This is the Corporate Privacy Statement of the Scottish Parliamentary Corporate Body ('the SPCB'). We must comply with data protection laws when we collect and handle personal data. When handling personal data the SPCB complies with the General Data Protection Regulation and the UK Data Protection Act 2018. We take our data protection requirements very seriously in order to protect the rights and freedoms of data subjects (the individuals whose personal data we collect and hold).
Personal data is information relating to an individual and may identify them directly or indirectly.
The SPCB collects and handles personal data to carry out the following broad functions and activities of the Scottish Parliament:
- Parliamentary functions
- Education and learning
- Legal services including legal advice to the SPCB and MSPs
- Licensing and registration including registration of Members’ Interests
- Supporting and managing employees
- Engagement and outreach
- Financial records
- Information management and governance
- Management of the Scottish Parliament building and grounds at Holyrood
- Security including prevention of crime
Categories of personal data:
The categories of personal data the SPCB processes include normal category personal data and special category personal data. Special category personal data includes information about an individual’s race; ethnic origin; political or religious views; sex life or sexual orientation; trade union membership; physical or mental health; genetic or biometric data. The SPCB undertakes to handle this type of personal data in line with all data protection laws in a way that reflects the greater risk to individuals when special category personal data is handled.
Individual privacy notices:
The SPCB handles many different types of personal data in order to fulfil a wide range of activities and other functions. In order to be clear about the details of particular areas of personal data processing we have developed a series of individual privacy notices to describe and explain how personal data will be collected and handled in particular circumstances.
Sources of personal data:
When the SPCB collects personal data we will always provide information about the source of the personal data and explain the reasons why we are processing it.
Legal basis for processing personal data:
The SPCB must provide and explain the legal basis for collecting and handling personal data and details about this are provided in each of our individual privacy notices. The legal basis for collecting and storing personal data depends on the type of personal data being processed and the reasons for it being collected and handled. Sometimes there can be more than one legal basis for processing personal data and if that is the case it will be clearly explained in the individual privacy notice where it applies.
Sharing Personal Data:
If the SPCB will share any personal data in order to carry out its functions or activities, the reasons for this will be explained in the associated privacy notices in a way that is clear and understandable.
Retaining Personal Data:
The SPCB will only retain personal data for a specific period of time in order to carry out the particular activities described in an individual privacy notice. There are legal or other requirements for the SPCB to retain information for a particular period of time and this is explained in individual privacy notices. The SPCB will not retain information for a period of time that exceeds the purpose for which the personal data is being collected or handled. If it is not possible to provide a specific time period, the reason for this will be explained in the individual privacy notice.
The SPCB takes the security of personal data very seriously and applies rigorous technical and other organisational measures to protect personal data. Further proportionate information about this is explained in individual privacy notices.
Using our website
Freedom of Information (Scotland) Act 2002
Please Note: The Scottish Parliament is covered by the Freedom of Information (Scotland) Act 2002. The Act requires us to disclose information we hold to the requester unless we are permitted to withhold it by an exemption. This includes personal data we hold. If the request covers personal data, the interests of the data subject must be considered but ultimately, we may be required by law to release the information to the person who has made the request.
For more information on the Freedom of Information (Scotland) Act 2002, please visit the website of the Office of the Scottish Information Commissioner.
Children and Young People Safeguarding and Child Protection
In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
The GDPR sets out the rights which individuals have in relation to personal information held about them by data controllers. These rights are listed below, although whether you will be able to exercise each of these rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place (see the individual privacy notices for further details in relation to specific processing activities).
Access to your information - You have the right to request a copy of the personal information about you that we hold. For further information, see our Data Subjects' Access Request Policy.
Correcting your information - We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
Deletion of your information - You have the right to ask us to delete personal information about you where:
- You consider that we no longer require the information for the purposes for which it was obtained.
- We are using that information with your consent and you have withdrawn your consent - see Withdrawing consent to using your information below
- You have validly objected to our use of your personal information - see Objecting to how we may use your information below
- Our use of your personal information is contrary to law or our other legal obligations
Objecting to how we may use your information - You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
Restricting how we may use your information - in some cases, you may ask us to restrict how we use your personal information. This right may apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Automated decision-making - if we use your personal information on an automated basis to make decisions which significantly affect you, you have the right to ask that the decision be reviewed by an individual to whom you may make representations and contest the decision. This right only applies where we use your information with your consent or as part of a contractual relationship with you.
Withdrawing consent to using your information - Where we use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.
Please contact us in any of the ways set out in the Contact information and further advice section if you wish to exercise any of these rights.
Specific privacy statements
The following privacy statements contain detailed information on how we handle personal data in relation to each of our specific functions and activities.
Visiting and contacting the Scottish Parliament
COVID-19 Test and Protect
Events and Exhibitions
Festival of Politics
Business in the Parliament Conference
Using our website and our use of social media
Requests to use our Corporate Identity
Health and Safety
Parliamentary business - general
Parliamentary business - Petitions
Parliamentary business - Committees
Parliamentary business - Private Bills
Data protection and Freedom of Information
Media and Broadcasting
Information about external visitors
Contractors, Suppliers and Customers
Review of privacy notices
The SPCB regularly reviews all privacy notices and aims to do this every 12 months. The date when each privacy notice was last updated is included in each notice. Paper copies of privacy notices may be obtained using the contact information below.
This privacy statement was last updated on 26 November 2020.
Contact information and further advice
If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:
The Scottish Parliament
Telephone: 0131 348 6913 (Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL).
Email: [email protected]
We seek to resolve directly all complaints about how we handle personal information, but you also have the right to lodge a complaint with the Information Commissioner’s Office online at https://ico.org.uk/make-a-complaint/ or by phone at 0303 123 1113.