Some of the language used in privacy notices can be specialised. The Information Commissioner's website provides a useful introduction to key terms and concepts.
Scottish Parliament committees receive a large volume of formal correspondence. This privacy notice explains how we deal with any related personal information connected with this correspondence.
If you send correspondence to a Scottish Parliament committee we will process the contact information which you have included. This may include your name, address, phone number and email address. This is considered as standard or normal category personal data.
Depending on the content of the correspondence it may be considered as special category personal data. This would apply whether it was about you or any other named individual.
Special category personal data includes information about:
The Scottish Parliamentary Corporate Body (SPCB) processes any personal data you send to it under the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). Personal data consists of data that relates to an identified or identifiable individual. The SPCB will hold any personal data securely, will use it only for the purposes it was collected for and will only pass it to any third parties with your consent or according to a legal obligation.
Further information about the data protection legislation and your rights
The Code of Conduct places further obligations on all Members of Parliament in terms of how they handle material containing personal data in the course of their Committee work.
Data protection law states that we must have a legal basis for handling your personal data. The legal basis for collecting, holding, sharing and publishing your personal data is that the processing is necessary for the performance of a task carried out in the public interest (for normal category data) or substantial public interest (for special category data), in accordance with Art 6(1)(e) UK GDPR and section 8(d) DPA (for normal category data) or Art 9(2)(g) UK GDPR and section 10(3) and paragraph 6(2)(b), part 2, schedule 1 DPA (for special category data). The task is to inform and support the running of a parliamentary Committee which is part of the core function of the SPCB and therefore a Crown function in accordance with section 8(d) DPA.
The legal basis for sharing personal data (as set out below) is that it is necessary for the purposes of the performance of a legitimate interest of the Scottish Parliament Corporate Body (SPCB), in accordance with Article 6(1)(f) UK GDPR. The legitimate interest is the safety and security of the building and its occupants.
For the transfer of data to the National Records of Scotland (as set out below), the legal basis is that it is necessary for archiving purposes in the public interest (Art 6(1)(e) UK GDPR and section 8(d) DPA or Art 9(2)(j) UK GDPR and section 10(2) DPA).
The data sharing and retention of correspondence will depend on its nature and content. Correspondence sent to committee clerks may be circulated to committee members. It may also be seen by committee members’ staff.
Correspondence may also be shared with the police and security forces if it contains threats, abusive language or indications of illegal activities.
Correspondence may form part of the public record. Personal information contained within a public record will be retained in accordance with the Scottish Parliament records management policy and may be transferred to the Scottish Parliament archive at National Records of Scotland where it will be publicly available.
Correspondence which does not form part of the public record will generally be destroyed after two years.
If you have any questions about what will happen to your correspondence, please contact the recipient.
The Parliament is covered by the Freedom of Information (Scotland) Act 2002. This affects the way that we deal with your correspondence. In particular, you should be aware that if we receive a request for information under the Freedom of Information (Scotland) Act 2002, we may be required legally to release any correspondence which you have sent us.
In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below, although whether you will be able to exercise data subject rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
For example, the rights allowing for deletion or erasure of personal data, data portability and objecting to the processing of personal data do not apply in cases where personal data is processed for the purpose of complying with a legal obligation – these particular rights will therefore not apply to any personal data processed by us for the purpose of fulfilling our legal obligations under the Lobbying (Scotland) Act 2016.
The following rights apply:
You have the right to request a copy of the personal information about you that we hold. For further information, have a look at our page on Making a Subject Access Request.
We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
You have the right to ask us to delete personal information about you where:
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where this is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.
Please contact us in any of the ways set out below if you wish to exercise any of these rights.
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 17 December 2020.
We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.
Or by phone at: 0303 123 1113
If you have any further questions about the way in which we process personal data, or
about how to exercise your rights, please contact the Head of Information Governance
at:
The Scottish Parliament
Edinburgh
EH99 1SP
Telephone: 0131 348 6913
(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)
Email: dataprotection@parliament.scot
Please contact us if you require information in another language or format