You appear to be using an unsupported browser, and it may not be able to display this site properly. You may wish to upgrade your browser.

Privacy notice and data protection - Social Security Scotland



Social Security Scotland hold and process personal data for the purposes of:

  • processing benefits and payments
  • preventing or detecting benefit fraud as part of law enforcement

Social Security Scotland acts as data controller on behalf of Scottish Ministers when we process personal data to administer the Scottish social security system. This includes when other organisations, known as third parties, collect or process personal data on our behalf.

This privacy notice explains your rights under the UK General Data Protection Regulations (UK GDPR). It tells you how we will look after and use your personal data. This includes what:

  • you tell us about yourself
  • third parties share with us to support your application
  • others share with us to fulfil their legal obligations to help prevent and detect benefit fraud

It also tells you what personal data we may share with other organisations.

Social Security Scotland has appointed a Data Protection Officer (DPO). This is to help us make sure that we fulfil our legal obligations when processing personal data.
You can contact the Data Protection Officer for more information.


Write to:
Data Protection Officer
PO Box 10298

How we protect your personal data


We have a duty to safeguard and ensure the security of your personal data.

We do that by having systems and policies that limit access to your personal data and prevent unauthorised disclosure. Staff who access personal data must:

  • have appropriate security clearance 
  • only access personal data if there is a business need to do so 

We audit and review the activities of staff who access personal data. 

Our reasons for processing your personal data 


We may need to process your personal data to:

  • establish your residency to check if you are eligible for a benefit
  • verify your identity
  • complete your application for payment
  • support you to receive any benefits or payments you may be eligible for
  • investigate or prosecute offences relating to payment and benefits
  • carry out quality and compliance monitoring
  • do user research
  • report statistics

How we collect your personal data


We may collect your personal data:

  • if you apply online, by phone or by filling in a paper form
  • if we speak to you face to face
  • over the phone, video call or by webchat
  • over social media
  • from third party groups, for example, the Department for Work and Pensions
  • from any device that connects to the internet

We collect information about how you use our websites using cookie tracking data. This helps us to make informed decisions about whether the site meets your needs. The cookies we use cannot identify you. Our cookie notice explains how you can choose which cookies we use.

Why we collect and use your personal data 


We are only allowed to use, collect and share personal data where we have an appropriate legal basis to do so under:

  • the UK General Data Protection Regulations (UK GDPR) 
  • the Data Protection Act 2018 

We collect and process personal data to carry out our legal and official functions. We will only use personal data:

  • when the law allows us to
  • where it is necessary and proportionate to do so, for example to carry out functions under the Social Security Scotland Act 2018

Social Security Scotland is registered with the Information Commissioner as a data controller (registration number Z4857137) under Scottish Ministers.

We have an appropriate policy in place to meet the requirement in the Data Protection Act 2018. The policy covers: 

  • the legal basis for processing data
  • the safeguards in place for sensitive processing
  • processing of special categories of personal data

If you would like a copy of the policy, email: 

We will only collect medical information from third parties such as your GP if you have asked us to do so.  

The legal basis for processing your personal data will, in most cases, be Article 6(1)(e) of the UK GDPR. This states that the processing is necessary to: 

  • perform a task carried out in the public interest 
  • exercise the official authority granted to us as the data controller 

As part of some applications, such as for disability benefits, we also process special categories of personal data. The legal basis for this is:

  • Article 9(2)(b) of the UK GDPR where processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law 
  • Article 9(2)(g) of the UK GDPR where processing is necessary for reasons of substantial public interest. This may include information about health 

​​​​When you apply for a disability benefit, we also ask if you could complete an equalities survey. This survey asks for information on your:

  • sexuality
  • religion
  • ethnic background 
  • gender

We may also process personal data under Part 3, Chapter 2 (law enforcement processing) of the Data Protection Act 2018, for the purposes of the prevention, investigation, detection or prosecution of criminal offences. We will also work with Audit Scotland to carry out applicant checks under Part 5 (97) of the Criminal Justice and Licensing (Scotland) Act 2010.

We may ask third parties for personal data. We may also share personal data with them. This might be to: 

  • verify information you gave us to support an application 
  • get information to support your application
  • get information needed for safeguarding 
  • investigate benefit fraud 

This may involve, for example:

  • Department of Work and Pensions 
  • HM Revenue and Customs
  • Department for Communities (Northern Ireland)
  • Home Office
  • Office of the Public Guardian
  • Scottish Prison Service
  • National Records of Scotland
  • Audit Scotland
  • Tell Us Once service
  • Scottish Courts and Tribunal Service
  • multi-agency public protection arrangements (MAPPA)
  • local authorities
  • Heath Boards and General Practitioners (GPs)
  • Motability Operations - Accessible Vehicles and Equipment

We may use your personal data to make sure relevant authorities can provide support to vulnerable individuals at immediate risk of harm.

What personal data we may collect


Examples of personal data that we collect from you include: 

  • personal details (for example name, address, date of birth, national insurance number)
  • proof of residency
  • family, including number of children, lifestyle and social circumstances
  • financial details (bank details)
  • employment and education details
  • visual images (where specifically requested), including photos and video interviews

We record all inbound and outbound phone calls and we will record audio from video calls when we need to.

You may ask us to gather information about you from health professionals as part of an application. If you do, we may use your Community Health Index (CHI) number to help us communicate about you with NHS Scotland partners.

Some of the personal data we may process is special category data, including:

  • nationality
  • physical or mental health details
  • racial or ethnic origin
  • political, religious or other beliefs of a similar nature
  • sexual orientation 
  • restrictions under multi-agency public protection arrangements (MAPPA)
  • criminal proceedings, outcomes and sentences for the purposes of benefit fraud

Who we might collect personal data about 


We may collect personal data about: 

  • members of the public
  • clients (people applying for and receiving benefits)
  • people who live in the client’s household
  • suppliers and service providers
  • advisers, consultants and other professional experts
  • people who submit a complaint or an enquiry
  • relatives, guardians and associates
  • people who are restricted under multi-agency public protection arrangements (MAPPA)
  • employees

We may also collect personal data on third parties who have the legal right to act on behalf of a client. This may include (but is not limited to):

  • appointees
  • partners
  • carers
  • individuals authorised to act on the basis of a power of attorney
  • organisations

Organisations we share personal data with 


We have contracts or agreements with some private sector organisations. These organisations help provide services relating to benefit payments. To do this they may process personal data on our behalf and under our direction. These organisations include:

  • Equifax - for bank account verification
  • LexisNexis - for address and bank account verification
  • allpay - which provides Best Start Foods payment cards
  • Questback - which provides an equalities survey tool
  • Near Me - video calling for our local delivery service
  • Funeral directors - in connection with funeral support payments
  • Vodafone - which provides our telephony service
  • Improvement Services (Myaccount) - which provides access to our digital portal
  • Amazon Web Services - which provides cloud storage

We may also share your personal data with: 

  • other organisations whose job it is to stop fraud
  • third parties who help us make a payment to you

In public health emergencies, we may share personal data with other government departments and health authorities where this is appropriate and proportionate.

If you follow any links to third party websites from this website or the Social Security Scotland website, we encourage you to read the privacy policy statements on those websites.

Processing personal data in the UK


The data for most of our systems is processed within the UK. Sometimes, personal data is processed outside the UK. When this happens, we always ensure that the data is just as safe as it would be if it was processed in the UK. This meets our obligations under the UK GDPR.

How long we will keep your personal data 


We keep most of the detailed information provided during your application and ongoing payment for 7 years after your claim ends. This is to cover the period necessary for any appeals, reviews and other activity including tax purposes.

We keep all call recordings for 7 years.

We want to minimise the amount of personal data we keep. We will delete some personal data sooner if we no longer need it. 

When you start an application for a disability benefit online, we tell you that you must submit it within: 

  • 14 days for part one
  • 42 days for part 2

If you do not submit part 2 of your application within this time, we will assume you do not intend to complete it. We will delete your personal data after 90 days unless we hear from you. 

Automated decision making


Under Article 22 of the UK GDPR, you have the right not to be subject to a decision made solely on the basis of automated processing. This means a decision made by an electronic system without any human involvement. Parts of our processing may involve some automation. However any decisions we make that have a substantial effect on you, such as if you are entitled to a benefit, are made with meaningful input from staff.

Your rights and how to get a copy of your personal data 


You can ask us for the personal data we hold about you.

Under the UK GDPR you also have the right to: 

  • object to the use of your personal data
  • restrict the use of your personal data  
  • ask us to correct your personal data 
  • ask us to delete your personal data 

However, there may be legal or other official reasons why we need to continue to keep or use your personal data. If this is the case, we will explain to you in writing why we need to do this. 

If you want to exercise these rights you can email us at: 

Or write to us:
Data Protection Officer
PO Box 10298

How to complain


You also have the right to complain to the Information Commissioner’s Office about the way we:

  • handle your personal data
  • respond to your request to access your personal data 
  • respond to your requests to exercise your other rights under the UK GDPR or the UK Data Protection Act 2018

To contact the Information Commissioner’s Office:

Phone: 0303 123 1113

Visit the website: Information Commissioner’s Office

Write to:

The Information Commissioner
Wycliffe House
Water Lane


Back to top