Data Protection
UK General Data Protection Regulation
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 cover the processing of personal data, including the obtaining, holding, use or disclosure of such information. They also provide for the rights of individuals to access information held about them.
Under the UK GDPR, we must only collect personal information which is needed for the purposes of carrying out our functions, and must not keep the information any longer than is necessary for those purposes. A person who is the subject of information must be given access to it on request.
The Scottish Law Commission needs to collect, process and hold certain personal information in connection with carrying out its functions.
The guide is divided into the following sections:
- Meanings of “personal data” and “special categories” of data,
- Data protection principles,
- Lawfulness of processing, and
- Making a subject access request.
Meanings of “personal data” and “special categories” of data
Article 4 of the UK GDPR defines “personal data” as any information relating to an identified or identifiable natural person.
It clarifies that an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Article 9 of the UK GDPR provides that certain ‘special categories’ of personal information may not be processed at all, unless the processing comes within one of the cases specified in that Article. These include that the data subject has given explicit consent to the processing.
The special categories include:
(a) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
(b) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
(c) the processing of data concerning health;
(d) the processing of data concerning a natural person's sex life or sexual orientation.
Data protection principles
Article 5 of the UK GDPR provides for the six principles that regulate the processing of personal information. The principles are that personal information:
(a) must be processed lawfully, fairly and in a transparent manner;
(b) must be collected for specified, explicit and lawful purposes, and must not be further processed in a manner which is incompatible with those purposes;
(c) must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) must be accurate, and where necessary, kept up to date;
(e) must be kept in a form which permits identification for no longer than is necessary for the purposes for which the information is processed; and
(f) must be processed in a manner that ensures appropriate security of the information, using appropriate technical and organisational measures.
Lawfulness of processing
Article 6 of the UK GDPR sets out that the processing of personal information will only be lawful if the processing falls within specified categories. These include that the:
(a) data subject has consented to the processing;
(b) processing is necessary for the performance of a contract to which the data subject is a party; and
(c) processing is necessary for the performance of a task carried out in the public interest.
Making a subject access request
The UK GDPR gives individuals who are the subject of personal data various rights in relation to their information, including a right of access to personal data about them.
You can request information that the Commission holds about you by making a Subject Access Request. Your request must be in writing, and should be sent to us as follows:
Email - info@scotlawcom.gov.uk
Post
Chief Executive
Scottish Law Commission
Parliament House
11 Parliament Square
Edinburgh
EH1 1RQ
As required by the UK GDPR, we will respond to your request without undue delay, and in any event within one month of receipt.
Further information about your rights and our responsibilities under the UK GDPR can be obtained from the Information Commissioner’s Office.