This page is a guide to how the Commissioner’s office uses people’s personal information to do the work we do. It explains:
- the types of personal information our office collects, and how we use it,
- how we keep your personal information safe,
- how long we keep your personal information for,
- what your rights around personal information are, and
- who you can talk to if you are unhappy about the way we use your personal information.
Decisions you can make around your data on this website are explained on our privacy on this website page.
What is personal information?
Your personal information is any information that can be identified as being about you.
For example, imagine we sent out a form that asked you to tell us your name, which school you went to and your opinion about something.
There probably isn’t anyone else at your school who has the same name as you, so we’d be able to work out that you personally had given us that opinion.
That would make your name and the school you went to personal information, because we could use it to identify you. It also means the opinion you put down on the form is your personal information.
Some personal information is called special category data, which has extra protections because it’s more sensitive than other personal information.
Special category data is particularly sensitive personal information. Because it’s more open to misuse than other personal information, there are extra protections around it.
It includes information about someone’s:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (when used to identify someone)
- Sex life
- Sexual orientation
More in the Rights questions and answers section
Sometimes we will need special category data to help us resolve issues that affect the rights of individual or groups of children and young people in Scotland.
We also ask people to share some of this information with us to help us meet our equalities duties.
More in the Rights questions and answers section
How is personal information protected?
The ways in which people’s personal information are protected are known as data protection. Laws around data protection are made by the UK Parliament for the whole UK, including Scotland.
It’s important to us that we use your personal information in line with six principles outlined in data protection law:
- We will handle your personal information lawfully, fairly and in a transparent way.
- We will collect your personal information only for valid purposes that we have explained to you, and not use it in another way that is at odds with those purposes. Valid purposes are the legal reasons someone is allowed to process your personal information. You can find out about these on the Information Commissioner’s website.
- We will make sure that the personal information we hold about you is relevant to the purposes we have told you about.
- We will make sure that your personal information is accurate and kept up to date.
- We will keep your personal information only as long as it is needed for the purpose we have told you about.
- We will keep your personal information safe and secure.
What’s our lawful reason for using personal information?
Data protection law requires us to have a lawful reason for using your personal information— that is, one that the law says we’re allowed to use.
Most often, we’ll use your personal information when:
- We have been given an important function or job by law and need to use your personal information to carry out that job or function.
- We have been given responsibilities or duties by law and need to use your personal information to comply with them.
- It is necessary for our legitimate interests – or those of a third party – and your interests and fundamental rights do not override those.
- When we have your consent to do so.
- Where we need to protect your vital interests or the vital interests of someone else. Vital interests are usually matters of life and death— where passing on your personal information would change whether someone lived or died.
We will only use special category information when we have an additional lawful reason for doing so. Most commonly this will be because:
- There is a substantial public interest in us fulfilling our legal duties and responsibilities.
- There is a substantial public interest in us protecting an individual child who is at risk.
- We have your explicit consent to do so.
- We need to comply with employment or social security law.
- We need to protect your vital interests or the vital interests of someone else.
- We need the information for archiving or for undertaking research— though we will only do so where we have measures in place to protect your rights.
What personal information we collect and how we use it
We collect and use your personal information in several ways.
Advice and investigations
- When you contact us to ask for information, advice or to tell us about a children’s rights issue, we use the personal information you provide to allow us to respond to you.
- Sometimes we might need to contact another organisation about a problem you have raised with us, but we will only do this if we have your consent to do so.
- One of our jobs is to consider and carry out investigations of organisations who have not upheld children’s rights. To help us do this job we may need more information from you, the organisation or someone else who has the information we need. Sometimes this information will be about you.
Complaints to us
- When you bring a complaint to us about the Commissioner, one of his employees or our office’s performance, we will use the personal information you provide to allow us to respond to you.
Contacting and visiting us
- When you are requesting or attending a meeting with us, we will use the personal information you provide to allow us to manage the meeting.
- When you contact us, we will use the personal information you provide to allow us to respond to you.
Supply of products or services
- When we agree to an annual contract for a product or service that you or company provide, we may use the personal information you provide to allow us to manage that contract.
- When we purchase a product or service from you or your company, we may use your personal information to allow us to pay for it.
Data protection and freedom of information requests
- When you send us a request to access your personal information, we will use the personal information you used to make the request – like your email address – to allow us to respond to you.
- When you send us a freedom of information request or request for a freedom of information review, we will use your personal information to allow us to respond to you.
- When you send us an environmental request or request for an environmental review, we will use your personal information to allow us to respond to you.
- When we are hosting an event, we may use your contact details to allow us to invite you to the event.
- When you register to attend one of our events, we will use your contact details and other information that you have provided – such as dietary requirements or emergency contact details – to help us manage the event.
- When you submit a job application to us, we will use the personal information you provide to allow us to recruit the most suitable candidate for the job.
- When you are interviewed for a job with us, we will use interview evaluations and external references about you to allow us to recruit the most suitable candidate for the job.
- When you ask to be added to our list of research contacts, we will use the personal information you provide to let you know about our research calls.
- We need information to allow us to do the job the Scottish Parliament has given us to promote and safeguard the rights of children and young people. Surveys can be a useful way for us to gather this information. When you respond to one of our surveys, we will collect and analyse the response you give us. We will not keep your response after the work has been completed. We will use a third party to manage our survey.
Using our website and social media
- When you opt-in to our online news or international e-updates, we will ask for and keep the contact details you provide to send this to you. We use Mailchimp to manage our online news and e-updates.
- When you use our website, we collect information from people who agree to share it to help us understand how our website is being used. You can find out more about this on our web privacy page.
- When you send us a direct message via social media, we will use the personal information you provide to respond to you.
- When you send a message using forms on our website, we will use the personal information you provide to respond to you.
When will we share your personal information?
For the health and safety of yourself and others
We may share your personal information if we’re worried about your health or safety or the safety of someone close to you.
This might involve us contacting:
- your local social work office,
- the Children’s Reporter, or
- the police.
When we have to by law
We have to release your personal information if a court or law requires us to.
We may share your personal information with a translation service if we need it in another language. We use Language Line Solutions to do this.
When it’s important to certain organisations for their work
We can share personal information to three organisations when the information is important to their work.
The organisations are named by law, and the law also sets out the reasons we can share information with them.
- Audit Scotland can access personal information for purposes relating to our external audit,
- The Information Commissioner can access personal information for purposes relating to their role overseeing data protection across the whole UK, and
- The Scottish Information Commissioner can access personal information for purposes relating to their role overseeing freedom of information in Scotland.
When outside people or organisations need it to help our office run
People and organisations who don’t work for the Commissioner do some things for us so our office runs as well as it can. Sometimes, they need to use personal information to do their job. This may include people and organisations involved with:
- IT services,
- Human resource management services,
- Legal services,
- Confidential waste services,
- Professional advisers and consultants,
- Survey management services.
When you use our website
When you use our website some of your personal information is shared to allow it to work properly, and you can opt-in to sharing more of it with us and other organisations in order to turn on certain features. You can find out more about this on our privacy on this website page.
How long will we keep your personal information for?
We’ll only keep your personal information for as long as we need it to carry out whatever we collected it for. To work out how long we need to keep it, we look at:
- how much personal information we have, what type of information it is and how sensitive it is,
- how much harm it would do if it was used by someone who shouldn’t or seen by someone who shouldn’t have access to it,
- what we’re using the information to do and whether we could do it without using your information, and
- whether the law says we need to keep your information for a certain amount of time.
Where is your personal information kept?
We will only transfer your personal information outside the UK or European Economic Area if you give us your consent to do so, or we can be sure it will receive a level of protection consistent with UK data protection law.
How do we keep your personal information safe?
We have a responsibility to keep your personal information safe and secure, and it’s one that we take seriously. We’ve taken the following steps to safeguard your personal information:
We have appropriate security measures in place to prevent your personal information being lost, altered, used or accessed in a way that isn’t authorised, or disclosed.
Limits to access
Access to personal information is only given to people who need it to do their jobs, whether these are employees of the Commissioner or organisations who carry out work for us.
In both cases, these people only handle personal information under our instructions and are subject to a duty of confidentiality.
We require everyone outside the office who handles your personal information to make sure that it’s kept secure.
What happens if my personal information is lost, made public, or used in a way that it shouldn’t be?
If we lose control of your personal information or suspect that this has happened, we will notify you quickly. If you might be exposed to serious risk as a result of this, we will tell the Information Commissioner’s Office within 72 hours— exactly three days.
What are my rights around the personal information you keep about me?
You have several rights around the personal information we keep about you, including:
- the right to get information about how and when we collect and use your personal information,
- the right to request access to the personal information about you which we’re keeping,
- the right for us to correct your personal information if it’s wrong, incomplete or out of date,
- the right to have your personal information destroyed in certain circumstances,
- the right to put restrictions in certain circumstances on how we process your personal information,
- the right to have your personal information transferred to another organisation or to yourself under certain circumstances,
- the right to object to us using your personal information,
- the right to withdraw your consent at any time to us using your personal information.
You also have rights related to automated decision-making around personal data, which you can find out about on the website of the Information Commissioner’s Office.
How do I complain about how you’ve handled my personal information?
Our data protection officer
We have a data protection officer who is independent of the Commissioner’s office, so is free from our influence and control. You can contact them if you have concerns about how your personal information has been used by us, or if you want to know more around your rights in relation to data protection.
You also have the right to make a complaint about how we handle your personal information to the Information Commissioner’s Office.