Combined Shape Created with Sketch. !

Privacy Notice


Social Security Scotland holds and processes personal data, in compliance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This privacy notice explains your rights and tells you how we will look after and use your personal data.

For information on how we process our clients’ personal data, please see the following privacy information: Privacy notice and data protection - Social Security Scotland -

We may provide additional specific privacy information to you in addition to this notice when necessary, for example if you take part in a survey or apply for a job with us.

We only process personal data to carry out our legal and official functions:

  • when the law allows or requires us to
  • where it is necessary and proportionate to do so, for example to carry out functions under the Social Security (Scotland) Act 2018
  • to administer our organisation (for example in the employment of our colleagues)

Social Security Scotland is an executive agency of the Scottish Government and acts on behalf of the Scottish Ministers in processing personal data. Scottish Ministers are registered as a controller with the Information Commissioner (registration number Z4857137).

Social Security Scotland has a Data Protection Officer.

You can contact the Data Protection Officer for more information about what we do with your personal data, email: or write to:

Data Protection Officer
PO Box 10298

Who we might collect personal data about

We may need to process personal data about you if you are a client, prospective client or someone supporting a client’s application.

Unless where otherwise specified, the remainder of this privacy notice concerns processing for purposes other than delivery of benefits to clients.

We may also process personal data about you if you are:

  • a candidate for employment at Social Security Scotland
  • a colleague
  • a contractor or supplier providing services to us
  • a representative of an organisation we engage with to carry out our functions

We may also process your personal if you correspond with us, submit a request under freedom of information or data protection legislation, including through our website, subscribe to a newsletter or engage in a survey.

Privacy information regarding processing of personal data for our colleagues is provided on our intranet.

Our reasons for processing your personal data

We may need to process personal data to:

  • process applications for Scottish social security benefits
  • recruit and employ staff
  • engage with our stakeholders
  • engage with contractors and suppliers who provide us with services
  • manage correspondence we receive or deal with requests under freedom of information or data protection legislation

We may also process personal data in order to:

  • fulfil legal obligations to help prevent and detect benefit fraud
  • carry out quality and compliance monitoring
  • carry out research
  • compile and report statistics

In exceptional circumstances we may process your information to protect you, your community or the wider public.

How we collect your personal data

We collect your personal data in circumstances such as:

  • through communication with you online, by phone, by post or face to face
  • when you apply for a job in Social Security Scotland
  • when we receive information from other organisations to fulfil legal obligations to help prevent and detect fraud, protect public funds or to support the prosecution of offences relating to fraud
  • on CCTV when you visit one of our buildings

Visitors to our website

When you visit our website we may use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. The cookies are turned off by default.

If you choose to switch these cookies on, we collect information about:

  • the pages you visit and how long you spend on each page
  • how you got to Social Security Scotland's website
  • what you click on while you're visiting Social Security Scotland's website

We use this information to understand how visitors to our website interact with it in order to monitor and improve the service it provides.

Any information we get is received in a way that we can't identify anyone by it. For example, we never receive your name or address.

We do not make, and do not allow Google Analytics to make, any attempt to find out the identities of those visiting our website.

Legal basis for processing your personal data

The legal basis for processing your personal data will, in most cases, be Article 6 (1)(e) of the UK GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller). When processing personal data for recruitment and employment purposes, the legal basis is Article 6 (1) (c) (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).

In order to process information for employment purposes, we may process special category data. The legal bases for this will in most cases be Article 9 (2) (b) (processing is necessary for the purposes of carrying out the obligations and exercising of specific rights of the controller or the data subject in the field of employment and social security and social protection law).

In the majority of circumstances, we will not require your consent to process your personal data, however where any processing of your personal data is based upon consent (including explicit consent as set out in Article 9 of the UK GDPR), you will be specifically informed of this, and you may withdraw that consent at any time.

How we protect your personal data

We have a duty to make sure your personal data is secure.

We do that by limiting access to your personal data and preventing unauthorised disclosure. We only hold your data for as long as necessary.

Staff who access personal data must:

  • have appropriate security clearance 
  • only access personal data if there is a business need to do so 
  • complete mandatory data protection training

We audit and review the activities of staff who access personal data.

As required by the Data Protection Act 2018, we have an appropriate policy document which details the lawful basis and conditions for processing and safeguards we have put in place when we process special category data, criminal offence data, and sensitive data for law enforcement purposes. If you would like a copy of the policy, please contact our Data Protection Officer.

Organisations and we may share personal data with

In some circumstances we will share your information with other organisations. We will only do this when it is necessary for one of our functions or another legal obligation and in accordance with the obligations of data protection legislation.

Where we process personal data

The personal data we process is mostly held within the UK. If we process personal data in another country we will only do so where there are strong data protection safeguards in place. We use cloud computing service providers to host much of our personal data and ensure we only enter into contracts with suppliers who are able to protect personal data on our behalf in line with our requirements and in accordance with data protection legislation.

How long we will keep your personal data

We keep your information for no longer than is necessary. This period varies depending on the reasons we process your personal data.

For more information on how long we hold your data for, contact our Data Protection Officer.

Automated decision making

We do not carry out automated decision making other than in the circumstances set out in our client information privacy notice.

Your rights and how to get a copy of your personal data

The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 provide individuals with rights around the use of their personal data. You have the right to:

  • ask us to confirm what personal data we hold about you and to provide you with a copy
  • object to the use of your personal data
  • ask us to restrict the use of your personal data  
  • ask us to correct your personal data 
  • ask us to delete your personal data 

Please note there may be legal reasons why we cannot carry out your request.

If you want to exercise these rights, please contact our Data Protection Officer.

How to complain

You also have the right to complain to the Information Commissioner’s Office about the way we:

  • handle your personal data
  • respond to your request to exercise your other rights under the UK GDPR or the Data Protection Act 2018

To contact the Information Commissioner’s Office:

The Information Commissioner
Wycliffe House
Water Lane

Sign up to our newsletter

If you are an organisation or individual who works with people who may need information or support on any of our benefits, sign up to our stakeholder newsletter.

We'll never send you content you haven’t asked for and you can opt out at any time.

Please enter a valid email address

Read our privacy policy