The Scottish Biometrics Commissioner (SBC) is committed to protecting the privacy and security of your information.
This privacy notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, and keep it safe.
It is likely we’ll need to update the privacy notice from time to time. We will publicise any significant changes but you’re welcome to ask us questions about the notice or check the online version at any time.
Review of this privacy notice
This notice was updated 31 January 2022, a slight amendment was made July 2023 to include a link to SAR information
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- Relevant to the purposes we have told you about and limited only to those purposes
- Accurate and kept up to date
- Kept only as long as necessary for the purposes we have told you about
- Kept securely
We will only use your personal information when the law allows us or requires us to. Most commonly, we will use your personal information in the following circumstances:
- We have been given responsibility and duties by law and we need to use personal information to comply with those obligations
- We have been given an important function or job by law and need to use personal information to fulfil that function
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
- When we have your consent to do so
- Where we need to protect your interests (or someone else's interests)
Collecting and using information
To deliver the functions as stated within the Act, the SBC will collect information:
- keep under review the law, policy and practice relating to the acquisition, retention, use and destruction of biometric data by or on behalf of the Police Service of Scotland, the Scottish Police Authority and the Police Investigations and Review Commissioner
- promote public awareness and understanding of the powers and duties those persons have in relation to the acquisition, retention, use and destruction of biometric data, how those powers and duties are exercised, and how the exercise of those powers and duties can be monitored or challenged
This information will be used to ensure the SBC complies with:
- Data Protection Act 2018
- UK GDPR
- Freedom of Information (Scotland) Act 2002
- Public Records (Scotland) Act 2011
- Procurement Reform (Scotland) Act 2014
We collect information when:
- You contact us to ask for advice
- You bring a complaint to us
- We are looking at a complaint and need more information to make a decision
- You ask us to change any decision we’ve made
- You complain to us about our service
We will normally let you know what types of information we are asking for and why. For example this may include:
- Your name
- Your contact details
- Information you have told us about our needs to help us make our service accessible
- Information you tell us about your complaint
- Correspondence with the organisation
- Notes the organisation holds about the complaint
- Information about other people which we need to make a decision
- Information held by other people which we need to make a decision
- Information about your background
We use this information to:
- Provide you with advice
- Refer back to the advice if you contact us again
- Investigate and make decisions on complaints
- Respond to complaints about our service
- Monitor and assess the quality of our work
- Report on individual decisions to Parliament (we do not name individuals in any reports)
- Report on trends and statistics
- Learn more about our users and what their needs are
- Ask you about our service
Please see the following if making a complaint about a breach of the Code of Practice. Complaints Privacy Notice Nov 2022
When your organisation tells us you will be our key contact we will collect your contact details and will use them when we need to contact your organisation.
If you contact us for advice about a complaint we will keep a record of that contact so we can return to that advice and also monitor trends.
When you respond to any surveys we will collect and analyse the responses you give us to help us improve our service. We will not publish any data that is included in any response to a survey that could identify an individual. Personal information will be destroyed as per our Retention and Disposal Policy. We may use third party services.
When you respond to a consultation, the responses will be analysed and we may produce a report of consultation responses. Where permission is given, we may publish responses. We may include personal data where permission has been given to do so. We never publish email or postal addresses. Where permission is given, we may contact respondents for further comment.
When you sign up to a newsletter or mailing list we will collect the contact details we need to send these to you. We also collect information about the category of subscriber and any organisation you are subscribing on behalf of. This allows us to understand who is signing up to our services and helps us to improve those services.
We collect data via; browser sessions, website logs and contact forms. We use this data to:
- allow us to communicate with our users
- track any potential issues with the website
- Analyse how the web traffic and how users navigate the website, so that we can identify ways to make it easier to use and make sure that there is enough capacity for the website to perform well and respond quickly
To find out more about cookies in general you can visit allaboutcookies.org
When searching our website, a record of your search item is logged and this information is used to help improve our website.
General traffic data is collected on the website via google analytics. Any statistics produced are based on aggregated data from which no details of any individual visitor can be traced. The site does not automatically capture or store personal data from visitors to the site other than to record session information such as the most popular pages visited and the nature of the browser used. This information is used only for the administration of the site system and in the compilation of general statistics used by us to assess the use of the site.
We have a self-contained secure office within the shared building of Bridgeside House. When you visit our office, your image will be recorded on CCTV which is maintained by the Scottish Public Services Ombudsman. There are two cameras, one at the front door and one in reception. Access to CCTV is limited and all recordings are destroyed after 21 days.
When you make an information request to us we need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations. We will consult with any third parties we may have received the information being requested from for their views on disclosure.
We need your personal information to allow you to engage in our procurement process and to ensure we can facilitate the procurement process before entering into a contract.
If you take part in one of our procurement processes, then we collect your information, including your personal information. This includes your name and contact details - including in your capacity as a representative of a business - and other information you supply as part of the process, such as CVs, professional history, bank account details, conflicts of interest information.
When we agree to a contract for a product or service that you or company provide, we may use the personal information you provide to allow us to manage that contract.
When we purchase a product or service from you or your company, we may use your personal information to allow us to pay for it.
We share and receive information from different organisations.
A number of data processors process personal data on our behalf, such as for payroll processing. We have measures in place to ensure they:
- only act under our instructions when they are processing your personal data
- use appropriate technical and organisational measures to protect your personal data
- delete or return data to us during the processing contract and when that contract ends
- get our permission
- before engaging sub-contractors to carry out any part of the service
Collecting special category information
Some of the information we collect may be what the data protection law calls 'special categories' of information. Special categories include information about someone’s:
- Ethnic origin
- Trade union membership
- Biometrics (where used for ID purposes)
- Sex life
- Sexual orientation
Sometimes we will need information in these categories to carry out our general functions. We will only process this type of information if it is relevant to the decision we need to make. We ask people to share some of this information with us to help us monitor our service and meet our commitments on equality. In addition we may also collect personal information such as names or other information that could identify you with this data – this will be stored, processed and deleted as per our Information Governance Handbook.
When do we share information with others?
We need to share information with others to do the jobs under the powers and duties the Scottish Parliament gave us. We will share information with bodies to whom our functions extend, e.g. if a data subject complains about a failure by Police Scotland, The Scottish Police Authority or the Police Investigations and Review Commissioner to comply with our Code of Practice. We will also report about our work to the Scottish Parliament and the public.
This may include:
- Sharing and asking for comments on information we have collected
- Publicly reporting our decisions to the Scottish Parliament (reports do not name individuals)
- Receiving expert advice from someone
- Obtaining a translation or providing a translation of information
Note: if you bring us a complaint or a request for a review we will normally share information with the organisation you complained about and if necessary to carry out our function or required by law. If you have concerns about this please contact us as soon as possible.
Procurement and contracts:
- The personal data is shared with other public sector bodies involved in the procurement process where necessary. For example, any public sector body with which the SBC collaborates on a procurement due to similar/shared requirements.
- The personal data is shared with third party advisers involved in the procurement process where necessary. For example, independent and/or contracted advisers/specialists who may take forward procurements on behalf of the SBC or be consulted for contract evaluation purposes on areas in which the SBC lacks the required expertise (e.g. IT, Construction etc.).
- All regulated contracts (contracts with a value above £50,000) are published on the Public Contracts Scotland website. This is in order for the SBC to meet the obligations of Section 35 of the 3 Procurement Reform (Scotland) Act 2014.
- Selected non-regulated contracts (with a value below £50,000) are also published on the Public Contracts Scotland website when appropriate.
We may also share information:
- When that information shows there may be a risk to someone’s health or safety
- When that information is important to certain other organisations for their work.
Section 3 of the Scottish Biometrics Commissioner Act 2020 includes a list of named organisations the Commissioner may work jointly with, assist or consult in the exercise of their functions:
- The Scottish Parliament
- Scottish Ministers
- The Lord Advocate
- The chief constable of the Police Service of Scotland
- Her Majesty’s Inspectors of Constabulary in Scotland
- The Scottish Police Authority
- The Police Investigations and Review Commissioner
- The Information Commissioner
- The Commissioner for the Retention and Use of Biometric Material
- The Scottish Human Rights Commission
- Such other persons as the Commissioner considers appropriate
Further to this, Section 16 of the Act states the Commissioner may require information from the organisations to whom our functions extend to ascertain their compliance with the code of practice. We would also share information with the Court of Session when we need to report a failure to comply with an information notice as per Section 27 of the Act.
We sometimes use third parties to provide us with services and they may need to process information to do so. This may include people or organisations who provide us with:
- IT services
- Legal services
- Professional advisers and consultants
- Independent complaints review services
- Courier and secure shredding services
- Survey management and processing services
How do we keep your information safe?
Data Protection law protects your information. There are rules in our legislation which add additional legal protections as mentioned in Section 16 – Power to gather information and Section 19 – Offence of Commissioner’s office disclosing confidential information.
We also take steps to protect the information given to us.
- We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Additionally, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality
- We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so
- Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We can provide more details of these measures and procedures if you ask for them and they are also available on our website.
In considering some complaints, we may need to process information about third parties without their knowledge. In such cases of ‘invisible processing’, it may not be appropriate to inform third parties of this processing of information. In that regard, we take measures to ensure people’s privacy rights are protected, including ensuring only information relevant to an investigation is obtained.
Keeping special categories of data safe
We take additional steps to protect special categories of data. We clearly identify when we hold special category data and have set out specific procedures for ensuring this is held securely and only held for as long as we need to.
When we collect information about you for the purposes of equalities monitoring this is stored in a way that means it can never be traced back to an individual.
Please Note: The SBC will not routinely hold or process any biometric data. In circumstances when we receive a complaint about the holding of biometric data by a body to whom our function extends, all enquiries relevant to the holding of the data will be conducted with the relevant data controller.
What are your rights?
The law says you have the right to:
- Know when we are processing your data
- See the data we process about you
- Correct any information
- Object to processing
- Ask for the information to be destroyed
- Withdraw consent where this has been provided
Unless there are legal reasons which mean we can't do this.
You always have the right to lodge a complaint with the Information Commissioner's Office (ICO).
We respect these rights. If you have any concerns about our handling of your personal information, please let us know.
Where we process your data
The majority of your personal information is hosted within the United Kingdom. However, it may be necessary to transfer your personal information to countries outside of the United Kingdom. In doing so, we will ensure that adequate safeguards are used to secure the data - for example, by encryption and ensuring that suppliers are subject to contract clauses in respect of data security.
Where we communicate with you via email, we may not always be able to identify the destination of your information.
Note: If you choose an email address as your preferred contact please be aware that we may be sending you sensitive and personal information to that email. Email security cannot always be guaranteed. If you choose this method of contact, you are confirming that you accept that risk.
How long do we keep your information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for. This includes for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We will only keep personal information on a review for longer if we have a good reason to do so. Details of all the retention periods for different aspects of your personal information are in our retention policy which is available on our website or any time you ask us for this.
Freedom of Information (Scotland) Act 2002
Please Note: The Commission is covered by the Freedom of Information (Scotland) Act 2002. The Act requires us to disclose information we hold to the requester unless we are permitted to withhold it by an exemption. This includes personal data we hold. If the request covers personal data, the interests of the data subject must be considered but ultimately, we may be required by law to release the information to the person who has made the request.
For more information on the Freedom of Information (Scotland) Act 2002, please visit the website of the Office of the Scottish Information Commissioner
You can contact us to exercise any of your data protection rights, or to raise any data protection concerns.
Telephone: (0131) 202 1043
We have a Data Protection Officer who is independent of the Scottish Biometrics Commissioner (SBC) and can also give you advice and listen to your concerns.
Email the SBC's Data Protection Officer email@example.com