How I use your personal data:
I process any personal data under the requirements of the General Data Protection Regulation (EU) 2016/679 (the GDPR), the Data Protection Act 1998 and any Act that replaces the Data Protection Act.
What is personal data?
Personal data is any information from which a living individual can be identified.
I will hold all personal data securely, I will only use it for the purposes it was collected or acquired for and I will only pass it on to third parties with your consent or according to a legal obligation.
Further information about the data protection legislation and your rights is available here:
https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
Purposes and categories of processing personal data:
I collect and use personal data to fulfil the following functions and associated activities of my office;
to carry out casework on behalf of my constituents;
to tend to issues and campaigns I am involved in;
to manage and support my staff and to maintain supplier relationships;
to process expenses, accounts and associated records.
If you contact me with an inquiry or a complaint, I will normally need to store your contact details to deal with your inquiry or complaint. This is considered to be “normal category data” under the GDPR.
Other personal data you may provide to me may include details about your personal and family life, social circumstances and business activities, your employment and education details, financial information or information about your housing situation etc. Depending on what views, issues or experiences you wish to discuss with me, you may be sharing “special category” data with me. For example, this could include details about race or ethnic origin, political or religious views, sex life or sexual orientation, trade union membership, physical or mental health, genetic or biometric data or any criminal offences.
The legal basis for processing personal data:
Data protection law states that I must have a legal basis for handling your personal data. The permitted legal bases can be found in the GDPR and the DPB.
Depending on the circumstances, the legal basis for processing personal data in my office may include:
Consent of the data subject (the person who the personal data relates to.)
Complying with legal obligations
Protecting vital Interests of individuals
Pursuing legitimate Interests
Acting in the public interest [includes democratic engagement activities]
The processing is necessary for the performance of a contract
Categories of processing activities and corresponding legal basis:
Processing of personal data means anything from collecting, storing, using to sharing and deleting (see link above for more information).
I process personal data in the following ways:
|
Processing activity |
The legal basis |
How long I retain the data |
How the data may be shared |
|---|---|---|---|
|
Receiving, storing and responding to general enquiries by letter, email or in person |
The processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (Art 6(1)(e) or 6(1)(f) GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. |
Up to 3 years after the matter is considered closed, or until I am no longer an MSP. This is to ensure if further issues arise I have all necessary information. |
Your personal data won’t be shared without your permission. |
|
Receiving, storing and responding to complaints by letter, email or in person |
Depending on the nature of the complaint, the processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (Art 6(1)(e) GDPR or Art 6(1)(f) GDPR). |
Up to 3 years after the matter is considered closed, or until I am no longer an MSP. This is to ensure if further issues arise I have all necessary information. |
Your personal data won’t be shared without your permission. |
|
Receiving and storing data in relation to a personal issue or problem raised by a constituent (casework) |
The processing is carried out with the consent of the data subject (Art 6(1)(a) GDPR) OR The processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (Art 6(1)(e) or 6(1)(f) GDPR). Or, for special category data: The processing is necessary for reasons of substantial public interest (Art 9(2)(g) GDPR and DPB Sch 1, para 23). Or, for criminal offence data: The processing is necessary for the performance of a task carried out in the public interest (GDPR Articles 6(1)(e), 10 and DPB Sch 1, paras 23-25, 29, 32) |
Up to 3 years after the matter is considered closed, or until I am no longer an MSP. This is to ensure if further issues arise I have all necessary information. |
Your personal data won’t be shared without your permission. |
|
Collect and use data for the purpose of sending out newsletters with information about surgeries, office contact details and upcoming events and campaigns |
The processing is necessary for the performance of a task carried out in the public interest (Art 6(1)(e) GDPR). |
Until it is requested that the data is deleted, or until I am no longer an MSP for my current region |
Your personal data won’t be shared without your permission. |
|
Take, store and use photos and videos in connection with my engagements and events I attend in my capacity as a MSP. |
The processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (Art 6(1)(e) GDPR or Art 6(1)(f) GDPR). |
Up to 5 years or until I am no longer an MSP. |
Your image may be used in material explaining my work as an MSP online and in print media. In cases where you would not have reasonably expected your image to be public your permission will be sought beforehand. |
| Processing of personal data in parliamentary motions and questions including special category and/or criminal offence data |
The processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR and section 8(c) DPA) – where the Member is satisfied that the raising of awareness/encouraging debate on an important issue in a motion or parliamentary question is necessary to carry out their functions as an MSP. Other legal bases include: The processing is necessary for the purposes of the legitimate interests pursued by a Member of a third party (Article 6(1)(f) UK GDPR). Consent has been given by the data subject(s) for their information to be used in this way and they have been supplied with all the relevant information about what consent means and under what circumstances and up to what point it can be withdrawn (Article 6(1)(a) UK GDPR) For special category data: The processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR) with a substantial public interest condition (Article 9(2)(g) UK GDPR and paragraph 6(2)(a) of Part 2 to Schedule 1 of the DPA) – as the processing is necessary for reasons of substantial public interest in relation to the exercise of the function of a person conferred by enactment or rule of law i.e. parliamentary motions and questions serve a range of functions 9 and are a key mechanism by which Members gain information and raise issues. This is key to the role of MSPs, which is in turn underpinned by the Scotland Act 1998 and the Standing Orders. Members give notice of proposed motions and questions to the Chamber Desk for review in line with both their and the SPCB’s functions. Other conditions which may apply for the processing of special category data in relation to parliamentary motions and questions will include: Where the processing relates to personal data which are manifestly made public by the data subject (Article 9(2)(e) UK GDPR). Where explicit consent is given to the processing from the data subject (Article 9(2)(a) UK GDPR). Criminal offence data: The processing of personal data relating to criminal convictions and offences, or related security measures based on Article 6(1)(e) is authorised by domestic law, with a substantial public interest condition (Article 10 UK GDPR and paragraphs 6, 23 and 32, Parts 2 and 3 of Schedule 1 to the DPA) Where the processing is necessary for reasons of substantial public interest and the exercise of a function conferred on a person by enactment or rule of law (paragraph 6(2)(a), Part 2 of Schedule 1 to the DPA). Where the processing is carried out by an MSP, or a person acting with their authority, for the purpose of reasonable actions taken by an MSP in response to a request by an individual to take action on their behalf 10 (paragraph 23, Part 2 of Schedule 1 to the DPA) Where the processing relates to personal data which is manifestly made public by the data subject (paragraph 32, Part 3 of Schedule 1 to the DPA) (edited) |
(Data not used in a motion or question) Up to 3 years after the matter is considered closed, or until I am no longer an MSP. This is to ensure if further issues arise I have all necessary information |
(Data not used in a motion or question) Your personal data won’t be shared without your permission |
Sharing of personal data:
I sometimes may be required to share the personal information I hold with other individuals or organisations including for example:
healthcare, social and welfare organisations
local and central government bodies
educators and examining bodies
statutory law enforcement agencies
investigating bodies
elected representatives and other holders of public office
financial organisations
crime prevention agencies and the police
The legal basis for sharing data with these organisations may be that
the sharing is necessary for complying with a legal obligation to which I am subject (Art 6(1)(c) GDPR;
the sharing is necessary in order to protect the vital interests of the data subject or of another person (Art 6(1)(d); or
the sharing is necessary for the performance of a task carried out in the public interest or substantial public interest (Art 6(1)(e) or Art 9(2)(g) GDPR.
I may seek your prior express consent to share your personal data with any of the following:
employment and recruitment agencies
press and the media
family, associates and representatives of the person whose personal data I am processing
enquirers
subjects of complaints
political parties
charitable parties
The consequences of my not processing personal data are:
Where I am processing personal data for the performance of a contract, the consequence of not processing the personal data is that I may not be able to fulfil my obligations under that contract.
Where I am processing personal data in accordance with a statutory obligation, the consequence of not processing personal data may be that I am liable to regulatory fines for non-compliance with that statutory duty.
Automated data processing:
I do not use automated processing techniques to process your data.
Sharing or processing personal data outside the European Economic Area:
If you sign up to receive my newsletter, or engage my office in certain types of correspondence, your email may be processed using the Mailchimp system based in the USA. Mailchimp is GDPR compliant; their full privacy policy can be found at: https://mailchimp.com/legal/privacy
Retention of personal data:
I retain personal data for the period that is necessary to carry out casework on behalf of my constituents, work on issues and campaigns I am involved in, and to support my staff and maintain supplier information, expenses, accounts and associated records.
Using my website
This site will set anonymous cookies if your browser is set to accept them, and they will be used by Google Analytics. Additionally, videos on the website may use cookies created by third-party providers such as YouTube.
The information I collect is anonymous - it cannot be used to identify you personally.
Your rights
The GDPR sets out the rights which individuals have in relation to personal information held about them by data controllers. These rights are listed below, although whether you will be able to exercise each of these rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place (see the individual privacy notices listed above for further details in relation to specific processing activities).
Access to your information – You have the right to request a copy of the personal information about you that I hold.
Correcting your information – I want to make sure that your personal information is accurate, complete and up to date and you may me to correct any personal information about you that you believe does not meet these standards.
Deletion of your information – You have the right to ask me to delete personal information about you where:
You consider that I no longer require the information for the purposes for which it was obtained
I am using that information with your consent and you have withdrawn your consent.
You have validly objected to my use of your personal information –my use of your personal information is contrary to law or our other legal obligations.
Objecting to how we may use your information – You have the right at any time to require me to stop using your personal information for direct marketing purposes. In addition, where I use your personal information to perform tasks carried out in the public interest then, if you ask me to, I will stop using that personal information unless there are overriding legitimate grounds to continue.
Restricting how we may use your information – in some cases, you may ask me to restrict how I use your personal information. This right might apply, for example, where I am checking the accuracy of personal information about you that I hold or assessing the validity of any objection you have made to my use of your information. The right might also apply where this is no longer a basis for using your personal information but you don't want me to delete the data. Where this right to validly exercised, I may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Withdrawing consent using your information – Where I use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.
Please contact me using the contact details provided above.
Changes to my privacy statement
I keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information above.
This privacy statement was last updated on 30th August 2023.