Your Private Information

Your Personal Information

Privacy Notice

Data Protection Legislation is Changing

From 25 May 2018, organisations must manage personal data in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This legislation gives more rights to you as an individual and more obligations to organisations holding your personal data.

One of the rights is a right to be informed. Below is information about the way in which we use and share your personal data, the legal basis on which we process your personal data and information about the increased rights you have in relation to the data we hold on you.

Data Controller

The controller of your personal data is the Scottish Prison Service (SPS). Their address is:

Scottish Prison Service
Calton House
5 Redheughs Rigg
Edinburgh
EH12 9HW.

If you want to request information, you can write to us at the above address or email us at SPSInformationManagement@sps.pnn.gov.ukSPS acts on behalf of Scottish Ministers.

Data Protection Officer

The SPS Data Protection Officer (DPO) is the Head of Information Management who can be contacted at the above address.

What We Do With Your Personal Data

Your personal data is managed in a secure manner and only SPS employees or partners working with SPS with a need to see the information have access to it.

The way we use and share your information and the legal basis for processing your information depends on your relationship with the SPS. Below are details of how we process your personal data for:

• Individuals who are or have been held in our custody;
• Visitors to prisons;
• Victims of crime;
• Job applicants, current and former SPS employees.

Individuals Who Are or Have Been Held In Our Custody

The information we hold about you is used in a range of ways including, where appropriate:

• Sentence calculations; supervision level; discipline; communications or complaints from you; managing your care; support from partner organisations; consideration for parole; dealing with courts and/or legal representatives; providing continuity of support services when you leave custody.

It is likely that we will share your data, where there is a legal basis for doing so, with some or all of the following:

• Scottish Courts and Tribunals Service; Crown Office & Procurator Fiscals Service; Parole Board; Police Scotland; UK Security Services; HM Revenue & Customs; Department for Work & Pensions; Home Office: Immigration Enforcement; Local Authorities including Social Work and Housing; National Health Service.  Audit Scotland; The Auditor General; The Accounts Commission (or any audit firm appointed by them).

We process your personal data in line with the Data Protection Act 2018 Part 3: Law Enforcement Processing. SPS is an executive agency of the Scottish Ministers, a competent authority named in Schedule 7 of the Data Protection Act 2018. SPS processes your personal data for one or more law enforcement purposes: the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

The legal basis for processing your personal data is generally:

• processing is necessary for the performance of a task carried out for a law enforcement purpose by a competent authority.

If the processing is sensitive processing then the legal basis is generally:

• processing is strictly necessary for the law enforcement purpose; and
• the processing is necessary for the exercise of a function conferred on SPS by an enactment or rule of law, and is necessary for reasons of substantial public interest; or
• the processing is necessary for the administration of justice.

In certain circumstances there may be other legal bases for processing your data. Please refer to the Data Protection Act 2018 Part 3: Law Enforcement Processing.

In the majority of circumstances the SPS does not require your permission to process your personal data. However where any processing of your personal data is based upon consent you may withdraw that consent at any time.

Visitors to Prisons

The information we hold about you is used in a range of ways. The main processes include:

• Prison visits and access to prison premises; family support; attendance at case conferences; compliance with Prison Rules

We may share your data, where there is a legal basis for doing so, with some or all of the following:

• Police Scotland; Local Authorities including Social Work; Professional Bodies.

We process your personal data in line with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). The legal basis for processing your personal data is generally:

• processing is necessary for compliance with a legal obligation to which the controller is subject; or
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

If the data is a special category of personal data then the legal basis is generally:

• processing is necessary for reasons of substantial public interest and for the exercise of a function conferred on a person by an enactment or rule of law.

In certain circumstances there may be other legal bases for processing your data. Please refer to the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and The Prisons and Young Offenders Institutions (Scotland) Rules 2011, Rules 105 – 108.

In the majority of circumstances the SPS does not require your permission to process your personal data. However where any processing of your personal data is based upon consent you may withdraw that consent at any time.

 Victims of Crime

If you are registered with the Victim Notification Scheme, the information we hold about you is mainly used to keep you informed of the key stages in the sentence of a named individual in accordance with the requirements of the Victims and Witnesses (Scotland) Act 2014 and the Victims’ Rights (Scotland) Regulations 2015.

We may share your data, where there is a legal basis for doing so, with the Scottish Courts and Tribunal Service.

We process your personal data in line with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). The legal basis for processing your personal data is that you have provided your explicit consent to process your personal data. You may withdraw that consent at any time.

Job Applicants, Current and Former SPS Employees

The information we hold about you is used in a range of ways. The main processes include:
• Recruitment; employment and contract; performance appraisal; absence management; pay; pension; discipline; taxation; training.

We may share your data, where there is a legal basis for doing so, with some or all of the following:

• Cabinet Office; MyCSP; Payroll Processor; HM Revenue & Customs; Department for Work & Pensions; Occupational Health Provider.  Audit Scotland; The Auditor General; The Accounts Commission (or any audit firm appointed by them).

We process your personal data in line with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). The legal basis for processing your personal data is generally:

• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• processing is necessary for compliance with a legal obligation to which the controller is subject.

If the data is a special category of personal data then the legal basis is generally:

• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.

In the majority of circumstances the SPS does not require your permission to process your personal data. However where any processing of your personal data is based upon consent you may withdraw that consent at any time. In certain circumstances there may be other legal bases for processing your data.

How Long Do We Keep Your Personal Data

We only retain personal data for as long as is necessary. The timeframes differ depending on the type of personal data being processed and the retention and destruction policies specified by SPS.

What Are Your Rights?

• Access to Personal Data - You can request to see the personal data that SPS is processing or has processed about you.
• Rectification of Personal Data - If you believe the personal data that SPS is processing about you is incorrect or incomplete then you are entitled to request to have that data corrected.
• Erasure of Personal Data or the Restriction of its Processing - You have the right to ask for your personal data to be erased or to restrict processing of that data.

Subject Access Request

You have the right to see a copy of the personal information that SPS holds about you, subject to exemptions. This right is commonly referred to as a Subject Access Request (SAR). Subject Access Requests should not be confused with freedom of information requests.

Who can make a Subject Access Request?

An individual can request to see a copy of the personal information that SPS holds about them. A request for personal data from people acting on behalf of someone else must be accompanied by their consent or authority to act on their behalf. In such instances consideration will be given by SPS to verify that consent or authority has been received in order to release the personal data.

Making a Subject Access Request

Subject access requests must be made in writing. Download the subject access request form SubjectAccessRequestForm. In situations where a person making a request has some form of disability and finds it impossible or unreasonably difficult to make a subject access request in writing, SPS will consider a verbal request which will be subject to verification process.

Return the completed form (inclusive of relevant proof of identity) to:

Information Security Manager
Scottish Prison Service
Calton House
5 Redheughs Rigg
Edinburgh
EH12 9HW

How long will it take?

Your request will be processed in line with the Act within one month of receipt of your completed request, proof of identity and such information as we may reasonably require:

• to satisfy ourselves as to your identity and
• to locate the information sought.

If you have any questions regarding this process please send an email to: SPSInformationManagement@sps.pnn.gov.uk .

If you are not satisfied with the response you may contact the SPS Data Protection Officer at SPS headquarters.

Complaint to the Information Commissioners Office (ICO)

If you wish to make a complaint about how the SPS has or is processing your personal data you can do so by contacting:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

National Fraud Initiative - Creditor's Privacy Notice

Please see the below link for guidance on how SPS protects the public funds it administers;

National Fraud Initiative - Creditor's Privacy Notice