Guidance

Office of the Secretary of State for Scotland Privacy Policy

Published 24 May 2018

Date Last Modified: 24/05/2018

1. Who we are

The Office of the Secretary of State for Scotland is part of the UK Government and part of the UK Governance Group.

The Office of the Secretary of State for Scotland represents the interests of Scotland across Whitehall and champions the UK Government in Scotland. The Office of the Secretary of State for Scotland looks to strengthen and maintain the Union.

As part of our role we receive, record and respond to correspondence and Freedom of Information requests from members of the public.

The Office of the Secretary of State for Scotland is a data controller for some of the information that it holds and processes – a data controller determines the purposes and means of processing personal data. For more information see the Information Commissioner’s Office (ICO) Data Protection Public Register.

2. What data we need

The personal data we collect from you may include: Name, Address, Email Address and other information you may choose to provide as part of your request or engagement with us such as Phone number and Date of Birth.

The Office of the Secretary of State for Scotland will only process your personal data under a lawful basis set out in Article 6 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). When you correspond with us, the lawful basis will normally be that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

When you have made a Freedom of Information request, the lawful basis for processing your personal data is that “processing is necessary for compliance with a legal obligation to which the controller is subject”.

Personal information including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, will not be processed by us unless its processing falls under one of the exceptions in Article 9(2) GDPR.

3. Why we need it

We need this information in order to interact with you and deal with correspondence and Freedom of Information requests in an accurate and timely manner.

What we do with it

Your information will be logged on our system as appropriate and will be used for the purpose intended and as an administrative record that requests have been properly and fully actioned.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

4. How long we keep your data

We will only retain your personal data for as long as it is needed for the purposes set out in this document or for as long as is required by law. In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.

5. Children’s privacy protection

We understand the importance of protecting children’s privacy online. Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.

6. Where it might go

Your data will be recorded on our system and will also be shared with the officer/s dealing with your request. Our IT infrastructure and technology have been validated from inception to delivery with supporting contracts to ensure compliance with all data sharing activities.

Your personal data may, throughout the course of its processing at GDS, be transferred outside of the European Economic Area (EEA). Where this is the case all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA.

7. How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect about you – for example, we protect your data using varying levels of encryption. We also make sure that any third parties that we deal with have an obligation to keep all personal data they process on our behalf secure.

8. What are your rights

You have the right* to:

  • request information about how your personal data are processed and to request a copy of that personal data
  • request that any inaccuracies in your personal data are rectified without delay
  • request that any incomplete personal data are completed, including by means of a supplementary statement
  • request that your personal data are erased if there is no longer a justification for them to be processed
  • request that the processing of your personal data is restricted in certain circumstances – for example, where accuracy is contested.

If your personal data is processed on the basis of consent, you have the right to:

  • withdraw consent to the processing of your personal data at any time
  • request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format

*These rights are subject to exemptions in the GDPR and the Data Protection Act 2018.

9. Changes to this notice

We may modify or amend this privacy notice at our discretion at any time. When we make changes to this notice, we will amend the last modified date at the top of this page. Any modification or amendment to this privacy notice will be applied to you and your data as of that revision date. We encourage you to periodically review this privacy notice to be informed about how we are protecting your data.

10. How to contact us

The data controller for your personal data is the Office of the Secretary of State for Scotland. If you have any questions about anything in this document or if you consider that your personal data has been misused or mishandled you can contact the Data Protection Officer (DPO) at SO-and-OAG-DPO@scotlandoffice.gsi.gov.uk.

Or by post at: Office of the Secretary of State for Scotland, 1 Melville Crescent, Edinburgh, EH3 7HW

Data Protection Officer: Victoria Bowman

You may also make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: casework@ico.org.uk or on 0303 123 1113.

Or by post at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF