Your private information

The information we hold about you is used in a range of ways including, where appropriate:

Sentence calculations; supervision level; discipline; communications or complaints from you; managing your care; support from partner organisations; consideration for parole; dealing with courts and/or legal representatives; providing continuity of support services when you leave custody; public health; research.

It is likely that we will share your data, where there is a legal basis for doing so, with some or all of the following:

Scottish Government; Scottish Courts and Tribunals Service; Crown Office & Procurator Fiscals Service; Parole Board; Police Scotland; UK Security Services; HM Revenue & Customs; Department for Work & Pensions; Home Office: Immigration Enforcement; Local Authorities including Social Work and Housing; National Health Service; NHS Test and Protect; Audit Scotland; The Auditor General; The Accounts Commission (or any audit firm appointed by them).

We process your personal data in line with the Data Protection Act 2018 Part 3: Law Enforcement Processing. SPS is an executive agency of the Scottish Ministers, a competent authority named in Schedule 7 of the Data Protection Act 2018. SPS processes your personal data for one or more law enforcement purposes: the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

The legal basis for processing your personal data is generally:

• processing is necessary for the performance of a task carried out for a law enforcement purpose by a competent authority

If the processing is sensitive processing, then the legal basis is generally:

• processing is strictly necessary fo the law enforcement purpose; and
• the processing is necessary for the exercise of a function conferred on SPS by an enactment or rule of law, and is necessary for reasons of substantial public interest; or
• the processing is necessary for the administration of justice

In certain circumstances there may be other legal bases for processing your data. Please refer to the Data Protection Act 2018 Part 3: Law Enforcement Processing.

In the majority of circumstances, the SPS does not require your permission to process your personal data, however where any processing of your personal data is based upon consent you may withdraw that consent at any time.

The information we hold about you is used in a range of ways. The main processes include:

Prison visits (including virtual visits); access to prison premises; phone calls; family support; attendance at case conferences; compliance with Prison Rules; public health.

We may share your data, where there is a legal basis for doing so, with some or all of the following:

Police Scotland; Local Authorities including Social Work; Professional Bodies; NHS Test and Protect.

We process your personal data in line with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).  The legal basis for processing your personal data is generally:

• processing is necessary for compliance with a legal obligation to which the controller is subject; or
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

If the data is a special category of personal data, then the legal basis is generally:

• processing is necessary for reasons of substantial public interest and for the exercise of a function conferred on a person by an enactment or rule of law.

In certain circumstances there may be other legal bases for processing your data. Please refer to the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR) and The Prisons and Young Offenders Institutions (Scotland) Rules 2011, Rules 105 – 108.

In the majority of circumstances, the SPS does not require your permission to process your personal data, however where any processing of your personal data is based upon consent you may withdraw that consent at any time.

If you are registered with the Victim Notification Scheme, the information we hold about you is mainly used to keep you informed of the key stages in the sentence of a named individual in accordance with the requirements of the Victims and Witnesses (Scotland) Act 2014 and the Victims’ Rights (Scotland) Regulations 2015.

We may share your data, where there is a legal basis for doing so, with the Scottish Courts and Tribunal Service.

We process your personal data in line with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). The legal basis for processing your personal data is that you have provided your explicit consent to process your personal data. You may withdraw that consent at any time.

The information we hold about you is used in a range of ways. The main processes include:

Recruitment; employment and contract; performance appraisal; absence management; pay; pension; discipline; taxation; training.

We may share your data, where there is a legal basis for doing so, with some or all of the following:

Cabinet Office; MyCSP; Payroll Processor; HM Revenue & Customs; Department for Work & Pensions; Occupational Health Provider; NHS Test and Protect; Audit Scotland; The Auditor General; The Accounts Commission (or any audit firm appointed by them).

We process your personal data in line with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). The legal basis for processing your personal data is generally:

• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• processing is necessary for compliance with a legal obligation to which the controller is subject.

If the data is a special category of personal data, then the legal basis is generally:

• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.

In the majority of circumstances, the SPS does not require your permission to process your personal data, however where any processing of your personal data is based upon consent you may withdraw that consent at any time. In certain circumstances there may be other legal bases for processing your data.

We may hold and process information about you for some other reason, for example, if you have made a request for information or you have made a complaint.

We may share your data, where there is a legal basis for doing so, with some or all of the following:

Information Commissioner’s Office; Scottish Information Commissioner; Scottish Public Services Ombudsman.

We process your personal data in line with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).

The legal basis for processing your personal data is generally:

• processing is necessary for compliance with a legal obligation to which the controller is subject.

In certain circumstances there may be other legal bases for processing your data. Please refer to the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).

In the majority of circumstances, the SPS does not require your permission to process your personal data, however where any processing of your personal data is based upon consent you may withdraw that consent at any time.

An individual can request to see a copy of the personal information that SPS holds about them. A request for personal data from people acting on behalf of someone else must be accompanied by their consent or authority to act on their behalf. In such instances consideration will be given by SPS to verify that consent or authority has been received in order to release the personal data.

Requests for records pertaining to a deceased individual are managed as Freedom of Information requests. Please follow the link below. 

Subject Access Requests must be made in writing. Download the Subject Access Request Form. In situations where a person making a request has some form of disability and finds it impossible or unreasonably difficult to make a Subject Access Request in writing, SPS will consider a verbal request which will be subject to verification process.

Please email the completed form (inclusive of relevant proof of identity) to [email protected] or, if that is not possible, send them by post to:

Information Management
Scottish Prison Service Headquarters
1 Lochside Avenue
Edinburgh
EH12 9DJ

If your request is for medical information this should be sent to the relevant Health Board. Details of each Health Board’s subject request process can be found online.

If your request is for Social Work information this should be sent to the relevant Local Authority. Details of each Local Authority’s subject request process can be found online.

In line with data protection legislation, your request will be processed within one month of receipt of your completed request plus proof of identity and such information as we may reasonably require:

• to satisfy ourselves as to your identity and
• to locate the information sought.

If you have any questions regarding this process, please send an email to [email protected] 

If you are not satisfied with the response you may contact the SPS Data Protection Officer using our contact form, by email at [email protected] or, if that is not possible, by writing to:

Data Protection Officer
Scottish Prison Service
1 Lochside Avenue
Edinburgh
EH12 9DJ