Sandra White MSP Data Protection Privacy Notice. This privacy notice explains how my office collects and uses personal information about individuals.

Transcription

1 Sandra White MSP Data Prtectin Privacy Ntice This the Privacy Ntice f the ffice f Sandra White MSP. This privacy ntice explains hw my ffice cllects and uses persnal infrmatin abut individuals. My ffice address and cntact details are: Address: 1274 Argyle Street, Glasgw G3 8AA Sandra.white.msp@parliament.sct Phne: Ntificatin: I am registered as a data cntrller with the UK Infrmatin Cmmissiner and the reference number is: Z Hw I use yur persnal data: I prcess any persnal data under the requirements f the General Data Prtectin Regulatin (EU) 2016/679 (the GDPR) and the Data Prtectin Act 2018 (the DPA). What is persnal data? Persnal data is any infrmatin frm which a living individual can be identified. I will hld all persnal data securely, I will nly use it fr the purpses it was cllected r acquired fr and I will nly pass it n t third parties with yur cnsent r accrding t a legal bligatin. Further infrmatin abut the data prtectin legislatin and yur rights is available here: Purpses and categries f prcessing persnal data: I cllect and use persnal data t fulfil the fllwing functins and assciated activities f my ffice; t carry ut casewrk n behalf f my cnstituents; t stre said data fr the purpses f assisting my cnstituents until such times as my ffice has brught the matter t a clse. At this time an individual s persnal data will be destryed in a secure fashin; t tend t issues and campaigns I am invlved in; t maintain supplier relatinships; t prcess expenses, accunts and assciated recrds. If yu cntact me with an inquiry r a cmplaint, I will nrmally need t stre yur cntact details t deal with yur inquiry r cmplaint. This is cnsidered t be nrmal categry data under the GDPR. Other persnal data yu may prvide t me may include details abut yur persnal and family life, scial circumstances and business activities, yur emplyment and educatin details, financial infrmatin r infrmatin abut yur husing situatin etc.. Depending n what views, issues r experiences yu wish t discuss with me, yu may be sharing special categry data with me. Fr example, this culd include details abut race r ethnic rigin, plitical r religius views, sex life r sexual rientatin, trade unin membership, physical r mental health, genetic r bimetric data r any criminal ffences. If yu are a supplier, I will nrmally need t stre yur name, cntact and payment details fr the purpses f the cntract between us.

2 The legal basis fr prcessing persnal data: Data prtectin law states that I must have a legal basis fr handling yur persnal data. The permitted legal bases can be fund in the GDPR and the DPA. Casewrk Where it is necessary fr me t prcess data fr the purpse f taking reasnable actin n behalf f a cnstituent, I d nt require the cnstituent s cnsent fr that prcessing. The legal basis fr the prcessing is that it is necessary fr a r, as regards special categry data, the substantial public interest. In particular: In relatin t nrmal categry data, the legal basis is that the prcessing is necessary fr an activity supprting r prmting demcratic engagement (article 6(1)(e) GDPR and sectin 8(e) DPA). Demcratic engagement cvers a wide range f plitical activities inside and utside electin perids, including but nt limited t: demcratic representatin, cmmunicating with electrs and interested parties, surveying and pinin gathering, campaigning activities, activities t increase vter turnut, supprting the wrk f elected representatives, prspective candidates and fficial candidates and fundraising t supprt any f these activities; In relatin t special categry data, the legal basis is that the prcessing is necessary fr reasns f substantial public interest, which includes any prcessing carried ut by an MSP, r a persn acting with their authrity, fr the purpse f reasnable actins taken by the MSP in respnse t a request by an individual t take actin n their behalf (Article 9(2)(g) GDPR and paragraph 23 f Schedule 1 f the DPA). Other prcessing activities Fr ther activities and functins which invlve the prcessing f persnal data, the legal basis fr prcessing may, depending n the circumstances, be: Prcessing necessary fr a (which includes prcessing necessary fr an activity supprting r prmting demcratic engagement (article 6(1)(e) GDPR and sectin 8(e) DPA). Demcratic engagement cvers a wide range f plitical activities inside and utside electin perids, including but nt limited t: demcratic representatin, cmmunicating with electrs and interested parties, surveying and pinin gathering, campaigning activities, activities t increase vter turnut, supprting the wrk f elected representatives, prspective candidates and fficial candidates and fundraising t supprt any f these activities Prcessing pursuit f legitimate interests Cnsent f the data subject (the persn wh the persnal data relates t.) Prcessing necessary t cmply with legal bligatins Prcessing necessary t prtect vital interests f individuals Prcessing cntract As fr any sensitive (r special categry ) data, the legal basis relied upn may, depending n the circumstances, be: Prcessing necessary t cmply with legal bligatins Explicit cnsent Prcessing necessary t prtect vital interests f individuals The data has been manifestly made public by the data subject Prcessing establishment, exercise r defence f legal claims

3 Categries f prcessing activities and crrespnding legal basis: Prcessing f persnal data means anything frm cllecting, string, using t sharing and deleting (see link abve fr mre infrmatin). I prcess persnal data in the fllwing ways: Fr further infrmatin n the legal basis fr prcessing here: Prcessing activity The legal basis Hw lng I retain the data Receiving, string 1 parliamentary term and respnding t r 5 years frm pint general enquiries by f last cntact. letter, , r in persn r fr the purpse f a legitimate interest (Art 6(1)(e) GDPR). The task is the engagement f cnstituents with their elected parliamentary representative. The accessibility f elected representatives is in. Receiving, string and respnding t cmplaints by letter, , r in persn Receiving and string data in relatin t a persnal issue r prblem raised by a cnstituent (casewrk) The task is the engagement f cnstituents with their elected parliamentary representative. The accessibility f elected representatives is in. 1 parliamentary term r 5 years frm pint f last cntact. 1 parliamentary term r 5 years frm pint f last cntact. Hw the data may be shared Electrnically r via written crrespndence r in a telephne cnsultatin. Electrnically r via written crrespndence r in a telephne cnsultatin. Electrnically r via written crrespndence r in a telephne cnsultatin.

4 The task is the engagement f cnstituents with their elected parliamentary representative. The accessibility f elected representatives is in. Fr special categry data: necessary fr reasns f substantial public interest (Art 9(2)(g) GDPR and DPA Sch 1, para 23; (this cvers any prcessing carried ut by an MSP, r a persn acting with their authrity, fr the purpse f reasnable actins taken by an MSP in respnse t a request by an individual t take actin n their behalf). Cllect and use data fr the purpse f sending ut newsletters with infrmatin abut surgeries, ffice cntact details and upcming events and campaigns Take, stre and use phts and vides in cnnectin with my engagements and events I attend in my capacity as a MSP (Art 6(1)(e) GDPR) r fr the purpse f a legitimate interest (Art 6(1)(f) GDPR) r The duratin f my service as a MSP, unless an individual requests their data t be deleted. The duratin f my service as a MSP, unless an individual requests their data t be deleted. Via r as a paper publicatin. On my website r via scial media r in a paper publicatin.

5 Cntacting cnstituents with surveys relevant t issues affecting Glasgw Kelvin the data subject has prvided cnsent (Art 6(1)(e) GDPR) r fr the purpse f a legitimate interest (Art 6(1)(f) GDPR) r the data subject has prvided cnsent The duratin f my service as a MSP, unless an individual requests their data t be deleted. Via r as a paper publicatin. Sharing f persnal data: I smetimes may be required t share the persnal infrmatin I hld with ther individuals r rganisatins including fr example: healthcare, scial and welfare rganisatins lcal and central gvernment bdies educatrs and examining bdies statutry law enfrcement agencies investigating bdies elected representatives and ther hlders f public ffice financial rganisatins crime preventin agencies and the plice Depending n the circumstances, the legal basis fr sharing data with these rganisatins may be that: - the sharing is necessary fr cmplying with a legal bligatin t which I am subject (Art 6(1)(c) GDPR); - the sharing is necessary in rder t prtect the vital interests f the data subject r f anther persn (Art 6(1)(d)); r - the sharing is r substantial public interest (Art 6(1)(e) r Art 9(2)(g) GDPR). I may seek yur prir express cnsent t share yur persnal data with any f the fllwing: emplyment and recruitment agencies press and the media family, assciates and representatives f the persn whse persnal data I am prcessing enquirers subjects f cmplaints plitical parties charitable parties

6 The cnsequences f my nt prcessing persnal data are: - Where I am prcessing persnal data fr the cntract, the cnsequence f nt prcessing the persnal data is that I may nt be able t fulfil my bligatins under that cntract. - Where I am prcessing persnal data in accrdance with a statutry bligatin, the cnsequence f nt prcessing persnal data may be that I am liable t regulatry fines fr nn-cmpliance with that statutry duty. Autmated data prcessing: I d nt use autmated prcessing techniques t prcess yur data. Sharing r prcessing persnal data utside the Eurpean Ecnmic Area: Please nte that sending persnal data utside the EEA includes using nline services ( distributin, survey sftware etc.) that are based utside the EEA. I d nt intend t share r prcess persnal data in lcatins utside the EEA. Retentin f persnal data: I retain persnal data fr the perid that is necessary t carry ut casewrk n the behalf f my cnstituents, wrk n issues and campaigns I am invlved in, and t maintain supplier infrmatin, expenses, accunts and assciated recrds. Using my website My website uses ckies t gather infrmatin abut hw visitrs use my website t help me imprve its perfrmance, and secndly, t imprve the visitr experience when using the website by delivering pages mre quickly r remembering user settings. Additinally, vides n the website may use ckies created by third-party prviders such as Flash r YuTube. The infrmatin I cllect is annymus - it cannt be used t identify yu persnally. Further infrmatin n the way that I use ckies and hw yu can set yur brwser t cntrl ckies is available in my ckie plicy here: Yur rights The GDPR sets ut the rights which individuals have in relatin t persnal infrmatin held abut them by data cntrllers. These rights are listed belw, althugh whether yu will be able t exercise each f these rights in a particular case may depend n the purpse fr which the data cntrller is prcessing the data and the legal basis upn which the prcessing takes place (see the individual privacy ntices listed abve fr further details in relatin t specific prcessing activities). Access t yur infrmatin Yu have the right t request a cpy f the persnal infrmatin abut yu that I hld.

7 Crrecting yur infrmatin I want t make sure that yur persnal infrmatin is accurate, cmplete and up t date and yu may ask me t crrect any persnal infrmatin abut yu that yu believe des nt meet these standards. Deletin f yur infrmatin Yu have the right t ask me t delete persnal infrmatin abut yu where: Yu cnsider that I n lnger require the infrmatin fr the purpses fr which it was btained. I am using that infrmatin with yur cnsent and yu have withdrawn yur cnsent. Yu have validly bjected t my use f yur persnal infrmatin / my use f yur persnal infrmatin is cntrary t law r ur ther legal bligatins. Objecting t hw we may use yur infrmatin Yu have the right at any time t require me t stp using yur persnal infrmatin fr direct marketing purpses. In additin, where I use yur persnal infrmatin t perfrm tasks carried ut in r fr a legitimate interest then, if yu ask me t, I will stp using that persnal infrmatin unless there are verriding legitimate grunds t cntinue. Restricting hw we may use yur infrmatin in sme cases, yu may ask me t restrict hw I use yur persnal infrmatin. This right might apply, fr example, where I am checking the accuracy f persnal infrmatin abut yu that I hld r assessing the validity f any bjectin yu have made t my use f yur infrmatin. The right might als apply where this is n lnger a basis fr using yur persnal infrmatin but yu dn't want me t delete the data. Where this right is validly exercised, I may nly use the relevant persnal infrmatin with yur cnsent, fr legal claims r where there are ther public interest grunds t d s. Withdrawing cnsent using yur infrmatin Where I use yur persnal infrmatin with yur cnsent yu may withdraw that cnsent at any time and we will stp using yur persnal infrmatin fr the purpse(s) fr which cnsent was given. Please cntact me using the cntact details prvided abve. Changes t my privacy statement I keep this privacy statement under regular review and will place any updates n this website. Paper cpies f the privacy statement may als be btained using the cntact infrmatin abve. This privacy statement was last updated n 25 May Cmplaints I seek t reslve directly all cmplaints abut hw I handle persnal infrmatin but yu als have the right t ldge a cmplaint with the Infrmatin Cmmissiner s Office: Online: By phne: By pst: Infrmatin Cmmissiner's Office, Wycliffe Huse, Water Lane, Wilmslw, SK9 5AF