During the course of our work we collect/use personal data for the purpose of processing payment of invoices in return for goods, services or other contractual obligations provided under the Reimbursement of Members’ Expenses Scheme on behalf of Members of the Scottish Parliament.
All claims made under the Reimbursement of Members’ Expenses Scheme are published in line with Section 83 of the Scotland Act which requires the Parliament to ensure that information regarding the sums paid in expenses under the Scheme is published for each financial year. We therefore publish data about suppliers including names of individual suppliers where applicable. Published data also includes Members names and information about payments that they or their suppliers have received.
Normal category data is processed which includes: name, address, telephone number, email address and bank or building society account details for:
Personal data is provided to us directly from individuals (data subjects) through:
Data protection law states that we must have a legal basis for handling your personal data.
The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract in terms of Article 6(1)(b) UK GDPR.
The processing is also necessary for the payment of invoices for expenses incurred by Members, and for the publication as described above under sections 81(2) and 83 of the Scotland Act and the Reimbursement of Members’ Expenses Scheme (a parliamentary resolution passed by virtue of section 81(2) and (5)(b) and 83(5) of the Scotland Act 1998.) The processing is therefore necessary to comply with a statutory obligation to which the Scottish Parliamentary Corporate Body (SPCB) is subject in terms of Article 6(1)(c) UK GDPR.
Should the data subject not provide the required information this would result in non-payment. The SPCB would also fail to meet its statutory obligations.
Where necessary, personal data is shared both internally within the Scottish Parliamentary Service and externally with other government agencies and organisations. We share your data with the following:
Supplier data is shared internally with the relevant business areas in order to:
All data relating to the payment of invoices can be shared (usually on a sample basis) with both internal audit (and support) and external auditors in order to review payments to ensure they are processed demonstrating good governance, accountability, integrity and ensure the relevant control measures are in place to reduce risk.
All personal data is shared with the relevant bank or building society to allow payment.
The financial accounting systems we use are provided by a third-party government agency and contractor both of which require access in order to provide administrative and technical support.
Personal data is also provided to the relevant government agencies as part of the National Fraud Initiative. Where possible links to the relevant privacy notices for these organisations can be found here:
Personal data is retained in both paper and electronic format in accordance with the Scottish Parliament records management policy, and access is limited as appropriate. All invoices and any supporting documentation is retained for the current financial year plus 6 years.
In line with the principles underlying the , our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child or adult may be at risk of abuse or harm.
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
The following rights may apply:
You have the right to request a copy of the personal information about you that we hold.
Further information on how to make a data protection 'subject access request'
You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
You have the right to ask us to delete personal information about you where:
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Please contact us in any of the ways set out below if you wish to exercise any of these rights.
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 30 July 2025.
If you are concerned that we have not handled your personal information properly you can make a complaint to the Information Governance Team of the Scottish Parliament at the following address: [email protected].
We will respond to your complaint without undue delay and within one month. If, having made a complaint, you are still concerned that your personal information has not been handled properly, you can make a complaint to the , or by phone at 0303 123 1113.
If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance and Data Protection Officer at:
The Scottish Parliament
Edinburgh
EH99 1SP
Email: [email protected]
British Sign Language through .
Please contact us if you require information in another language or format.