Privacy notice and data protection - Social Security Scotland
Social Security Scotland holds and processes personal data, in compliance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This privacy notice explains your rights and tells you how we will look after and use your personal data. This includes:
- information you tell us about yourself
- information that third parties share with us about you to support your application
- information others share with us about you to fulfil legal obligations to help prevent and detect benefit fraud
- It also tells you what personal data we may share with other organisations
Social Security Scotland has a Data Protection Officer.
You can contact the Data Protection Officer for more information about what we do with your personal data, email: DataProtectionOfficer@socialsecurity.gov.scot or write to:
Data Protection Officer
PO Box 10298
How we protect your personal data
We have a duty to make sure your personal data is secure.
We do that by limiting access to your personal data and preventing unauthorised disclosure. We only hold your data for as long as necessary.
Staff who access personal data must:
- have appropriate security clearance
- only access personal data if there is a business need to do so
- complete mandatory data protection training
We audit and review the activities of staff who access personal data.
Our reasons for processing your personal data
We may need to process your personal data to:
- check if you are eligible to receive a benefit
- verify your identity
- make a decision on your application for payment
- to fulfil legal obligations to help prevent and detect benefit fraud
- carry out quality and compliance monitoring
- share it with other organisations were there is a requirement to do so
- carry out user research
- compile and report statistics
In exceptional circumstances we may process your information to protect you, your community or the wider public.
How we collect your personal data
We collect your personal data in circumstances such as:
- through communication with you online, by phone, by post, face to face or by text message or video call
- when we receive information from other organisations, for example, the Department for Work and Pensions
- when we receive information from other organisations to fulfil legal obligations to help prevent and detect benefit fraud, protect public funds or to support the prosecution of offences relating to benefit fraud
We collect information about how you use our websites using cookie tracking data. This helps us to make informed decisions about whether the site meets your needs. The cookies we use cannot identify you. Our cookie notice explains how you can choose which cookies we use.
Social Security Scotland acts on behalf of the Scottish Ministers as controller for the personal data we process. This means we are responsible for deciding how we hold and use personal data about you.
Scottish Ministers are registered with the Information Commissioner’s Office as a controller (registration number Z4857137).
We are only allowed to process personal data where we have a legal reason to do so under:
- the UK General Data Protection Regulation (UK GDPR)
- the Data Protection Act 2018 including under Part 3, Chapter 2 (law enforcement processing) of the Data Protection Act 2018, for the purposes of the prevention, investigation, detection or prosecution of criminal offences
We only process personal data to carry out our legal and official functions:
- when the law allows us to
- where it is necessary and proportionate to do so, for example to carry out functions under the Social Security (Scotland) Act 2018
We have an Appropriate Policy Document which details the lawful basis and conditions for processing and safeguards we have put in place when we process special category data, criminal offence data, and sensitive data for law enforcement purposes.
If you would like a copy of the Appropriate Policy Document, contact our Data Protection Officer.
Legal basis for processing your personal data
The legal basis for processing your personal data will, in most cases, be Article 6 (1)(e) of the UK GDPR. This states that the processing is necessary for us to:
- perform a task carried out in the public interest
- exercise the official authority granted to us
In order to process some benefit applications, such as disability benefits, we will also process sensitive data, for example about your health. The legal basis for this is:
- Article 9 (2)(b) of the UK GDPR where processing is necessary in the field of social security law.
- Article 9 (2)(g) of the UK GDPR where processing is necessary for reasons of substantial public interest
When you apply for a benefit, we ask you to complete an optional equalities survey. This survey asks for information on your:
- ethnic background
Examples of personal data we may collect
The types of data that we process will depend on a number of factors.
Types of data that we process include:
- name and address and contact details, such as email address and phone number
- National Insurance Number
- family and social circumstances
- bereavement information
- financial information
- employment status
- education and training
- physical or mental health details
- racial or ethnic origin
- religious or other beliefs of a similar nature
- sexual life
- recordings of telephone calls between you and our advisers
- offences including alleged offences
- criminal proceedings, outcomes and sentences
- visual images, for example by CCTV in our buildings
Who we might collect personal data about
In order to support an application we may collect personal data about:
- you - the person applying for and receiving benefits
- people who live in your household
- friends or family or anyone supporting your application, for example carers
- people who submit a complaint or an enquiry
- your General Practitioner or other professionals, for example other healthcare, social workers or education professionals
We sometimes collect personal data about people other than the person who has applied for a benefit or service to determine how much that person is entitled to. For example, where a person makes a claim for Scottish Child Payment, we need information about other people who live in the same household to determine how much the person will be paid.
We may also collect personal data on others who have the legal or official right to act on your behalf. This may include, but is not limited to:
- appointees - an individual or organisation appointed to manage somebody else’s benefit applications
- legal guardians
- individuals with power of attorney
Organisations and individuals we share personal data with
We may share personal data with other organisations or individuals. This might be to:
- verify your information to support an application
- get information to support your application
- get information needed for safeguarding
- offer additional services
- prevent and detect benefit fraud
This may include:
- other government departments
- Members of the Scottish Parliament, Members of Parliament and local authority councillors when they act or contact us on your behalf
- local authorities
- Scottish public sector bodies
- General Practioners and health boards
- social security organisations in other countries
- employers and potential employers
- private sector organisations such as funeral directors and credit reference agencies, for example, for verifying your identity and your bank accounts to make payments to you
- financial service providers
- charitable and welfare organisations
- the emergency services
- suppliers and contractors who provide support to our systems and processes for delivering benefits to you
- participants in Multi-Agency Public Protection Arrangements (MAPPA)
Where we process personal data
The personal data we process is mostly held within the UK. If we process personal data in another country we will only do so where there are strong data protection safeguards in place.
How long we will keep your personal data
We keep your information for no longer than is necessary.
Most personal data provided for the purposes of your application and making payments to you will be kept after the payment ends for the period necessary for any redeterminations, appeals, reviews and other activity including tax and audit purposes.
For more information on how long we hold your data for, contact our Data Protection Officer.
Automated decision making
Automated decision making takes place when an electronic system uses personal information to make a decision without any human intervention.
We use automated decision making where applicable to provide a better and quicker service to you.
We will always tell you if we use automated decision making to process your application or give you a payment you are entitled to.
We only use automated decision making where the outcome provides a favourable decision for you.
If you want any more information contact the Data Protection Officer.
Automated decision making is applied to:
- Scottish Child Payment
- Best Start Grant Early Learning Payment and School Age Payment
- Child Winter Heating Assistance
- Winter Heating Payment
where the outcome is beneficial for you.
If you want to know more, please see the list of benefits we apply automated decision making to.
Your rights and how to get a copy of your personal data
The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 provide individuals with rights around the use of their personal data. You have the right to:
- ask us to confirm what personal data we hold about you and to provide you with a copy
- object to the use of your personal data
- ask us to restrict the use of your personal data
- ask us to correct your personal data
- ask us to delete your personal data
Please note there may be legal reasons why we cannot carry out your request.
If you want to exercise these rights, contact our Data Protection Officer.
How to complain
You also have the right to complain to the Information Commissioner’s Office about the way we:
- handle your personal data
- respond to your request to exercise your other rights under the UK GDPR or the Data Protection Act 2018
To contact the Information Commissioner’s Office:
- Phone: 0303 123 1113
- Visit the website: Information Commissioner’s Office
- Write to:
The Information Commissioner
There is a problem
Thanks for your feedback