The Scottish Public Services Ombudsman is committed to protecting the privacy and security of your information.

 

This privacy notice explains in detail the types of personal data we may collect about you when you interact with us.  It also explains how we’ll store and handle that data, and keep it safe.

 

It is likely we’ll need to update the privacy notice from time to time.  We will publicise any significant changes but you’re welcome to ask us questions about the notice or check the online version at any time.

 

Privacy Commitment

We will comply with data protection law. This says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

3. Relevant to the purposes we have told you about and limited only to those purposes.

4. Accurate and kept up to date.

5. Kept only as long as necessary for the purposes we have told you about.

6. Kept securely.

 

We will only use your personal information when the law allows us or requires us to. Most commonly, we will use your personal information in the following circumstances:

1 We have been given responsibility and duties by law and we need to use personal information to comply with those obligations.

2. We have been given an important function or job by law and need to use personal information to fulfil that function.

3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

4. When we have your consent to do so.

5. Where we need to protect your interests (or someone else's interests).

Some personal information has been given higher protection, this is called Special Category Information, we will only use that category of information when we have additional reasons.  Most commonly this will be because: 

  1.   There is a substantial public interest in us fulfilling our legal duties and responsibilities

2. We need to comply with social security law

3. Where we need to protect your interests (or someone else’s interests) and that person is not able to give consent

  1.   We will also only process this type of information for archiving or undertaking scientific or other research when we know we have appropriate protections in place.

Collecting and using information

Making a complaint

We collect information when

  • you contact us to ask for advice
  • you bring a complaint to us
  • we are looking at a complaint and need more information to make a decision
  • you ask us to change any decision we’ve made
  • you complain to us about our service

 

We will normally let you know what types of information we are asking for and why.  For example this may include:

  • your name
  • your contact details
  • details of anyone you have chosen to represent you
  • your relationship to other people who are mentioned in the complaint
  • information you have told us about our needs to help us make our service accessible
  • information you tell us about your complaint
  • correspondence with the organisation
  • notes the organisation holds about the complaint
  • information about other people which we need to make a decision
  • information held by other people which we need to make a decision
  • information about your background

 

We use this information to:

  • provide you with advice
  • refer back to the advice if you contact us again
  • investigate and make decisions on complaints
  • respond to complaints about our service
  • monitor and assess the quality of our work
  • monitor and assess the quality of complaint handling and service provision by organisations
  • report on individual decisions to Parliament (we do not name individuals in any reports)
  • report on trends and statistics
  • learn more about our users and what their needs are
  • ask you about our service

 

Requesting a review of a welfare fund decision

We collect information when

  • you contact us to ask for advice
  • you bring a request for a review to us
  • we are looking at a review and need more information to make a decision
  • decision
  • you ask us to change any decision we’ve made
  • you complain to us about our service

 

We will normally let you know what types of information we are asking for and why.  For example this may include:

  • your name
  • your contact details
  • details of anyone you have chosen to represent you
  • your relationship to other people who are mentioned in the complaint
  • information you have told us about our needs to help us make our service accessible
  • information about your review
  • correspondence with the organisation
  • notes the organisation holds about the complaint
  • information about other people which we need to make a decision
  • information held by other people which we need to make a decision
  • information about your background

 

We use this information to:

  • provide you with advice
  • refer back to the advice if you contact us again
  • investigate and make decisions on complaints
  • respond to complaints about our service
  • Sharing best practice and monitoring complaints handling by others
  • Reporting about our work to the Scottish Parliament and the public  (we do not name individuals in any reports)
  • monitor and assess the quality of complaint handling by organisations
  • compile statistics and undertake research and analysis. There may be public interest reasons for undertaking this work and whenever possible information is completely anonymised for these purposes.
  • learn more about our users and what their needs are
  • ask you about our service
  • protect our staff from unacceptable behaviour

For professionals

When your organisation tells us you will be our key contact we will collect your contact details and will use them when we need to contact your organisation.

If you attend a training session we will collect information we need to provide that training and to assess the quality of our training

If you contact us for advice about complaint handling we will keep a record of that contact so we can return to that advice and also monitor trends.

Responding to consultations or surveys or signing up to our mailing lists and newsletters

When you respond to any surveys we will collect and analyse the responses you give us to help us improve our service.  We will not process any data that is included in any response to a survey that could identify an individual.  Personal information will be destroyed as soon as we become aware of it.  We may use third party services such as Survey Monkey their privacy notice is here: https://www.surveymonkey.com/mp/legal/privacy-policy/

When you respond to a consultation, the responses will be analysed and we may produce a report of consultation responses. Where permission is given, we may publish responses. We may include personal data where permission has been given to do so. We never publish email or postal addresses. Where permission is given, we may contact respondents for further comment.

When you sign up to a newsletter or mailing list. We will collect the contact details we need to send these to you.  We also collect information about the category of subscriber and any organisation you are subscribing on behalf of.  This allows us to understand who is signing up to our services and helps us to improve those services.  We use mailchimp for our newsletter and they have their own privacy policy here: https://mailchimp.com/legal/privacy/

Using our website

We collect information to help us understand how our website is being used.  We also use cookies to help make our website easier to use by

  • enabling a service to recognise your device so you don’t have to give the same information during one task, for example to remember the information you entered on the first page of a multi-page form.
  • remembering settings so you don’t have to re-enter them every time you visit a new page.
  • measuring how many people are using the website and how they navigate the website, so that we can identify ways to make it easier to use and make sure that there is enough capacity for the website to perform well and respond quickly.

Our cookies aren’t used to identify you personally. They’re just here to make the site work better for you. Indeed, you can manage and/or delete these small files as you wish.  We provide more information about our cookies, how they are used and how long they are stored for directly on each website.

Making an information request

When you make an information request to us we need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations. We will consult with any third parties we may have received the information being requested from for their views on disclosure.

Collecting Special Category Information

Some of the information we collect may be what the data protection law calls “special categories” of  information.  Special Categories include information about someone’s:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

Sometimes we will need information in these categories to look at complaints or review welfare fund decisions.  We will only process this type of information if it is relevant to the decision we need to make.  We ask people to share some of this information with us to help us monitor our service and meet our commitments on equality.  We do not collect any personal information such as names or other information that could identify you with this data.

When do we share information with others?

We need to share information with others to do the jobs under the powers and duties the Scottish Parliament gave us

  • Considering and investigating complaints
  • Reviewing welfare fund decisions
  • Reporting about our work to the Scottish Parliament and the public

 

This may include:

  • Sharing and asking for comments on information we have collected
  • Explaining our decision to people involved.  In complaints about GPs, opticians, and pharmacists this will include the Board they hold a contract with.
  • Publicly Reporting our decisions to the Scottish Parliament (reports do not name individuals)
  • Receiving expert advice from someone
  • Obtaining a translation or providing a translation of information (We use languageline and they also have their own privacy policy which is here: https://www.languageline.com/uk/privacy-policy)
  • providing the Independent complaint review service with the information they need to make a decision on a complaint about our service 

 

Note: if you bring us a complaint or a request for a review we will normally share information with the organisation you complained about or the Council who made the welfare fund decision.  If you have concerns about this please contact us as soon as possible.

 

We may also share information.

  • When that information shows there may be a risk to someone’s health or safety
  • When that information is important to certain other organisations for their work. 

 

The law includes a list of named organisations and the information we can share with them:

  • Audit Scotland (for purposes relating to audit)
  • The Care Inspectorate (for purposes relating to their role as a regulator of care services)
  • The Scottish Social Services Council (for purposes relating to their role as the registrar for care workers)
  • The Scottish Information Commissioner (for purposes relating to their role as regulator for Freedom of Information)
  • The Information Commissioner (for purposes relating to their role as the regulator for Data Protection)
  • Other UK Public Services Ombudsman (when the issue may be a cross-border issue)

 

We would also share information if a court or a law tells us we need to release information.

 

We sometimes use third parties to provide us with services and they may need to process information to do so.  This may include people or organisations who provide us with:

  • IT services
  • legal services
  • Professional advisers and consultants
  • Independent complaints review services
  • courier and secure shredding services
  • Survey management and processing services 

How do we keep your information safe?

Data Protection law protects your information.  There are rules in our legislation which add additional legal protections by

  • limiting when we can share information and
  • ensuring if information is made public we are not allowed to include names

 

We also take steps to protect the information given to us.

  • we have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Additionally, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality
  • we have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so
  • third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

 

We can provide more details of these measures and procedures if you ask for them and they are also available on our website.

Keeping Special categories of data safe

We take additional steps to protect special categories of data.   We clearly identify when we hold special category data and have set out specific procedures for ensuring this is held securely and only held for as long as we need to.

When we collect information about you for the purposes of equalities monitoring this is stored in a way that means it can never be traced back to an individual.

When we collect information held by social work or about your health we will normally contact you about this before doing so.

What are your rights?

The law says you have the right to:

know when we are processing your data

see the data we process about you

correct any information

object to processing

ask for the information to be destroyed

Withdraw consent where this has been provided

 

Unless there are legal reasons which mean we can't do this.

 

You always have the right to lodge a complaint with the Information Commissioner's Office (ICO).

 

We respect these rights.  If you have any concerns about our handling of your personal information, please let us know.

 

We have a Data Protection Officer who is independent of the SPSO and can also give you advice and listen to concerns. 

Where we process your data

The majority of your personal information is hosted within the European Union. However, it may be necessary to transfer your personal information to countries outside of the European Union – for example, where cloud-hosted IT software is held or supported in third countries. In doing so, we will ensure that adequate safeguards are used to secure the data – for example, by encryption and ensuring that suppliers are subject to contract clauses in respect of data security.

Where we communicate with you via email, we may not always be able to identify the destination of your information.   

Note: If you choose an email address as your preferred contact  please be aware that we may be sending you sensitive and personal information to that email.  Email security can not always be guaranteed.  If you choose this method of contact, you are confirming that you accept that risk.   

How long do we keep your information for?

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for.  This includes for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For example, we usually destroy most information on a complaint or a review 14 months after the date of last significant contact.  We will then only keep minimal information (surname and organisation complained about) on our case database indefinitely to make sure we have an archive of our work.

Details of all the retention periods for different aspects of your personal information are in our retention policy which is available on our website: https://www.spso.org.uk/spso-policies or any time you ask us for this.

Contact Details

The SPSO

The Scottish Public Services Ombudsman

Bridgeside House

99 McDonald Road

Edinburgh

EH7 4NS

Freephone 0800 377 7330

Online: www.spso.org.uk

 

The SPSO’s Data Protection Officer

Email: DPOservice@parliament.scot

Telephone: (0131) 348 6080

 

 

Updated: December 2, 2018