In the course of our work the Ethical Standards Commissioner collects and handles personal data.
We are committed to protecting the privacy and security of your information.
Some of the language used in this policy and other privacy notices can be specialised. The Information Commissioner’s website provides a useful introduction to key terms and concepts.
Privacy commitment Toggle accordion
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Using your personal information Toggle accordion
We will only use your personal information when the law allows us or requires us to. Most commonly, we will use your personal information in the following circumstances:
- We have been given responsibility and duties by law and we need to use personal information to comply with those obligations.
- We have been given an important function or job by law and need to use personal information to fulfil that function.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- When we have your consent to do so.
- Where we need to protect your interests (or someone else's interests).
- For the purpose(s) of awarding, delivering and maintaining ESC contracts and in order to comply with public procurement regulations in Scotland
Some personal information has been given higher protection, this is called 'special category' information, and we will only use that category of information when we have additional reasons. Most commonly this will be because:
- There is a substantial public interest in us fulfilling our legal duties and responsibilities
- We need to comply with social security law
- Where we need to protect your interests (or someone else’s interests; and that person is not able to give consent)
- We will also only process this type of information for archiving or undertaking scientific or other research when we know we have appropriate protections in place.
Collecting your personal information Toggle accordion
We collect and handle personal data to carry out the following broad functions and activities:
- Fulfilling our statutory functions
- Appointing, managing and supporting employees
- Appointing and managing contractors and suppliers
- Managing our finances and financial records
- Managing the information we hold
- Managing ESC’s office accommodation
- Running engagement and outreach activities
- Other corporate administration activities.
What we do in specific instances are outlined here.
Handling special category information Toggle accordion
The categories of personal data the ESC processes include normal category and special category personal data.
Special category personal data includes information about:
- an individual’s race
- ethnic origin
- political or religious views
- sex life or sexual orientation
- trade union membership
- physical or mental health
- genetic or biometric data
Sometimes we will need information in these categories to look at complaints. We will only process this type of information if it is relevant to the decision we need to make.
We ask people to share some of this information with us to help us improve how we operate and fulfil our statutory functions and to meet our commitments on equality. Most commonly, this will be through the completion of a ‘monitoring form’, for example when recruiting new staff. We do not link any personal information such as names or other information that could identify you with this data.
For employees, we may need information in these categories to manage your contract of employment. We will only process this type of information if relevant and lawful.
The ESC undertakes to handle this type of personal data in line with all data protection laws in a way that reflects the greater risk to individuals when special category personal data is handled.
Sharing personal data Toggle accordion
When carrying out our statutory functions
We need to share information with others to carry out the functions that the Scottish Parliament gave to us
- Considering and investigating complaints
- Reporting about our work to the Scottish Parliament, the Standards Commission for Scotland and the public
- Providing information, advice and guidance in relation to our functions
- Regulating the ministerial public appointments process
This may include:
- Sharing and asking for comments on information we have collected.
- Explaining our decision to people involved.
- Publicly reporting our decisions to the Scottish Parliament and the Standards Commission for Scotland
- Receiving expert advice from someone
- Obtaining a translation or providing a translation of information
The Commissioner has a data sharing agreement with the Standards Commission to ensure the safe and appropriate transfer of personal data.
When there’s a legal requirement
We are required by law to share information with:
- Audit Scotland and auditors appointed by them (for purposes relating to audit)
- The Scottish Information Commissioner (for purposes relating to their role as regulator for Freedom of Information)
- The Information Commissioner (for purposes relating to their role as the regulator for Data Protection)
- HMRC (for purposes relating to their role in administering taxes)
- Other bodies with appropriate statutory powers.
We would also share information if a court or a law tells us we need to release information.
The Commissioner has a data sharing agreement with the Crown Office and Procurator Fiscal Service to ensure the safe and appropriate transfer of personal data.
When we respond to a Freedom of Information request
The ESC is covered by Freedom of Information laws. This means that anyone can ask us for the information that we hold. We must release this unless there is a good reason not to. The information requested may include personal data. We are very unlikely to release this without first informing the individual or seeking their opinion.
When we’ve asked someone to provide a service
We sometimes use third parties to provide us with services and they may need to process information to do so. This may include people or organisations who provide us with:
- IT services
- Legal services
- Audit services
- Courier and secure shredding services
- Survey management and processing services
or act as our:
- Professional advisers and consultants
- Public Appointments Advisers
How personal data is handled will be covered under the relevant terms and conditions, contract or services level agreement that we have with each of them.
When we’re purchasing goods and services
You may provide personal data when tendering for work with us. We may share part or all of this information:
- with other public sector bodies involved in the procurement process. For example, when we work with another public sector body to purchase similar/shared goods and services.
- with third party advisers involved in the procurement process. For example, an independent specialist.
- when publishing selected contracts on our own and the Public Contracts Scotland website.
Keeping your information safe Toggle accordion
Data Protection law protects your information. There are rules in our legislation which add additional legal protections by limiting when we can share information.
We also take steps to protect the information given to us.
- We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Anyone processing your personal information on our instructions are subject to a duty of confidentiality.
- We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so
- Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We can provide more details of these measures and procedures if you ask for them and they are also available on our website.
In considering some complaints, we may need to process information about third parties without their knowledge. In such cases of ‘invisible processing’, it may not be appropriate to inform third parties of this processing of information. In that regard, we take measures to ensure people’s privacy rights are protected, including ensuring only relevant information is obtained.
When we collect information about you for the purposes of equalities monitoring this is stored in a way that means it cannot be traced back to an individual.
Your rights Toggle accordion
The law says you have the right to:
- Know when we are processing your data and what that data is
- See the data we process about you and request copies
- Correct any information that is inaccurate, incomplete or out of date
- Object to how we use your information
- Ask for the information to be destroyed or deleted
- Withdraw your consent, where it has been provided, to use your information
We will action your request unless there are legal reasons which mean we can't do this.
If you are not happy with how we have responded, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
We respect these rights. If you have any concerns about our handling of your personal information, please let us know.
We have a Data Protection Officer who is independent of the ESC and can also give you advice and listen to concerns.
You can find out more about how to request information from us on our Freedom of Information webpage.
Storing your personal information Toggle accordion
We take the security of personal data very seriously and apply rigorous technical and other organisational measures to protect personal data. The ESC is Cyber Essentials Plus accredited.
Your information will be stored in our Case Management System, in our own server and within Microsoft M365 products.
The majority of your personal information is hosted within the United Kingdom. However, it may be necessary to transfer your personal information to countries outside of the United Kingdom. In doing so, we will ensure that adequate safeguards are in place, for example, by encryption and ensuring that supplier contracts and published working practices are appropriate.
In order to submit a complaint on our website, you must set up a user account. The account details along with any complaints you submit and the associated material you upload are stored on our website server. The server is hosted in the United Kingdom.
We may have to share large electronic files with you that are too large to transfer by email. Where this is the case we use the file sharing platform WeTransfer. You will be advised when we intend to use this service. You can find out more about how WeTransfer manages personal data in their Privacy & Cookie statement. If preferred, alternative transfer methods may be available.
Where we communicate with you via email, we may not always be able to identify the destination of your information.
Note: If you choose an email address as your preferred contact method please be aware that we may be sending you sensitive and personal information to that email address. Email security cannot always be guaranteed. If you choose this method of contact, you are confirming that you accept that risk.
How long do we keep your personal information? Toggle accordion
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for. This includes for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of the retention periods we apply are available in our File Plan and Retention Schedule. You may ask at any time for how long we’ll keep your data.
Website accounts will be deleted if the account is inactive for 28 days. Please bear this time limit in mind when preparing a complaint. When you submit a complaint, we download any associated material from the website server to our main systems. Your complaint and the associated material are deleted from the website server six months after the submission date.
Using our website Toggle accordion
Contacting us if you have a query or concern Toggle accordion
If you have any questions about how we process personal data, or about how to exercise your rights please contact us. You can contact us by phone, post or email.
Ethical Standards Commissioner
91 Haymarket Terrance
Tel: 0131 347 3890
Calls are welcome in British Sign Language through contactSCOTLAND-BSL
We have a Data Protection Officer who is independent of the ESC and can also give you advice and listen to your concerns.
Tel: 0131 348 6913
Find out more about how we handle your personal information when:
- You complain about the conduct of an MSP
- You complain about the conduct of a Councillor or board member
- You are an MSP being complained about
- You are a Councillor or board member being complained about
- You are a witness to a complaint
- You are a prospective, current or former employee
How to contact us