The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 cover the whole of the United Kingdom and work in two ways. Firstly, they give you certain rights as an individual. Secondly, organisations that record and use personal data must be open about how the information is used and must follow the six data protection principles.
Data Protection Principles
The GDPR and the Data Protection Act 2018 require all organisations that process personal data to comply with six enforceable principles regarding privacy and disclosure; these vary slightly according to why personal data is being processed. These principles are that data shall be:
- Processed lawfully, fairly and in a transparent manner*
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Processed in a manner that ensures appropriate security
* The requirement for transparency does not apply in the same way to processing of personal data for law enforcement purposes – defined as the prevention, investigation or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is because the disclosure of information relating to this processing may prejudice these purposes.
The GDPR and the Data Protection Act 2018 strengthen the rights that you, as a data subject, possess in relation to the personal data that Police Scotland holds about you. These rights are:
- Right of access – you can make a ‘subject access request’ for a copy of the information we hold about you (see Subject Access Requests)
- Right to rectification – you can instruct us to correct any personal data we hold about you that is inaccurate
- Right to erasure (‘right to be forgotten’) – you can ask us to destroy any personal data that we hold about you
- Right to restrict or object to processing – in some circumstances, you can place restrictions on, for example, who can access your data or who we share it with
All of the above rights are subject to exemptions that we may apply, for example if your data is being processed for law enforcement purposes or under a legal obligation.
Our Privacy Notices explain the variety of purposes for which we process personal data, and the lawful basis that justifies each of these activities under data protection law. Our Appropriate Policy Documents for processing of special categories, as required by the Data Protection Act, are also available on the same page.
See Your Rights for more information on how to use the above rights, what we are required to do in response to a request, and the restrictions and exemptions that we may apply.
Enforcement of the GDPR and the Data Protection Act 2018
The Act is enforced by the Information Commissioner's Office (ICO). If you are unhappy in any way with how we have dealt with your request, you can contact the ICO at:
Information Commissioner’s Office
Tel: 0303 123 1113