Member’s Bill Consultation – privacy notice
This is a Privacy Notice for the office of Martin Whitfield MSP, Member of the Scottish Parliament (MSP). This privacy statement explains how I collect and use personal information as a data controller for my member’s bill consultation.
This privacy notice is in addition to my main privacy notice which explains how my office collects and uses personal information about individuals (for example in relation to constituency work).
My office address and contact details are:
Address: The Scottish Parliament Edinburgh EH99 1SP
Email: martin.whitfield.msp@parliament.scot
The purpose of the processing
The purpose of collecting, storing and sharing personal data contained in consultation responses is to enable me to consider the views of respondents to inform the development of the Bill. Personal data contained in consultation responses will not be used for any other purpose without the express consent of the data subject.
Categories of information processed
During Member’s Bill consultations, I will process normal category data such as your name and your contact details provided with the response. I may also process *special category data included in responses to consultation questions.
*Special category data includes information revealing an individual’s race; ethnic origin; political or religious views; sex life or sexual orientation; trade union membership; physical or mental health; genetic or biometric data.
Source of the information
The information is provided by you (the data subject) when responding to a consultation on the development of my member’s Bill.
Legal basis for processing
Data protection law states that I must have a legal basis for handling your personal data.
The legal basis for collecting, holding, sharing and publishing your personal data is that the processing is necessary for the performance of a task carried out in the public interest (for normal category data), or in the substantial public interest (for special category data), in accordance with Article 6(1)(e) of the UK General Data Protection Regulation (UK GDPR) and section 8(d) of the Data Protection Act 2018 (DPA) (for normal category data), or Article 9(2)(g) UK GDPR and section 10(3) of and paragraph 6(2)(b), Part 2 of Schedule 1 of the DPA (for special category data).
The task is to support me in seeking to introduce my Member’s Bill to the Parliament. Legislation is a core task of the Scottish Parliamentary Corporate Body (SPCB) and therefore a Crown function. The adequate support of the Member’s Bill process and the ability to seek, use and temporarily store personal data including special category data is in the substantial public interest.
If the person responding to the consultation is under the age of 12 then consent from the parent or guardian of the young person will be required to allow the young person to participate in the consultation process (however, the legal basis for the processing of the personal data submitted remains as the public interest task basis identified above).
Data sharing
The data collected and generated by Smart Survey will be held by me and staff in my office who are supporting me in progressing the Bill. Data submitted by other means (e.g. by email or hard copy) will be held by me and my office for the purposes of producing a summary of responses to the consultation. I, the MSP, am the data controller of the data.
Publishing Personal Data
“Not for publication” responses will not be published and will only be referred to in the summary of consultation responses in the context of a reference to the number of “not for publication” responses received and, in some cases, in the context of a general reference that is considered by you to be consistent with the reasons for choosing “not for publication” status for your response.
Anonymous responses will be published without your name attached, your name will not be mentioned in the summary of consultation responses, and any quote from or reference to any of your answers or comments will not be attributed to you by name.
Other responses may be published, together with your name; and quotes from or references to any of your answers or comments, together with your name, may also be published in the summary of consultation responses.
Contact details (e.g. your e-mail address) provided with your response will not be published, but may be used by me or my office to contact you about your response or to provide you with further information about progress with the proposed Bill.
Where personal data, whether relating to you or to anyone else, is included in that part of your response that is intended for publication, the MSP’s office (me or my team) may edit or remove it, or invite you to do so; but in certain circumstances the response may be published with the personal data still included.
Retention of data
If a summary of consultation responses is published within six months of the consultation period ending, all of your data will be deleted as soon as possible after the summary is published. If, six months after the consultation period has ended, a summary has not been published, then responses may be downloaded to Scottish Parliament IT systems and retained until the end of the session of the Parliament in which the consultation took place.
In exceptional circumstances, your data may be retained beyond the end of the six month period if that is necessary for the purpose of preparing a summary for future publication.
If I lodge a final proposal, I am required to provide a copy of your response (unless it was “not for publication”), together with your name (unless you requested anonymity), but not your contact details, to the Scottish Parliament Information Centre (SPICe), where it will be retained permanently in line with the collection management policy.
Children and young people safeguarding and child protection
In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
Your rights
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
The following rights may apply:
Correcting your information – You have the right to ask me to correct the personal data I hold about you. I want to make sure that your personal information is accurate, complete and up to date and you may ask me to correct any personal information about you that you believe does not meet these standards.
Objecting to how I may use your information – You have the right at any time to request for me to stop using your personal information for direct marketing purposes. In addition, where I use your personal information to perform tasks carried out in the public interest then, if you ask us to, I will stop using that personal information unless there are overriding legitimate grounds to continue.
- Please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent.
- The right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject.
- The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.
Deletion of your information – You have the right to ask me to delete personal information about you where:
- You consider that I no longer require the information for the purposes for which it was obtained
- I am using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
- You have validly objected to my use of your personal information – see Objecting to how I may use your information above
- Our use of your personal information is contrary to law or our other legal obligations
Please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest.
The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.
Restricting how I may use your information – In some cases, you may ask me to restrict how I use your personal information. This right might apply, for example, where I am checking the accuracy of personal information about you that I hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don’t want us to delete the data. Where this right is validly exercised, I may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Withdrawing consent to using your information – Where I use your personal information with your consent, you may withdraw that consent at any time and I will stop using your personal information for the purposes for which consent was given.
Please contact me at martin.whitfield.msp@parliament.scot if you wish to exercise any of these rights.