Your Private Information
PRIVACY NOTICE
Data Protection Legislation
The Scottish Prison Service manages your personal data in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). Below is information about the way in which we use and share your personal data, the legal basis on which we process your personal data and information about the rights you have in relation to the data we hold on you.
Data Controller
The controller of your personal data is the Scottish Prison Service (SPS). Their address is:
Scottish Prison Service
Calton House
5 Redheughs Rigg
Edinburgh
EH12 9HW
If you want to request information, please email us at spsisu@prisons.gov.scot or, if that is not possible, write to us at the above address.
Data Protection Officer
The SPS Data Protection Officer (DPO) can be contacted by emailing SPSDataProtectionOfficer@prisons.gov.scot or, if that is not possible, in writing to the above address.
What We Do With Your Personal Data
Your personal data is managed in a secure manner and only SPS employees or partners working with SPS with a need to see the information have access to it. The way we use and share your information and the legal basis for processing your information depends on your relationship with the SPS. Below are details of how we process your personal data for:
- Individuals who are or have been held in our custody;
- Visitors to prisons;
- Victims of crime;
- Job applicants, current and former SPS employees;
- Other reason.
Individuals Who Are or Have Been Held In Our Custody
The information we hold about you is used in a range of ways including, where appropriate:
• Sentence calculations; supervision level; discipline; communications or complaints from you; managing your care; support from partner organisations; consideration for parole; dealing with courts and/or legal representatives; providing continuity of support services when you leave custody; public health; research.
It is likely that we will share your data, where there is a legal basis for doing so, with some or all of the following:
Scottish Government; Scottish Courts and Tribunals Service; Crown Office & Procurator Fiscals Service; Parole Board; Police Scotland; UK Security Services; HM Revenue & Customs; Department for Work & Pensions; Home Office: Immigration Enforcement; Local Authorities including Social Work and Housing; National Health Service; NHS Test and Protect; Audit Scotland; The Auditor General; The Accounts Commission (or any audit firm appointed by them).
We process your personal data in line with the Data Protection Act 2018 Part 3: Law Enforcement Processing. SPS is an executive agency of the Scottish Ministers, a competent authority named in Schedule 7 of the Data Protection Act 2018. SPS processes your personal data for one or more law enforcement purposes: the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
The legal basis for processing your personal data is generally:
• processing is necessary for the performance of a task carried out for a law enforcement purpose by a competent authority
If the processing is sensitive processing, then the legal basis is generally:
• processing is strictly necessary fo the law enforcement purpose; and
• the processing is necessary for the exercise of a function conferred on SPS by an enactment or rule of law, and is necessary for reasons of substantial public interest; or
• the processing is necessary for the administration of justice
In certain circumstances there may be other legal bases for processing your data. Please refer to the Data Protection Act 2018 Part 3: Law Enforcement Processing.
In the majority of circumstances, the SPS does not require your permission to process your personal data, however where any processing of your personal data is based upon consent you may withdraw that consent at any time.
Visitors to Prisons
The information we hold about you is used in a range of ways. The main processes include:
• Prison visits (including virtual visits); access to prison premises; phone calls; family support; attendance at case conferences; compliance with Prison Rules; public health.
We may share your data, where there is a legal basis for doing so, with some or all of the following:
• Police Scotland; Local Authorities including Social Work; Professional Bodies; NHS Test and Protect.
We process your personal data in line with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). The legal basis for processing your personal data is generally:
• processing is necessary for compliance with a legal obligation to which the controller is subject; or
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
If the data is a special category of personal data, then the legal basis is generally:
• processing is necessary for reasons of substantial public interest and for the exercise of a function conferred on a person by an enactment or rule of law.
In certain circumstances there may be other legal bases for processing your data. Please refer to the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR) and The Prisons and Young Offenders Institutions (Scotland) Rules 2011, Rules 105 – 108.
In the majority of circumstances, the SPS does not require your permission to process your personal data, however where any processing of your personal data is based upon consent you may withdraw that consent at any time.
Victims of Crime
If you are registered with the Victim Notification Scheme, the information we hold about you is mainly used to keep you informed of the key stages in the sentence of a named individual in accordance with the requirements of the Victims and Witnesses (Scotland) Act 2014 and the Victims’ Rights (Scotland) Regulations 2015.
We may share your data, where there is a legal basis for doing so, with the Scottish Courts and Tribunal Service.
We process your personal data in line with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). The legal basis for processing your personal data is that you have provided your explicit consent to process your personal data. You may withdraw that consent at any time.
Job Applicants, Current and Former SPS Employees
The information we hold about you is used in a range of ways. The main processes include
• Recruitment; employment and contract; performance appraisal; absence management; pay; pension; discipline; taxation; training.
We may share your data, where there is a legal basis for doing so, with some or all of the following:
• Cabinet Office; MyCSP; Payroll Processor; HM Revenue & Customs; Department for Work & Pensions; Occupational Health Provider; NHS Test and Protect; Audit Scotland; The Auditor General; The Accounts Commission (or any audit firm appointed by them).
We process your personal data in line with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). The legal basis for processing your personal data is generally:
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• processing is necessary for compliance with a legal obligation to which the controller is subject.
If the data is a special category of personal data, then the legal basis is generally:
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.
In the majority of circumstances, the SPS does not require your permission to process your personal data, however where any processing of your personal data is based upon consent you may withdraw that consent at any time. In certain circumstances there may be other legal bases for processing your data.
Other Reason
We may hold and process information about you for some other reason, for example, if you have made a request for information or you have made a complaint.
We may share your data, where there is a legal basis for doing so, with some or all of the following:
• Information Commissioner’s Office; Scottish Information Commissioner; Scottish Public Services Ombudsman.
We process your personal data in line with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).
The legal basis for processing your personal data is generally:
• processing is necessary for compliance with a legal obligation to which the controller is subject.
In certain circumstances there may be other legal bases for processing your data. Please refer to the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).
In the majority of circumstances, the SPS does not require your permission to process your personal data, however where any processing of your personal data is based upon consent you may withdraw that consent at any time.
How Long Do We Keep Your Personal Data
We only retain personal data for as long as is necessary. The timeframes differ depending on the type of personal data being processed and the retention and destruction policies specified by SPS.
What Are Your Rights?
• Access to Personal Data - You can request to see the personal data that SPS is processing or has processed about you.
• Rectification of Personal Data - If you believe the personal data that SPS is processing about you is incorrect or incomplete then you are entitled to request to have that data corrected.
• Erasure of Personal Data or the Restriction of its Processing - You have the right to ask for your personal data to be erased or to restrict processing of that data.
Subject Access Request
You have the right to see a copy of the personal information that SPS holds about you, subject to exemptions. This right is commonly referred to as a Subject Access Request (SAR). Subject Access Requests should not be confused with Freedom of Information requests.
Who can make a Subject Access Request?
An individual can request to see a copy of the personal information that SPS holds about them. A request for personal data from people acting on behalf of someone else must be accompanied by their consent or authority to act on their behalf. In such instances consideration will be given by SPS to verify that consent or authority has been received in order to release the personal data.
Making a Subject Access Request
Subject Access Requests must be made in writing. Download the Subject Access Request Form. In situations where a person making a request has some form of disability and finds it impossible or unreasonably difficult to make a Subject Access Request in writing, SPS will consider a verbal request which will be subject to verification process.
Please email the completed form (inclusive of relevant proof of identity) to spsisu@prisons.gov.scot or, if that is not possible, send them by post to:
Information Security Manager
Scottish Prison Service
Calton House
5 Redheughs Rigg
Edinburgh
EH12 9HW
If your request is for medical information this should be sent to the relevant Health Board. Details of each Health Board’s subject request process can be found online.
If your request is for Social Work information this should be sent to the relevant Local Authority. Details of each Local Authority’s subject request process can be found online.
How long will it take?
In line with data protection legislation, your request will be processed within one month of receipt of your completed request plus proof of identity and such information as we may reasonably require:
• to satisfy ourselves as to your identity and
• to locate the information sought.
If you have any questions regarding this process, please send an email to spsisu@prisons.gov.scot.
Complaint to the SPS Data Protection Officer
If you are not satisfied with the response you may contact the SPS Data Protection Officer by email at SPSDataProtectionOfficer@prisons.gov.scot or, if that is not possible, by writing to:
Data Protection Officer
Scottish Prison Service
Calton House
5 Redheughs Rigg
Edinburgh
EH12 9HW
Complaint to the Information Commissioner’s Office (ICO)
If you wish to make a complaint about how the SPS has or is processing your personal data, you can do so by contacting:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
National Fraud Initiative - Creditor's Privacy Notice
Please see the below link for guidance on how SPS protects the public funds it administers:
NFI Privacy Notice