Some of the language used in privacy notices can be specialised. The Information Commissioner's website provides a useful introduction to key terms and concepts.
Categories of information processed
In order to send email bulletins, the Scottish Parliament processes normal category personal data, including your name, email address and postcode.
For Education News and Community Outreach News, information is also collected about your organisation and the local authority for your school, where relevant.
Source of the information
The personal information is provided to us directly when you (the data subject) complete an email-bulletin subscription form on the Scottish Parliament website or the Festival of Politics website.
You may also provide details by completing a hard-copy subscription form or a subscription section on a feedback form, for example, for the Festival of Politics. This information will then be added manually to the subscription database by Scottish Parliament staff for the specific email bulletins requested.
The purpose of the processing
The Scottish Parliament uses the information that you have provided as a subscriber to send the requested email bulletins about the Parliament’s activities. If you have provided a postcode or identified the parliamentary region in which you live, this information may be used to provide email bulletins with more detail about Parliament activities relating to your local area. We may also use the above information for statistical purposes to improve and develop the email bulletin service.
The legal basis of processing
The legal basis for holding and processing personal information in the case of the email bulletins is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation (GDPR).
Data sharing and data processing
We use a UK-based third-party provider (Campaign Master) as a data processor to manage subscriptions and issue email bulletins.
Information is stored on its system on secure servers. Information about subscribers can be accessed only by a limited number of Parliament staff. With the authorisation of Parliament staff, it may also be accessed by the provider if required to resolve any technical issues arising. The information you provide will not be shared with anyone else.
There are separate subscription mechanisms and separate subscription lists for the different bulletins. We will not transfer personal information between lists without the explicit consent of the data subject.
We use a US-based third-party provider, Eventbrite, as a data processor to manage bookings for the Festival of Politics. Eventbrite will contact registered attendees with emails containing transactional information about the event they have booked.
Information is stored in its system on secure servers. Access to the system requires a username and password, and personal information about those who have booked tickets can be accessed only by a limited number of Parliament staff. With the authorisation of Parliament staff, it may also be accessed by the provider if required to resolve a technical issue. It will not be shared with anyone else.
Retention of data
Subscribers to email bulletins can update their details at any time by clicking on the ‘Maintain my details’ link included on all email bulletins.
Your name and contact details information will remain on the Campaign Master system and will be used to send email bulletins until you choose to unsubscribe. An ‘Unsubscribe’ link is included on all email bulletins and subscribers can unsubscribe at any time. If you unsubscribe, you will immediately be taken off the distribution list for the relevant bulletin. Any remaining personal information will be removed from the system entirely no later than one year from the date on which you unsubscribe.
Hard copies of subscription forms will be stored securely, reviewed regularly and destroyed no more than three months after the individual has unsubscribed.
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below, although whether you will be able to exercise data subject rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
For example, the rights allowing for deletion or erasure of personal data (right to be forgotten) and data portability do not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest. The right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject. This would be considered on a case-by-case basis and depends on what personal data is involved and the risks further processing of that data would pose to you.
The following rights apply:
Access to your information
You have the right to request a copy of the personal information about you that we hold. For further information, have a look at our page on Making a Subject Access Request.
Correcting your information
We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
Deletion of your information
You have the right to ask us to delete personal information about you where:
- You consider that we no longer require the information for the purposes for which it was obtained.
- We are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below.
- Our use of your personal information is contrary to law or our other legal obligations.
Restricting how we may use your information
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where this is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Withdrawing consent to using your information
Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.
Please contact us in any of the ways set out in the Contact information and further advice section if you wish to exercise any of these rights.
Changes to our privacy statement
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 9 November 2020 and will be reviewed within 12 months.
Contact information and further advice
If you have any further questions about the way in which we process personal data, or
about how to exercise your rights, please contact the Head of Information Governance
The Scottish Parliament
Telephone: 0131 348 6913
(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)
Please contact us if you require information in another language or format