Back to How we work

Data Protection Policy

Aims of this policy

This policy aims to set the basic standards regarding the processing of personal data by the Scottish Environment Protection Agency (SEPA).

In this policy, we set out the framework in which SEPA will ensure the appropriate use of personal data in line with the law.

Everyone has rights regarding how their personal information is handled. During our activities, SEPA will collect, store and process personal information about our customers, staff and all other individuals who work with us or contact us.

• We recognise the fundamental importance of handling this information in an appropriate and lawful manner to maintain the confidence and trust of our customers and staff in our processing of their personal data.
• Protecting the confidentiality and integrity of personal data is a critical responsibility that we always take seriously.
• If SEPA fails to comply with Data Protection Law, then it may be subject to enforcement and sanctions from the Information Commissioner’s Office.

Who does this policy apply to?

This policy covers all employees, consultants, contractors, agency workers, interns, and anyone who will be processing personal data in the course of their duties

Does this policy form part of my contract of employment?

This policy does not form part of your contract of employment except to the extent that it imposes obligations on you.

Status of the policy

This policy has been approved by the Chief Officer; Governance, Performance & Engagement.

Scope

Personal data

This policy applies to all personal data we process (or that a third-party processes on our behalf) regardless of the media on which that data is stored or who it relates to. This could be past or present employees, workers, customers, clients or supplier contacts, shareholders, website users, and members of the public whose personal data we process.

Data protection responsibilities

All of our business areas, functions, teams, and individuals are responsible for ensuring staff comply with this policy. We are all required to implement appropriate practices, processes, controls, and training to ensure such compliance. Staff who have management responsibility are expected to regularly review all the systems, processes, and procedures under their control to ensure they comply with this policy. Staff with management responsibility must also check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.

Data Protection Officer

The Data Protection Officer (DPO) is responsible for ensuring SEPA’s compliance with data protection law; for overseeing (and updating) this policy; and as applicable, related policies and guidelines. This role is held by Alison M. Mackinnon, who can be reached by email: dataprotection@sepa.org.uk.

Queries about Data Protection Law or this policy

The DPO should be contacted if:

• You have any questions about the operation of this policy or about Data Protection Law; or
• if you have concerns that this policy is not being followed or has not been followed.

When to contact the DPO

Staff must immediately contact the DPO if there has been a personal data breach (see Specific requirements below)

There are certain circumstances in which staff must contact the DPO for support and advice. These include:

• they are unsure of the lawful basis which they are relying on to process personal data
• queries about the retention period for the personal data being processed
• questions about what security or other measures need to be implemented to protect personal data
• whether they are permitted to transfer personal data outside the UK
• if they receive any communication from an individual which may seek to exercise any rights which he/she may have under Data Protection Law as a Data Subject
• whenever they are engaging in a significant new, or change in, processing activity or plan to use personal data for purposes others than for which it was collected
• if they are considering entering into any contracts with third parties which shall involve the disclosure or sharing of personal data
• if they plan to undertake any activities involving automated processing including profiling or Automated Decision-Making

Data protection principles

The seven data protection principles are set out in Article 5 of the UK GDPR (the ‘Principles’). The Principles lie at the heart of our approach to processing personal data.

Article 5(1) requires that personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes...subject to implementation of the appropriate technical and organisational measures...in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

In addition, the UK GDPR provides that the controller shall be responsible for, and be able to demonstrate compliance with, the principles (‘accountability’).

Specific requirements

Appendix 2 of this policy explains what measures SEPA has put in place to comply with the data protection Principles and what staff and contractors are expected to do as part of those measures.

Special Category Data and Criminal Offence Data

As part of SEPA’s statutory and corporate functions, we process special category data and criminal offence data in accordance with the requirements of Article 9 and 10 of the UK General Data Protection Regulation (UK GDPR) and Schedule 1 of the Data Protection Act 2018 (DPA 2018). SEPA’s special category data has an extra layer of protection due to its sensitive nature.

Special category data is defined at Article 9 UK GDPR as personal data revealing:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for the purposes of uniquely identifying a natural person
• Data concerning health
• Data concerning a natural person’s sex life or sexual orientation

Criminal offence data is defined at Article 10 UK GDPR as criminal convictions and offences or related security measures.

SEPA has an Appropriate Policy Document (APD) in place. This sets out SEPA’s measures for securing compliance with the principles in Article 5. It also contains policies regarding the retention and erasure of such personal data

Law enforcement processing

SEPA is a competent authority for the purposes of Part 3 of the Data Protection Act 2018 (DPA 2018). Part 3 covers the processing of personal data by competent authorities for law enforcement purposes.

Law enforcement purposes include the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security.

Sensitive processing is defined in DPA 2018 Part 3 section 35(8) and is equivalent to special category data. This includes:

• the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership
• the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual
• the processing of data concerning health
• the processing of data concerning an individual's sex life or sexual orientation

SEPA has as Appropriate Policy Document in place, as required under Part 3 of the DPA 2018, when processing sensitive personal data for law enforcement purposes.

Transfers

General requirements

Data protection law imposes restrictions on the transfers of personal data to countries outside the UK. This is to ensure that the level of data protection afforded to individuals by UK data protection law is not undermined.

You are transferring data across a border if: data originates in one country, and you need to transmit or send this data to another country, or if you are viewing or accessing data in a country in which it did not originate.

Staff transfer personal data originating in one country across borders when they transmit, send, view or access that data in or to a different country.

Restrictions on transfers outside the UK

SEPA staff may only transfer personal data outside the UK if one of the following mechanisms is used:

• the country to which you are sending the personal data has a suitable adequacy decision in place
• you have implemented appropriate safeguards
• Binding Corporate rules apply
• There are exceptional circumstances that allow for derogations

If you plan to transfer data outside of the UK, a Transfer Impact Assessment may be required. You will need to consult the DPO on this.

Role of the DPO

Where staff wish to transfer personal data outside the UK, it is their responsibility to ensure that the transfer concerned satisfies one of the requirements described in section

In practice, this means that staff need to check with the DPO to confirm that the proposed transfer is permissible before they do it.

Data Subjects’ rights and requests

Individual rights

Data Subjects have rights when it comes to how we handle their personal data. These include rights to:

• withdraw consent to processing at any time (where we process personal data on the basis of consent)
• request access to their personal data that we hold
• ask us to erase personal data in certain circumstances or to rectify inaccurate data or to complete incomplete data
• restrict processing in specific circumstances
• object to decisions based solely on automated processing, including profiling (Automated Decision Making (ADM))
• be notified of a personal data breach which is likely to result in high risk to their rights and freedoms
• in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format

Notify DPO

Where staff are contacted by an individual about information that SEPA holds about them they must immediately notify the DPO and follow the DPO's instructions. Do not respond or provide any information beforehand

Accountability

General requirements

Under data protection law, we must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles.

We must also be able to demonstrate we comply with them. This section sets out how SEPA will comply with its accountability obligations

Data Protection Impact Assessment (DPIA)

The DPO must be advised at the earliest opportunity in order that they can consider the proposed project or activity, and determine whether a Data Protection Impact Assessment is required, in the following circumstances:

When we are considering or planning

• projects to implement major system or business change programmes involving the processing of personal data including:
• use of new technologies (programmes, systems or processes), or changing technologies (programmes, systems or processes)
• automated processing including profiling and ADM
• large scale processing of Sensitive Data
• large-scale, systematic monitoring of a publicly accessible area
• any other activity which will involve (or may potentially involve) the processing of personal data which has not been collected before or the processing of personal data in new ways or for new purposes
• any contract activity that requires 3rd party access to SEPA data

The DPO may require staff to complete pre-DPIA screening questions in order to determine whether a full DPIA is required. No processing of personal data pursuant to such a project or activity may be undertaken meantime without the approval of the DPO.

Staff must comply with any directions given by the DPO and the terms of the Data Protection Impact Assessment process, which forms part of the Relevant Policies and Guidance.

Record keeping

Data Protection Law requires us to keep full and accurate records of all our data processing activities. The Register of Processing Activities (RoPA) is maintained by the DPO. Staff must ensure that they update the DPO regarding the processing of personal data carried out as part of their work duties. One of the ways in which we do this is the completion of DPIAs and Notifications of Processing (NOPs).

Training and audit

Staff must undergo all mandatory data privacy related training.

Where a staff member has management responsibility for other Personnel,

• they must ensure their team undergo similar mandatory training as well.
• they must regularly review all the systems and processes under their control to ensure they comply with this policy and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.

Automated processing (including profiling) and automated decision making

Specific restrictions apply under Data Protection Law in relation to Automated Decision Making.

A DPIA must be carried out before any Automated processing (including profiling) or ADM activities are undertaken

Sharing personal data

The DPO should be consulted, prior to any sharing, and approval obtained by the IAO.

Generally we are not allowed to share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.

Staff may only share the personal data we hold with another employee, agent or representative of our group if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.

The proposed sharing of personal data may require the conduct of a DPIA beforehand. Staff may only share the personal data we hold with third parties, such as our service providers if:

• they have a need to know the information for the purposes of providing the contracted services
• sharing the personal data complies with the Privacy Notice provided to the Data Subject
• the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place
• the transfer complies with any applicable cross border transfer restrictions; and a fully executed written contract that contains GDPR approved third party clauses has been obtained; and the DPO has authorised the data sharing.

The DPO may issue authorisations of a specific or general nature regarding the sharing of personal data with specific third parties and where these have been issued staff must ensure that they comply with their terms.

Staff sharing data should comply with the Information Commissioner’s Office Data Sharing Code of Practice, which has been summarised below:

• Identify the objective in sharing the data
• Be clear as to what data we are sharing
• Consider the benefits and risks of sharing and not sharing
• Put in place a Data Sharing Agreement
• Ensure the data protection principles are followed
• Check data sharing is fair and transparent
• Identify at least one lawful basis of sharing the data before you start sharing
• Put in place policies & procedures that allow data subjects to exercise their individual rights easily
• Document decisions about the data sharing, evidencing your compliance with data protection law
• Put in place quality checks on the data
• Arrange regular reviews of the data sharing arrangements
• Agree retention periods and make arrangements for secure deletion.

Changes to this policy

This policy may be changed from time to time. Where changes are made staff will be notified but it is the responsibility of staff to check back regularly to obtain the latest copy of this policy.