Privacy

Audit Scotland provides such assistance and support as the Auditor General for Scotland and the Accounts Commission may require in the exercise of their respective statutory functions. Although all three bodies are Data Controllers, Audit Scotland in providing assistance and support will process most if not all of the personal information collected for our statutory work. In this notice we will only refer to Audit Scotland but it should be taken as including the Auditor General and Accounts Commission.

This privacy notice tells you what to expect when Audit Scotland collects personal information either directly from you or through our statutory work. It explains why we collect it, what we do with it, who we share it with, how we protect it and what your rights are in relation to it.

It applies to information we collect about:

If you have any queries or concerns about our use of your personal information or this notice, please contact us at info@audit-scotland.gov.uk or telephone 0131 625 1500 and ask for the Corporate Governance Manager.

A key to explain the icons used in the text below is available here.

Data protection law

Data protection law says that we are allowed to use personal information only if we have a lawful reason to do so. Depending on the nature of the processing, our lawful reasons for processing personal information are:

  • it’s necessary for the performance of a task carried out in the public interest or in the exercise of our official authority (ie to conduct our audit work and associated activities related to our function), or
  • to fulfil a contract we have with you (ie employment contract), or
  • to carry out obligations and exercising specific rights in the field of employment and social security and social protection law, or
  • it’s necessary for compliance with a legal obligation, or
  • it’s in our legitimate interest to do so, or
  • you have given your consent.

Back to top

Our statutory work

Audit Scotland undertakes audits, examinations and National Fraud Initiative (NFI) work under our statutory powers derived from the Public Finance and Accountability (Scotland) Act 2000 and the Local Government (Scotland) Act 1973 and any subsequent amendments to these Acts. Under our statutory powers we may collect information from Scottish public bodies that contain some personal information. In addition, we may collect personal information directly from individuals through surveys and interviews.

Personal information may be used in audit tests (such as when testing payroll or housing benefit systems) and to help form judgments and report on financial, Best Value and value for money audits and to promote economy, efficiency and effectiveness in the use of public money. We will only use this information for the purpose it was collected. We will hold it securely and when it is no longer needed it will be disposed of in accordance with our retention schedule.

The lawful reason for processing personal information in relation to our statutory work is that it is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.

Please note that a separate privacy notice is available for our NFI work and is available within the NFI section of our website here.

Personal information we may collect for our statutory work

In exercising our statutory powers we may require the following types and categories of personal information from the public bodies we audit.

General categories of personal information such as:

  • Personal details
  • Contact details
  • Financial details
  • Employment details
  • Educational details
  • Details of correspondence, claims, complaints, incidents and grievances
  • Responses to surveys and interviews

Special categories of personal information such as:

  • Racial or ethnic origin details
  • Political opinions
  • Religious or philosophical beliefs details
  • Trade union membership
  • Genetic or biometric details
  • Health, sex life or sexual orientation details

Who personal information is processed about

In conducting statutory audits, we may process personal information about:

  • public bodies employees
  • members of the public that receive services from and interact with the public bodies
  • public bodies customers and clients, advisors, suppliers, professional experts, whistleblowers, banks, etc
  • MPs, MSPs, Councillors and Officials
  • regulators, ombudsmen and commissioners
  • members of the public including whistleblowers that write directly to us.

Who we may share personal information with

When undertaking our statutory work, we sometimes need to share the personal information we process with others. Where this is necessary, we will comply with all aspects of data protection legislation. Where necessary we may share information with:

  • auditors, inspectorates and other public bodies
  • professional advisors and consultants
  • regulators, ombudsmen and commissioners
  • healthcare professional, social and welfare organisations
  • police
  • prosecuting authorities and courts
  • external auditors and professional auditing bodies.

Sending personal information outside the European Economic Area (EEA)

We do not send personal information collected during our statutory work outside the EEA.

How long we keep personal information

Personal information collected during the audit is deleted at the end of the audit whenever possible. Sometimes it is necessary to keep personal information longer such as to:

  • demonstrate that audit tests can be repeated
  • evidence audit conclusions and judgements
  • demonstrate the quality of our work to professional bodies.

If personal information cannot be deleted at the end of the audit, it will be kept securely for six years from the conclusion of the audit then deleted.

Automated decisions

Audit Scotland does not make automated decisions on the personal information collected from you or from public bodies under our statutory powers.

Your rights under our statutory work

In carrying out our statutory work, data protection legislation allows, restricts or exempts your rights where your rights would be likely to prejudice the proper discharge of our function. However, where personal information is collected as part of our statutory work we will process it lawfully, fairly and in a transparent manner.

View the information below to find out what rights you have. You can find out more about what these rights mean here.

You have the following rights:

right to appeal to Information Commissioner Right to complain to supervisory authority

These are exempt rights:

right to access Right of access right to rectification Right to rectification right to restrict processing Right to restrict processing right to erasure Right to erasure right to data portability Right to data portability

These are restricted rights:

right to object Right to object

Back to top

Job applicants, current and former Audit Scotland employees

Audit Scotland is the data controller for the information you provide during the recruitment and selection process unless otherwise stated. The processing of your personal information is necessary for compliance with any legal obligations we have and for taking steps prior to entering into a contract of employment. If you have any queries about the recruitment and selection process or how we handle your information, please contact a member of the Human Resources (HR) team on 0131 625 1500.

What information do we ask for and what will we do with it?

We will not collect more information than we need to undertake the recruitment and selection process and will not retain it for longer than is necessary (see the ‘How long is the information retained for’ section below). The information will be used to assess your suitability for employment. You don't have to provide what we ask for but it might affect your application if you don't.

All of the information you provide during the recruitment process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the EEA. The information you provide will be held securely by us and/or our data processors, whether the information is in electronic or physical format.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.

Application stage and assessment

Our online recruitment application system is managed on our behalf by a data processor (please see ‘Use of data processors’ section below) called iTrent. If you use our online system, you will provide the requested information to them. Once you register and submit an online application form they will hold the information you submit but Audit Scotland will have access to it.

Information we will ask you for

We ask you for your personal details including name and contact details. We will also ask you about your previous employment, experience, education, professional memberships, referees and for answers to questions relevant to the role you have applied for. Our HR team and shortlisting/selection managers will have access to all of this information.

We also ask if you are entitled to work in the United Kingdom (UK) and to complete a diversity monitoring section, which asks for information about your age, disability, ethnic origin, gender and race, religion or belief, and sexual orientation. Diversity monitoring is not mandatory information and therefore a ‘prefer not to say’ option is included in the diversity response section. This information will not be made available to any staff outside of our HR team, including Audit Scotland managers, in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics. Information on a disability may be disclosed to the shortlisting and interview panel in so far that reasonable adjustments may be made to ensure candidates with a disability can compete equally with all other candidates.

Shortlisting

Audit Scotland managers shortlist applications for interview. They will not be provided with your equal opportunities information if you have provided it.

Assessments

We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by Audit Scotland.

If you are unsuccessful following assessment/selection for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.

How we make decisions about recruitment

Final recruitment decisions are made by Audit Scotland managers and members of our HR recruitment team. All of the information gathered during the application process is taken into account.

You are able to ask about decisions made about your application by speaking to our HR team by emailing HR@audit-scotland.gov.uk.

Veredus

Veredus sometimes assists us with our recruitment and selection assessment. Veredus is provided with your name, email address and occasionally your telephone number in order to administer the online assessment.

Here is a link to their Privacy policy: www.veredus.co.uk/privacy-policy

Conditional offer

If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the UK and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to:

  • provide proof of your identity – you will be asked to attend our office with original documents, we will take copies
  • provide proof of your qualifications – you will be asked to attend our office with original documents, we will take copies
  • complete a questionnaire about your health to establish your fitness to work. This is done through a data processor (please see below).

We will contact your referees, using the details you provide in your application, directly to obtain references.

If we make a final offer, we will also ask you for the following:

  • bank details – to process salary payments
  • emergency contact details – so we know who to contact in case you have an emergency at work
  • membership of a Pension scheme – so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme.

Wellness International

Wellness International provides our Occupational Health service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to the work environment or systems so that you may work effectively.

We will send you a link to the questionnaire which will take you to Wellness International’s website. The information you provide will be held by Wellness International who will provide us with a fit to work certificate or a report with recommendations. You can request to see the report before it is sent to us. If you decline for us to see it, then this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by Wellness International.

After you start

Some roles require a higher level of security clearance – this will be clear on the advert. If this is the case, then you will be asked to submit information online via Disclosure Scotland. You will be required to give details of the following:

  • your address details for the past five years
  • your National Insurance number.

You will also need to supply a copy of one piece of personal ID which includes your date of birth, such as your:

  • passport
  • driving licence
  • birth certificate.

You will also need to supply a copy of one of the following, which includes your current address:

  • utility bill (gas, electric or landline telephone)
  • rental agreement/mortgage (must be typed not handwritten)
  • current bank statement.
  • doctor's letter.

Disclosure Scotland will supply you with a unique reference number. You should give your original basic disclosure form to HR who will hold this information securely for you.

Use of data processors

Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

How long is the information retained for?

If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus seven years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 12 months from the closure of the campaign.

Information generated throughout the assessment process, for example interview notes, is retained by us for 12 months following the closure of the campaign.

Equal opportunities information is retained for 12 months following the closure of the campaign whether you are successful or not.

iTrent will provide us with management information about our recruitment campaigns. This is anonymised information which tells us about the effectiveness of campaigns, for example, from which source did we get the most candidates, equal opportunities information for monitoring purposes. This anonymised information will be retained for 12 months from the end of the campaign.

Secondments

We also offer opportunities for people to come and work with us on a secondment basis. We accept applications from individuals or from organisations who think they could benefit from their staff working with us.

Applications are sent directly to the appropriate Business Group Lead in Audit Scotland who will discuss it with HR. Once we have considered your application, if we are interested in speaking to you further, we’ll contact you using the details you provided.

We might ask you to provide more information about your skills and experience or invite you to an interview.

If we do not have any suitable work at the time, we’ll let you know but we might ask you if you would like us to retain your application so that we can proactively contact you about possible opportunities in the future. If you say yes, we will keep your application for 6 months, if you say no then your details will be securely destroyed/deleted.

If you are seconded to Audit Scotland, we will hold the information you have supplied and may also ask that you provide further information which gives us details of your personal information for contact details and where applicable information relating to payments of salary/expenses.

You will be expected to adhere to a confidentiality agreement and code of conduct which will be agreed with your organisation.

Your rights

Under data protection legislation, you have rights as an individual which you can exercise in relation to the information we hold about you. Where personal information is collected as part of our recruitment we will process it lawfully, fairly and in a transparent manner.

View the information below to find out what rights you have. You can find out more about what these rights mean here.

You have the following rights:

 right to access Right to access  right to rectification Right to rectification right to restrict processing Right to restrict processing right to object Right to object  right to appeal to Information Commissioner Right to complain to supervisory authority

You have restricted rights:

right to erasure Right to erasure right to data portability Right to data portability

To make a request to Audit Scotland for any personal information we may hold, please follow the process here: Access to personal information

Contact us if you wish to discuss your rights.

Personal information handling arrangements - complaints or queries

Audit Scotland tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of personal information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with clarity in mind. It does not provide exhaustive detail of all aspects of Audit Scotland’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. If you want to make a complaint about the way we have processed your personal information, you can contact our data protection officer at info@audit-scotland.gov.uk.

If you are not satisfied with our response to your complaint/query about how we handle your personal data, or if you believe we are not processing it in accordance with the law you can complain to the Information Commissioner’s Office (ICO) here https://ico.org.uk/concerns/handling/.

Back to top

People who make a complaint or correspond with us

People write to us for a number of reasons such as to raise a concern about a body we audit, to request information or to make a complaint about us.

When we receive a complaint about Audit Scotland, correspondence or concerns about a public body we audit, whistleblowing disclosures, data subject access or complex freedom of information requests, we hold the information, including personal information, in a file.

We will only use the personal information for the reason it was collected. However, we may have to disclose your details to others such as when investigating a complaint, informing the local auditor of your concern or with another regulatory body. If you do not want your personal information disclosed we will try to respect this, but this may not always be possible.

The lawful reasons for processing personal information in relation to complaints, whistleblowing disclosures, Freedom of Information requests and correspondence are:

  • it’s necessary for compliance with a legal obligation, or
  • it’s necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.

Who we may share personal information with

When investigating or responding to a complaint, correspondence or concerns about a public body we audit, whistleblowing disclosures, data subject access or complex freedom of information requests we sometimes need to share the personal information we process with others. Where this is necessary we will comply with all aspects of data protection legislation. We may share information with:

  • auditors, inspectorates and other public bodies
  • professional advisors and consultants
  • regulators, ombudsmen and commissioners
  • healthcare professional, social and welfare organisations
  • police
  • prosecuting authorities and courts
  • external auditors and professional auditing bodies.

Sending personal information outside the European Economic Area (EEA)

We do not send personal information collected when dealing with complaints, correspondence or concerns about a public body we audit, whistleblowing disclosures, data subject access or complex freedom of information requests outside the EEA.

How long we keep personal information

Personal information collected when dealing with complaints, correspondence or concerns about a public body we audit, whistleblowing disclosures, data subject access or complex freedom of information requests is deleted in line with our retention policy. Personal information is kept for:

  • Complaints about Audit Scotland – 3 years or 6 years if investigated by the Scottish Public Services Ombudsman (SPSO).
  • Correspondence about the bodies we audit – 3 years or 6 years if referred to an external body (ie SPSO).
  • Whistleblowing disclosures – 3 years or 6 years if referred to an external body (ie SPSO).
  • Freedom of Information requests – 3 years or 6 years if appealed to the Scottish Information Commissioner.
  • Data subject access requests – 3 years or 6 years if complained to the UK Information Commissioner.

Your rights

Under data protection legislation, you have rights as an individual which you can exercise in relation to the information we hold about you. Where personal information is collected as part of our complaints, whistleblowing, FOI and correspondence activities we will process it lawfully, fairly and in a transparent manner.

View the information below to find out what rights you have. You can find out more about what these rights mean here.

You have the following rights:

right to access Right to access right to appeal to Information Commissioner Right to complain to supervisory authority

You have restricted rights to:

right to rectification Right to rectification right to erasure Right to erasure right to restrict processing Right to restrict processing right to data portability Right to data portability  right to object Right to object

Back to top

Visitors to our website

We collect standard internet log information and details of visitor behaviour patterns when someone visits our website. We do this to find out things such as the number of visitors to the various parts of our site, to monitor the download of our reports and publications, and to help improve the service we provide.

This data collection process is carried out electronically in the background and therefore visitors to our website may not be aware that it is taking place. We believe that this process is not intrusive to the visitors’ privacy as we do not make any attempt to find out the identities of visitors to our website. The standard internet log information collected will only be used for the described purposes and will not be passed on to any other organisation.

Back to top

Use of cookies by Audit Scotland

We use cookies to collect standard internet information from visitors to our website. Cookies are small text files that are placed on your computer when you visit most websites. They are widely used to help websites function, work more efficiently and make the visit to the site more enjoyable, as well as providing information to the site's owner. Our recruitment website also uses cookies to allow visitors to securely apply for vacancies.

Audit Scotland’s website uses Google Analytics, which is a web analysis tool to collect the standard visitor log information we need to help us improve your visit experience. Google Analytics uses first-party cookies for this purpose and an overview of Google Analytics and privacy at Google provides more information.

Cookies used on Audit Scotland website
CookiesNamePurpose
Google Analytics_utma
_utmt
_utmb
_utmc
_utmz
_utmv
_ga
_gat
_gid
APISID
SAPISID
_Secure-APISID
_Secure-3PAPISID
_Secure-3PSID
NID
These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
Cookie ComplianceCookieControlCookie Control cookies. This cookie is set to remember the user's preferences about cookies. The cookie will expire after 90 days.
RecruitmentTS0
BIGip
_shibsession
Our website links to an external website at ce0741li.webitrent.com, which advertises our current vacancies and allows users to apply for jobs.

TSO and BIGip:
Cookies are added to this site by Cloud Services architecture to ensure web requests are consistently processed by the same server for the duration of a session.

_shibsession:
Occurs in all Hosted environment with SAML Single Sign on enabled. These cookies are created and maintained by Shibboleth-SP which implements the Shibboleth service for iTrent.
ReachDeck(cookies set by Google for Analytics listed above)This website uses ReachDeck, an accessibility and reading support tool.
ReachDeck uses anonymised Google Analytics to collect general usage statistics.
ReachDeck uses Local Storage in the web browser to remember your settings. This stores information about translation languages, your user preferences such as colours, and translation languages. This does not include any personally identifiable information.
YouTube(various)We embed videos from YouTube. These may set cookies on your computer but YouTube will not store personally identifiable cookie information for playbacks of embedded videos.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org. Deleting or blocking our cookies may result in our website not working properly.

You can opt out of being tracked by Google Analytics here.

Back to top

The search engine on our website is designed to be as powerful and easy to use as other popular search engines. It does not collect information from visitors to our website.

Back to top

Other websites

Our website may contain links to other websites which are outside our control and are not covered by this notice. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy notice, which may differ from ours.

Back to top

Social media features and widgets

Our website includes social media features, such as Facebook, X (formerly Twitter), LinkedIn, etc. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy policy of the company providing them.

Back to top

Subscription service

Audit Scotland provides a subscription service for people to receive email notifications whenever new reports are published; this service is provided on our behalf by Campaign Master. Campaign Master is a UK based, email marketing service which provides people with accessible, relevant, and important Audit Scotland information.

Lawful basis for processing

It is in Audit Scotland’s legitimate interests to inform public bodies and stakeholders of the publication of our reports. Stakeholders who do not wish to receive further notifications can unsubscribe at any time.

People can subscribe to our service by registering their interest on our website; the lawful basis for this type of processing of personal data is consent. Only information subscribed to will be sent. Subscribers can withdraw their consent and delete their subscriptions at any time.

What information does Audit Scotland/Campaign Master collect? How is it used?

Your subscriber profile contains the details required to send you the information you request. It consists of your email address, optional name, and the areas of interest you have chosen to receive information about.

Campaign Master uses this information to provide the services you request. Audit Scotland and Campaign Master never share personally identifiable information with third parties for promotional purposes.

How do I unsubscribe from email updates?

There is an Unscubscribe link in the footer of the emails Audit Scotland sends to you. Please note that clicking on this link from the footer of an email will not just unsubscribe you from that singular topic of updates, but it will also unsubscribe you from all updates from Audit Scotland.

If you wish to change the topics you receive updates about, you can click on the Update preferences link in the footer of the emails.

Your rights

Under data protection legislation, you have rights as an individual which you can exercise in relation to the information we hold about you. Where personal information is collected as part of our subscription service we will process it lawfully, fairly and in a transparent manner.

View the information below to find out what rights you have. You can find out more about what these rights mean here.

You have the following rights:

 right to access Right to access right to rectification Right to rectification right to restrict processing Right to restrict processing right to object Right to object  right to erasure Right to erasure  right to appeal to Information Commissioner Right to complain to supervisory authority

Back to top

Your rights explained

The following section explains the use of the icons in relation to your information rights.

right to access

The right of access

You have the right to obtain from Audit Scotland confirmation that your data is being processed, access to your personal data and other supplementary information.

right to rectification

The right to rectification

You are entitled to have incorrect data rectified or completed if incomplete by Audit Scotland.

right to erasure

The right to erasure

You have the right to request the removal of personal data where there is no compelling reason for its continued processing by Audit Scotland.

right to restrict processing

The right to restrict processing

You will have the right to request the restriction or suppression of personal data by Audit Scotland. When restricted, Audit Scotland is permitted to store data, but not process it.

right to data portability

The right to data portability
 

You have the right to obtain and reuse your personal data across different services. You can move, copy or transfer personal data you have provided to Audit Scotland without hindrance.

right to object

The right to object
 

You will be able to object to Audit Scotland processing your personal data based on legitimate interests.

right to be protected against automated decision making

Automated decision making and profiling rights

You have certain protection rights for automated decision making in cases where there is the risk of a significant legal impact.

right to complain to supervisory authority

The right to complain to a supervisory authority

You have the right to complain about Audit Scotland's processing to the Information Commissioner. However, please speak to us first to see if we can resolve your complaint.

exempt rights

Exempt rights
 

An icon with a red cross signifies that this right is exempt from data protection legislation for this purpose.

Back to top

Data subject access request

You have a right to access the personal data that we hold about you by making a ‘subject access request’ under data protection legislation. You can find more information here

Back to top

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy policy was last updated on 29 November 2023.

Back to top