Privacy and cookies

Privacy notice: how we use your data

The Petitions site lets you start and sign public petitions to raise issues with the Scottish Parliament.

The Public Petitions process is provided by the Scottish Parliament. We need to collect, process and store some personal data to enable you to do this.

Data Controller

The Scottish Parliamentary Corporate Body (SPCB) is the data controller of the information you provide and will ensure it is protected and used in line with data protection legislation.

Our Contact Details

Any queries regarding our use of your information should be sent to the Data Protection Officer at:

dataprotection@parliament.scot — 0131 348 6913

What data we collect from you

The personal data we collect from people who sign petitions will include:

• your name
• your email address
• your postcode
• the country you live in
• the IP address you use when starting or signing a petition

In addition, for people who start a petition we will also collect:

• organisation you are petitioning on behalf of (if applicable)
• your postal address
• your contact telephone number
• any personal information or details that you provide within the petition itself.

We sometimes receive information relating to people who have submitted petitions in writing. These petitions are securely stored and retained for the same period as personal data received through our own electronic petitions system.

Why we need your data

We use this information to:

• facilitate the public petitions process
• make sure that people only sign a petition once
• check that your petition is admissible
• contact you about petitions you start
• we may occasionally contact people who start or submit petitions to seek feedback on the petitions process and how it could be improved.

What we do with your data

We use your personal information to process the petition you have started or signed.

If you start a petition and we accept it, your name will be published alongside any text you include within the petition. We will not publish any of your contact details. If you start a petition, your name will remain permanently referenced alongside the petition on the Public Petitions Committee’s web pages and in meeting transcripts and recordings, as part of the official record of the Scottish Parliament’s petitions process. This information will be transferred to the Scottish Parliament archive at National Records of Scotland where it will be publicly available.

Your petition, including your name, will be included in data about parliamentary business that will be available on the Parliament’s Open Data Portal on an ongoing basis. The Open Data Portal can be accessed here: data.parliament.scot/#/home

If you’ve signed a petition, we will not publish any personal information about you.

IP addresses are used to protect the petitions site and prevent fraudulent activity.

What we’ll email you about

If a petition you’ve started is referred to the Public Petitions Committee, we will use your contact details to update you about the petition’s progress and to offer you the opportunity to provide further information and engage with the Committee.

You will receive automated confirmation emails when you set up or sign a petition.

Who has access to the data and where is it processed and stored

The Scottish Parliament’s staff administering the petitions process will have access to your personal information.

Unboxed Consulting Limited who provide technical support for the petitions system will also have access to the system for troubleshooting and maintenance purposes only.

Electronic information will be stored on Scottish Parliament ICT systems, which includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with European legislation.

The petitions system uses Amazon Web Services (AWS) cloud storage to store your data and to send emails relating to the petitions process. Emails sent are stored for 6 months. The privacy notice for Amazon Web Services (AWS) is available here: aws.amazon.com/privacy.

Petitions form part of the public record. They will be retained according to the Scottish Parliament’s record management policy and transferred publicly to the Scottish Parliament archive at National Records of Scotland where they will be publicly available.

How we protect your data and keep it secure

We are committed to keeping your personal data secure. We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties who process personal data for us are required to keep that data secure.

Our legal bases for collecting, holding and using your personal information

Data protection law sets out various legal bases (or ‘conditions’) which allow us to collect, hold and use your personal information.

The collection and use of your information are necessary to help us facilitate the public petitions process and allow the public the chance to raise and show support for issues with The Scottish Parliament.

Personal data is processed because it is necessary for the performance of a task carried out in the public interest in accordance with Article 6(1)(e) of the General Data Protection Regulation (GDPR), read together with section 8(d) of the Data Protection Act 2018.

We may process special categories of personal data of those who start and/or contribute to its passage through the Scottish Parliament’s petitions process. Special category personal data is defined in Article 9(1) of the GDPR as the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.

Special category personal data will usually be processed on the basis that it is necessary for reasons of substantial public interest, pursuant to Article 9(2)(g) of the GDPR read in conjunction with section 10(3) of, and paragraph 6(2)(b), part 2, of Schedule 1 to, the Data Protection Act 2018.

The legal basis for sharing personal data with NRS (as set out in the paragraph below) is that it is necessary for historical and archiving purposes in the public interest (Article 6(1)(e) UK GDPR, section 8(d) DPA or Art 9(2)(j) UK GDPR, section 10(2) DPA and paragraph 4(a) of part 1, Schedule 1, DPA).

What are your rights

You have certain rights over the information we hold. In summary, the rights include:

• The right to be informed about how your personal information is used
• The right of access to copies of your personal information
• The right to rectification if your information is inaccurate
• The right to restrict our use of your personal information in certain circumstances
• The right to object to the use of your personal information in certain circumstances

If you would like to engage any of these rights, please email dataprotection@parliament.scot

Children and Young People Safeguarding and Child Protection

In line with the principles underlying the National Guidance for Child protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.

Changes to this notice

We keep this privacy notice under regular review. We may change this privacy notice. In that case the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, we will take reasonable steps to make sure you know.

Contact information and further advice

You can also complain to the ICO if you are unhappy with how we have used your data.

The Scottish Parliament’s Head of Information and Governances address:

The Scottish Parliament
Edinburgh
EH99 1SP
01313 348 6913
dataprotection@parliament.scot

Calls are welcome through the Text Relay Service or in British Sign Language through contactSCOTLAND-BSL.

Cookies

This website puts small files (known as ‘cookies’) onto your computer to collect information about how you browse the site.

Cookies are used to:

• measure how you use the petitions service so it can be updated and improved based on your needs
• remember the notifications you’ve seen so that we do not show them to you again
• help prevent people from fraudulently signing petitions

Some cookies are strictly necessary to ensure the secure running of this website. They are not used to identify you personally.

Find out more about how to manage cookies.

Google Analytics cookies

We use Google Analytics to collect information about how you use the service. This information helps us to improve the service and prevent fraudulent signing. When you first visit the site on a new device an option is provided to opt-in to analytics cookies.

The Google Analytics cookies collect and store information about:

• unique users
• informing referring sites
• visitor and session counts

Session cookies

We store a session cookie on your computer to help keep your information secure while you use the service.