Due to coronavirus Social Security Scotland has moved to remote working so we can continue to provide our services.
As a result we've introduced a service allowing you to contact our Client Advisers on webchat. Information you share with us on webchat will be collected for quality and audit purposes.
This privacy notice explains your rights under the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR). It describes the type of information we may hold on you, how it may be processed and who we might share it with.
Personal data (which we will call 'data' throughout the rest of this notice) means any information about an individual from which that person can be identified.
Social Security Scotland processes lots of data to do our job. We manage your personal data to deliver a number of social security benefits outlined in the:
Social Security (Scotland) Act 2018
Employment and Training Act 1973
Welfare Reform Act 2012
Social Security (Claims and Information) Regulations 1999.
We are committed to protecting and respecting your privacy.
Social Security Scotland is registered with the Information Commissioner (registration number Z4857137) under Scottish Ministers, to handle your data.
PO Box 10301
We will regularly review our privacy notice and, if anything changes, we will update our privacy notice to reflect these changes.
We collect your data to check if you can get social security benefits, and to pay you. As well as collecting your data for the benefit you apply for, we may also use your data to see if you can get any other benefits. If we find out that you qualify for any other benefits, we will let you know.
We also collect data on third parties who have the legal right to act on behalf of a claimant. This may include (but is not limited to):
power of attorneys
Your data may be used to detect and prevent fraud or error.
It may also be used for statistics, research, or reporting purposes. This lets Social Security Scotland know how we can improve our service and meet our legal requirements. Social Security Scotland always make sure that there are checks and safeguards in place to protect your data.
This research will not lead to measures or decisions being taken about you as an individual, including any decisions affecting your benefit entitlements.
We'll only use your personal information when we are required to by law. We'll use your personal information where:
it is needed to perform a task carried out in the public interest
we need to comply with a legal requirement
it is necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences
Some of the data that we process is classed as 'special category'. We are allowed to process this data under data protection legislation and will have proper safeguards in place. A list of what we may ask you is found further on in this privacy notice.
We may process several categories of personal data, depending on the type of benefit you are applying for.
We may collect any of these types of data from you:
personal details (for example name, address, date of birth, national insurance number)
family, including number of children, lifestyle and social circumstances
financial details (bank details)
employment and education details
goods or services provided
visual images (where specifically requested), including photos and video interviews
Some of the data we may process is special category data, including:
physical or mental health details
racial or ethnic origin
political, religious or other beliefs of a similar nature
offences, including alleged offences
criminal proceedings, outcomes and sentences
We have a safeguards policy for processing special categories of personal data and criminal convictions. Contact our Data Protection Officer to ask for a copy of the safeguards policy. You do not have to pay for this.
We may collect your data in a number of ways:
if you apply online, by phone or by filling in a paper form
if we speak to you face to face, over the phone or by webchat
over social media
from third party groups, for example, the Department for Work and Pensions
any device that connects to the internet
When you use our websites, it places small files, known as 'cookies', onto your device. These collect information about how you browse. You will normally see a message on the site before we store a cookie on your device.
The information we - and Google - collect doesn't identify anyone and is kept for a maximum of 38 months. If we do want to collect information that could identify you personally through the site, we will let you know and outline your rights.
In exchange for collecting your data, we request that you:
give us complete and correct details about you
tell us as soon as you can if any of your details change
In some cases, we'll share data with third parties when needed to fulfil our services. This includes, but is not limited to -
Other public bodies, such as:
Department for Work and Pensions (DWP)
Her Majesty's Revenue and Customs (HMRC)
Scottish local authorities
Integration joint boards
the Registrar General for Scotland
the Keeper of the Records of Scotland
the Scottish Courts and Tribunals Service
other UK and Scottish Government departments
Private bodies including:
credit referencing agents (we use credit referencing agents to verify payment details)
Questback is the survey tool which collects the equality information for Social Security Scotland. Data is held in the survey tool before it's analysed by Social Security Scotland.
Third party service providers:
contractors and other third party service providers who will process personal data on our behalf
We require third parties to respect the security of your data and to treat it in line with the law.
These third parties may use your data to keep their information accurate and up to date, and to make sure they are offering you the best possible services.
Your data may also be shared with:
other bodies whose job it is to stop fraud
third parties who help us make a payment to you
All your data will be processed within the EU. We always make sure that there will be checks in place to safeguard your data.
We will keep your data only for as long as it's needed. The length of time may vary across the organisation, depending on the reason for collecting or holding the data.
In general, your data will be kept for the duration of a benefit plus up to 7 years, in line with the requirement of the Public Sector Finance Manual.
We may hold your data for a longer period of time in some cases. For example if your application was unsuccessful or involves fraud, error, or debt. If your application is unsuccessful we'll use the data for appeals and redeterminations.
Automated individual decision making is a decision made by an electronic system without any human involvement. We are allowed to use automated decision making in the following circumstances:
where we have let you know of the decision and given you the right to request us to review the decision, or make a new decision, not based solely on automated processing
in limited circumstances, with your explicit written consent and where proper measures are in place to safeguard your rights
If we make an automated decision on the basis of any special category data it must be justified in the public interest. Or we must have your explicit written consent. We must also put in place proper measures to safeguard your rights.
You'll not be subject to decisions that will have a significant impact on you based solely on automated decision making, unless we have a lawful basis for doing so. If this does occur we will let you know.
We may use automated systems to profile and help our staff make decisions. Profiling is the processing of personal data by a system, to check certain things about an individual.
We may use profiling to help us check certain things about you, to:
see if you are entitled to any other benefits or assistance
detect and prevent fraud and error
improve our services
Under certain circumstances, you have the right to:
know what data we hold about you (known as a subject access request). This allows you to check that your data is being processed lawfully
request your information be corrected or updated for accuracy
request your data be deleted. This allows you to ask us to delete or remove your data when there is no good reason for us continuing to process your data. However, this does not apply where we are legally obliged to process your data or for the performance of a task carried out in the public interest
ask us to stop processing your data, unless we can show a legal reason to continue
request the restriction of processing of your data in certain circumstances. This allows you to ask us to suspend the processing of personal information about you, for example if you want to correct the accuracy of your personal data and you are verifying the accuracy of the data
ask us to share your information with other organisations in certain circumstances, like when you have given your consent for us to process your data
Please note that we do not have to comply with your requests in cases of the prevention, detection, investigation or prosecution of criminal offences.
In some circumstances the DPA provides an exemption from particular GDPR provisions, including certain principles and rights.
When data is collected for statistics, research, and reporting purposes it exempts Social Security Scotland from the following principles:
Purpose limitation - this is the principle where data can only be collected for a specified, explicit and legitimate purpose, and not further processed in a manner that is incompatible with that purpose.
However, research is considered to be compatible with the initial processing, where your data is being collected for Social Security purposes.
Retention period - Social Security Scotland will only keep data as long as it is lawfully required. There's no retention period placed on data used for research and statistical purposes. However, we will always ensure that appropriate safeguards are in place to protect your data.
Additionally, Social Security Scotland are also exempt from the following rights:
access to copies of data (as all research will be anonymised when published)
correcting inaccurate data
restricting the processing of data
objecting to the processing of data
However, this exemption will only apply if:
Social Security Scotland have appropriate technical and organisational safeguards to protect your data. This includes data minimisation measures
there's no likelihood of substantial damage or distress to you from the data processing
the research will not lead to measures or decisions being taken about you, including decisions about your benefit entitlement
compliance with the exempted rights would prevent or seriously impair our ability to conduct our research
the research results are not made available in a way that identifies individuals
You have a right to access your data. You can ask us to see the data we hold about you. You will not have to pay to get your data. However, in some cases we may refuse your request in line with the Data Protection Act 2018, if we find that it is clearly unfounded or excessive.
Please contact our Data Protection Officer to ask about this, any of your other rights, or for any other questions or comments you may have.
Write to us:
Data Protection Officer
PO Box 10298
You can contact the Information Commissioner if you are concerned about how we process your data. If you are going to do this, we would ask you to let us have the chance to put things right first, by getting in contact with our Data Protection Officer and letting them know your concerns.
To lodge a complaint with the independent Information Commissioner (ICO), you can contact: You can contact the Information Commissioner:
0303 123 1113
Alternatively, you can write to:
The Information Commissioner