of an unlawful act.
For the processing of criminal offence data, the processing is in terms of Article 10 of the UK GDPR and paragraph 10 of Part 2 to Schedule 1 of the DPA.
Insight reports will be shared with Police Scotland and the relevant MSP(s) if it is reasonable to assume that a criminal threshold has been breached.
Insight reports will be stored in an EU based data centre which is managed by a third party contracted to the social media monitoring supplier. This data will be available for audit and review for a period of 12 months before being deleted.
In line with the principles underlying the National Guidance for Child Protection in Scotland, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
The following rights may apply:
You have the right to request a copy of the personal information about you that we hold.
Request personal information about you that we hold
You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
Where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Please contact us in any of the ways set out below if you wish to exercise any of these rights.
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 12 May 2026.
If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:
The Scottish Parliament
Edinburgh
EH99 1SP
Please contact us if you require information in another language or format
If you are concerned that we have not handled your personal information properly you can make a complaint to the Information Governance Team of the Scottish Parliament at the following address: [email protected]. We will respond to your complaint without undue delay and within one month. If, having made a complaint, you are still concerned that your personal information has not been handled properly, you can make a complaint to the Information Commissioner's Office.