You appear to be using an unsupported browser, and it may not be able to display this site properly. You may wish to upgrade your browser.

Privacy notice and data protection - Social Security Scotland



Social Security Scotland holds and processes personal data, in compliance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This privacy notice explains your rights and tells you how we will look after and use your personal data. This includes:

  • information you tell us about yourself
  • information that third parties share with us about you to support your application
  • information others share with us about you to fulfil legal obligations to help prevent and detect benefit fraud
  • It also tells you what personal data we may share with other organisations

Social Security Scotland has a Data Protection Officer.

You can contact the Data Protection Officer for more information about what we do with your personal data, email: or write to:

Data Protection Officer
PO Box 10298


How we protect your personal data


We have a duty to make sure your personal data is secure.

We do that by limiting access to your personal data and preventing unauthorised disclosure. We only hold your data for as long as necessary.

Staff who access personal data must:

  • have appropriate security clearance
  • only access personal data if there is a business need to do so
  • complete mandatory data protection training

We audit and review the activities of staff who access personal data.

Our reasons for processing your personal data 


We may need to process your personal data to:

  • check if you are eligible to receive a benefit
  • verify your identity
  • make a decision on your application for payment
  • to fulfil legal obligations to help prevent and detect benefit fraud
  • carry out quality and compliance monitoring
  • share it with other organisations were there is a requirement to do so
  • carry out user research
  • compile and report statistics

In exceptional circumstances we may process your information to protect you, your community or the wider public.

How we collect your personal data


We collect your personal data in circumstances such as:

  • through communication with you online, by phone, by post, face to face or by text message or video call
  • when we receive information from other organisations, for example, the Department for Work and Pensions
  • when we receive information from other organisations to fulfil legal obligations to help prevent and detect benefit fraud, protect public funds or to support the prosecution of offences relating to benefit fraud

We collect information about how you use our websites using cookie tracking data. This helps us to make informed decisions about whether the site meets your needs. The cookies we use cannot identify you. Our cookie notice explains how you can choose which cookies we use.

Controller responsibilities


Social Security Scotland acts on behalf of the Scottish Ministers as controller for the personal data we process. This means we are responsible for deciding how we hold and use personal data about you.

Scottish Ministers are registered with the Information Commissioner’s Office as a controller (registration number Z4857137).

We are only allowed to process personal data where we have a legal reason to do so under:

  • the UK General Data Protection Regulation (UK GDPR)
  • the Data Protection Act 2018 including under Part 3, Chapter 2 (law enforcement processing) of the Data Protection Act 2018, for the purposes of the prevention, investigation, detection or prosecution of criminal offences

We only process personal data to carry out our legal and official functions:

  • when the law allows us to
  • where it is necessary and proportionate to do so, for example to carry out functions under the Social Security (Scotland) Act 2018

We have an Appropriate Policy Document which details the lawful basis and conditions for processing and safeguards we have put in place when we process special category data, criminal offence data, and sensitive data for law enforcement purposes

If you would like a copy of the Appropriate Policy Document, contact our Data Protection Officer.

Legal basis for processing your personal data


The legal basis for processing your personal data will, in most cases, be Article 6 (1)(e) of the UK GDPR. This states that the processing is necessary for us to:

  • perform a task carried out in the public interest
  • exercise the official authority granted to us

In order to process some benefit applications, such as disability benefits, we will also process sensitive data, for example about your health. The legal basis for this is:

  • Article 9 (2)(b) of the UK GDPR where processing is necessary in the field of social security law.
  • Article 9 (2)(g) of the UK GDPR where processing is necessary for reasons of substantial public interest

When you apply for a benefit, we ask you to complete an optional equalities survey. This survey asks for information on your:

  • sexuality
  • religion
  • ethnic background
  • gender

Examples of personal data we may collect


The types of data that we process will depend on a number of factors.

Types of data that we process include:

  • name and address and contact details, such as email address and phone number
  • National Insurance Number
  • family and social circumstances
  • bereavement information
  • financial information
  • employment status
  • education and training
  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs of a similar nature
  • sexual life
  • recordings of telephone calls between you and our advisers
  • offences including alleged offences
  • criminal proceedings, outcomes and sentences
  • visual images, for example by CCTV in our buildings

Who we might collect personal data about 


In order to support an application we may collect personal data about:

  • you - the person applying for and receiving benefits
  • people who live in your household
  • friends or family or anyone supporting your application, for example carers
  • people who submit a complaint or an enquiry
  • your General Practitioner or other professionals, for example other healthcare, social workers or education professionals

We sometimes collect personal data about people other than the person who has applied for a benefit or service to determine how much that person is entitled to. For example, where a person makes a claim for Scottish Child Payment, we need information about other people who live in the same household to determine how much the person will be paid.

We may also collect personal data on others who have the legal or official right to act on your behalf. This may include, but is not limited to:

  • appointees - an individual or organisation appointed to manage somebody else’s benefit applications
  • legal guardians
  • individuals with power of attorney

Organisations and individuals we share personal data with 


We may share personal data with other organisations or individuals. This might be to:

  • verify your information to support an application
  • get information to support your application
  • get information needed for safeguarding
  • offer additional services
  • prevent and detect benefit fraud

This may include:

  • other government departments
  • Members of the Scottish Parliament, Members of Parliament and local authority councillors when they act or contact us on your behalf
  • local authorities
  • Scottish public sector bodies
  • General Practitioners and health boards
  • social security organisations in other countries
  • employers and potential employers
  • private sector organisations such as funeral directors and credit reference agencies, for example, for verifying your identity and your bank accounts to make payments to you
  • financial service providers
  • charitable and welfare organisations
  • the emergency services
  • suppliers and contractors who provide support to our systems and processes for delivering benefits to you
  • participants in Multi-Agency Public Protection Arrangements (MAPPA)

Where we process personal data


The personal data we process is mostly held within the UK. If we process personal data in another country we will only do so where there are strong data protection safeguards in place.

How long we will keep your personal data 


We keep your information for no longer than is necessary.

Most personal data provided for the purposes of your application and making payments to you will be kept after the payment ends for the period necessary for any redeterminations, appeals, reviews and other activity including tax and audit purposes.

For more information on how long we hold your data for, contact our Data Protection Officer.

Automated decision making


Automated decision making takes place when an electronic system uses personal information to make a decision without any human intervention. 

We use automated decision making where applicable to provide a better and quicker service to you.

We tell you when we use automated decision making to process your application or give you a payment you are entitled to.

We only use automated decision making where the outcome provides a favourable decision for you.

If you are unhappy with your decision that we have made using automated decision making, you can ask for a review. 

You have the right to ask for that decision to be looked at again by a person. 

You have up to 1 month from the date of receipt of your award notification, to ask for the review.

If you want any more information, contact our Data Protection Officer. 

Automated decision making is applied to:

  • Scottish Child Payment
  • Best Start Grant Early Learning Payment and School Age Payment
  • Child Winter Heating Payment
  • Winter Heating Payment
  • Carers Allowance Supplement
  • Adult Disability Payment, only when your case is transferred from the Department for Work and Pensions
  • Carer Support Payment

If you want to know more, please see more information in this list of benefits where we may use automated decision making.

Your rights and how to get a copy of your personal data 


The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 provide individuals with rights around the use of their personal data. You have the right to:

  • ask us to confirm what personal data we hold about you and to provide you with a copy
  • object to the use of your personal data
  • ask us to restrict the use of your personal data
  • ask us to correct your personal data
  • ask us to delete your personal data

Please note there may be legal reasons why we cannot carry out your request.

If you want to exercise these rights, contact our Data Protection Officer.

How to complain


You also have the right to complain to the Information Commissioner’s Office about the way we:

  • handle your personal data
  • respond to your request to exercise your other rights under the UK GDPR or the Data Protection Act 2018

To contact the Information Commissioner’s Office:

Back to top