Social Security Scotland hold and process personal data for the purposes of:
- processing benefits and payments
- preventing or detecting benefit fraud as part of law enforcement
Social Security Scotland acts as data controller on behalf of Scottish Ministers when we process personal data to administer the Scottish social security system. This includes when other organisations, known as third parties, collect or process personal data on our behalf.
This privacy notice explains your rights under the UK General Data Protection Regulations (UK GDPR). It tells you how we will look after and use your personal data. This includes what:
- you tell us about yourself
- third parties share with us to support your application
- others share with us to fulfil their legal obligations to help prevent and detect benefit fraud
It also tells you what personal data we may share with other organisations.
Social Security Scotland has appointed a Data Protection Officer (DPO). This is to help us make sure that we fulfil our legal obligations when processing personal data.
You can contact the Data Protection Officer for more information.
Data Protection Officer
PO Box 10298
How we protect your personal data
We have a duty to safeguard and ensure the security of your personal data.
We do that by having systems and policies that limit access to your personal data and prevent unauthorised disclosure. Staff who access personal data must:
- have appropriate security clearance
- only access personal data if there is a business need to do so
We audit and review the activities of staff who access personal data.
Our reasons for processing your personal data
We may need to process your personal data to:
- establish your residency to check if you are eligible for a benefit
- verify your identity
- complete your application for payment
- support you to receive any benefits or payments you may be eligible for
- investigate or prosecute offences relating to payment and benefits
- carry out quality and compliance monitoring
- do user research
- report statistics
How we collect your personal data
We may collect your personal data:
- if you apply online, by phone or by filling in a paper form
- if we speak to you face to face
- over the phone, video call or by webchat
- over social media
- from third party groups, for example, the Department for Work and Pensions
- from any device that connects to the internet
We collect information about how you use our websites using cookie tracking data. This helps us to make informed decisions about whether the site meets your needs. The cookies we use cannot identify you. Our cookie notice explains how you can choose which cookies we use.
Why we collect and use your personal data
We are only allowed to use, collect and share personal data where we have an appropriate legal basis to do so under:
- the UK General Data Protection Regulations (UK GDPR)
- the Data Protection Act 2018
We collect and process personal data to carry out our legal and official functions. We will only use personal data:
- when the law allows us to
- where it is necessary and proportionate to do so, for example to carry out functions under the Social Security Scotland Act 2018
Social Security Scotland is registered with the Information Commissioner as a data controller (registration number Z4857137) under Scottish Ministers.
We have an appropriate policy in place to meet the requirement in the Data Protection Act 2018. The policy covers:
- the legal basis for processing data
- the safeguards in place for sensitive processing
- processing of special categories of personal data
If you would like a copy of the policy, email: DataProtectionOfficer@socialsecurity.gov.scot
We will only collect medical information from third parties such as your GP if you have asked us to do so.
The legal basis for processing your personal data will, in most cases, be Article 6(1)(e) of the UK GDPR. This states that the processing is necessary to:
- perform a task carried out in the public interest
- exercise the official authority granted to us as the data controller
As part of some applications, such as for disability benefits, we also process special categories of personal data. The legal basis for this is:
- Article 9(2)(b) of the UK GDPR where processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- Article 9(2)(g) of the UK GDPR where processing is necessary for reasons of substantial public interest. This may include information about health
When you apply for a disability benefit, we also ask if you could complete an equalities survey. This survey asks for information on your:
- ethnic background
We may also process personal data under Part 3, Chapter 2 (law enforcement processing) of the Data Protection Act 2018, for the purposes of the prevention, investigation, detection or prosecution of criminal offences. We will also work with Audit Scotland to carry out applicant checks under Part 5 (97) of the Criminal Justice and Licensing (Scotland) Act 2010.
We may ask third parties for personal data. We may also share personal data with them. This might be to:
- verify information you gave us to support an application
- get information to support your application
- get information needed for safeguarding
- investigate benefit fraud
This may involve, for example:
- Department for Work and Pensions
- HM Revenue and Customs
- Department for Communities (Northern Ireland)
- Home Office
- Office of the Public Guardian
- Scottish Prison Service
- National Records of Scotland
- Audit Scotland
- Tell Us Once service
- Scottish Courts and Tribunal Service
- multi-agency public protection arrangements (MAPPA)
- local authorities
- Health Boards and General Practitioners (GPs)
- Motability Operations - Accessible Vehicles and Equipment
We may use your personal data to make sure relevant authorities can provide support to vulnerable individuals at immediate risk of harm.
What personal data we may collect
Examples of personal data that we collect from you include:
- personal details (for example name, address, date of birth, national insurance number)
- proof of residency
- family, including number of children, lifestyle and social circumstances
- financial details (bank details)
- employment and education details
- visual images (where specifically requested), including photos and video interviews
We record all inbound and outbound phone calls and we will record audio from video calls when we need to.
You may ask us to gather information about you from health professionals as part of an application. If you do, we may use your Community Health Index (CHI) number to help us communicate about you with NHS Scotland partners.
Some of the personal data we may process is special category data, including:
- physical or mental health details
- racial or ethnic origin
- political, religious or other beliefs of a similar nature
- sexual orientation
- restrictions under multi-agency public protection arrangements (MAPPA)
- criminal proceedings, outcomes and sentences for the purposes of benefit fraud
Who we might collect personal data about
We may collect personal data about:
- members of the public
- clients (people applying for and receiving benefits)
- people who live in the client’s household
- suppliers and service providers
- advisers, consultants and other professional experts
- people who submit a complaint or an enquiry
- relatives, guardians and associates
- people who are restricted under multi-agency public protection arrangements (MAPPA)
We may also collect personal data on third parties who have the legal right to act on behalf of a client. This may include (but is not limited to):
- individuals authorised to act on the basis of a power of attorney
Organisations we share personal data with
We have contracts or agreements with some private sector organisations. These organisations help provide services relating to benefit payments. To do this they may process personal data on our behalf and under our direction. These organisations include:
- Equifax - for bank account verification
- LexisNexis - for address and bank account verification
- allpay - which provides Best Start Foods payment cards
- Questback - which provides an equalities survey tool
- Near Me - video calling for our local delivery service
- Funeral directors - in connection with funeral support payments
- Vodafone - which provides our telephony service
- Improvement Services (Myaccount) - which provides access to our digital portal
- Amazon Web Services - which provides cloud storage
We may also share your personal data with:
- other organisations whose job it is to stop fraud
- third parties who help us make a payment to you
In public health emergencies, we may share personal data with other government departments and health authorities where this is appropriate and proportionate.
Processing personal data in the UK
The data for most of our systems is processed within the UK. Sometimes, personal data is processed outside the UK. When this happens, we always ensure that the data is just as safe as it would be if it was processed in the UK. This meets our obligations under the UK GDPR.
How long we will keep your personal data
We keep most of the detailed information provided during your application and ongoing payment for 7 years after your claim ends. This is to cover the period necessary for any appeals, reviews and other activity including tax purposes.
We keep all call recordings for 7 years.
We want to minimise the amount of personal data we keep. We will delete some personal data sooner if we no longer need it.
When you start an application for a disability benefit online, we tell you that you must submit it within:
- 14 days for part one
- 42 days for part 2
If you do not submit part 2 of your application within this time, we will assume you do not intend to complete it. We will delete your personal data after 90 days unless we hear from you.
Automated decision making
Under Article 22 of the UK GDPR, you have the right not to be subject to a decision made solely on the basis of automated processing. This means a decision made by an electronic system without any human involvement. Parts of our processing may involve some automation. However, any decisions we make that have a substantial effect on you, such as if you are entitled to a benefit, are made with meaningful input from staff.
Your rights and how to get a copy of your personal data
You can ask us for the personal data we hold about you.
Under the UK GDPR you also have the right to:
- object to the use of your personal data
- restrict the use of your personal data
- ask us to correct your personal data
- ask us to delete your personal data
However, there may be legal or other official reasons why we need to continue to keep or use your personal data. If this is the case, we will explain to you in writing why we need to do this.
If you want to exercise these rights you can email us at: DataProtectionOfficer@socialsecurity.gov.scot
Or write to us:
Data Protection Officer
PO Box 10298
How to complain
You also have the right to complain to the Information Commissioner’s Office about the way we:
- handle your personal data
- respond to your request to access your personal data
- respond to your requests to exercise your other rights under the UK GDPR or the UK Data Protection Act 2018
To contact the Information Commissioner’s Office:
Phone: 0303 123 1113
Visit the website: Information Commissioner’s Office
Write to: The Information Commissioner