
Finance: Processing payment of invoices and reimbursement of fees/expenses

This privacy statement explains how we collect and use personal information as a data controller for the following process: Processing payment of invoices and reimbursement of fees and expenses.

Some of the language used in privacy notices can be specialised.  The Information Commissioner's website provides a useful introduction to key terms and concepts.


The purposes of the processing

During the course of our work we collect/use personal data for the purpose of processing:

  • payment of invoices in return for goods or services provided (including staff employed via a recruitment agency. Personal data is received from the recruitment agency for the purpose of paying agency costs in line with contractual obligations.)
  • reimbursement of fees and expenses
  • payment of professional fees and subscriptions to maintain professional membership

Categories of information processed

Normal category data is processed which includes: name, address, telephone number, email address, VAT number, and bank or building society address and account details for:   

  • suppliers including employees, contractors, businesses which are not limited companies including sole traders, recreational groups (e.g. musicians) and individuals (including Advisory Audit Board Members, Visitors, Witnesses, Delegates and Advisors)

We may also obtain normal category personal data directly from a supplier or contractor within the content of an invoice such as in the description of goods/services provided or included in any supporting documentation for the purpose of payment of an invoice in line with contractual obligations, for example, but not limited to:  

  • agency workers: Name, hours worked and hourly rate paid to agency
  • taxi invoices: Name and address (in terms of traveller and pick up/drop off location)
  • professional fees and subscription payments:  Name, address, telephone number, email address

Business areas of the Scottish Parliamentary Corporate Body (SPCB) outwith the Finance Office may be a first point of contact for individuals submitting fees and expenses claims or invoices, and may therefore process normal category personal data including name, address, telephone number and email address. The personal data stored by these business areas will be deleted as soon as the payment has been processed.

Source of the information

Personal data is provided to us directly from individuals (data subjects) via a variety of means:

  • supplier set-up form
  • invoice
  • fees and expenses claim forms, for:
    • Advisory Audit Board members' fees
    • visitor fees and expenses payments
    • witness, delegate and advisor expenses payments
  • financial assistance for non-government parties
  • professional fees and subscription invoice
  • theft, damage, accounting loss form

We may also obtain personal data from a supplier or contractor within the content of an invoice e.g. description of goods/services or included in any supporting documentation.

Legal basis for processing

Data protection law states that we must have a legal basis for handling your personal data.

The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the UK General Data Protection Regulation (UK GDPR)).

The legal basis for sharing personal data relating to the payment of invoices and reimbursement of fees and expenses with both internal audit (and support) and external auditors in terms of note 2 below, is that processing is necessary for a task carried out in the public interest (Article 6(1)(e) UK GDPR, section 8(d) of the Data Protection Act (DPA)).

The legal basis for sharing personal data with Banks and Building Societies in terms of note 3 below, is that processing is necessary for payment of invoices or reimbursement of fees and expenses (Article 6(1)(b) UK GDPR).

Finally, the legal basis for sharing personal data with other government agencies and bodies responsible for auditing and administering public funds to prevent or detect fraud, is that processing is necessary for compliance with a legal obligation to which the SPCB is subject (Article 6(1)(c) UK GDPR).

Consequences of not processing personal data 

Not processing the personal data as described above would result in non-payment and failure to meet contractual obligations.

Data sharing 

Where necessary, personal data is shared both internally within the SPCB; and externally with other government agencies and organisations. We share your data with the following: 

  • business areas of the SPCB
  • internal audit (and external support) and External Auditors
  • bank or Building Society (of both the SPCB and the data subject)
  • other Government agencies (including those involved with the National Fraud Initiative)

Purpose of data sharing: 

Business areas of the SPCB:

Supplier data is shared internally with the relevant business areas in order to: 

  • set up and maintain suppliers on the financial accounting and purchasing ordering systems;
  • generate purchase order numbers on the purchase ordering system;
  • validate and review invoices for payment;
  • review and authorise reimbursement of fees and expenses claim forms.

Where relevant, suppliers’ personal data is restricted to Finance, the business area, and financial accounting and purchase ordering system users. 

Internal audit (and external support) and External Auditors:

All data relating to the payment of invoices and reimbursement of fees and expenses can be shared (usually on a sample basis) with both internal audit (and support) and external auditors in order to review payments to ensure they are processed demonstrating good governance, accountability, integrity and ensure the relevant control measures are in place to reduce risk.

Bank or Building Society (of both the SPCB and the data subject):

Personal data is shared with the relevant Bank or Building Society in order to process payment of invoices or reimbursement of fees and expenses.

Other Government agencies (including those involved with the National Fraud Initiative)

The financial accounting system is provided by a third-party government agency and the SPCB is a user. The government agency (the Scottish Government) can view and access supplier details in order to provide administrative, system and technical support. The Scottish Government is acting as a data processor on behalf of the SPCB in this instance. 

In addition, the SPCB is required by law to protect the public funds it administers and it may share information provided to it with other government agencies and bodies responsible for auditing or administering public funds in order to prevent or detect fraud via the National Fraud Initiative (NFI). The NFI runs every 2 years and uses data matching to compare information about individuals held by different public bodies that might suggest the existence of fraud or error. This data matching exercise is carried out under the powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. 

Retention of data

Personal data is retained in both paper and electronic format, in accordance with the Scottish Parliament records management policy, and access is limited as appropriate. All documentation relating to the set-up of suppliers and any subsequent changes to details is retained for a period of 2 years. All invoices and reimbursement of fees and expenses and any supporting documentation are retained for the current financial year plus 6 years.

Children and young people safeguarding and child protection

In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.   

Your rights

Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below.  You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.  

The following rights may apply:

Access to your information

You have the right to request a copy of the personal information about you that we hold.   

Further information on how to make a data protection 'subject access request'.

Correcting your information

You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information

You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue. 

  • please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent 
  • the right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you

Deletion of your information

You have the right to ask us to delete personal information about you where:

  • you consider that we no longer require the information for the purposes for which it was obtained
  • we are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
  • you have validly objected to our use of your personal information – see Objecting to how we may use your information above
  • our use of your personal information is contrary to law or our other legal obligations
  • please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you

Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to using your information

Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.

Please contact us in any of the ways set out below if you wish to exercise any of these rights.

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on this website.  Paper copies of the privacy statement may also be obtained using the contact information below. 

This privacy statement was last updated on 21 January 2021. 

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:

The Scottish Parliament
Edinburgh
EH99 1SP

Telephone: 0131 348 6913

(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)

Email: dataprotection@parliament.scot

Please contact us if you require information in another language or format

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.

Or by phone at: 0303 123 1113
