Data Protection

The Commissioner will handle your information as follows:

Data Protection Act

For the purposes of the Data Protection Act 1998 (‘the Act’), the Commissioner is the data controller of all information capable of identifying living individuals (‘personal data’) contained in or relating to complaints processed by him – for example, the names and other personal details of complainers, councillors, members of devolved public bodies, MSPs and third parties.

In relation to MSPs, the Commissioner keeps all personal data securely for at least 5 years. In relation to councillors and members of devolved public bodies the Commissioner keeps all personal data securely, paper copies will be kept for at least 1 year.

Such information is used by the Commissioner to assist him in doing his job of investigating and dealing with complaints about councillors, members of devolved public bodies and MSPs. It is not disclosed other than to help the Commissioner carry out his job or where required by law or additionally, in relation to MSPs, by Parliamentary Standing Orders – the main example being to produce his report for the Standards, Procedures and Public Appointments Committee. This report is usually made public by the Standards, Procedures and Public Appointments Committee along with its own report to Parliament.


The Commissioner also makes an annual report to Parliament, which may exceptionally contain personal data. The Commissioner might also require to pass information to the police and prosecuting authorities if a complaint potentially involves the commission of a criminal offence by a councillor, member of devolved public bodies or MSP. Individuals can ask to access personal data held about them by the Commissioner (‘subject access’) in return for a fee of up to a maximum of £10. Because the Commissioner performs a regulatory function, some of the processing he carries out may be exempt from some of the provisions of the Act (eg the subject access right) in some circumstances.