Privacy and cookies

SPCB Privacy Notice: Online Petitions Processing

This privacy statement explains how we collect and use personal information as a data controller for the following process:

To start and sign public petitions to raise issues with the Scottish Parliament.

The purpose of the processing

• Facilitate the public petitions process
• Make sure that people only sign a petition once
• Check that your petition is admissible
• Contact you about petitions you start
• We may occasionally contact people who start or submit petitions to seek feedback on the petitions process and how it could be improved
• We will use your personal information to process the petition you have started or signed
• If you start a petition and we accept it, your name will be published alongside any text you include within the petition. We will not publish any of your contact details. If you start a petition, your name will remain permanently referenced alongside the petition on the Citizen Participation and Public Petitions Committee’s web pages and in meeting transcripts and recordings, as part of the Official Report of the Scottish Parliament’s petitions process. This information will be transferred to the National Records of Scotland (NRS) where it will be publicly available
• Your petition, including your name, will be included in data about parliamentary business that will be available on the Parliament’s Open Data Portal on an ongoing basis. The Open Data Portal can be accessed here: https://data.parliament.scot/#/home
• If you’ve signed a petition, we will not publish any personal information about you
• IP addresses are used to protect the petitions site and prevent fraudulent activity.

We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you, for example, we protect your data using varying levels of encryption. All third parties who process personal data for us are required to keep that data secure.

Categories of information processed

The personal data we collect from people who sign petitions will include the following types of normal personal data:

• Your name
• Your email address
• Your postcode
• The country you live in
• The IP address you use when starting or signing a petition.

In addition, for people who start a petition we will also collect:

• Organisation you are petitioning on behalf of (if applicable)
• Your postal address
• Your contact telephone number
• Any personal information or details that you provide within the petition itself.

We sometimes receive information relating to people who have submitted petitions in writing. Some may contain special category personal data. These petitions are securely stored and retained for the same period as personal data received through our own electronic petitions system.

If a petition you’ve started is referred to the Citizen Participation and Public Petitions Committee, we will use your contact details to update you about the petition’s progress and to offer you the opportunity to provide further information and engage with the Committee.

You will receive automated confirmation emails when you set up or sign a petition.

Source of the information

The personal data being processed is received directly from the data subjects themselves.

Legal basis for data processing

Data protection law states that we must have a legal basis for handling your personal data.

For normal category personal data, the processing is necessary for the performance of a task that is carried out in the public interest in terms of Article 6(1)(e) of the UK General Data Protection Regulation (UK GDPR).

For petitions or other information containing special category data, the legal basis for the processing is that the personal data processing is necessary for reasons of substantial public interest. The public interest is compliance with statutory equality requirements. (Art 9(2)(g), S10(3) and Part 2 Schedule 1, para 6 DPA, s29(7) Equality Act 2010.)

A service provider must make reasonable adjustments. Processing personal data relating to protected characteristics enables the SPCB to make reasonable adjustments. This does not interfere with the rights of the data subjects disproportionately because the data subjects provide the data themselves, they are not under an obligation to provide the data to us and we only keep the data for the minimum time necessary to comply with the statutory obligation.

The legal basis for sharing personal data with NRS is that it is necessary for historical and archiving purposes in the public interest (Article 6(1)(e) UK GDPR, section 8(d) DPA or Art 9(2)(j) UK GDPR, section 10(2) DPA and paragraph 4(a) of part 1, Schedule 1, DPA).

The privacy notice for the NRS can be viewed here:

https://www.nrscotland.gov.uk/Privacy

Retention of data

Petitions form part of the public record. They will be retained according to the Scottish Parliament’s record management policy and transferred to the Scottish Parliament archive at NRS where they will be publicly available.

Transfer of Data

The Scottish Parliament’s staff administering the petitions process will have access to your personal information.

Unboxed Consulting Limited who provide technical support for the petitions system will also have access to the system for troubleshooting and maintenance purposes only.

Electronic information will be stored on Scottish Parliament Information and Communication Technologies (ICT) systems, which includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the UK is covered by Standard Contractual Clauses under which Microsoft ensure that personal data is treated in line with UK GDPR.

The petitions system uses Amazon Web Services (AWS) cloud storage to store your data and to send emails relating to the petitions process. Emails sent are stored for 6 months. The privacy notice for AWS is available here: https://aws.amazon.com/privacy.

Children and Young People Safeguarding and Child Protection

In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.

Your rights

Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.

The following rights may apply:

Access to your information – You have the right to request a copy of the personal information about you that we hold. For further information, see information on how to make a data protection subject access request:
Request personal information about you that we hold | Scottish Parliament Website

Correcting your information – You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information – You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.

• Please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent
• The right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject
• The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.

Deletion of your information – You have the right to ask us to delete personal information about you where:

• You consider that we no longer require the information for the purposes for which it was obtained
• We are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
• You have validly objected to our use of your personal information – see Objecting to how we may use your information above
• Our use of your personal information is contrary to law or our other legal obligations
• Please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest
• The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.

Restricting how we may use your information – In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to using your information – Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.

Please contact us in any of the ways set out below if you wish to exercise any of these rights.

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.

This privacy statement was last updated on 31 March 2021.

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:

The Scottish Parliament
Edinburgh
EH99 1SP

01313 348 6913 (Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)

Email: dataprotection@parliament.scot

Complaints

We seek to directly resolve all complaints about how we handle personal data.

You also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.
Or by phone at: 0303 123 1113

Please contact us if you require information in another language or format.

Cookies

This website puts small files (known as ‘cookies’) onto your computer to collect information about how you browse the site.

Cookies are used to:

• measure how you use the petitions service so it can be updated and improved based on your needs
• remember the notifications you’ve seen so that we do not show them to you again
• help prevent people from fraudulently signing petitions

Some cookies are strictly necessary to ensure the secure running of this website. They are not used to identify you personally.

Find out more about how to manage cookies.

Google Analytics cookies

We use Google Analytics to collect information about how you use the service. This information helps us to improve the service and prevent fraudulent signing. When you first visit the site on a new device an option is provided to opt-in to analytics cookies.

The Google Analytics cookies collect and store information about:

• unique users
• informing referring sites
• visitor and session counts

Session cookies

We store a session cookie on your computer to help keep your information secure while you use the service.