Guidance on Parliamentary Questions: data protection

From 25 May 2018, the General Data Protection Regulation (GDPR), together with the Data Protection Act 2018 (the DPA), replaced the Data Protection Act 1998 in regulating the processing of personal data. Following the UK’s exit from the EU, the UK adapted the GDPR as the UK GDPR. 

Members are data controllers in their own right for the purposes of data protection law, entirely separate to the SPCB. Under UK GDPR, every data controller must have a legal basis for any processing of personal data. The term ‘processing’ is wide and includes collecting, recording, storing, using and disclosing or sharing personal data. Personal data is any information that relates to a living human being and can be used to identify them even if additional information is needed to do so.

Whilst the defamation privilege in the Scotland Act 1998 protects Members against defamation proceedings as regards any statements made in parliamentary proceedings and publications under the authority of the Parliament, data protection requirements still apply.  As a result, there must be a legal basis whenever personal data is included in a motion or disclosed orally during Parliamentary proceedings as this will be processed (including published) by the Parliament. The DPA allows processing of personal data where it is “necessary for the exercise of a function of either House of Parliament” but the Scottish Parliament and its Members cannot rely on this exemption which preserves Parliamentary privilege only for the House of Commons and the House of Lords.  

Data controllers also have a duty to provide information about the ways in which they process personal data, including information about the purpose of the processing, the legal basis relied upon and who the data may be shared with. One way of fulfilling that duty is for data controllers to add a Privacy Notice to their website setting out the required information (it is not necessary to seek consent from each individual whose personal data is processed, unless the legal basis relied upon is consent). 

Parliamentary rules

Under the admissibility rules in Standing Orders, questions must not contain offensive language, breach any enactment or rule of law or be contrary to the public interest or contravene the sub judice rule. In addition, the Guidance on Questions says “the wording of a question should not disclose any information that is protected by an interdict or court order, that is commercially sensitive or confidential or the publication of which may cause personal distress or loss. Particular care should be taken regarding questions that name individuals, since they may be people whose identity needs to be protected”.

The Guidance on Questions also states that “questions should be no longer than is necessary to elicit the information sought. In editing, the clerks will consider whether questions contain any material that is not strictly necessary”. As a matter of course therefore, Chamber Desk clerks advise Members to keep personal data to a minimum in questions and this practice continues under UK GDPR.

While it is acknowledged that personal data is rarely used in questions, this guidance sets out the position under UK GDPR should a Member consider doing so. 

Submitting Parliamentary Questions to the Chamber Desk

In order to process personal data lawfully, all data controllers must identify a valid legal basis for each processing activity they undertake. This means that Members intending to lodge a question containing information which identifies a living individual (or from which a living individual can be identified) must have a legal basis under data protection law for doing so.

The legal bases for processing of personal data are set out in Article 6 of the UK GDPR and this applies to the processing of all personal data relating to an individual. If the question includes reference to special category data (formerly referred to as “sensitive personal data”) and/or criminal offence data, then in addition to the legal basis under Article 6 UK GDPR the Member will need to identify a specific condition for processing in terms of Article 9 UK GDPR (for special category data) and Article 10 UK GDPR (for criminal offence data). Some of these conditions require the SPCB and the Member to have an Appropriate Policy Document (APD) in place to outline the relevant compliance measures.

The appropriate legal basis and conditions for processing will depend on the particular circumstances. Information about the different legal bases and conditions for processing and when they can be used together with relevant examples are set out in the annex at the end of this document. The onus is on Members to identify and record their legal basis for processing of personal data as the Chamber Desk will assume that the Member is satisfied with the position and that the question complies with the Member’s obligations under data protection law.

When submitting questions that contain personal data, Members must therefore: (i) be satisfied that, in disclosing this information, they are complying with data protection legislation and (ii) confirm to Chamber Desk in writing which legal basis they are relying on for including such personal data in the question.

The Chamber Desk will not accept questions unless they are accompanied by such confirmation.  The reasons for this are (i) to ensure that lodged questions comply with the admissibility criteria set out in Standing Orders, (ii) to assist Members in complying with data protection requirements, and (iii) to avoid compromising the SPCB's compliance with data protection requirements in processing these questions.

Whilst this document has been prepared as guidance for Members on the requirements for complying with the UK GDPR and the DPA when submitting written and oral parliamentary questions, it is important to emphasise that each case will need to be considered on its own individual facts and circumstances. If you require assistance with determining the legal basis for processing, please contact the Information Management and Governance Team at the following address: dataprotection@parliament.scot

Further information and question examples are contained in the Annex.

This guidance will be updated on an ongoing basis in light of experience and any future developments.

Chamber Desk

October 2022


Annex

Categories of data and examples of questions

There are three different types of personal data: normal category data, special category data and criminal offence data, and different rules apply for processing personal data within these categories.

Normal category personal data

This is any information relating to a living person who can be identified or who is identifiable either directly from that information or indirectly from that information in combination with other information. This would include a person’s name, age, their contact details, date of birth, phone number, home address and home email.

The legal bases available to data controllers for processing normal category data are set out in Article 6(1) of the UK GDPR and section 8 of the DPA.

When including personal data in a question, Members must be satisfied that there is a legal basis that applies and decide which is most appropriate in the circumstances. In practice, the most common legal bases that Members are likely to use are as follows:

  • that the processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR and section 8(c) DPA). Where a Member is satisfied that the raising of awareness/encouraging debate on an important issue in a motion is necessary to carry out their functions as a Member of the Scottish Parliament in the public interest (that is, of general benefit to the public at large), they can rely on this ground for the processing of any normal category data;
  • the processing is necessary for the purposes of the legitimate interests pursued by the Member or a third party (Article 6(1)(f) UK GDPR). The legitimate interests can be individual interests or broader societal benefits. This may be appropriate, for example, if the Member considers that it is necessary to include personal data in a motion for the legitimate interest of raising awareness about the efforts of a particular constituent who has raised a significant amount of money for charity. However, it is not possible to rely on this legal basis if the rights and freedoms of the data subject outweigh the legitimate interests pursued; a balancing exercise should therefore be carried out and if the impact of processing the data on the individual’s privacy is high and/or they would not expect their data to be used in this way then it would not be appropriate to rely on this basis; or
  • consent has been given by the data subject(s) for their information to be used in this way and they have been supplied with all the relevant information about what consent means and under what circumstances and up to what point it can be withdrawn (Article 6(1)(a) UK GDPR). This legal basis is only suitable when the circumstances are such that the data subject should be given a genuine right to choose whether their data is processed in this manner, for example, included in a motion to be discussed in Parliament. It is important to make the data subject aware that once the personal data has become part of the processing by the SPCB, it may form part of the official record and it will not be possible to withdraw consent from that point onward.

The legal basis for the further processing of the motion by the SPCB will be that the processing is necessary for the performance of a task carried out in the public interest which is the exercise of the SPCB’s functions, that is, publication of proceedings on Members’ questions (Art 6(1)(e) UK GDPR and section 8(d) DPA).

Question examples

Parliamentary questions are a means by which Members can obtain factual and statistical information from the Scottish Government or the Scottish Parliamentary Corporate Body (SPCB). It is accordingly rare for individuals to be named in parliamentary questions. The expectation would be that an issue relating to a specific individual is more appropriately raised during proceedings. 

Example:

"To ask the Scottish Government for what reason it has not yet compensated Joe Black, whose property was compulsorily purchased as part of the construction of the new section of the M77 motorway."

While the Member may consider that the use of this data may pursue the legitimate interest of raising awareness in relation to the plight of Joe Black, the question may be highlighting something that has an impact on Joe Black’s privacy and/or where he would not expect his data to be used in this way. As a result, it may not be appropriate to rely on the legitimate interests ground here unless, in this case, the Member is satisfied that Joe Black has himself publicised the fact that he has still not been compensated. The Member may therefore consider that the legal basis for processing this data is having the consent of the individual named.

While the question as it stands may meet the admissibility criteria, the Chamber Desk clerks may suggest a more general question, without the need to refer to personal data. There may also be sub judice issues to consider if there are ongoing legal proceedings in relation to a particular case, which would result in the question being inadmissible (Rule 7.5.1).

An alternative might be along the lines of:

"To ask the Scottish Government how many people’s property were compulsorily purchased as part of the construction of the new section of the M77; of these, how many have not yet received compensation from x, and for what reason compensation remains unpaid in each case." 

Special category personal data

This includes information revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning a person’s sex life or sexual orientation, data concerning physical or mental health, the processing of genetic data and biometric data for the purpose of uniquely identifying a natural person.

The UK GDPR prohibits the processing of special category data unless one of the exemptions set out in Article 9(2) of the UK GDPR applies. These are known as the conditions for processing special category data. The Information Governance team (IMG) have prepared an APD template for Members to use and adapt which can be accessed on the Member’s page on data protection. The SPCB has an APD in place for Parliamentary questions and motions, and Members are also required to have one in place.

When including special category personal data in a question, Members must be satisfied that in addition to a legal basis for processing (under Article 6(1) UK GDPR) they are able to identify a condition for processing in terms of Article 9(2) UK GDPR; the conditions most likely to be appropriate are that:

  • the processing is necessary for reasons of substantial public interest in relation to the exercise of a function conferred on a person by enactment or rule of law (Article 9(2)(g) and section 10(3) DPA and paragraph 6(2)(a), Part 2 of Schedule 1 to the DPA), that is, parliamentary questions serve a range of functions and are a key mechanism by which Members can obtain information from the Scottish Government and the SPCB which closely relates to their role of holding the government to account. Being able to ask questions is therefore an important part of the role of MSPs. The role of MSPs is underpinned by the Scotland Act 1998 and the Standing Orders. Members give notice of proposed questions to the Chamber Desk for review in line with both their and the SPCB’s functions;
  • the processing is in connection with the discharge of a Member’s functions and in response to a request by an individual that the Member take action on their behalf. Where the request is made by an individual other than the data subject, the Member must be satisfied in the circumstances that either the data subject could not consent to the processing or that the Member cannot reasonably be expected to obtain the consent of the data subject (Article 9(2)(g) UK GDPR, section 10(3) and paragraph 23, Part 2 of Schedule 1 to the DPA);
  • explicit consent (Article 9(2)(a) UK GDPR) has been given by the person named in the motion or who the question is about (whilst there is no definition of explicit consent under UK GDPR, the requirement for explicit consent can be satisfied by the person whose details are to be used giving an express written statement (for example: by email) of their consent to this, of which the Member should retain a record);
  • the processing relates to personal data that is manifestly made public by the person whose details are being used (Article 9(2)(e) UK GDPR). There is no definition of ‘manifestly made public’ under UK GDPR; however, the fact that personal data is in the public domain (for example, in a newspaper article), or has been provided directly to a Member, does not necessarily mean it has been manifestly made public by the person. This exemption can only be relied upon in circumstances where it is clear that the data subject has themselves put their personal data into the public domain, for example, on their own social media account, on a charity fundraising page that they have set up themselves or in a direct media quote.

Criminal offence personal data

This includes personal data relating to criminal convictions and offences or related security measures and covers criminal activity; allegations; investigations; proceedings; penalties; conditions or restrictions placed on an individual under the criminal justice process; civil measures that may lead to a criminal penalty if not adhered to; as well as unproven allegations.

For processing criminal offence data, as with special category data, Members will need to have a legal basis for processing in terms of Article 6(1) of the UK GDPR (for example: public interest or legitimate interests); however, as a result of Article 10 UK GDPR and section 10(5) of the DPA it is also necessary to comply with a condition in Parts 1, 2 or 3 of Schedule 1 of the DPA. The conditions which are most likely to be relevant to Members are that:

  • the processing is necessary for reasons of substantial public interest in relation to the exercise of the function of a Member (paragraph 6(2)(a), Part 2 of Schedule 1 to the DPA), that is, as noted above, parliamentary questions are a key mechanism by which Members can obtain information from the Scottish Government and the SPCB, this being an important part of their role as an MSP, including holding the executive to account, which is underpinned by the Scotland Act 1998 and the Standing Orders;
  • the processing is in connection with the discharge of a Member’s functions and in response to a request by an individual that the Member take action on their behalf. Where the request is made by an individual other than the data subject, the Member must be satisfied in the circumstances that either the data subject could not consent to the processing or that the Member cannot reasonably be expected to obtain the consent of the data subject (Article 9(2)(g) UK GDPR, section 10(3) and paragraph 23, Part 2 of Schedule 1 to the DPA);
  • consent has been given by the person (this requirement can be satisfied by the person whose details are to be used giving an express written statement (for example: by email) of their consent to this, of which the Member should retain a record) (paragraph 29, Part 3 of Schedule 1 to the DPA); or
  • the processing relates to personal data that is manifestly made public by the person whose details are being used (paragraph 32, Part 3 of Schedule 1 to the DPA). 

Question examples

Example 1 (special category personal data):

"To ask the Scottish Government for what reason Mary Black of 12 Main Street, Newtown has had to wait x weeks for an operation to do y, and what action it will take to ensure z."

As with all questions that include personal data, the Member must be satisfied that they have a legal basis for doing so under data protection law.

This type of question is more likely to be asked in the Chamber as an oral question supplementary to a published oral question rather than in a written question, but in asking it during proceedings, the Member still requires to be satisfied that he or she has a legal basis for doing so.

If this example was submitted as a written question, the Member may decide to process this data on the grounds of having the explicit consent of Mary Black to use such details (bearing in mind that the information about Mary Black’s health amounts to special category data). This means that the Member must have an express written statement to the effect that consent has been given.

Alternatively, if the information was made available by Mary Black, for example on her social media account, then the Member may consider that the information has manifestly been made public by them and should confirm that this is the legal basis on which the information is being published.

If the personal data had been gleaned from a newspaper article or TV news story, while this information is in the public domain, it cannot be assumed that all or any of the personal data was provided to the media by Mary Black (unless it is obvious, for example, in an interview). The Member might not, therefore, be able to rely on the ‘manifestly made public’ legal basis and explicit consent would therefore be required.

However, in the absence of consent or another legal basis for the processing of the personal data, the following may be suggested as an alternative:

"To ask the Scottish Government what its response is to concerns that waiting times for operations to do x in Newtown are not being met and what action it is taking to address this."

Example 2 (criminal offence data):

"To ask the Scottish Government on its position in relation to the early release of prisoners by the Parole Board for Scotland following the recent cases of Joe White and Jim Red who have reportedly breached their conditions for early release."

If this example was submitted as a written question then, in addition to the legal basis for processing under Article 6, the Member will need to identify a condition for processing in terms of Article 10 UK GDPR and Schedule 1 to the DPA. In these circumstances and given the importance to the general public the Member may consider that the processing of criminal offence data of the individuals referred to in the question is necessary for reasons of substantial public interest. 

Other relevant factors to consider when processing personal data

In addition to identifying a legal basis for the processing of personal data, Members must ensure the processing complies with the other data protection principles. This includes ensuring the processing is fair, transparent, accurate and uses the minimum amount of personal data necessary for the question.

Fairness requires consideration of how the personal data was obtained; whether the personal data is being handled in a way an individual would reasonably expect; how the use of their data may affect them, including any potential adverse impact; and, if so, whether this is justified. Where personal data is a repeat of information in the public domain as a result of reporting in the press, this will help inform the issue of fairness, in particular the reasonable expectations of identifiable individuals. For example, where there are press reports, there may be a legitimate expectation that such matters may be raised in Parliament by Members where these are matters of concern to them and their constituents.

If this special category and/or criminal offence data is not already in the public domain, it is for the Member to be satisfied as to the fairness of including the personal data in the question, for example, what the individual’s expectations would be as to how their data is used, the potential impact on them and whether it is reasonable in the circumstances to notify the individual identified. For example, if a constituent has specifically asked a Member to raise a question relating to their personal health circumstances or a matter relating to a conviction, the likely appropriate legal basis for the processing of this special category or criminal offence data will be that the Member is taking the action in response to a request by an individual (paragraph 23, Part 2 of Schedule 1 to the DPA). Nevertheless, the individual should still be made aware of how this information will then be used, including that it will be further processed by the Parliament and become part of the public record. To use another example, even where the personal data has been manifestly made public by the data subject, for example, in an interview with the data subject where they disclose information which constitutes special category or criminal offence data, the Member should still consider the fairness of using this personal data for the purpose of a parliamentary question.

Finally, Members may wish to note that there is a presumption in the DPA that children aged 12 or over (in Scotland) have capacity to provide consent for the processing of personal data relating to them (and for exercising their rights under data protection law).  For children who are under 12, consent can be provided by a parent or guardian. 

Further information

Useful guidance on UK GDPR can also be found on the Information Commissioner’s Office website, particularly in relation to:

  • the lawful bases for processing normal category personal data
  • special category data
  • consent; and
  • providing privacy information to data subjects
