Privacy Notice

 1 Introduction
1A The Scottish Public Services Ombudsman is committed to protecting the privacy and security of your information.

This privacy notice explains in detail the types of personal data we may collect about you when you interact with us.  It also explains how we’ll store and handle that data, and keep it safe

It is likely we’ll need to update the privacy notice from time to time.  We will publicise any significant changes but you’re welcome to ask us questions about the notice or check the online version at any time.
1B We will comply with data protection law. This says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

3. Relevant to the purposes we have told you about and limited only to those purposes.

4. Accurate and kept up to date.

5. Kept only as long as necessary for the purposes we have told you about.

6. Kept securely.
1C We will only use your personal information when the law allows us or requires us to. Most commonly, we will use your personal information in the following circumstances:

1. We have been given responsibility and duties by law and we need to use personal information to comply with those obligations.

2. We have been given an important function or job by law and need to use personal information to fulfill that function.

3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

4. When we have your consent to do so.

5. Where we need to protect your interests (or someone else’s interests).

Some personal information has been given higher protection, this is called Special Category Information, we will only use that category of information when we have additional reasons.  Most commonly this will be because:

1.  There is a substantial public interest in us fulfilling our legal duties and responsibilities

2. We need to comply with social security law

3. Where we need to protect your interests (or someone else’s interests) and that person is not able to give consent

4.  We will also only process this type of information for archiving or undertaking scientific or other research when we know we have appropriate protections in place.
2 When do we collect your personal data?
2A We collect information that you give to us when you contact us and we also collect information we need to allow us to do the jobs that we have been given by the Scottish Parliament.  We collect information when:

  • you contact us to ask for advice
  • you bring a complaint to us
  • we are looking at a complaint and need more information to make a decision
  • you ask us to review a welfare fund decision
  • we’re reviewing a welfare fund decision and need more information to make a decision
  • you ask us to change any decision we’ve made
  • you complaint to use about our service
  • you use our website
  • you respond to any surveys
  • you give us information about your background to help us understand who is coming to us and what their needs are (this is often called equalities monitoring information)
  • you visit our office and we use our CCTV to store information for security
  • you sign up for our monthly newsletter or any of our mailing lists
  • your organisation tells us you will be our key contact.
3 What do we collect and how do we use it?
3A When you contact us to ask for advice about complaining about an organisation we may collect information about you, the organisation you are unhappy about and the advice we give you.  This allows us to:

  • refer back to the advice if you contact us again.
  • report at the end of the year the number of people and the types of issues they have raised about that organisation.
3B When you contact us to ask for advice about making a welfare fund review we may collect information about you, the Council you are unhappy about and the advice we give you.  This allows us to:

  • refer back to the advice if you contact us again.
  • report at the end of the year the number of people and the types of issues they have raised about that organisation.
3C When you contact us to ask for advice about how your organisation handles complaints or conducts reviews, we may collect information about you, your organisation and the advice we give you.  This allows us to:

  • refer back to the advice if you contact us again.
  • report at the end of the year the number of people and the types of issues they have raised about that organisation.
3D When you contact us to ask for advice about a welfare fund matters we may collect information about you, your local Council and the advice we give you.  This allows us to:

  • refer back to the advice if you contact us again.
  • report at the end of the year the number of people and the types of issues they have raised about that organisation
3E When you bring a complaint to us we will collect the information you give us about yourself, the organisation and the complaint.  This allows us to:

  • start looking at your complaint and
  • report at the end of the year about the complaints we have had and who we have had them about.
3F We need information to do the job Parliament has given us to consider and investigate complaints.  When we are looking at a complaint and need more information to make a decision we may collect information:

  • from you
  • the organisation you have complained about.
  • anyone else who may hold information we need.

Some of this information may be personal to you or others.
3G We need information to do the job Parliament has given us to review welfare fund decisions.  When we are looking at a welfare fund review and need more information to make a decision we may collect information:

  • from you
  • the Council who made the decision about your welfare fund application
  • anyone else who may hold information we need.

Some of this information may be personal to you or others.
3H When you ask us to change a decision we have made, we will collect the information you give us about the reasons why you want that decision changed and that we received a request to change a decision. This allows us to:

  • consider your request and
  • report at the end of the year how many people asked us to change a decision and what we did.

We will usually already have all the information we need to look at your request.  If we need more information we may collect information:

  • from you
  • the organisation you have complained about.
  • anyone else who may hold information we need.

Some of this information may be personal to you and others.
3I When you complain to us about our service we will collect the information you give us about the reasons why you are unhappy with our service. This allows us to:

  • consider your complaint about our service  and
  • report at the end of the year how many people asked us to change a decision and what we did.

We will usually already have all the information we need to look at your request.  If we need more information we may collect information:

  • from you
  • the organisation you have complained about.
  • anyone else who may hold information we need.

Some of this information may be personal to you and others
3J When you complain to the independent complaint review service about our service to you, we will share information with them about our service in order to let them come to a decision.
3K We monitor and assess all the work we do to improve the quality of our work and to help us know when we need to put training in place.
3L When you use our websites we collect information to help us understand how our website is being used.  We also use cookies to help make our website easier to use by

  • enabling a service to recognise your device so you don’t have to give the same information during one task, for example to remember the information you entered on the first page of a multi-page form.
  • remembering settings so you don’t have to re-enter them every time you visit a new page.
  • measuring how many people are using the website and how they navigate the website, so that we can identify ways to make it easier to use and make sure that there is enough capacity for the website to perform well and respond quickly.

Our cookies aren’t used to identify you personally. They’re just here to make the site work better for you. Indeed, you can manage and/or delete these small files as you wish.  We provide more information about our cookies, how they are used and how long they are stored for directly on each website.
3M When you respond to any surveys we will collect and analyse the responses you give us to help us improve our service.  We will not process any data that is included in any response to a survey that could identify an individual.  Personal information will be destroyed as soon as we become aware of it.  We may use third party services such as Survey Monkey.
3N When you give us information about your background to help us understand who is using our services and what their needs are (this is often called equalities monitoring information), we will collect the information you give us to understand and improve our service.  We do not collect any personal information such as your name or other information that could identify you with this data.
3O When you visit our office and we use our CCTV to store information for security we will collect your image and the time you visited our office.  This information is only accessed if we identify a security issue.  Otherwise it is destroyed without anyone accessing it.
3P When you sign up for newsletters, regular communications or any of our mailing lists we will collect the contact details we need to send these to you.  We also collect information about the category of subscriber and any organisation you are subscribing on behalf of.  This allows us to understand who is signing up to our services and helps us to improve those services.
3Q When your organisation tells us you will be our key contact we will collect your contact details and will use them when we need to contact your organisation.
3R When we compile statistics and undertake research and analysis. There may be public interest reasons for undertaking this work and whenever possible information is completely anonymised for these purposes.
4 Here are some examples of the types of information we may hold and use when looking at a complaint
4A When we are looking at a complaint we will normally let you know what types of information we are asking for and why.  For example this may include:

  • your name
  • your contact details
  • details of anyone you have chosen to represent you
  • your relationship to other people who are mentioned in the complaint
  • information you have told us about our needs to help us make our service accessible
  • correspondence with the organisation
  • notes the organisation holds about the complaint
  • information about other people which we need to make a decision
  • information held by other people which we need to make a decision.
5 Here are some examples of the types of information we may hold and use when reviewing a welfare fund decision? 
5A
  • Your name
  • Your contact details
  • Details of anyone you have chosen to represent you
  • Your relationship to other people who are mentioned in the complaint
  • Information you have told us about our needs to help us make our service accessible
  • Correspondence with the organisation
  • Notes the organisation holds about the review
  • Information about other people which we need to make a decision
  • Information held by other people which we need to make a decision.
6 Special Category Information
6A Some of the information we collect may be what the data protection law calls “special categories” of  information.  Special Categories include information about someone’s:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation.

Sometimes we will need information in these categories to look at complaints or review welfare fund decisions.  We will only process this type of information if it is relevant to the decision we need to make.

We ask people to share some of this information with us to help us monitor our service and meet our commitments on equality.
7 When do we share information with others?
7A We need to share information with others to do the jobs under the powers and duties Parliament gave us

  • Considering and investigating complaints
  • Reviewing welfare fund decisions
  • Sharing best practice and monitoring complaints handling by others
  • Reporting about our work to Parliament and the public

Note: if you bring us a complaint or a request for a review we will normally share information with the organisation you complained about or the Council who made the welfare fund decision.  If you have concerns about this please contact us as soon as possible.
7B The law says we need to share information:

  • To let the organisation or person complained about respond to the complaint
  • When we decide not to investigate a complaint we must share information with the people and organisation directly involved
  • When we start to investigate a complaint but decide we can come to a decision without conducting a full investigation we must share information with the people and organisation directly involved.  We also may report to Parliament but must not name people when we do so.
  • When we complete an investigation we must share information with the people and organisation directly involved.  In complaints about GPs, Opticians, and pharmacists this will include the Board they hold a contract with.  We must also send a report to Parliament but must not name people when we do so.
7C We will also need to share information to:

  • receive comments about that information that we need to make a decision
  • receive expert advice from someone
  • obtain a translation or provide a translation of information (We use Languageline and they also have their own privacy policy.
  • obtain further information we need to make a decision
  • provide the Independent complaint review service with the information they need to make a decision on a complaint about our service.
7D When that information shows there may be a risk to someone’s health or safety
7E When that information is important to some named organisations for their work.  Those organisations are named by law and the law also names the reasons we can share information with them they include:

  • Audit Scotland (for purposes relating to audit)
  • The Care Inspectorate (for purposes relating to their role as a regulator of care homes)
  • The Scottish Social Security Council (for purposes relating to their role as the registrar for care workers)
  • The Scottish Information Commissioner (for purposes relating to their role as regulator for Freedom of Information)
  • The Information Commissioner (for purposes relating to their role as the regulator for Data Protection)
  • Other UK Public Services Ombudsman (when the issue may be a cross-border issue).
7F If a court or a law tells us we need to release information.
7G We sometimes use third parties to provide us with services and they may need to process information to do so.  This may include people or organisations who provide us with:

  • IT services
  • legal services
  • Professional advisers and consultants
  • Independent complaints review services
  • courier and secure shredding services
  • Survey management and processing services
8 How do we keep your information safe?
8A Data Protection law protects your information.  There are rules in our legislation which add additional legal protections by

  • limiting when we can share information and
  • ensuring if information is made public we are not allowed to include names
8B We also take steps to protect the information given to us.

  • We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Additionally, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
  • We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
  • Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We can provide more details of these measures and procedures if you ask for them and they are also available on our website.
9 Keeping Special categories of data safe
9A We take additional steps to protect special categories of data.   We clearly identify when we hold special category data and have set out specific procedures for ensuring this is held securely and only held for as long as we need to.

When we collect information about you for the purposes of equalities monitoring this is stored in a way that means it can never be traced back to an individual.

When we collect information held by social work or about your health we will normally contact you about this before doing so.
10 What are your rights?
10A You have the right to:

  • know when we are processing your data
  • see the data we process about you
  • correct any information
  • object to processing
  • ask for the information to be destroyed
  • Withdraw consent where this has been provided
  • Lodge a complaint with the ICO

We respect these rights.  If you have any concerns about our handling of your personal information, please let us know.
10B Fee NOT usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
10C What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.

To do the jobs we have been given by Parliament and the law that applies to us effectively means that sometimes we may not be able to let you know when we process data or agree with you the steps you may want us to take.

We have a process that allows you to challenge any decision we make about your data and you can also contact the ICO.
10D We will have a Data Protection Officer who is independent of the SPSO and can also give you advice and listen to concerns.  Their contact details will be below.
11 Where we process your data
11A We do not transfer the personal information we collect about you outside the European Economic Area without your consent, except where we ensure that your personal information will receive an adequate level of protection by putting in place appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection.
12 How long do we keep your information for?
12A We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for.  This includes for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For example, we destroy most information on a complaint or a review 14 months after the last date of contact.  We will then only keep minimal information (surname and organisation complained about) indefinitely to make sure we have an archive of our work.