Some of the language used in privacy notices can be specialised. The Information Commissioner's website provides a useful introduction to key terms and concepts.
Test and protect for visitors to the Scottish Parliament
For the health and safety of visitors to the Scottish Parliament we are asking you to assist the Scottish Parliamentary Corporate Body to support NHS Scotland’s Test and Protect strategy. The information you provide to the Scottish Parliament will be used to enable NHS Scotland to contact you should you have been in the premises around the same time as someone who has tested positive for coronavirus. Contacting people who might have been exposed to the virus is an important step in stopping the spread.
The Health Protection (Coronavirus) (Restrictions) (Scotland) Amendment (No. 11) Regulations 2020 make collection of information mandatory for certain hospitality services, namely where visitors are buying food or drink to be consumed on the premises. Even where such data collection is not mandatory, the Parliament has taken the policy decision to collect this information from all visitors to ensure we are taking all reasonable measures to protect passholders and visitors to the Parliament and support efforts to contain the spread of coronavirus.
More information about Test and Protect is contained in the Scottish Government Guidance on the collection of visitor contact details
Categories of information processed
Personal data, as defined by the UK General Data Protection Regulation (UK GDPR), for example, names, addresses and telephone numbers.
Type of data collected
Along with the date and time of your arrival we will collect the following personal data.
- your name, and
- contact telephone number
If you do not have a telephone number, you have the option to provide:
- a postal address, or
- an email address
No health information or any other special category personal data as defined in UK GDPR will be requested or stored by the Scottish Parliamentary Corporate Body. Special category personal data includes information about:
- an individual’s race or ethnic origin
- political or religious views
- sex life or sexual orientation
- trade union membership
- physical or mental health
- genetic or biometric data.
Source of the information
Test and protect information is provided to the Scottish Parliament directly by individuals (the data subjects). We will request information relating to a close family group from the lead individual for that group.
The purpose of the processing
The purpose for which the Scottish Parliamentary Corporate Body is processing your personal data is to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic. This involves gathering and, when necessary, sharing information with NHS Scotland as the responsible body for Test and Protect. Your data will not be used for any other purpose.
In order to assist in the containment of the virus, we will only share your data when it is requested directly by NHS Scotland. If requested, information will be transferred securely to NHS National Services Scotland who will use the data to contact trace those who were in the establishment at the same time as the positive case, and will provide guidance and support to those who may be advised to self-isolate.
Legal basis for data processing
The legal basis for the processing of personal data is that it is necessary for a task carried out in the public interest (Art 6(1)(e) UK GDPR, s8(d) DPA). To the extent that the Parliament’s premises are covered by The Health Protection (Coronavirus) (Restrictions) (Scotland) Amendment (No. 11) Regulations 2020, the legal basis is that processing is necessary for compliance with a legal obligation to which the controller is subject (Art 6(1)(c) UK GDPR).
The information provided to the Scottish Parliamentary Corporate Body will only be shared, upon request, with NHS Scotland to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic. The information you provide will not be used by the Scottish Parliamentary Corporate Body for any other purpose.
Retention of data
Your personal data will be retained only for the purposes stated in this privacy notice and will be held by us for no more than 23 days. This is to ensure we retain the data for the 21-day period recommended by the Scottish Government as this allows time for the virus incubation period (14 days) and follow up contact tracing (7 days).
All personal data you provide will be held electronically and automatically disposed of in a safe and secure manner within 23 days.
Children and young people safeguarding and child protection
In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below, although whether you will be able to exercise data subject rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
The following rights apply:
Access to your information
You have the right to request a copy of the personal information about you that we hold. For further information, have a look at our page on Making a Subject Access Request.
Correcting your information
We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
Objecting to how we may use your information
You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
- Please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent.
- The right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject.
- The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.
Deletion of your information
You have the right to ask us to delete personal information about you where:
- You consider that we no longer require the information for the purposes for which it was obtained
- We are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
- You have validly objected to our use of your personal information – see Objecting to how we may use your information above
- Our use of your personal information is contrary to law or our other legal obligations
- Please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest. The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.
Restricting how we may use your information
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
If we use your personal information on an automated basis to make decisions which significantly affect you, you have the right to ask that the decision be reviewed by an individual to whom you may make representations and contest the decision. This right only applies where we use your information with your consent or as part of a contractual relationship with you.
Withdrawing consent to using your information
Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.
Please contact us in any of the ways set out in the Contact information and further advice section if you wish to exercise any of these rights.
Changes to our privacy statement
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 17 December 2020 and will be reviewed within 12 months if not updated prior to that.
Contact information and further advice
If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance:
The Scottish Parliament
Telephone: 0131 348 6913
(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)
Email: [email protected]
Please contact us if you require information in another language or format.
We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.
Or by phone at: 0303 123 1113