Skip to main content

Language: English / Gàidhlig

Loading…

Procurement process for supply of goods and services

This privacy statement explains how we collect and use personal information as a data controller for the following process: Procurement process for supply of goods and services.

Some of the language used in privacy notices can be specialised.  The Information Commissioner's website provides a useful introduction to key terms and concepts.

The purpose of the processing

We process and store any personal data for the purpose(s) of delivering and maintaining Scottish Parliamentary Corporate Body (SPCB) contracts and in order to comply with public procurement regulations in Scotland.

Categories of information processed

Normal category data, including:

  • names and contact details
  • addresses
  • date of birth
  • place of birth
  • professional history
  • CVs
  • bank account details
  • salary and pension details
  • conflict of interest information
  • credit check information. This can include date of birth, nationality, financial information that relate to individuals.
  • criminal offence data, as defined by the UK General Data Protection Regulation (UK GDPR), including Police Scotland Serious Organised Crime Group (SOCG) / Police Check information. This can include name, date of birth, address, criminal convictions and offences, suspected criminal activity.

Source of the information

Personal data can be provided to us via a number of sources including 

  • PCS-Tender, Public Contracts Scotland
  • email
  • post
  • verbally
  • access to an online portal/website for example Companies House or Creditsafe, third parties such as Police Scotland.

Personal data is provided to us directly from an economic operator or a person who has powers of representation, decision or control in relation to an economic operator for the purpose of taking part in a procurement procedure. 

Personal data is provided to us via a third party (e.g. credit check via access to an online portal or Police Scotland’s SOCG / Police Check).

Legal basis for processing 

Data protection law states that we must have a legal basis for handling your personal data. 

The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) UK GDPR). 

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) UK GDPR is necessary to ascertain whether an organisation, or an individual representing an organisation, has been convicted of any criminal offences. In terms of  regulation 8 of the Procurement (Scotland) Regulations 2016 a contracting authority must exclude an economic operator from participation in a procurement procedure where the contracting authority has established or is otherwise aware that the economic operator or a person who has powers of representation, decision or control in relation to an economic operator has been convicted of any of the offences listed in sub paragraphs (a) – (k) of the regulation. The SPCB, as the contracting authority, is therefore required to process information relating to certain criminal convictions under regulation 8 of the Procurement (Scotland) Regulations 2016. The processing is necessary to comply with a statutory obligation to which the SPCB is subject (Article 6(1)(c) UK GDPR).

The legal basis for sharing personal data as part of the procurement process is that it is necessary for the purposes of a legitimate interest of the SPCB (Article 6(1)(f) UK GDPR). The legitimate interest is to receive professional specialist advice in order to achieve best value for money in the procurement process. 

The legal basis for sharing information relating to certain criminal convictions is to ensure that the SPCB complies with the Procurement (Scotland) Regulations 2016. The sharing is insofar necessary to comply with a statutory obligation to which the SPCB is subject (Article 6(1)(c) UK GDPR).

Finally, the legal basis for sharing personal data with other public sector bodies involved in the procurement process as referred to below is that sharing is necessary for the performance of a contract (Art 6(1)(b) UK GDPR). 

Consequences of not providing personal data 

Not processing this information would make it impossible for the SPCB to conclude and manage contracts and compromise the SPCB’s full compliance with public procurement regulations in Scotland.

Data sharing

The personal data is shared with other public sector bodies involved in the procurement process where necessary. For example:

  • central Government Procurement Shared Services, who may take forward procurements on behalf of the SPCB
  • any public sector body with which the SPCB collaborates on a procurement due to similar/shared requirements 

The personal data is shared with third party advisers involved in the procurement process where necessary. For example:

  • independent and/or contracted advisers/specialists who may take forward procurements on behalf of the SPCB or be consulted for contract evaluation purposes on areas in which the SPCB lacks the required expertise (e.g. IT, Construction)

Supplier names and contract details are published on the Scottish Parliament website for all SPCB contracts with a value above £5,000 as part of our Contracts Register. Regulated contracts (contracts with a value above £50,000) are also published on the Public Contracts Scotland website. This is in order for the SPCB to meet the obligations of Section 35 of the Procurement Reform (Scotland) Act 2014.

Criminal offence data

The personal data is shared with Police Scotland to facilitate a SOCG / Police Check, where necessary.

Criminal offence data received from Police Scotland is shared internally with other departments within the Scottish Parliament, where necessary.

Retention of data 

The personal data is retained for 5 years after contract expiry in accordance with the Scottish Parliament records management policy.

Children and young people safeguarding and child protection

In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.   

Your rights

Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below.  You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.  

The following rights may apply:

Access to your information

You have the right to request a copy of the personal information about you that we hold.   

Further information on how to make a data protection 'subject access request'.

Correcting your information

You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information

You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue. 

  • please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent
  • the right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you

Deletion of your information

You have the right to ask us to delete personal information about you where:

  • you consider that we no longer require the information for the purposes for which it was obtained
  • we are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
  • you have validly objected to our use of your personal information – see Objecting to how we may use your information above
  • our use of your personal information is contrary to law or our other legal obligations
  • please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you

Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to using your information

Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given. 

Please contact us in any of the ways set out below if you wish to exercise any of these rights. 

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on this website.  Paper copies of the privacy statement may also be obtained using the contact information below. 

This privacy statement was last updated on 27 January 2021.

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:

The Scottish Parliament
Edinburgh
EH99 1SP

Telephone: 0131 348 6913

(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)

Email: dataprotection@parliament.scot

Please contact us if you require information in another language or format

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.

Or by phone at: 0303 123 1113

Share this page

Share this page on x Share this page on pinterest Share this page on linkedin