Scottish Public Services Ombudsman

Call us on 0800 377 7330

Privacy Notice

 1

Introduction

1A

The Scottish Public Services Ombudsman is committed to protecting the privacy and security of your information.

This privacy notice explains in detail the types of personal data we may collect about you when you interact with us.  It also explains how we’ll store and handle that data, and keep it safe.

It is likely we’ll need to update the privacy notice from time to time.  We will publicise any significant changes but you’re welcome to ask us questions about the notice or check the online version at any time.

1B

We will comply with data protection law. This says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

3. Relevant to the purposes we have told you about and limited only to those purposes.

4. Accurate and kept up to date.

5. Kept only as long as necessary for the purposes we have told you about

6. Kept securely.

1C

We will only use your personal information when the law allows us or requires us to. Most commonly, we will use your personal information in the following circumstances:

1. We have been given responsibility and duties by law and we need to use personal information to comply with those obligations.

2. We have been given an important function or job by law and need to use personal information to fulfill that function.

3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

4. When we have your consent to do so.

5. Where we need to protect your interests (or someone else's interests).

Some personal information has been given higher protection, this is called Special Category Information, we will only use that category of information when we have additional reasons.  Most commonly this will be because: 

1.  There is a substantial public interest in us fulfilling our legal duties and responsibilities

2. We need to comply with social security law

3. Where we need to protect your interests (or someone else’s interests) and that person is not able to give consent

4.  We will also only process this type of information for archiving or undertaking scientific or other research when we know we have appropriate protections in place.

2

When do we collect your personal data?

2A

We collect information that you give to us when you contact us and we also collect information we need to allow us to do the jobs that we have been given by the Scottish Parliament.  We collect information when:

  • you contact us to ask for advice

  • you bring a complaint to us

  • we are looking at a complaint and need more information to make a decision

  • you ask us to review a welfare fund decision

  • we’re reviewing a welfare fund decision and need more information to make a decision

  • you ask us to change any decision we’ve made

  • you complain to us about our service

  • you use our website

  • you respond to any surveys

  • you give us information about your background to help us understand who is coming to us and what their needs are (this is often called equalities monitoring information)

  • you visit our office and we use our CCTV to store information for security

  • you sign up for our monthly newsletter or any of our mailing lists

  • your organisation tells us you will be our key contact

  • you have made an information request to us.

3

What do we collect and how do we use it?

3A

When you contact us to ask for advice about complaining about an organisation we may collect information about you, the organisation you are unhappy about and the advice we give you.  This allows us to: 

  • refer back to the advice if you contact us again.

  • report at the end of the year the number of people and the types of issues they have raised about that organisation.

3B

When you contact us to ask for advice about making a welfare fund review we may collect information about you, the Council you are unhappy about and the advice we give you.  This allows us to: 

  • refer back to the advice if you contact us again.

  • report at the end of the year the number of people and the types of issues they have raised about that organisation.

3C

When you contact us to ask for advice about how your organisation handles complaints or conducts reviews, we may collect information about you, your organisation and the advice we give you.  This allows us to:

  • refer back to the advice if you contact us again.
  • report at the end of the year the number of people and the types of issues they have raised about that organisation.

3D

When you contact us to ask for advice about a welfare fund matters we may collect information about you, your local Council and the advice we give you.  This allows us to: 

  • refer back to the advice if you contact us again.

  • report at the end of the year the number of people and the types of issues they have raised about that organisation

3E

When you bring a complaint to us we will collect the information you give us about yourself, the organisation and the complaint.  This allows us to:

  • start looking at your complaint and

  • report at the end of the year about the complaints we have had and who we have had them about.

3F

We need information to do the job the Scottish Parliament has given us to consider and investigate complaints.  When we are looking at a complaint and need more information to make a decision we may collect information:

  • from you

  • the organisation you have complained about.

  • anyone else who may hold information we need.

Some of this information may be personal to you or others.

3G

We need information to do the job the Scottish Parliament has given us to review welfare fund decisions.  When we are looking at a welfare fund review and need more information to make a decision we may collect information:

  • from you

  • the Council who made the decision about your welfare fund application

  • anyone else who may hold information we need.

Some of this information may be personal to you or others.

3H

When you ask us to change a decision we have made, we will collect the information you give us about the reasons why you want that decision changed and that we received a request to change a decision. This allows us to:

  • consider your request and

  • report at the end of the year how many people asked us to change a decision and what we did.

We will usually already have all the information we need to look at your request.  If we need more information we may collect information:

  • from you

  • the organisation you have complained about.

  • anyone else who may hold information we need.

Some of this information may be personal to you and others.

3I

When you complain to us about our service we will collect the information you give us about the reasons why you are unhappy with our service. This allows us to:

  • consider your complaint about our service  and

  • report at the end of the year how many people asked us to change a decision and what we did.

We will usually already have all the information we need to look at your request.  If we need more information we may collect information:

  • from you

  • the organisation you have complained about.

  • anyone else who may hold information we need.

Some of this information may be personal to you and others

3J

When you complain to the independent complaint review service about our service to you, we will share information with them about our service in order to let them come to a decision.

3K

We monitor and assess all the work we do to improve the quality of our work and to help us know when we need to put training in place.

3L

When you use our websites we collect information to help us understand how our website is being used.  We also use cookies to help make our website easier to use by

  • enabling a service to recognise your device so you don’t have to give the same information during one task, for example to remember the information you entered on the first page of a multi-page form.

  • remembering settings so you don’t have to re-enter them every time you visit a new page.

  • measuring how many people are using the website and how they navigate the website, so that we can identify ways to make it easier to use and make sure that there is enough capacity for the website to perform well and respond quickly.

Our cookies aren’t used to identify you personally. They’re just here to make the site work better for you. Indeed, you can manage and/or delete these small files as you wish.  We provide more information about our cookies, how they are used and how long they are stored for directly on each website.

3M

When you respond to any surveys we will collect and analyse the responses you give us to help us improve our service.  We will not process any data that is included in any response to a survey that could identify an individual.  Personal information will be destroyed as soon as we become aware of it.  We may use third party services such as Survey Monkey. Their privacy notice is available on their website.

3N

When you give us information about your background to help us understand who is using our services and what their needs are (this is often called equalities monitoring information), we will collect the information you give us to understand and improve our service.  We do not collect any personal information such as your name or other information that could identify you with this data.

3O

When you visit our office and we use our CCTV to store information for security we will collect your image and the time you visited our office.  This information is only accessed if we identify a security issue.  Otherwise it is destroyed without anyone accessing it.

3P

When you sign up for newsletters, regular communications or any of our mailing lists we will collect the contact details we need to send these to you.  We also collect information about the category of subscriber and any organisation you are subscribing on behalf of.  This allows us to understand who is signing up to our services and helps us to improve those services.  We use Mailchimp for our newsletter and they have their own privacy policy available on their website.

3Q

When your organisation tells us you will be our key contact we will collect your contact details and will use them when we need to contact your organisation.

3R

When we compile statistics and undertake research and analysis. There may be public interest reasons for undertaking this work and whenever possible information is completely anonymised for these purposes.

3S When you make an information request to us we need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations. We will consult with any third parties we may have received the information being requested for their views on disclosure.

4

Here are some examples of the types of information we may hold and use when looking at a complaint

4A

When we are looking at a complaint we will normally let you know what types of information we are asking for and why.  For example this may include:

  • your name

  • your contact details

  • details of anyone you have chosen to represent you

  • your relationship to other people who are mentioned in the complaint

  • information you have told us about our needs to help us make our service accessible

  • correspondence with the organisation

  • notes the organisation holds about the complaint

  • information about other people which we need to make a decision

  • information held by other people which we need to make a decision.

5

Here are some examples of the types of information we may hold and use when reviewing a welfare fund decision? 

5A

  • Your name

  • Your contact details

  • Details of anyone you have chosen to represent you

  • Your relationship to other people who are mentioned in the complaint

  • Information you have told us about our needs to help us make our service accessible

  • Correspondence with the organisation

  • Notes the organisation holds about the review

  • Information about other people which we need to make a decision

  • Information held by other people which we need to make a decision.

6

Special Category Information

6A

Some of the information we collect may be what the data protection law calls “special categories” of  information.  Special Categories include information about someone’s:

  • race

  • ethnic origin

  • politics

  • religion

  • trade union membership

  • genetics

  • biometrics (where used for ID purposes)

  • health

  • sex life

  • sexual orientation.

Sometimes we will need information in these categories to look at complaints or review welfare fund decisions.  We will only process this type of information if it is relevant to the decision we need to make.

We ask people to share some of this information with us to help us monitor our service and meet our commitments on equality.

7

When do we share information with others?

7A

We need to share information with others to do the jobs under the powers and duties the Scottish Parliament gave us

  • Considering and investigating complaints

  • Reviewing welfare fund decisions

  • Sharing best practice and monitoring complaints handling by others

  • Reporting about our work to the Scottish Parliament and the public

Note: if you bring us a complaint or a request for a review we will normally share information with the organisation you complained about or the Council who made the welfare fund decision.  If you have concerns about this please contact us as soon as possible.

7B

The law says we need to share information:

  • To let the organisation or person complained about respond to the complaint

  • When we decide not to investigate a complaint we must share information with the people and organisation directly involved

  • When we start to investigate a complaint but decide we can come to a decision without conducting a full investigation we must share information with the people and organisation directly involved.  We also may report to the Scottish Parliament but must not name people when we do so.

  • When we complete an investigation we must share information with the people and organisation directly involved.  In complaints about GPs, opticians, and pharmacists this will include the Board they hold a contract with.  We must also send a report to the Scottish Parliament but must not name people when we do so.

7C

We will also need to share information to:

  • receive comments about that information that we need to make a decision

  • receive expert advice from someone

  • obtain a translation or provide a translation of information (We use Languageline and they also have their own privacy policy which is available on their website

  • obtain further information we need to make a decision

  • provide the Independent complaint review service with the information they need to make a decision on a complaint about our service. 

7D

When that information shows there may be a risk to someone’s health or safety

7E

When that information is important to some named organisations for their work.  Those organisations are named by law and the law also names the reasons we can share information with them they include:

  • Audit Scotland (for purposes relating to audit)

  • The Care Inspectorate (for purposes relating to their role as a regulator of care services)

  • The Scottish Social Services Council (for purposes relating to their role as the registrar for care workers)

  • The Scottish Information Commissioner (for purposes relating to their role as regulator for Freedom of Information)

  • The Information Commissioner (for purposes relating to their role as the regulator for Data Protection)

  • Other UK Public Services Ombudsman (when the issue may be a cross-border issue).

7F

If a court or a law tells us we need to release information.

7G

We sometimes use third parties to provide us with services and they may need to process information to do so.  This may include people or organisations who provide us with:

  • IT services

  • legal services

  • Professional advisers and consultants

  • Independent complaints review services

  • courier and secure shredding services

  • Survey management and processing services  

8

How do we keep your information safe?

8A

Data Protection law protects your information.  There are rules in our legislation which add additional legal protections by

  • limiting when we can share information and

  • ensuring if information is made public we are not allowed to include names

8B

We also take steps to protect the information given to us.

  • we have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Additionally, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality

  • we have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so

  • third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We can provide more details of these measures and procedures if you ask for them and they are also available on our website.

9

Keeping Special categories of data safe

9A

We take additional steps to protect special categories of data.   We clearly identify when we hold special category data and have set out specific procedures for ensuring this is held securely and only held for as long as we need to.

When we collect information about you for the purposes of equalities monitoring this is stored in a way that means it can never be traced back to an individual.

When we collect information held by social work or about your health we will normally contact you about this before doing so.

10

What are your rights?

10A

You have the right to:

  • know when we are processing your data

  • see the data we process about you

  • correct any information

  • object to processing

  • ask for the information to be destroyed

  • Withdraw consent where this has been provided

Unless there are legal reasons which mean we can't do this.

  • You always have the right to lodge a complaint with the Information Commissioner's Office (ICO).

We respect these rights.  If you have any concerns about our handling of your personal information, please let us know.

10B

Fee NOT usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

10C

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.

To do the jobs we have been given by the Scottish Parliament and the law that applies to us effectively means that sometimes we may not be able to let you know when we process data or agree with you the steps you may want us to take. 

We have a process that allows you to challenge any decision we make about your data and you can also contact the ICO.   We can provide details about this if you ask us and it is also available in our 'Your Information Rights and the SPSO' leaflet (PDF, 214KB)

10D

We will have a Data Protection Officer who is independent of the SPSO and can also give you advice and listen to concerns.  Their contact details will be below.

11

Where we process your data

11A

We do not transfer the personal information we collect about you outside the European Economic Area without your consent, except where we ensure that your personal information will receive an adequate level of protection by putting in place appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection.

12

How long do we keep your information for?

12A

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for.  This includes for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For example, we destroy most information on a complaint or a review 14 months after the last date of contact.  We will then only keep minimal information (surname and organisation complained about) indefinitely to make sure we have an archive of our work.

Details of all the retention periods for different aspects of your personal information are in our retention policy which is available on our website or any time you ask us for this.

13

Contact Details

13A

The SPSO

The Scottish Public Services Ombudsman

4 Melville Street

Edinburgh

EH3 7NS

Freephone 0800 377 7330

Online: www.spso.org.uk

13B

The SPSO’s Data Protection Officer:

Email: DPOservice@parliament.scot

Telephone: 0131 348 6080

 

Disclaimer

We try to ensure that the information published on the SPSO website is up-to-date and accurate. However, this information does not constitute legal or professional advice and the SPSO cannot accept any liability for actions arising from its use. The SPSO cannot be held responsible for the contents or accuracy of any pages referenced by an external link. External links are provided to assist visitors to the SPSO website and the inclusion of a link does not imply that the SPSO endorses or has approved the linked site.

Traffic monitoring

General traffic data is collected via the SPSO website. Any statistics produced are based on aggregated data from which no details of any individual visitor can be traced. The SPSO site does not automatically capture or store personal data from visitors to the site other than to record session information such as the most popular pages visited and the nature of the browser used. This information is used only for the administration of the site system and in the compilation of general statistics used by the SPSO to assess the use of the site.

Cookies

When we provide services via our website, we want to make them easy to use, useful and reliable. This sometimes involves placing small amounts of information on the device you are using for accessing the website, for example your computer or mobile phone. We do this using small files known as cookies. They cannot be used to identify you personally.

Cookies are used by SPSO to improve services for you by:

  • Enabling a service to recognise your device so you don’t have to give the same information during one task, for example to remember the information you entered on the first page of a multi-page form;
  • Remembering settings so you don’t have to re-enter them every time you visit a new page;
  • Measuring how many people are using the website and how they navigate the website, so that we can identify ways to make it easier to use and make sure that there is enough capacity for the website to perform well and respond quickly.

Our cookies aren’t used to identify you personally. They’re just here to make the site work better for you. Indeed, you can manage and/or delete these small files as you wish.

To learn more about cookies and how to manage them, visit AboutCookies.org.Or please read on to find out more about how and where we use cookies.

How we use cookies

The lists below show all of the cookies that may be set when you visit the SPSO website.

Cookies for improving our service

Google Analytics sets cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This is to ensure that the website is available when you want it and to help us understand what you want to use.

Name Typical Content Expires
_utma Randomly generated number 2 years
_utmb Randomly generated number 30 minutes
_utmc Randomly generated number when you close your browser
_utmz Randomly generated number and information on how the site was reached (e.g. direct or via a link, organic search or paid search) 6 months

For further details on the cookies set by Google Analytics, please refer to the Google Code website.

Cookies for managing your current visit

We use 2 cookies to remember your selections or preferences that you’ve made when looking at the information on the SPSO website.

Name Typical Content Purpose Expires
SESSf054857b179272f64facf8f4b5f963cc Randomly generated text Session identifier When you close your browser
has_js 1 or 0 Identifies whether device is javascript-capable When you close your browser

If you have any queries about these cookies or would like more information about them, please contact us on 0131 240 8849.

Updated: May 30, 2018