Privacy Policy

Data Protection Privacy Notice  

Paul McLennan MSP  

This the Privacy Notice of the office of Paul McLennan MSP Member of the Scottish Parliament for East Lothian Constituency. 
 
This privacy notice explains how my office collects and uses personal information about individuals. 
 
My office address and contact details are:  
Address: 5a Mitchell’s Close, Haddington EH41 3NB 
Email: Paul.McLennan.MSP@parliament.scot  
Phone: 01620 849240 
 
How I use your personal data: 
My staff and I process any personal data under the requirements of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the DPA). 
 
What is personal data? 
Personal data is any information from which a living individual can be identified. 
My staff and I will hold all personal data securely, I will only use it for the purposes it was collected or acquired for and I will only pass it on to third parties with your consent or according to a legal obligation. 
Further information about the data protection legislation and your rights is available here: 
https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/ 
 
Purposes and categories of processing personal data: 
My staff and I collect and use personal data to fulfil the following functions and associated activities of my office; 
 

• to carry out casework on behalf of my constituents 

• to tend to issues and campaigns I am involved in 

• to maintain supplier relationships 

• to process expenses, accounts, and associated records 

• to process personal information related to employment of MSP staff including recruitment, employee relations and associated responsibilities 

 
If you contact me with an inquiry or a complaint, I will normally need to store your contact details to deal with your inquiry or complaint.  This is considered to be normal category data under the UK GDPR. 
Other personal data you may provide to me may include details about your personal and family life, social circumstances and business activities, your employment and education details, financial information or information about your housing situation etc.. Depending on what views, issues or experiences you wish to discuss with me, you may be sharing special category data with me. For example, this could include details revealing race or ethnic origin, political or religious views, sex life or sexual orientation, trade union membership, physical or mental health, genetic or biometric data or any criminal offences. 
 
If you are a supplier, my staff and I will normally need to store your name, contact and payment details for the purposes of the contract between us.   
 
The legal basis for processing personal data: 
Data protection law states that I must have a legal basis for handling your personal data. The permitted legal bases can be found in the UK GDPR and the DPA. 
 
Casework 
Where it is necessary for me to process data for the purpose of taking reasonable action on behalf of a constituent, my staff and I do not require the constituent’s consent for that processing.  The legal basis for the processing is that it is necessary for a task carried out in the public interest or as regards special category data, the substantial public interest. In particular: 
 

• In relation to ‘normal’ category data, the legal basis is that the processing is necessary for an activity supporting or promoting democratic engagement (article 6(1)(e) UK GDPR and section 8(e) DPA). Democratic engagement covers a wide range of political activities inside and outside election periods, including but not limited to: democratic representation, communicating with electors and interested parties, surveying and opinion gathering, campaigning activities, activities to increase voter turnout, supporting the work of elected representatives, prospective candidates and official candidates and fundraising to support any of these activities; 

• In relation to ‘special category data’, the legal basis is that the processing is necessary for reasons of substantial public interest,  which includes any processing carried out by an MSP, or a person acting with their authority, for the purpose of reasonable actions taken by the MSP in response to a request by an individual to take action on their behalf (Article 9(2)(g) UK GDPR and paragraph 23 of Schedule 1 of the DPA). 

  
Other processing activities 
For other activities and functions which involve the processing of personal data, the legal basis for processing may, depending on the circumstances, be: 
 

• Processing necessary for a task carried out in the public interest (which includes processing necessary for an activity supporting or promoting democratic engagement (article 6(1)(e) UK GDPR and section 8(e) DPA). Democratic engagement covers a wide range of political activities inside and outside election periods, including but not limited to: democratic representation, communicating with electors and interested parties, surveying and opinion gathering, campaigning activities, activities to increase voter turnout, supporting the work of elected representatives, prospective candidates and official candidates and fundraising to support any of these activities; 

• Processing necessary for the pursuit of legitimate interests; 

• Consent of the data subject (the person who the personal data relates to.); 

• Processing necessary to comply with legal obligations; 

• Processing necessary to protect vital interests of individuals; and/or 

• Processing necessary for the performance of a contract. 

  
As for any sensitive (or special category) data, the legal basis relied upon may, depending on the circumstances, be: 
 

• Processing necessary to comply with legal obligations; 

• Explicit consent; 

• Processing necessary to protect vital interests of individuals; 

• The data has been manifestly made public by the data subject; and/or 

• Processing necessary for the establishment, exercise or defence of legal claims. 

 
Categories of processing activities and corresponding legal basis: 
Processing of personal data means anything from collecting, storing, using to sharing and deleting (see link above for more information). 
My staff and I process personal data in the following ways:  
Processing activity  
Receiving, storing and responding to general enquiries by letter, email or in person 
The legal basis 
The processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (article 6(1)(e) UK GDPR).  The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. 
How long I retain the data 
Any personal data you provide will be held securely and will be used only for the purpose(s) you have specified – personal data provided will be held securely generally for approximately 1 year and for a maximum of 5 years, depending on the nature and circumstances of the enquiry. 
 

How the data may be shared 
Securely and sensitively with third parties including, but not limited to, officials and elected representatives of local and national authorities and bodies, but only for the purpose(s) you have specified. 
For clarity, your personal data will not be passed to anybody beyond the purpose(s) you have specified without your consent unless certain limited circumstances apply which legally allow this to take place. 
Processing activity 
Receiving, storing and responding to complaints by letter, email or in person 
The legal basis 
The processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e) UK GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. 
How long I retain the data 
Any personal data you provide will be held securely and will be used only for the purpose(s) you have specified – personal data provided will be held securely generally for approximately 1 year and for a maximum of 5 years, depending on the nature and circumstances of the enquiry. 
How the data may be shared 
Securely and sensitively with third parties including, but not limited to, officials and elected representatives of local and national authorities and bodies, but only for the purpose(s) you have specified. 
For clarity, your personal data will not be passed to anybody beyond the purpose(s) you have specified without your consent unless certain limited circumstances apply which legally allow this to take place. 
Processing activity 
Receiving and storing data in relation to a personal issue or problem raised by a constituent (casework). 
The legal basis 
The processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e) UK GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. 
For special category data: 
The processing is necessary for reasons of substantial public interest (article 9(2)(g) UK GDPR and DPA Sch 1, para 23; (this covers any processing carried out by an MSP, or a person acting with their authority, for the purpose of reasonable actions taken by an MSP in response to a request by an individual to take action on their behalf). 
How long I retain the data 
Any personal data you provide will be held securely and will be used only for the purpose(s) you have specified – personal data provided will be held securely generally for approximately 1 year and for a maximum of 5 years, depending on the nature and circumstances of the enquiry. 
How the data may be shared 
Securely and sensitively with third parties including, but not limited to, officials and elected representatives of local and national authorities and bodies, but only for the purpose(s) you have specified. 
For clarity, your personal data will not be passed to anybody beyond the purpose(s) you have specified without your consent unless certain limited circumstances apply which legally allow this to take place. 
 

Processing activity 
Collect and use data for the purpose of sending out newsletters with information about surgeries, office contact details and upcoming events and campaigns 
The legal basis 
The processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e) UK GDPR). 
How long I retain the data 
Any personal data you provide will be held securely and will be used only for the purpose(s) you have specified, until if and when consent is withdrawn. 
How the data may be shared 
Personal data will not be shared. 
 

Processing activity 
Take, store and use photos and videos in connection with my engagements and events I attend in my capacity as an MSP.  
The legal basis 
The processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e) UK GDPR) or for the purpose of a legitimate interest (article 6(1)(f) UK GDPR) or the data subject has provided consent (article 6(1)(e) UK GDPR). 
How long I retain the data 
Any personal data you provide will be held securely and will be used only for the purpose(s) you have specified – personal data provided will be held securely generally for approximately 1 year and for a maximum of 5 years, depending on the nature and circumstances of the media. 
​How the data may be shared 
On Paul McLennan MSP’s social media accounts and website, and in newsletters, surveys and reports. 
 
Processing activity 
Employment related processing for the purposes of staff recruitment, including pre-employment checks 
The legal basis 
This processing is necessary for legitimate interests of the MSP (as a prospective employer), to select a suitable employee for an advertised position (article 6(1)(f) UK GDPR). 
How long I retain the data 
For employees data will be held during the course of employment for the fulfilment of the relevant employment contract. 
For former employees data will be held for one year after termination of the relevant contract of employment. 
For placements on work experience or internships any personal data provided will be held securely generally for approximately 1 year and for a maximum of 5 years. 
For vacancy applicants data will be held for 6 months after the relevant recruitment process has concluded. 
  
Processing of personal data in parliamentary motions and questions including  special category and/or criminal offence data: 
  
The processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR and section 8(c) DPA) – where the Member is satisfied that the raising of awareness/encouraging debate on an important issue in a motion or parliamentary question is necessary to carry out their functions as an MSP. 
  
Other legal bases include: The processing is necessary for the purposes of the legitimate interests pursued by a Member of a third party 
(Article 6(1)(f) UK GDPR). 
  
Consent has been given by the data subject(s) for their information to be used in this way and they have been supplied with all the relevant information about what consent means and under what circumstances and up to what point it can be withdrawn (Article 6(1)(a) UK GDPR) 
  
For special category data: The processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR) with a substantial public interest condition (Article 9(2)(g) UK GDPR and paragraph 6(2)(a) of Part 2 to Schedule 1 of the DPA) – as the processing is necessary for reasons of substantial public interest in relation to the exercise of the function of a person conferred by enactment or rule of law i.e. parliamentary motions and questions serve a range of functions and are a key mechanism by which Members gain information and raise issues. This is key to the role of MSPs, which is in turn underpinned by the Scotland Act 1998 and the Standing Orders. Members give notice of proposed motions and questions to the Chamber Desk for review in line with both their and the SPCB’s functions. 
Other conditions which may apply for the processing of special category data in relation to parliamentary motions and questions will include:  
  
Where the processing relates to personal data which are manifestly made public by the data subject (Article 9(2)(e) UK GDPR).  
  
Where explicit consent is given to the processing from the data subject (Article 9(2)(a) UK GDPR). 
  
Criminal offence data: The processing of personal data relating to criminal convictions and offences, or related security measures based on Article 6(1)(e) is authorised by domestic law, with a substantial public interest condition (Article 10 UK GDPR and paragraphs 6, 23 and 32, Parts 2 and 3 of Schedule 1 to the DPA) 
Where the processing is necessary for reasons of substantial public interest and the exercise of a function conferred on a person by enactment or rule of law (paragraph 6(2)(a), Part 2 of Schedule 1 to the DPA). 
Where the processing is carried out by an MSP, or a person acting with their authority, for the purpose of reasonable actions taken by an MSP in response to a request by an individual to take action on their behalf (paragraph 23, Part 2 of Schedule 1 to the DPA) 
Where the data subject has given consent to the processing (paragraph 29, Part 3 of Schedule 1 to the DPA); 
Where the processing relates to personal data which is manifestly made public by the data subject (paragraph 32, Part 3 of Schedule 1 to the DPA). 
 
 
Sharing of personal data: 
My staff and I sometimes may be required to share the personal information I hold with other individuals or organisations including for example: 
 

• healthcare, social and welfare organisations; 

• local and central government bodies; 

• educators and examining bodies; 

• statutory law enforcement agencies; 

• investigating bodies; 

• elected representatives and other holders of public office; 

• financial organisations; 

• crime prevention agencies and the police. 

 
This includes the following: 
 

• Scottish Government Ministers and officials; 

• Elected Councillors and officials working for East Lothian Council and other local authorities as appropriate; 

• NHS Lothian; 

• Police Scotland; and 

• Charities and support agencies. 

 
Depending on the circumstances, the legal basis for sharing data with these organisations may be that: 
 

• the sharing is necessary for complying with a legal obligation to which I am subject (Art 6(1)(c) UK GDPR); 

• the sharing is necessary in order to protect the vital interests of the data subject or of another person (Art 6(1)(d)); 

•  the sharing is necessary for the performance of a task carried out in the public interest or substantial public interest (Art 6(1)(e) or Art 9(2)(g) UK GDPR); 

• The sharing is necessary for the pursuit of a legitimate interest (Art 6(1)(f) UK GDPR); or 

• the sharing is necessary for the performance of a contract (Art 6(1)(b) UK GDPR). 

 
My staff and I may seek your prior express consent to share your personal data with any of the following: 
 

• employment and recruitment agencies; 

• press and the media; 

• family, associates and representatives of the person whose personal data I am processing; 

• enquirers; 

• subjects of complaints; 

• political parties; 

• charitable bodies; 

• parliamentary staff for the purposes of submitting motions and questions 

 
The consequences of my not processing personal data are: 
 

• Where my staff and I am processing personal data for the performance of a contract, the consequence of not processing the personal data is that I may not be able to fulfil my obligations under that contract. 

• Where my staff and I am processing personal data in accordance with a statutory obligation, the consequence of not processing personal data may be that I am liable to regulatory fines for non-compliance with that statutory duty. 

 
Automated data processing: 
My staff and I do not use automated processing techniques to process your data. 
 
Retention of personal data: 
My staff and I retain personal data for the period that is necessary to carry out casework on behalf of my constituents, work on issues and campaigns I am involved in, and to maintain supplier information, expenses, accounts and associated records. 
 
 
Normal category data: 
If you contact me with an inquiry or a complaint, I will normally need to store your contact details to deal with your inquiry or complaint.  This is considered to be normal category data under the UK GDPR. 
 
Using my website: 
My website uses cookies to gather information about how visitors use my website to help me improve its performance, and secondly, to improve the visitor experience when using the website by delivering pages more quickly or remembering user settings.  Additionally, videos on the website may use cookies created by third-party providers such as Flash or YouTube.    
The information my staff and I collect is anonymous – it cannot be used to identify you personally.  Further information on the way that I use cookies and how you can set your browser to control cookies is available in Weebly’s privacy policy here:  www.weebly.com/uk/privacy 
 
Your rights 
The UK GDPR sets out the rights which individuals have in relation to personal information held about them by data controllers. These rights are listed below, although whether you will be able to exercise each of these rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place (see the individual privacy notices listed above for further details in relation to specific processing activities). 
 
Access to your information – You have the right to request a copy of the personal information about you that my staff and I hold.  
 
Correcting your information – I want to make sure that your personal information is accurate, complete and up to date and you may me to correct any personal information about you that you believe does not meet these standards. 
 
Deletion of your information – You have the right to ask me to delete personal information about you where: 
 

• You consider that my staff and I no longer require the information for the purposes for which it was obtained 

• Mt staff and I am using that information with your consent and you have withdrawn your consent. 

• You have validly objected to my use of your personal information –my use of your personal information is contrary to law or our other legal obligations. 

  
Objecting to how we may use your information – You have the right at any time to require me to stop using your personal information for direct marketing purposes.  In addition, where my staff and I use your personal information to perform tasks carried out in the public interest or for a legitimate interest then, if you ask me to, I will stop using that personal information unless there are overriding legitimate grounds to continue. 
 
Restricting how we may use your information – in some cases, you may ask me to restrict how my staff and I use your personal information.  This right might apply, for example, where I am checking the accuracy of personal information about you that my staff and I hold or assessing the validity of any objection you have made to my use of your information.  The right might also apply where this is no longer a basis for using your personal information but you don’t want me to delete the data.  Where this right is validly exercised, my staff and I may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so. 
 
Withdrawing consent using your information – Where my staff and I use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given. 
 
Please contact me using the contact details provided above. 
 
Changes to my privacy statement 
I keep this privacy statement under regular review and will place any updates on my website – https://paulmclennan.scot/ .  Paper copies of the privacy statement may also be obtained using the contact information above. 
This privacy statement was last updated on 8^th Nov 2024. 
 
Contact information and further advice 
Any requests regarding the details mentioned in this privacy notice can be sent to Paul McLennan MSP, 5A Mitchells Close, Haddington EH41 3NB email Paul.McLennan.msp@parliament.scot 
 
Complaints 
I seek to resolve directly all complaints about how I handle personal information but you also have the right to lodge a complaint with the Information Commissioner’s Office: 
Online: https://ico.org.uk/global/contact-us/email/ 
By phone: 0303 123 1113 
By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF 

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Cookies