Social Security Scotland holds and processes personal data, in compliance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This privacy notice explains your rights and tells you how we will look after and use your personal data.
For information on how we process our clients’ personal data, please see the following privacy information: Privacy notice and data protection - Social Security Scotland - mygov.scot
We may provide specific privacy information in addition to this notice when necessary, for example if you take part in a survey or apply for a job with us.
We only process personal data to carry out our legal and official functions:
Social Security Scotland is an executive agency of the Scottish Government and acts on behalf of the Scottish Ministers in processing personal data. Scottish Ministers are registered as a controller with the Information Commissioner (registration number Z4857137).
Social Security Scotland has a Data Protection Officer.
You can contact the Data Protection Officer for more information about what we do with your personal data, email: email@example.com or write to:
Data Protection Officer
PO Box 10298
We may need to process personal data about you if you are a client, prospective client or someone supporting a client’s application.
Unless otherwise specified, the remainder of this privacy notice concerns processing for purposes other than delivery of benefits to clients.
We may also process personal data about you if you are:
We may also process your personal data if you correspond with us, submit a request under freedom of information or data protection legislation, including through our website, subscribe to a newsletter or engage in a survey.
Privacy information regarding processing of personal data for our colleagues is provided on our intranet.
We may need to process personal data to:
We may also process personal data in order to:
In exceptional circumstances we may process your information to protect you, your community or the wider public.
We collect your personal data in circumstances such as:
When you visit our website www.socialsecurity.gov.scot we may use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. The cookies are turned off by default.
If you choose to switch these cookies on, we collect information about:
We use this information to understand how visitors to our website interact with it in order to monitor and improve the service it provides.
Any information we get is received in a way that we can't identify anyone by it. For example, we never receive your name or address.
We do not make, and do not allow Google Analytics to make, any attempt to find out the identities of those visiting our website.
The legal basis for processing your personal data will, in most cases, be Article 6 (1)(e) of the UK GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller). When processing personal data for recruitment and employment purposes, the legal basis is Article 6 (1) (c) (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).
In order to process information for employment purposes, we may process special category data. The legal bases for this will in most cases be Article 9 (2) (b) (processing is necessary for the purposes of carrying out the obligations and exercising of specific rights of the controller or the data subject in the field of employment and social security and social protection law).
In the majority of circumstances, we will not require your consent to process your personal data. However, where any processing of your personal data is based upon consent (including explicit consent as set out in Article 9 of the UK GDPR), you will be specifically informed of this, and you may withdraw that consent at any time.
We have a duty to make sure your personal data is secure.
We do that by limiting access to your personal data and preventing unauthorised disclosure. We only hold your data for as long as necessary.
Staff who access personal data must:
We audit and review the activities of staff who access personal data.
As required by the Data Protection Act 2018, we have an appropriate policy document which details the lawful basis and conditions for processing and safeguards we have put in place when we process special category data, criminal offence data, and sensitive data for law enforcement purposes. If you would like a copy of the policy, please contact our Data Protection Officer.
In some circumstances we will share your information with other organisations. We will only do this when it is necessary for one of our functions or another legal obligation and in accordance with the obligations of data protection legislation.
The personal data we process is mostly held within the UK. If we process personal data in another country we will only do so where there are strong data protection safeguards in place. We use cloud computing service providers to host much of our personal data and ensure we only enter into contracts with suppliers who are able to protect personal data on our behalf in line with our requirements and in accordance with data protection legislation.
We keep your information for no longer than is necessary. This period varies depending on the reasons we process your personal data.
For more information on how long we hold your data for, contact our Data Protection Officer.
We do not carry out automated decision making other than in the circumstances set out in our client information privacy notice.
The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 provide individuals with rights around the use of their personal data. You have the right to:
Please note there may be legal reasons why we cannot carry out your request.
If you want to exercise these rights, please contact our Data Protection Officer.
You also have the right to complain to the Information Commissioner’s Office about the way we:
To contact the Information Commissioner’s Office:
The Information Commissioner