The Scottish Public Services Ombudsman is committed to protecting the privacy and security of your information.
This privacy notice explains in detail the types of personal information we may collect about you when you interact with us. It also explains how we’ll store and handle that information, and keep it safe.
It is likely we’ll need to update the privacy notice from time to time. We will publicise any significant changes but you’re welcome to ask us questions about the notice or check the online version at any time.
1. Privacy commitment
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
We will only use your personal information when the law allows us or requires us to. Most commonly, we will use your personal information in the following circumstances:
- We have been given responsibility and duties by law and we need to use personal information to comply with those obligations.
- We have been given an important function or job by law and need to use personal information to fulfil that function.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- When we have your consent to do so.
- Where we need to protect your interests (or someone else's interests).
- For the purpose(s) of awarding, delivering and maintaining SPSO contracts and in order to comply with public procurement regulations in Scotland.
Some personal information has been given higher protection; this is called 'special category' information, and we will only use that category of information when we have additional reasons. Most commonly this will be because:
- There is a substantial public interest in us fulfilling our legal duties and responsibilities.
- We need to comply with social security law.
- Where we need to protect your interests (or someone else’s interests) and that person is not able to give consent.
- We will also only process this type of information for archiving or undertaking scientific or other research when we know we have appropriate protections in place.
2. Collecting and using information
2.1 Making a complaint
(If you are making a whistleblowing complaint about NHS services, see 2.3.)
We collect information when
- You contact us to ask for advice
- You bring a complaint to us
- We are looking at a complaint and need more information to make a decision
- You ask us to change any decision we’ve made
- You complain to us about our service
We will normally let you know what types of information we are asking for and why. For example this may include:
- Your name
- Your contact details
- Details of anyone you have chosen to represent you
- Your relationship to other people who are mentioned in the complaint
- Information you have told us about your needs to help us make our service accessible
- Information you tell us about your complaint
- Correspondence with the organisation
- Notes the organisation holds about the complaint
- Information about other people which we need to make a decision
- Information held by other people which we need to make a decision
- Information about your background
We use this information to:
- provide you with advice
- refer back to the advice if you contact us again
- investigate and make decisions on complaints
- respond to complaints about our service
- make a reasonable adjustment
- monitor and assess the quality of our work
- share best practice and monitor and assess the quality of complaint handling and service provision by organisations
- report on individual decisions to Parliament (we do not name individuals in any reports)
- report on trends and statistics
- learn more about our users and what their needs are
- ask you about our service
- protect our staff from unacceptable behaviour
2.2 Requesting a review of a welfare fund decision
We collect information when
- You contact us to ask for advice
- You bring a request for a review to us
- We are looking at a review and need more information to make a decision
- You ask us to change any decision we’ve made
- You complain to us about our service
We will normally let you know what types of information we are asking for and why. For example this may include:
- Your name
- Your contact details
- Details of anyone you have chosen to represent you
- Your relationship to other people who are mentioned in the review
- Information you have told us about your needs to help us make our service accessible
- Information about your review
- Correspondence with the organisation
- Notes the organisation holds about the review
- Information about other people which we need to make a decision
- Information held by other people which we need to make a decision
- Information about your background
We use this information to:
- provide you with advice
- refer back to the advice if you contact us again
- investigate and make decisions on reviews
- respond to complaints about our service
- make a reasonable adjustment
- monitor and assess the quality of our work
- share best practice and monitor and assess the quality of complaint handling by organisations
- report about our work to Parliament and the public (we do not name individuals in any reports)
- compile statistics and undertake research and analysis (there may be public interest reasons for undertaking this work and whenever possible information is completely anonymised for these purposes)
- learn more about our users and what their needs are
- ask you about our service
- protect our staff from unacceptable behaviour
2.3 Making a whistleblowing complaint about NHS services
We collect information when
- You contact us to ask for advice or information
- You bring a complaint to us
- We are looking at a complaint and need more information to make a decision
- You ask us to change any decision we've made
- You complain to us about our service
We will normally let you know what types of information we are asking for and why. For example this may include:
- Your name
- Your contact details
- Details of anyone you have chosen to represent you
- Your relationship to other people who are mentioned in the whistleblowing complaint
- Information you have told us about your needs to help us make our service accessible
- Information you tell us about your whistleblowing complaint
- Information about the way an organisation has handled your concerns
- Correspondence with the organisation
- Notes the organisation holds about the complaint (this may include relevant clinician, administrative and human resources records)
- Information about other people which we need to make a decision
- Information held by other people which we need to make a decision
- Information about your background
We use this information to:
- Provide you with advice
- Refer back to the advice if you contact us again
- Refer an anonymous concern (INWO cannot consider these) to an organisation or regulator that is able to investigate anonymous complaints. If we can, we will inform you that we have shared this information
- Investigate and make decisions on complaints
- Respond to complaints about our service
- Make a reasonable adjustment
- Monitor and assess the quality of our work
- Monitor and assess the quality of complaint handling and service provision by organisations
- Report on individual decisions to Parliament (we publish short summary reports on investigations - these do not name individuals, and we aim to omit any particulars that are likely to identify any person)
- Report on trends and statistics
- Learn more about our users and what their needs are
- Ask you about our service
- Protect our staff from unacceptable behaviour
We will ask whistleblowers about their sensitivities and preferences surrounding confidentiality, and will put in place safeguards to protect them from identification where appropriate. Bodies under jurisdiction are also required, as far as the law allows, to respect the confidentiality of any person who raises a concern. It is important to note that there may be practical limits to ensuring confidentiality while conducting an investigation.
2.4 For professionals
When your organisation tells us you will be our key contact we will collect your contact details and will use them when we need to contact your organisation.
If you attend a training session we will collect information we need to provide that training and to assess the quality of our training.
If you contact us for advice about complaint handling, reviews, or handling a whistleblowing concern we will keep a record of that contact so we can return to that advice and also monitor trends.
2.5 Responding to consultations or surveys or signing up to our mailing lists and newsletters
When you respond to any surveys we will collect and analyse the responses you give us to help us improve our service. We will not process any information that is included in any response to a survey that could identify an individual. Personal information will be destroyed as soon as we become aware of it. We may use third party services such as Survey Monkey - their privacy notice is here: https://www.surveymonkey.com/mp/legal/privacy-policy/
When you respond to a consultation, the responses will be analysed and we may produce a report of consultation responses. Where permission is given, we may publish responses. We may include personal information where permission has been given to do so. We never publish email or postal addresses. Where permission is given, we may contact respondents for further comment.
When you sign up to a newsletter or mailing list, we will collect the contact details we need to send these to you. We also collect information about the category of subscriber and any organisation you are subscribing on behalf of. This allows us to understand who is signing up to our services and helps us to improve those services. We use Mail Chimp for our newsletter and they have their own privacy policy here: https://mailchimp.com/legal/privacy/
2.6 Using our website
We collect information to help us understand how our website is being used. We also use cookies to help make our website easier to use by
- Enabling a service to recognise your device so you don’t have to give the same information during one task, for example to remember the information you entered on the first page of a multi-page form.
- Remembering settings so you don’t have to re-enter them every time you visit a new page.
- Measuring how many people are using the website and how they navigate the website, so that we can identify ways to make it easier to use and make sure that there is enough capacity for the website to perform well and respond quickly.
Our cookies aren’t used to identify you personally. They’re just here to make the site work better for you. Indeed, you can manage and/or delete these small files as you wish. We provide more information about our cookies, how they are used and how long they are stored for directly on each website.
Read more about cookies on the SPSO website.
Traffic monitoring
General traffic data is collected via the SPSO website. Any statistics produced are based on aggregated data from which no details of any individual visitor can be traced. The SPSO site does not automatically capture or store personal information from visitors to the site other than to record session information such as the most popular pages visited and the nature of the browser used. This information is used only for the administration of the site system and in the compilation of general statistics used by the SPSO to assess the use of the site.
2.7 Visiting our office
When you visit our office, your image will be recorded on CCTV. We have two cameras, one at our front door and one in reception, for security purposes. Access to CCTV is limited and all recordings are destroyed after 21 days.
2.8 Making an information request
When you make an information request to us we need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations. We will consult with any third parties we may have received the information being requested from for their views on disclosure.
2.9 Taking part in a procurement process
We need your personal information to allow you to engage in our procurement process and to ensure we can facilitate the procurement process before entering into a contract.
If you take part in one of our procurement processes, then we collect your information, including your personal information. This includes your name and contact details - including in your capacity as a representative of a business - and other information you supply as part of the process, such as CVs, professional history, bank account details, conflicts of interest information.
2.10 Supply of products or services
- When we agree to a contract for a product or service that you or your company provide, we may use the personal information you provide to allow us to manage that contract.
- When we purchase a product or service from you or your company, we may use your personal information to allow us to pay for it.
2.11 Call recording
Calls to SPSO lines including to and from direct lines may be recorded.
We do so for the following purposes:
- establishing the facts and helping to assess customer service complaints
- protecting staff and others from harassment in the form of abusive/nuisance calls or threats
- providing evidence of criminal or safeguarding issues
- quality and training purposes
- obtaining direct evidence as part of an investigation or welfare fund review
- retaining evidence of the following when they are provided orally during a call
- consent e.g. for representation
- evidence that is necessary to resolve an investigation or welfare fund review
- a complaint about our service
- to make a reasonable adjustment
If you would prefer to have an unrecorded call, please ask. Staff have discretion to pause recording during a call to allow this if it is clear that the call will not meet one of the purposes or if there is another good reason to switch recording off. This will include if the matter you wish to discuss is sensitive or you would be distressed by being recorded. Staff may refuse to switch recording off if they consider it is not appropriate to do so or in circumstances where previous behaviour by the caller means a decision has been made that this option will not be available. Staff will also have discretion to restart call recording if, during a paused/unrecorded section of a call, the caller acts in a way that the staff member considers is inappropriate. In those circumstances we will signpost to alternative routes to contact us if the caller does not wish to continue with a recorded call.
Recordings are deleted automatically after 90 calendar days and will only be stored for longer if they are identified as meeting one of the purposes in our call recording policy and they need to be kept for longer to meet those purposes.
Calls which are stored for longer than 90 calendar days will be stored in line with our normal retention policy.
If you have questions about call recording, please contact us.
Calls to and from the whistleblowing 0800 number and direct lines are not recorded routinely. If you wish a call to be recorded, you can ask staff about this.
3. Collecting special category Information
Some of the information we collect may be what the data protection law calls 'special categories' of information. Special categories include information about someone’s:
- Race;
- Ethnic origin;
- Politics;
- Religion;
- Trade union membership;
- Genetics;
- Biometrics (where used for ID purposes);
- Health;
- Sex life; or
- Sexual orientation.
Sometimes we will need information in these categories to look at complaints, review welfare fund decisions or consider whistleblowing concerns. We will only process this type of information if it is relevant to the decision we need to make. We ask people to share some of this information with us to help us monitor our service and meet our commitments on equality. We do not collect any personal information such as names or other information that could identify you with this data.
4. When do we share information with others?
We need to share information with others to do the jobs under the powers and duties the Scottish Parliament gave us
- Considering and investigating complaints about public services
- Considering and investigating whistleblowing complaints about NHS services
- Reviewing welfare fund decisions
- Reporting about our work to the Scottish Parliament and the public
This may include:
- Sharing and asking for comments on information we have collected
- Explaining our decision to people involved. In complaints about GPs, opticians, and pharmacists this will include the Board they hold a contract with.
- Publicly reporting our decisions to the Scottish Parliament (reports do not name individuals)
- Receiving expert advice from someone
- Obtaining a translation or providing a translation of information
- Providing the Independent Customer Service Complaints Reviewer with the information they need to make a decision on a complaint about our service
Note: if you bring us a complaint or a request for a review we will normally share information with the organisation you complained about or the Council who made the welfare fund decision. If you have concerns about this please contact us as soon as possible.
We may also share information:
- When that information shows there may be a risk to someone’s health or safety
- When that information is important to certain other organisations for their work.
The law includes a list of named organisations and the information we can share with them:
- Audit Scotland (for purposes relating to audit)
- The Care Inspectorate (for purposes relating to their role as a regulator of care services)
- The Scottish Social Services Council (for purposes relating to their role as the registrar for care workers)
- The Scottish Information Commissioner (for purposes relating to their role as regulator for Freedom of Information)
- The Information Commissioner (for purposes relating to their role as the regulator for data protection)
- The Mental Welfare Commission (for purposes relating to their powers of investigation under the Mental Health (Care and Treatment) (Scotland) Act 2003)
- Healthcare Improvement Scotland (for purposes relating to the improvement of the quality of healthcare)
- NHS Education for Scotland (for purposes relating to their role in the education of training of persons providing or intending to provide NHS services)
- The Common Services Agency for the Scottish Health Service (for purposes relating to their role in providing support to the NHS and Scottish Ministers and dealing with fraud and other irregularities in the NHS)
- Other UK Public Services Ombudsman (when the issue may be a cross-border issue)
We would also share information if a court or a law tells us we need to release information.
Procurement and contracts:
- Information is shared with other public sector bodies involved in the procurement process where necessary. For example, any public sector body with which the SPSO collaborates on a procurement due to similar/shared requirements.
- Information is shared with third party advisers involved in the procurement process where necessary. For example, independent and/or contracted advisers/specialists who may take forward procurements on behalf of the SPSO or be consulted for contract evaluation purposes on areas in which the SPSO lacks the required expertise (e.g. IT, Construction etc.).
- All regulated contracts (contracts with a value above £50,000) are published on the Public Contracts Scotland website. This is in order for the SPSO to meet the obligations of Section 35 of the Procurement Reform (Scotland) Act 2014.
- Selected non-regulated contracts (with a value below £50,000) are also published on the Public Contracts Scotland website when appropriate.
We sometimes use third parties to provide us with services and they may need to process information to do so. This may include people or organisations who provide us with:
- IT services
- Telephony services
- Translation services
- Legal services
- Auditors
- Professional advisers and consultants
- Independent complaints review services
- Courier and secure shredding services
- Survey management and processing services
5. How do we keep your information safe?
Data protection law protects your information. There are rules in our legislation which add additional legal protections by
- limiting when we can share information and
- ensuring if information is made public we are not allowed to include names
We also take steps to protect the information given to us.
- We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures also cover information held off-network and out-of-office. Additionally, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality
- We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so
- Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure
We can provide more details of these measures and procedures if you ask for them and they are also available on our website.
In considering some complaints, we may need to process information about third parties without their knowledge. In such cases of ‘invisible processing’, it may not be appropriate to inform third parties of this processing of information. In that regard, we take measures to ensure people’s privacy rights are protected, including ensuring only information relevant to an investigation is obtained.
6. Keeping special categories of information safe
We take additional steps to protect special categories of information. We clearly identify when we hold special category information and have set out specific procedures for ensuring this is held securely and only held for as long as we need to.
When we collect information about you for the purposes of equalities monitoring this is stored in a way that means it can never be traced back to an individual.
When we collect information held by social work or about your health we will normally contact you about this before doing so.
7. What are your rights?
The law says you have the right to:
- Know when we are processing your information
- See the information we process about you
- Correct any information
- Object to processing
- Ask for the information to be destroyed
- Withdraw consent where this has been provided
Unless there are legal reasons which mean we can't do this.
You can read more about your rights here.
You always have the right to lodge a complaint with the Information Commissioner's Office (ICO).
We respect these rights. If you have any concerns about our handling of your personal information, please let us know.
We have a Data Protection Officer who is independent of the SPSO and can also give you advice and listen to concerns.
8. Where we process your information
The majority of your personal information is hosted within the United Kingdom. However, it may be necessary to transfer your personal information to countries outside of the United Kingdom. In doing so, we will ensure that adequate safeguards are used to secure the information - for example, by encryption and ensuring that suppliers are subject to contract clauses in respect of information security.
Where we communicate with you via email, we may not always be able to identify the destination of your information.
Note: If you choose an email address as your preferred contact please be aware that we may be sending you sensitive and personal information to that email. Email security cannot always be guaranteed. If you choose this method of contact, you are confirming that you accept that risk.
9. How long do we keep your information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for. This includes for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
For example, we usually destroy most information on a complaint or a review 26 months after the date of last significant contact. We will only keep personal information on a complaint or review for longer if we have a good reason to do so. Details of all the retention periods for different aspects of your personal information are in our retention policy which is available on our website: https://www.spso.org.uk/spso-policies or any time you ask us for this.
10. Contact Details
You can contact us to exercise any of your data protection rights, or to raise any data protection concerns.
Email our Corporate Information Governance Officer.
We have a Data Protection Officer who is independent of the SPSO.
Email the Data Protection Officer.
Telephone: 0131 348 5281