Core Privacy Notice

The Data Protection Act 1998 and General Data Protection Regulation

Whose personal data do we process and why?

Sharing your information

Protecting your personal information

How long we keep your personal data

Your rights regarding the personal data we hold about you

As the scrutiny and improvement body for social care and social work services across Scotland, we have powers under Part 5 of the Public Services Reform (Scotland) Act 2010 to collect and process personal information about people who provide, manage, work for and use care services. We also process personal information for a number of other purposes including, but not restricted to, the employment of staff, business administration and for any other purposes required under our statutory powers.

We are committed to protecting the privacy of the people whose personal information we hold and to complying with the Data Protection Act 1998. This Privacy Notice explains how we meet those commitments in practice.

The Data Protection Act 1998 and General Data Protection Regulation

The Data Protection Act 1998 (the ‘Act’) came into force on 1 March 2000. It sets down rules for processing personal information and applies to some paper records as well as those held electronically. The General Data Protection Regulation will replace the Act on 25th May 2018 and we will replace this privacy notice from that point.

We are a ‘data controller’ under the Data Protection Act 1998. We have notified the Information Commissioner that we process personal data and our registration number is Z2582022.

Whose personal data do we process and why?

We process the personal data of a number of different groups of people for a range of explicit purposes. This section provides a summary of whose personal data we process and why. It is not an exhaustive list but provides an indication of key groups and purposes.

Care service managers, owners and workers

People experiencing care

Participants in our research and policy work

People who use our websites and engage with us on social media

Care Inspectorate job applicants, employees and ex-employees

Care service managers, owners and workers

As the independent regulator of social care and social work services across Scotland, we have powers under Part 5 of the Public Services Reform (Scotland) Act 2010 to collect and process personal information about people who provide, manage and work for care services. This can include their name, address and other contact details, date of birth, qualifications, training and experience, data relevant to disclosure and PVG checks, employment history including any disciplinary action and outcome.

We process this personal information for a number of purposes:

  • processing applications for the registration of new care services
  • maintaining a public register of regulated care services
  • administering regulatory notifications and annual returns
  • inspecting social work services and registered care services to support improvement in the quality of care experienced by people and their carers
  • investigating any complaint raised against a care service or the Care Inspectorate itself, including making any necessary publications about the investigation
  • taking formal enforcement action to require care services to improve the quality of their care
  • providing information and advice to people who provide care services, or who are considering becoming care service providers
  • sending communications connected with care service registration or notifications
  • dealing with any calls to our contact centre
  • policy development, research and engagement activities to improve care quality standards. 

People experiencing care

Access to personal information about people experiencing care plays an essential role in the Care Inspectorate’s inspections and the wider regulation of health and social care services in Scotland.

Our statutory powers under Part 5 of the Public Services Reform (Scotland) Act 2010 allow us to obtain and review the personal details of individual people experiencing care. This includes information from medical and care records, where it is necessary to do so as part of our regulatory care service inspections and when undertaking investigations related to complaints and enforcement action. These powers mean that we do not need to get a person’s consent to obtain this information.

We may need to access personal and sensitive personal information of people experiencing care to allow our inspectors to assess whether:

  • providers of care are using care plans to ensure that people experience person-led care that meets their clinical and personal needs, particularly older people and people with long-term conditions (such as diabetes or dementia), people with a learning disability, and other people who may be vulnerable because of their circumstances
  • lessons have been learned from complaints and serious incidents to improve safety and care, and whether care providers have met their duty of candour obligations to explain and apologise for serious mistakes
  • the rights of people who have been detained under the Mental Health Act are being respected and protected
  • medication records are kept properly
  • information has been shared properly (lawfully, effectively and appropriately) between care services
  • people are properly involved in decisions about their care, they are asked to give their consent about their care, and their decisions are respected
  • safeguarding concerns are being appropriately acted on to ensure that people who may be vulnerable are being protected from abuse and harm.

We also obtain information in a number of other ways, outwith our inspections, to help us to monitor the quality of care, prioritise our work, and identify problems with services that may require us to take regulatory action. We do this in a number of ways, for example:

  • we invite people who use services to share their experiences with us
  • we share information locally and nationally with other organisations involved in commissioning, providing and regulating care, for example, local authorities, Healthcare Improvement Scotland, and professional regulators like the Scottish Social Services Council and the Nursing and Midwifery Council.

Where possible, we will use anonymised information or information other than personal information to carry out our work, but looking at, and using, personal information is often the only practical way in which we can carry out our work effectively. For example, it may be difficult and time consuming for a care provider to make anonymised copies of any records we need to see as we request them during an inspection. In other cases, we may need to know whose records we are looking at because we are trying to understand how that person’s needs have been met.

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the complaint is in relation to the care of an individual. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle each complaint on an anonymous basis.

Similarly, where enquiries are submitted to us in relation to care services or our own operations, we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Participants in our research and policy work

We may ask whether you wish to take part in a research project, consultation or survey. Participation is entirely voluntary and any information is collected with your consent.

Where possible, we will avoid collecting personal information about you when gathering this information. Where this cannot be avoided, we delete your personal data as soon as we have collated the information into an anonymised format.

We will inform you that research-related information may be held by external researchers with whom we are working.

If you choose to provide us with information that identifies you, this will not be published in any reports.

People who use our websites and engage with us on social media

To access some of the services available via our websites you will need to register with us. This includes subscription to our Hub e-newsletter and online account. During the registration process you will be asked to submit personal information about yourself, for example name and email address. By entering your details in the fields requested, you enable us to provide you with those services or to contact you as agreed during the registration process.

When you provide such personal information, you accept that we may retain your personal information and that it may be held by us or any third party that processes it on our behalf for the purposes of providing the information or services which you have requested.

When you subscribe to our services, you can cancel your subscription at any time and are given an easy way of doing this. We will then delete your personal data in line with our retention policy.

Where we require your consent to use the personal information provided, we will state this at the point of collection of that information and let you know how to withdraw your consent should you wish to in the future.

In addition, we may also collect personal information from you when you correspond with us, for example, when you phone, email or write to us or when you engage with us on our social media sites.


We also collect certain information automatically about visitors to our websites, using cookies. Cookies are small text files that are placed on your computer by websites that you visit. When someone visits any of our websites, we use cookies to collect standard internet log information and details of visitor behaviour patterns.

We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. You can read more about how we use cookies on our Cookies page.

Links to other sites

This privacy notice applies solely to information collected by us. Our websites and social media channels may contain links to other websites. We are not responsible for the privacy practices of other sites. When you leave our site please be sure to read the privacy statements of every site that collects personal data about you.

People who email us

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Care Inspectorate job applicants, employees and ex-employees

We need to process personal data about our own staff and people applying to work for us so that we can carry out our role, for example by ensuring that we have the right staff to perform our inspections, and so we can meet our legal and contractual responsibilities as an employer.

Job applicants

When individuals apply to work at the Care Inspectorate, we will only use the information they supply to us:

  • to process their application
  • to monitor recruitment statistics.

Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from Disclosure Scotland, we will not do so without informing them beforehand unless the disclosure is required by law.

We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Current and former employees

The personal information we hold about our current employees includes identifiers such as names and National Insurance numbers, characteristics such as ethnic group, employment contract and remuneration details, qualifications and absence information.

Some of the data you supply will be anonymised and used for statistical purposes for:

  • improving the management of workforce data
  • enabling the development of a comprehensive picture of the workforce and how it is deployed
  • informing the development of recruitment and retention policies
  • allowing better financial modelling and planning
  • enabling ethnicity and disability monitoring. 

We will not share information about you with third parties without your consent unless the law requires us to; for example, we are required by law to pass on some of this personal data to HMRC.

We retain different categories of employee personal data for different periods of time throughout and after employment, in accordance with the requirements in our retention schedule and then destroy it confidentially.

Inspection volunteers

We process the personal details of our inspection volunteers for the purpose of recruitment and to support them in their inspection role. This includes name, contact details, criminal convictions, data to enable ethnicity and disability monitoring (which is anonymised), personal (non-work) experience of using care services and any support needs they may have.

Sharing your information

We regularly need to share personal information with other organisations when fulfilling our statutory functions and obligations. Where this is necessary we are required to comply with all aspects of the Data Protection Act. We will only disclose or share confidential personal information with your consent or where it is necessary to do so to perform our regulatory functions or for another legitimate and lawful purpose such as complying with employment or health and safety legislation.

We work closely with other organisations that manage and oversee the health and social care system. We will share information with these organisations for example where we are carrying out joint inspections with partner agencies, investigating complaints or taking enforcement action.

We have memoranda of understanding with partner agencies with whom we regularly share personal information to ensure that this information is properly protected and appropriately, fairly and lawfully handled and disposed of. These include, but are not limited to:

  • Disclosure Scotland
  • Education Scotland
  • Healthcare Improvement Scotland (HIS)
  • Mental Welfare Commission
  • Nursing and Midwifery Council (NMC)
  • Scottish Care (Independent Care Sector)
  • Scottish Social Services Council (SSSC)
  • Scottish local authorities

We may share any information that you provide to us, including information about your identity and the identities of others, with Police Scotland and other agencies involved in the prevention, detection, investigation or prosecution of crime or other unlawful activities. We will only do so when it is considered necessary and proportionate to do so.

The Care Inspectorate employs a number of data processors who process personal data on our behalf, for example for payroll processing. We have measures in place with our data processors to ensure the security of data processed by them. Under the General Data Protection Regulation, our data processors will have direct duties and liability for non-compliance or acting outside of instructions provided by us. These duties will include:

  • processing data only as instructed;
  • using appropriate technical and organisational measures to process personal data;
  • deleting or returning data to us during the processing contract and when that contract ends;
  • securing permission to engage other processors.

We are updating contractual instructions, data sharing agreements and compliance monitoring controls with our data processors to ensure they meet the requirements of the General Data Protection Regulation when it comes into force in May 2018.

The Care Inspectorate will never sell, assign, inappropriately disclose or rent your personal data to any other external organisation or individual.

Overseas Transfers

It may sometimes be necessary to transfer your personal information overseas. When this is needed, information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the Data Protection Act.

Protecting Your Personal Information

We are committed to ensuring that your confidentiality is protected and your personal information is secure. To prevent unauthorised access or disclosure, we have put in place appropriate technical and organisational procedures to safeguard and secure the personal data for which we are responsible. This includes:

  • ensuring the information is retained in a secure environment to ensure it is protected and that only those with a legitimate business need can access it
  • having robust procedures in place to protect personal information that we share, disclose or transfer to external parties, including our partners and third parties who process personal data on our behalf
  • having monitoring and incident management procedures in place to detect and resolve any personal data breaches as quickly as possible, to improve our controls by addressing the underlying causes of such breaches and, for serious breaches, to notify the UK Information Commissioner and those affected.

We have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents. He is supported by Information Asset Owners with responsibility for the governance of information at operational level.

Everyone working for the Care Inspectorate is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised or consented to by the individual, for example a person experiencing or providing care, or a Care Inspectorate employee, unless it is required or permitted by the law. We must also ensure that any impact on the privacy of an individual as a result of our actions is compliant with Article 8 of the Human Rights Act 1998.

How long we keep your personal data

We will only retain your information for as long as we need to support the purposes for which it was collected. Records are maintained in line with the Care Inspectorate retention schedule which determines the length of time records should be kept. At the end of this period the information is destroyed or deleted in line with our confidential destruction procedures. We retain de-personalised statistical information to help inform our work, but no individuals are identifiable from that data.

Your rights regarding the personal data we hold about you

The Data Protection Act 1998 gives you a number of rights relating to the personal data we hold about you.

Accessing your personal information

You can find out if we hold any personal information about you, and request a copy of that information, subject to some exemptions, by making a ‘subject access request’. We try to be as open as we can be in terms of giving people access to their personal information.

To find out more, please read our Subject Access Request Procedure which provides more information about this process and includes a form for you to complete and send to us, if you would like to make a subject access request.

Correcting, deleting or objecting to the processing of your personal information

Subject to some legal exceptions, you have the right to:

  • have any inaccuracies corrected
  • have your personal data erased
  • object to processing.

To learn more about these rights please see the ICO website.

You should make requests for any of these actions in writing by emailing the information governance team. We may need to refuse a request to delete, correct or stop processing personal data as a result of our legal obligations or to help us carry out our functions.

Complaints or queries about how we process your personal information

If you have any complaints or queries about how we process your personal information you should contact our information governance team.

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

If you are dissatisfied with our response to a complaint you send us, or have any concerns about our handling of your personal data, you can complain to the Information Commissioner's Office by using the details below:

Mail: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113

Changes to this notice

We keep our Privacy Notice under regular review and we will place any updates on this web page. This notice was last updated on 14 February 2018. 

How to contact us

Our contact details are:

The Care Inspectorate
Compass House
11 Riverside Drive
0845 600 9527