Skip to main content

Language: English / Gàidhlig

Loading…

Test and Protect: Passholders

This privacy statement explains how we collect and use personal information as a data controller for the following process: Passholder information for Test and Protect.

 

Some of the language used in privacy notices can be specialised.  The Information Commissioner's website provides a useful introduction to key terms and concepts.

For the health and safety of everyone in the Scottish Parliament and to help stop the spread of coronavirus we are asking all passholders to assist the Scottish Parliamentary Corporate Body (SPCB) to support NHS Scotland’s Test and Protect strategy.

Information about when you are in the premises and your contact details, may be used by the Scottish Parliament to enable NHS Scotland to contact you should you have been in the premises around the same time as someone who has tested positive for coronavirus.

Contacting people who might have been exposed to the virus is an important step in stopping its spread.

In order to assist in the containment of the virus, we will only share your data when it is requested directly by NHS Scotland. If requested, information will be transferred securely to NHS National Services Scotland who will use the data to contact trace those who were in close proximity to the positive case, and will provide guidance and support to those who may be advised to self-isolate. 

Read further information on the NHS Scotland Test and Protect strategy on the NHS website

The Parliament has taken the decision to ensure it is in a position to provide this information, if requested by the NHS, about all passholders to ensure it is taking all reasonable measures to protect passholders and to support efforts to contain the spread of coronavirus. In reaching this decision, the Parliament has taken a number of factors into account, including the following:

  • the Parliament is under an obligation, under The Health Protection (Coronavirus)(Scotland) Regulations 2020, Regulations 4A and 4(1)(b) to take any measures, where reasonably practicable, to minimise the risk of the incidence and spread of coronavirus on the premises
  • the Parliament has a duty of care to its staff and other building users to protect them from harm and a duty to protect their health and safety so far as reasonably practicable; and therefore being able to assist contact tracers quickly with the requested data in order that they in turn can quickly assess and advise any contacts to self-isolate supports these duties

The purposes of the processing

The purpose of the processing is to enable the SPCB to respond to requests received from NHS test and protect for information about those individuals who are physically present at the Scottish Parliament on particular days during COVID:19.  In such circumstances the SPCB are taking the view that supplying this information is necessary for it to support the welfare of passholders and to contribute to the suppression of the virus.

Categories of information processed

Personal data, as defined in the UK General Data Protection Regulation (UK GDPR), namely:

  • name
  • dates on the Parliament’s premises and primary location on the premises
  • contact details (those contained in e-HR (payroll) and in Outlook address book) consisting of personal and parliament email address and mobile phone number (if available)

Source of the information 

The source of the information will consist of the details about passholders provided to Facilities Management to confirm which individuals are present at the Scottish Parliament on particular days. This information is supplied to enable the management of Covid:19 infection risks and mitigations to be raised and followed.

A further source of information will be the contact details provided by passholders to the SPCB so that contact can be made with you in the case of emergencies or an incident via our Alert system. This information is under your control and supplied by you in the e-HR (payroll) system. The SPCB has carefully weighed the risks of processing this information in a way that is in addition to the previously notified use of passholder contact details for the Alert System and has decided that

  • the need to support the wellbeing of passholders and all those that use the Parliament
  • the need for the Parliament to be able to continue operating effectively
  • and supporting the purpose of the Test and Protect initiative by the Scottish Government and NHS to supress the virus

means that during the period when Covid:19 is present, the contact information supplied by passholders may be shared with the NHS exclusively for test and protect and for no other reasons. This will process will be kept under review. 

Legal basis for processing

Data protection law states that we must have a legal basis for handling your personal data.

The legal basis for the processing of personal data is that it is necessary for a task carried out in the public interest (Article 6 (1)(e) UK GDPR and section s8(d) of the Data Protection Act 2018 (DPA).)

This information will not be collated or shared unless the SPCB is contacted by the NHS to ask for information about the location of passholders on a particular day and for their contact details. 

This will only be for the purpose of test and protect and not any other reason.

Data sharing 

The personal data will be shared with the NHS test and protect upon receipt of a verifiable request. The purpose of this will be so that contact tracers can support you and advise you on next steps if you have been in contact with another individual who has tested positive for coronavirus. You may be asked for further information about others you may have been in contact with while on the Scottish Parliament premises for test and protect purposes.

Retention of data

The Facilities Management and e-HR system contact details will only be collated for a particular individual or individuals if the NHS asks for them.  Once the information is provided to the NHS the collated information will be securely deleted and no record will be retained by the SPCB.

Children and young people safeguarding and child protection

In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.

Your rights

Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below.  You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.  

The following rights may apply:

Access to your information

You have the right to request a copy of the personal information about you that we hold.   

Further information on how to make a data protection 'subject access request'.

Correcting your information

You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information

You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue. 

  • please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent
  • the right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you 

Deletion of your information

You have the right to ask us to delete personal information about you where:

  • you consider that we no longer require the information for the purposes for which it was obtained
  • we are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
  • you have validly objected to our use of your personal information – see Objecting to how we may use your information above
  • our use of your personal information is contrary to law or our other legal obligations
  • please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest. 
  • the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you. 

Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to using your information

Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.

Please contact us in any of the ways set out below if you wish to exercise any of these rights. 

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on this website.  Paper copies of the privacy statement may also be obtained using the contact information below. 

This privacy statement was last updated on 9 February 2021.  

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:
The Scottish Parliament
Edinburgh
EH99 1SP

Telephone: 0131 348 6913

(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)

Email: dataprotection@parliament.scot

Please contact us if you require information in another language or format

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.

Or by phone at: 0303 123 1113

Share this page

Share this page on x Share this page on pinterest Share this page on linkedin