Office of the Advocate General: Privacy Notice
Published 24 May 2018
© Crown copyright 2018
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/office-of-the-advocate-general-privacy-notice/office-of-the-advocate-general-privacy-notice
Office of the Advocate General Privacy notice
Date last modified: 03/09/2021
1. Who we are
The Office of the Advocate General (OAG) is the UK government’s Scottish legal team. We provide legal advice, drafting and litigation services to the UK government in relation to Scotland. We also support the Advocate General in his role as a Law Officer. We are part of the UK Government and part of the UK Governance Group.
OAG is a data controller for some of the information that it holds and processes – a data controller determines the purposes and means of processing personal data. For more information see the Information Commissioner’s Office (ICO) Data Protection Public Register. OAG’s registration number is Z2523124.
2. What data we process
Much of the personal data held and processed by OAG is for the purpose of providing advice to or litigating on behalf of UK government departments. Such personal data is exempt from the requirements of Articles 13 to 15 of the General Data Protection Regulation[1] (GDPR), under which an organisation is required to tell individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices.
OAG holds and processes some data not covered by this exemption, such as information held in connection with its staff or information supplied by individuals making Freedom of Information requests or otherwise corresponding with us. The personal data we collect from you may include: name, address, email address and other information you may choose to provide as part of your request or engagement with us such as phone number and date of birth.
OAG will only process your personal data under a lawful basis set out at Article 6 of the GDPR . When you correspond with us, the lawful basis will normally be that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
When you have made a Freedom of Information request, the lawful basis for processing your personal data is that “processing is necessary for compliance with a legal obligation to which the controller is subject”.
Personal information including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, will not be processed by us unless its processing falls under one of the exceptions in Article 9(2) GDPR.
3. Why we need it
We need this information in order to interact with you and deal with correspondence and Freedom of Information requests in an accurate and timely manner.
4. What we do with it
Your information will be logged on our system as appropriate and will be used for the purpose intended and as an administrative record that requests have been properly and fully actioned.
We will not:
● sell or rent your data to third parties
● share your data with third parties for marketing purposes
We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.
5. How long we keep your data
We will only retain your personal data for as long as it is needed for the purposes set out in this document or for as long as is required by law. In general, this means that we will only hold your personal data for a minimum of 1 years and a maximum of 7 years.
6. Children’s privacy protection
We understand the importance of protecting children’s privacy online. Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13 except as required to fulfil our duties as legal advisers to the UK Government.
7. Where it might go
Your data will be recorded on our system and will also be shared with our staff with your correspondence. Our IT infrastructure and technology has been validated from inception to delivery with supporting contracts to ensure compliance with all data sharing activities.
Your personal data may, throughout the course of its processing, be transferred outside of the European Economic Area (EEA). Where this is the case all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA.
8. How we protect your data and keep it secure
We are committed to doing all that we can to keep your data secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect about you – for example, we protect your data using varying levels of encryption. We also make sure that any third parties that we deal with have an obligation to keep all personal data they process on our behalf secure.
What are your rights?
You have the right[2] to:
● request information about how your personal data are processed and to request a copy of that personal data
● request that any inaccuracies in your personal data are rectified without delay
● request that any incomplete personal data are completed, including by means of a supplementary statement
● request that your personal data are erased if there is no longer a justification for them to be processed
● request that the processing of your personal data is restricted in certain circumstances – for example, where accuracy is contested
If your personal data is processed on the basis of consent, you have the right to:
● withdraw consent to the processing of your personal data at any time
● request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.
9. Changes to this notice
We may modify or amend this privacy notice at our discretion at any time. When we make changes to this notice, we will amend the last modified date at the top of this notice. Any modification or amendment to this privacy notice will be applied to you and your data as of that revision date. We encourage you to periodically review this privacy notice to be informed about how we are protecting your data.
10. How to contact us
The data controller for your personal data is the Office of the Advocate General. If you have any questions about anything in this document or if you consider that your personal data has been misused or mishandled you can email our Data Protection Officer at SO-and-OAG-DPO@ukgovscotland.gov.uk
Or by post at: OAG Data Protection Officer, c/o Scotland Office, 1 Melville Crescent, Edinburgh, EH3 7HW
You may also make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: casework@ico.org.uk or on 0303 123 1113.
Or by post at: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
[1] Regulation (EU) 2016/679
[2] These rights are subject to exemptions in the GDPR and the Data Protection Act 2018