Privacy notice and data protection - Social Security Scotland

Due to coronavirus Social Security Scotland has moved to remote working so we can continue to provide our services.

As a result we've introduced a service allowing you to contact our Client Advisers on webchat. Information you share with us on webchat will be collected for quality and audit purposes.

This privacy notice explains your rights under the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR). It describes the type of information we may hold on you, how it may be processed and who we might share it with.

Personal data (which we will call 'data' throughout the rest of this notice) means any information about an individual from which that person can be identified.

Social Security Scotland processes lots of data to do our job. We manage your personal data to deliver a number of social security benefits outlined in the:

• Social Security (Scotland) Act 2018

• Employment and Training Act 1973

• Welfare Reform Act 2012

• Social Security (Claims and Information) Regulations 1999.

We are committed to protecting and respecting your privacy.

Social Security Scotland is registered with the Information Commissioner (registration number Z4857137) under Scottish Ministers, to handle your data.

General Enquiries
PO Box 10301
Dundee
DD1 9FW

We will regularly review our privacy notice and, if anything changes, we will update our privacy notice to reflect these changes.

We collect your data to check if you can get social security benefits, and to pay you. As well as collecting your data for the benefit you apply for, we may also use your data to see if you can get any other benefits. If we find out that you qualify for any other benefits, we will let you know.

We also collect data on third parties who have the legal right to act on behalf of a claimant. This may include (but is not limited to):

• appointees

• partners

• carers

• power of attorneys

• organisations

Your data may be used to detect and prevent fraud or error.

It may also be used for statistics, research, or reporting purposes. This lets Social Security Scotland know how we can improve our service and meet our legal requirements. Social Security Scotland always make sure that there are checks and safeguards in place to protect your data.

This research will not lead to measures or decisions being taken about you as an individual, including any decisions affecting your benefit entitlements.

We'll only use your personal information when we are required to by law. We'll use your personal information where:

• it is needed to perform a task carried out in the public interest

• we need to comply with a legal requirement

• it is necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences

Some of the data that we process is classed as 'special category'. We are allowed to process this data under data protection legislation and will have proper safeguards in place. A list of what we may ask you is found further on in this privacy notice.

We may process several categories of personal data, depending on the type of benefit you are applying for.

We may collect any of these types of data from you:

• personal details (for example name, address, date of birth, national insurance number)

• family, including number of children, lifestyle and social circumstances

• financial details (bank details)

• employment and education details

• goods or services provided

• visual images (where specifically requested), including photos and video interviews

Some of the data we may process is special category data, including:

• physical or mental health details

• racial or ethnic origin

• political, religious or other beliefs of a similar nature

• sexual orientation

• offences, including alleged offences

• criminal proceedings, outcomes and sentences

• gender identity

• transgender status

We have a safeguards policy for processing special categories of personal data and criminal convictions. Contact our Data Protection Officer to ask for a copy of the safeguards policy. You do not have to pay for this.

We may collect your data in a number of ways:

• if you apply online, by phone or by filling in a paper form

• if we speak to you face to face, over the phone or by webchat

• over social media

• from third party groups, for example, the Department for Work and Pensions

• any device that connects to the internet

When you use our websites, it places small files, known as 'cookies', onto your device. These collect information about how you browse. You will normally see a message on the site before we store a cookie on your device.

We use a third party service, Google Analytics, to collect information on how you use the site. This uses cookies and page tagging techniques.

The information we - and Google - collect doesn't identify anyone and is kept for a maximum of 38 months. If we do want to collect information that could identify you personally through the site, we will let you know and outline your rights.

In exchange for collecting your data, we request that you:

• give us complete and correct details about you

• tell us as soon as you can if any of your details change

In some cases, we'll share data with third parties when needed to fulfil our services. This includes, but is not limited to -

Other public bodies, such as:

• Department for Work and Pensions (DWP)

• Her Majesty's Revenue and Customs (HMRC)

• Scottish local authorities

• Health Boards

• Integration joint boards

• the Registrar General for Scotland

• the Keeper of the Records of Scotland

• the Scottish Courts and Tribunals Service

• other UK and Scottish Government departments

Private bodies including:

• credit referencing agents (we use credit referencing agents to verify payment details)

• banks

• allpay limited

• research organisations

• charities

• funeral directors

• Questback

Questback is the survey tool which collects the equality information for Social Security Scotland. Data is held in the survey tool before it's analysed by Social Security Scotland.

Third party service providers:

• contractors and other third party service providers who will process personal data on our behalf

We require third parties to respect the security of your data and to treat it in line with the law.

These third parties may use your data to keep their information accurate and up to date, and to make sure they are offering you the best possible services.

Your data may also be shared with:

• other bodies whose job it is to stop fraud

• third parties who help us make a payment to you

If you click on any links to third party websites from our website, we encourage you to read the privacy policy statements contained on those sites.

All your data will be processed within the EU. We always make sure that there will be checks in place to safeguard your data.

We will keep your data only for as long as it's needed. The length of time may vary across the organisation, depending on the reason for collecting or holding the data.

In general, your data will be kept for the duration of a benefit plus up to 7 years, in line with the requirement of the Public Sector Finance Manual.

We may hold your data for a longer period of time in some cases. For example if your application was unsuccessful or involves fraud, error, or debt. If your application is unsuccessful we'll use the data for appeals and redeterminations.

Automated individual decision making is a decision made by an electronic system without any human involvement. We are allowed to use automated decision making in the following circumstances:

• where we have let you know of the decision and given you the right to request us to review the decision, or make a new decision, not based solely on automated processing

• in limited circumstances, with your explicit written consent and where proper measures are in place to safeguard your rights

If we make an automated decision on the basis of any special category data it must be justified in the public interest. Or we must have your explicit written consent. We must also put in place proper measures to safeguard your rights.

You'll not be subject to decisions that will have a significant impact on you based solely on automated decision making, unless we have a lawful basis for doing so. If this does occur we will let you know.

We may use automated systems to profile and help our staff make decisions. Profiling is the processing of personal data by a system, to check certain things about an individual.

We may use profiling to help us check certain things about you, to:

• see if you are entitled to any other benefits or assistance

• detect and prevent fraud and error

• improve our services

Under certain circumstances, you have the right to:

• know what data we hold about you (known as a subject access request). This allows you to check that your data is being processed lawfully

• request your information be corrected or updated for accuracy

• request your data be deleted. This allows you to ask us to delete or remove your data when there is no good reason for us continuing to process your data. However, this does not apply where we are legally obliged to process your data or for the performance of a task carried out in the public interest

• ask us to stop processing your data, unless we can show a legal reason to continue

• request the restriction of processing of your data in certain circumstances. This allows you to ask us to suspend the processing of personal information about you, for example if you want to correct the accuracy of your personal data and you are verifying the accuracy of the data

• ask us to share your information with other organisations in certain circumstances, like when you have given your consent for us to process your data

Please note that we do not have to comply with your requests in cases of the prevention, detection, investigation or prosecution of criminal offences.

In some circumstances the DPA provides an exemption from particular GDPR provisions, including certain principles and rights.

When data is collected for statistics, research, and reporting purposes it exempts Social Security Scotland from the following principles:

• Purpose limitation - this is the principle where data can only be collected for a specified, explicit and legitimate purpose, and not further processed in a manner that is incompatible with that purpose.

However, research is considered to be compatible with the initial processing, where your data is being collected for Social Security purposes.

• Retention period - Social Security Scotland will only keep data as long as it is lawfully required. There's no retention period placed on data used for research and statistical purposes. However, we will always ensure that appropriate safeguards are in place to protect your data.

Additionally, Social Security Scotland are also exempt from the following rights:

• access to copies of data (as all research will be anonymised when published)

• correcting inaccurate data

• restricting the processing of data

• objecting to the processing of data

However, this exemption will only apply if:

• Social Security Scotland have appropriate technical and organisational safeguards to protect your data. This includes data minimisation measures

• there's no likelihood of substantial damage or distress to you from the data processing

• the research will not lead to measures or decisions being taken about you, including decisions about your benefit entitlement

• compliance with the exempted rights would prevent or seriously impair our ability to conduct our research

• the research results are not made available in a way that identifies individuals

You have a right to access your data. You can ask us to see the data we hold about you. You will not have to pay to get your data. However, in some cases we may refuse your request in line with the Data Protection Act 2018, if we find that it is clearly unfounded or excessive.

Please contact our Data Protection Officer to ask about this, any of your other rights, or for any other questions or comments you may have.

Email us: DataProtectionOfficer@socialsecurity.gov.scot

Write to us:

Data Protection Officer
PO Box 10298
Dundee
DD1 9FS

You can contact the Information Commissioner if you are concerned about how we process your data. If you are going to do this, we would ask you to let us have the chance to put things right first, by getting in contact with our Data Protection Officer and letting them know your concerns.

To lodge a complaint with the independent Information Commissioner (ICO), you can contact: You can contact the Information Commissioner:

• 0303 123 1113

• casework@ico.org.uk

• https://ico.org.uk/

Alternatively, you can write to:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF