Skip to main content

In some circumstances, it can currently take up to 4.5 months to conduct an initial assessment for some complaints, particularly if they are complex. We are doing everything we can to reduce this time. You can find average timescales for each stage of complaint handling across all types of complaints here.

Privacy policy

In the course of our work the Ethical Standards Commissioner collects and handles personal data. 

We are committed to protecting the privacy and security of your information.

This privacy policy explains the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data and keep it safe.

Some of the language used in this policy and other privacy notices can be specialised. The Information Commissioner’s website provides a useful introduction to key terms and concepts.

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

When handling personal data the ESC complies with the UK General Data Protection Regulation and the UK Data Protection Act 2018.

We will only use your personal information when the law allows us or requires us to. Most commonly, we will use your personal information in the following circumstances:

  1. We have been given responsibility and duties by law and we need to use personal information to comply with those obligations.
  2. We have been given an important function or job by law and need to use personal information to fulfil that function.
  3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  4. When we have your consent to do so.
  5. Where we need to protect your interests (or someone else's interests).
  6. For the purpose(s) of awarding, delivering and maintaining ESC contracts and in order to comply with public procurement regulations in Scotland

Some personal information has been given higher protection, this is called 'special category' information, and we will only use that category of information when we have additional reasons. Most commonly this will be because:

  1. There is a substantial public interest in us fulfilling our legal duties and responsibilities
  2. We need to comply with social security law
  3. Where we need to protect your interests (or someone else’s interests; and that person is not able to give consent)
  4. We will also only process this type of information for archiving or undertaking scientific or other research when we know we have appropriate protections in place.

When handling personal data the ESC complies with the UK General Data Protection Regulation and the UK Data Protection Act 2018.

We collect and handle personal data to carry out the following broad functions and activities:

  • Fulfilling our statutory functions
  • Appointing, managing and supporting employees
  • Appointing and managing contractors and suppliers
  • Managing our finances and financial records
  • Managing the information we hold
  • Managing ESC’s office accommodation
  • Running engagement and outreach activities
  • Other corporate administration activities.

What we do in specific instances are outlined here.

The categories of personal data the ESC processes include normal category and special category personal data.

Special category personal data includes information about:

  • an individual’s race
  • ethnic origin
  • political or religious views
  • sex life or sexual orientation
  • trade union membership
  • physical or mental health
  • genetic or biometric data

Sometimes we will need information in these categories to look at complaints. We will only process this type of information if it is relevant to the decision we need to make. 

We ask people to share some of this information with us to help us improve how we operate and fulfil our statutory functions and to meet our commitments on equality. Most commonly, this will be through the completion of a ‘monitoring form’, for example when recruiting new staff. We do not link any personal information such as names or other information that could identify you with this data.

For employees, we may need information in these categories to manage your contract of employment. We will only process this type of information if relevant and lawful. 

The ESC undertakes to handle this type of personal data in line with all data protection laws in a way that reflects the greater risk to individuals when special category personal data is handled.

When carrying out our statutory functions 

We need to share information with others to carry out the functions that the Scottish Parliament gave to us

  • Considering and investigating complaints
  • Reporting about our work to the Scottish Parliament, the Standards Commission for Scotland and the public
  • Providing information, advice and guidance in relation to our functions
  • Regulating the ministerial public appointments process

This may include:

  • Sharing and asking for comments on information we have collected.
  • Explaining our decision to people involved.
  • Publicly reporting our decisions to the Scottish Parliament and the Standards Commission for Scotland
  • Receiving expert advice from someone
  • Obtaining a translation or providing a translation of information

The Commissioner has a data sharing agreement with the Standards Commission to ensure the safe and appropriate transfer of personal data.

When there’s a legal requirement

We are required by law to share information with:

  • Audit Scotland and auditors appointed by them (for purposes relating to audit)
  • The Scottish Information Commissioner (for purposes relating to their role as regulator for Freedom of Information)
  • The Information Commissioner (for purposes relating to their role as the regulator for Data Protection)
  • HMRC (for purposes relating to their role in administering taxes)
  • Other bodies with appropriate statutory powers.

We would also share information if a court or a law tells us we need to release information.

The Commissioner has a data sharing agreement with the Crown Office and Procurator Fiscal Service to ensure the safe and appropriate transfer of personal data.

When we respond to a Freedom of Information request

The ESC is covered by Freedom of Information laws. This means that anyone can ask us for the information that we hold. We must release this unless there is a good reason not to. The information requested may include personal data. We are very unlikely to release this without first informing the individual or seeking their opinion. 

When we’ve asked someone to provide a service 

We sometimes use third parties to provide us with services and they may need to process information to do so. This may include people or organisations who provide us with:

  • IT services
  • Legal services
  • Audit services
  • Courier and secure shredding services
  • Survey management and processing services

or act as our:

  • Professional advisers and consultants
  • Public Appointments Advisers

How personal data is handled will be covered under the relevant terms and conditions, contract or services level agreement that we have with each of them.

When we’re purchasing goods and services

You may provide personal data when tendering for work with us. We may share part or all of this information: 

  • with other public sector bodies involved in the procurement process. For example, when we work with another public sector body to purchase similar/shared goods and services. 
  • with third party advisers involved in the procurement process. For example, an independent specialist. 
  • when publishing selected contracts on our own and the Public Contracts Scotland website.

Data Protection law protects your information. There are rules in our legislation which add additional legal protections by limiting when we can share information.

We also take steps to protect the information given to us.

  • We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Anyone processing your personal information on our instructions are subject to a duty of confidentiality.
  • We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so
  • Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We can provide more details of these measures and procedures if you ask for them and they are also available on our website.

In considering some complaints, we may need to process information about third parties without their knowledge. In such cases of ‘invisible processing’, it may not be appropriate to inform third parties of this processing of information. In that regard, we take measures to ensure people’s privacy rights are protected, including ensuring only relevant information is obtained.

When we collect information about you for the purposes of equalities monitoring this is stored in a way that means it cannot be traced back to an individual.

The law says you have the right to:

  • Know when we are processing your data and what that data is
  • See the data we process about you and request copies
  • Correct any information that is inaccurate, incomplete or out of date
  • Object to how we use your information
  • Ask for the information to be destroyed or deleted
  • Withdraw your consent, where it has been provided, to use your information 

We will action your request unless there are legal reasons which mean we can't do this.

If you are not happy with how we have responded, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

We respect these rights. If you have any concerns about our handling of your personal information, please let us know.

We have a Data Protection Officer who is independent of the ESC and can also give you advice and listen to concerns.

You can find out more about how to request information from us on our Freedom of Information webpage

We take the security of personal data very seriously and apply rigorous technical and other organisational measures to protect personal data. The ESC is Cyber Essentials Plus accredited.

Your information will be stored in our Case Management System, in our own server and within Microsoft M365 products.

The majority of your personal information is hosted within the United Kingdom. However, it may be necessary to transfer your personal information to countries outside of the United Kingdom. In doing so, we will ensure that adequate safeguards are in place, for example, by encryption and ensuring that supplier contracts and published working practices are appropriate.

In order to submit a complaint on our website, you must set up a user account. The account details along with any complaints you submit and the associated material you upload are stored on our website server. The server is hosted in the United Kingdom. 

We may have to share large electronic files with you that are too large to transfer by email. Where this is the case we use the file sharing platform WeTransfer. You will be advised when we intend to use this service. You can find out more about how WeTransfer manages personal data in their Privacy & Cookie statement. If preferred, alternative transfer methods may be available.

Where we communicate with you via email, we may not always be able to identify the destination of your information.

Note: If you choose an email address as your preferred contact method please be aware that we may be sending you sensitive and personal information to that email address. Email security cannot always be guaranteed. If you choose this method of contact, you are confirming that you accept that risk.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for. This includes for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of the retention periods we apply are available in our File Plan and Retention Schedule. You may ask at any time for how long we’ll keep your data.

Website accounts will be deleted if the account is inactive for 28 days. Please bear this time limit in mind when preparing a complaint. When you submit a complaint, we download any associated material from the website server to our main systems. Your complaint and the associated material are deleted from the website server six months after the submission date.

The ESC uses cookies to gather information about how you use our website and to help us improve its performance. They are also used to improve your experience when using our website by delivering pages more quickly or remembering user settings. The information we collect is anonymous – it cannot be used to identify you personally. 

Further information on the way that we use cookies and how you can set your browser to control cookies is available in our cookie policy.

If you have any questions about how we process personal data, or about how to exercise your rights please contact us. You can contact us by phone, post or email.

Ethical Standards Commissioner
Thistle House
91 Haymarket Terrance
Edinburgh
EH12 5HE
Email: info@ethicalstandards.org.uk
Tel: 0131 347 3890
Calls are welcome in British Sign Language through contactSCOTLAND-BSL

We have a Data Protection Officer who is independent of the ESC and can also give you advice and listen to your concerns.

Email: dposervice@parliament.scot 
Tel: 0131 348 6913

How to contact us

If you want to contact us about anything in this privacy policy, or in relation to any other matter regarding our use of personal data, you can email us at info@ethicalstandards.org.uk or write to the Head of Corporate Services, Ethical Standards Commissioner, Thistle House, 91 Haymarket Terrace, Edinburgh EH12 5HE.