Some of the language used in privacy notices can be specialised. The Information Commissioner's website provides a useful introduction to key terms and concepts.
During the course of our work we collect/use personal data for the purpose of processing sales invoices and credit notes in order to receive income in return for goods or services provided. Any outstanding debts will become subject to debt recovery procedures. If the debt is unrecoverable then write off action through the losses process will be followed. Any overpayments of invoices are refunded to the debtor or with the debtor’s agreement offset against other current debts.
Normal category data is processed which includes: name, address, telephone number, email address for customers including employees, contractors, businesses which are not limited companies including sole traders, recreational groups (e.g. musicians) and individuals. Additionally, in the event of a sales invoice overpayment bank details would be required.
All sales invoices and credit notes issued by the SPCB must be raised by the Finance Office. Sales invoice and credit note requests which can contain personal data can be made by any business area of the SPCB via a variety of means:
In addition, personal data may be contained within documentation which provides notification of changes to customer contact details, or in supporting documentation relating to the generation of sales invoices or credit notes e.g. the name and total costs associated with a secondee.
Where business areas obtain personal data for the sole purpose of requesting a sales invoice or credit note, the personal data stored by these business areas will be deleted as soon as the invoice or credit note has been processed.
Personal data may be obtained either directly from the individual, e.g. an event organiser, or indirectly from the individual, e.g. details taken from a secondment agreement and supporting documentation.
Data protection law states that we must have a legal basis for handling your personal data.
The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the UK General Data Protection Regulation (UK GDPR)).
The legal basis for sharing personal data relating to sales invoices, credit notes and debtors with internal audit and external auditors in terms of note 2 below, is that processing is necessary for a task carried out in the public interest (Article 6(1)(e) UK GDPR, section 8(d) of the Data Protection Act 2018 (DPA)).
The legal basis for sharing personal data with Banks and Building Societies in terms of note 3 below, is that processing is necessary to refund overpayments of sales invoices (Article 6(1)(b) UK GDPR).
Should the data subject not provide the required information we would be unable to provide the goods or services requested.
Where necessary, personal data is shared both internally within the Scottish Parliamentary Corporate Body (SPCB) and externally with other government agencies and organisations. We share your data with the following:
Customer data is shared internally with the relevant business areas in order to:
Where relevant, customers' personal data is restricted to Finance, the business area, and financial accounting system users.
All data relating to the sales invoices, credit notes and debtors can be shared (usually on a sample basis) with both internal audit (and support) and external auditors in order to ensure that they are processed in a way that demonstrates good governance, accountability and integrity, and that the relevant control measures are in place to reduce risk.
Personal data is shared with the relevant bank or building society in order to refund any overpayments of sales invoices.
The financial accounting system is provided by a third-party government agency (Scottish Government) and the SPCB is a user. The government agency can view and access customer details in order to provide administrative, system and technical support. The Scottish Government is acting as a data processor on behalf of the SPCB in this instance.
Personal data is retained in both paper and electronic format, in accordance with the Scottish Parliament records management policy, and access is limited as appropriate. All documentation relating to the set-up of customers and any subsequent changes to details is retained for a period of 2 years. All sales invoices, credit notes and any supporting documentation and documentation relating to the recovery of debts is retained for the current financial year plus 6 years.
In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
The following rights may apply:
You have the right to request a copy of the personal information about you that we hold.
Further information on how to make a data protection 'subject access request'.
You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
You have the right to ask us to delete personal information about you where:
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.
Please contact us in any of the ways set out below if you wish to exercise any of these rights.
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 27 January 2021.
If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:
The Scottish Parliament
Edinburgh
EH99 1SP
Telephone: 0131 348 6913
(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)
Email: dataprotection@parliament.scot
Please contact us if you require information in another language or format.
We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.
Or by phone at: 0303 123 1113