Privacy Policy

Humza Yousaf MSP Data Protection Privacy Notice

This is the Privacy Notice of the office of Humza Yousaf, Member of the Scottish Parliament (MSP)

This privacy notice explains how my office collects and uses personal information about individuals.

My office address and contact details are:

Address: Suite 14, Fairfield Heritage Centre, 1048 Govan Road, G51 4XS

Email: humza.yousaf.msp@parliament.scot

Phone:0141 882 4647

Notification:

How I use your personal data:

I process any personal data under the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (the DPA).

What is personal data?

Personal data is any information from which a living individual can be identified either directly from the information or indirectly from that information together with other information that may be available.

I will hold all personal data securely, I will only use it for the purposes it was collected or acquired for and I will only pass it on to third parties with your consent and where I have a legal basis for doing so.

Further information about the data protection legislation and your rights is available here:

https://ico.org.uk/for-the-public/your-right-to-be-informed-if-your-personal-data-is-being-used

Purposes and categories of processing personal data:

I collect and use personal data to fulfil the following functions and associated activities of my office;

to carry out casework on behalf of my constituents;
to tend to issues and constituency-related campaigns I am involved in;
to maintain supplier relationships;
to process expenses, accounts and associated records.
to process personal information related to employment of MSP staff including recruitment, employee relations and associated responsibilities;

If you contact me with an inquiry or a complaint, I will normally need to store your contact details (such as your name, telephone number, email, date of birth and/or postal address) to deal with your inquiry or complaint. This is considered to be normal category data under the UK GDPR.

Other personal data you may provide to me may include details about your personal and family life, social circumstances and business activities, your employment and education details, financial information or information about your housing situation etc.. Depending on what views, issues or experiences you wish to discuss with me, you may be sharing special category data with me. For example, this could include details revealing race or ethnic origin, political or religious views, sex life or sexual orientation, trade union membership, physical or mental health, genetic or biometric data. I may also process criminal offence data which includes information about criminal convictions and offences or related security measure that you share with me .

If you are a supplier, I will normally need to store your name, contact and payment details for the purposes of the contract between us.

In relation to the recruitment of candidate(s) and employment of MSP staff I may process personal information for the following tasks:

Assessing your suitability for a job vacancy;
Contacting you in relation to your application for employment;
Processing your application for employment;
Making a decision about your recruitment or appointment;
Processing your contract of employment;
Providing and processing payments and benefits to you (including complying with pension auto-enrolment obligations, liaising with your pension provider and determining pension eligibility) and, if applicable, deduct tax and national insurance and any arrestment of earnings order;
Handling any disputes that may arise out of or in the context of your employment;
Monitoring your use of IT in terms of the Scottish Parliament’s https://www.parliament.scot/careers/employee-handbook/policies/use-of-it-and-social-media/acceptable-use-of-it-policy which includes access to your inbox for business purposes in the event of sickness absence or an emergency;
Details of your trade union membership;
Arranging access to learning and development resources;
Assessing entitlement to certain benefits such as Childcare vouchers and the cycle to work scheme;
Providing adjustments to someone with a disability in line with legal obligations under the Equality Act 2010;
Protecting your vital interests or those of another person (in exceptional circumstances, such as a medical emergency); and
Exercising or performing employment law rights and obligations and review equality of opportunity or treatment.

The legal basis for processing personal data:

Data protection law states that I must have a legal basis for handling your personal data. The permitted legal bases can be found in the UK GDPR and the DPA.

Casework

Where it is necessary for me to process data for the purpose of taking reasonable action on behalf of a constituent, I do not require the constituent’s consent for that processing. Please note that for the purposes of processing constituency casework from constituents your personal data will be shared with staff in my office who will provide assistance with your consistency casework. Members of my staff regularly monitor the main inbox and phones so are often the first point of contact when working on a case. The legal basis for the processing is that it is necessary for a task carried out in the public interest or, as regards special category data, the substantial public interest. In particular:

In relation to ‘normal’ category data (such as your name, address, contact information and information about your constituency casework), the legal basis is that the processing is necessary for an activity supporting or promoting democratic engagement (Article 6(1)(e) of the UK GDPR and section 8(e) DPA).

In relation to special category and criminal offence data, the condition for processing is where this is necessary for reasons of substantial public interest, which includes any processing carried out by an MSP, or a person acting with their authority, for the purpose of reasonable actions taken by the MSP in response to a request by an individual to take action on their behalf (Article 9(2)(g) UK GDPR (for special category data) and Article 10 UK GDPR (for criminal offence data) and paragraph 23 of Schedule 1 of the DPA).

Referral of Casework to Committees

Where I am engaged in constituency casework that raises matters relevant to the work of a Scottish Parliament Committee, I may share your personal contact details to the relevant Committee Clerk. The Committee Clerk may then contact you when this is a reasonable response to your concern.
The legal basis for processing is for the purposes of an activity supporting or promoting democratic engagement (Article 6(1)(e) UK GDPR and section 8(e) DPA).

You can find out more about how Committees collect and use personal information about individuals here:

Privacy Notice – Submitting your views to a Committee

Other processing activities

For other activities and functions which involve the processing of personal data, the legal basis for processing may, depending on the circumstances, be:

Processing necessary for a task carried out in the public interest (which includes processing necessary for an activity supporting or promoting democratic engagement (Article 6(1)(e) UK GDPR and section 8(e) DPA). Democratic engagement covers a wide range of political activities inside and outside election periods, including but not limited to: democratic representation, communicating with electors and interested parties, surveying and opinion gathering, campaigning activities, activities to increase voter turnout, supporting the work of elected representatives, prospective candidates and official candidates and fundraising to support any of these activities;
Processing necessary for the pursuit of legitimate interests except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
Consent of the data subject (the person who the personal data relates to). This is subject to the right to withdraw consent;
Processing necessary to comply with legal obligations;
Processing necessary to protect vital interests of individuals; and/or
Processing necessary for the performance of a contract.

As for any sensitive (or special category) data, the conditions for processing relied upon may, depending on the circumstances, be:

Processing necessary to comply with legal obligations;
Explicit consent;
Processing necessary to protect vital interests of individuals;
The data has been manifestly made public by the data subject; and/or
Processing necessary for the establishment, exercise or defence of legal claims.

Parliamentary motions and questions

I may also process your personal data for the purposes of submitting parliamentary motions and parliamentary questions which will be made to the Scottish Parliament and captured on SPTV and in the Official Report of Parliamentary Proceedings. You can access information about personal data processed on SP TV and in the Official Report at the following links:

https://www.parliament.scot/about/information-rights/data-protection/privacy-notices/broadcasting-and-photographs

https://www.parliament.scot/chamber-and-committees/official-report

In these circumstances the legal basis for processing is as follows:

the processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR and section 8(c) DPA) where I am satisfied that the raising of awareness/encouraging debate on an important issue in a motion is necessary to carry out my functions as an MSP.
the processing is necessary for the purposes of the legitimate interests (Article 6(1)(f) UK GDPR). The legitimate interests can be individual interests or broader societal benefits. This may be appropriate, for example, where I consider that it is necessary to include personal data in a motion for the legitimate interest of raising awareness about the efforts of a particular constituent.
consent has been given by the data subject(s) for their information to be used in this way subject to the right to withdraw consent (Article 6(1)(a) UK GDPR).

Where the processing of personal data in these circumstances involves special category and criminal offence data, the conditions for processing are as follows:

The processing is necessary for reasons of substantial public interest in relation to the exercise of a function conferred on a person by enactment or rule of law (Article 9(2)(g) and section 10(3) DPA and paragraph 6, Part 2 of Schedule 1 to the DPA) i.e. parliamentary questions serve a range of functions and are a key mechanism by which MSPs can obtain information from the Scottish Government and the SPCB which closely relates to their role of holding the government to account.
The processing is in connection with the discharge of my role as an MSP in response to a request by an individual or a constituent for me to take action on their behalf (Article 9(2)(g) UK GDPR, section 10(3) and paragraph 23, Part 2 of Schedule 1 to the DPA);
explicit consent (Article 9(2)(a) UK GPDR) has been given by the person named in the motion or who the question is about.
The processing relates to personal data that is manifestly made public by the person whose details are being used (Article 9(2)(e) UK GDPR).

Categories of processing activities and corresponding legal basis:

Processing of personal data means anything from collecting, storing, using to sharing and deleting (see link above for more information).

I process personal data in the following ways:

Processing activity	The legal basis	How long I retain the data	How the data may be shared
Receiving, storing and responding to general enquiries by letter, email or in person	The processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (Article 6(1)(e) UK GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest.	For constituent data, letters, emails and notes will be digitised (physical copies being shredded or returned immediately) and added to their casefile on Caseworker. Data will be deleted at the individuals request or when Humza ceases to be an MSP. For non-constituent data, letters will be digitised and emailed to Member for consideration with physical copies being shredded. Emails will be responded to and deleted, permanent deletion after 1 year.	For constituent and non-constituent data, letters, emails and notes will not be shared with any third parties until consent is obtained from the individual or their POA. Data may be shared between Member and members of staff for the purpose of confirming what action should be taken.
Receiving, storing and responding to complaints by letter, email or in person	The processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e) UK GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest.	For constituent complaints, letters, emails and notes will be digitised (physical copies being shredded or returned immediately) and added to their casefile on Caseworker. Data will be deleted at the individuals request or when Humza ceases to be an MSP. For non-constituent complaints, letters will be digitised and emailed to Member for consideration with physical copies being shredded. Emails will be responded to and deleted, permanent deletion after 1 year. In person complaints won’t be taken forward as we’d encourage the non-constituent to write to the appropriate authority to assist with the complaint.	For constituent and non-constituent data, letters, emails and notes will not be shared with any third parties until consent is obtained from the individual or their POA. Data may be shared between Member and members of staff for the purpose of confirming what action should be taken.
Receiving and storing data in relation to a personal issue or problem raised by a constituent (casework)	The processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e) UK GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. For special category data: The processing is necessary for reasons of substantial public interest (article 9(2)(g) UK GDPR and DPA Sch 1, para 23; (this covers any processing carried out by an MSP, or a person acting with their authority, for the purpose of reasonable actions taken by an MSP in response to a request by an individual to take action on their behalf).	For constituent data, letters, emails and notes will be digitised (physical copies being shredded or returned immediately) and added to their casefile on Caseworker. Data will be deleted at the individuals request or when Humza ceases to be an MSP.	For constituent data, letters, emails and notes will not be shared with any third parties until consent is obtained from the individual or their POA. Data may be shared between Member and members of staff for the purpose of confirming what action should be taken.
Collect and use data for the purpose of sending out newsletters with information about surgeries, office contact details and upcoming events and campaigns	The processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e) UK GDPR).	Constituents and constituency organisations who contact us have their details logged into our caseworker system. They are kept there until they request their details to be removed or updated, or until Member ceases to be the MSP. We also have names and addresses from the Electoral Roll. This forms our constituency contacts database and can be used when reaching out to all members of the constituency. This data is similarly kept until the individual requests it is deleted or updated, or until Member ceases to be the MSP.	Names and addresses would be shared with Royal Mail postal services when posting out newsletters or updates.
Take, store and use photos and videos in connection with my engagements and events I attend in my capacity as a MSP.	The processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e) UK GDPR) or for the purpose of a legitimate interest (article 6(1)(f) UK GDPR) or the data subject has provided consent (article 6(1)(e) UK GDPR). If photographs or videos include images of children, consent will be sought from the parent or guardian for children under the age of 12 years. For children over the age of 12 years the requirement for consent from the child will be dependent on their age and maturity.	All photos are stored on SharePoint and will remain there until they are requested to be deleted or Member ceases to be the MSP.	We obtain consent from organisations and individuals when capturing content at events / engagements to ensure we do not share photos or videos of people who do not wish to have this shared. Selected content may appear on Members social media, specifically Instagram, Facebook and X. It may also appear on the Members website and Newsletters. We store our content on SharePoint which is a private online storage space for my constituency office only. All team members have access to the photographs.
Employment related processing for the purposes of staff recruitment, including pre-employment checks	This processing is necessary for legitimate interests of the MSP (as a prospective employer), to select a suitable employee for an advertised position (article 6(1)(f) UK GDPR).	For successful candidates, their information will be stored on email or on Office Managers private One Drive for the term of their employment. For unsuccessful candidates, their information will be deleted unless they ask us to keep them on file for future opportunities. These emails would be kept in an Outlook folder or a SharePoint folder until the next recruitment period.	This information would not be shared with any third parties, unless requested by the individual. For the purpose of processing New Starts, the information must be shared with the SPCB – specifically IT, Facilities Management, Pay and Pensions, People Services and Security Team.
Appointment of MSP staff	The processing is necessary for the performance of a contract (article 6(1)(b) UK GDPR)	Information will be kept until the staff member ceases to work for Member	For the purpose of processing New Starts, the information must be shared with the SPCB – specifically IT, Facilities Management, Pay and Pensions, People Services and Security Team. Emergency contact details will be shared with all team members.
Making reasonable adjustments for person(s) with disabilities	The processing of special category data is necessary to comply with our legal obligations under the Equality Act 2010 (article 9(2)(g) UK GDPR, s10(3) and para 6(1), 2(a) of Part 2, Schedule 1 to the DPA).	Information will be kept until staff member no longer requires the agreed adjustments or until the end of their employment..	Data will be kept by Office Manager and Member. Information will only be shared with wider team where agreed upon between staff member and Manager. Information may have to be shared with People Services to access support, but will be done so with staff member’s consent.
Assessment of entitlement to benefits such as Childcare vouchers and the cycle to work scheme.	The processing is authorised by the consent of the data subject (article 6 (1)(a) UK GDPR).	Information will be kept until staff member no longer requires the agreed adjustments or until the end of their employment.	Data will be kept by Office Manager and Member. Information will only be shared with wider team where agreed upon between staff member and Manager. Information may have to be shared with People Services to access support, but will be done so with staff member’s consent.
Legal disputes	The processing of special category data may also be necessary for legitimate interests (article 6(1)(f) UK GDPR and article 9(2)(g) UK GDPR and paragraph 33 of Part 3, Schedule 1 to the DPA).	Data will be kept until the legal dispute is resolved. If involving a constituent, it will be kept until they request it be deleted or until Member ceases to be an MSP	Involved parties will have access to the data, it may have to be shared with a legal team or SPCB if the legal dispute is against our office. For constituents and non-constituents, we will not share their legal dispute data unless requested by them.
Monitoring your use of IT in terms of the Scottish Parliament’s https://www.parliament.scot/careers/employee-handbook/policies/use-of-it-and-social-media/acceptable-use-of-it-policy which includes access to your inbox for business purposes in the event of sickness absence or an emergency	The processing is necessary for the performance of a contract (article 6(1)(b) UK GDPR or, where applicable, where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (article 6(1)(f)	Information will be kept until the staff member ceases to work for Member

Sharing of personal data:

I sometimes may be required to share the personal information I hold with other individuals or organisations including for example:

healthcare, social and welfare organisations;
housing providers
local and central government bodies;
educators and examining bodies;
statutory law enforcement agencies;
investigating bodies;
elected representatives and other holders of public office;
financial organisations;
crime prevention agencies and the police.

Employment and pensions

In connection with employment as MSP staff, your personal data may be shared with the following third parties if this is required for performance of duties or by law:

HMRC;
Banks/ Building society;
Our service providers, including IT service providers; payroll and pension administrators; and those involved in providing benefits in connection with your appointment, such as for example childcare vouchers;
Offices within the Scottish Parliamentary Corporate Body (SPCB) including People Services and Legal Services for the purposes of providing advice and support on matters related to your employment;
Health professionals and occupational health providers involved in your care;
Audit (internal and external);

Other third parties as necessary to comply with the law. The SPCB will act as a data processor in order to provide third party pension scheme providers with the home address details of MSP staff in order that MSP staff may enrol on the scheme and receive information from the provider.

The current pension scheme provider is Aviva and their privacy notice is available here:

https://www.direct.aviva.co.uk/MyAccount/Public/MyAvivaPrivacyNotice

Depending on the circumstances, the legal basis for sharing data with these organisations may be that:

the sharing is necessary for complying with a legal obligation to which I am subject (article 6(1)(c) UK GDPR);
the sharing is necessary in order to protect the vital interests of the data subject or of another person (article 6(1)(d));
the sharing is necessary for the performance of a task carried out in the public interest or substantial public interest (article 6(1)(e) or article 9(2)(g) UK GDPR);
The sharing is necessary for the pursuit of a legitimate interest (article 6(1)(f) UK GDPR); or
the sharing is necessary for the performance of a contract (article 6(1)(b) UK GDPR).

I may seek your prior express consent to share your personal data with any of the following:

employment and recruitment agencies;
press and the media;
family, associates and representatives of the person whose personal data I am processing;
enquirers;
subjects of complaints;
political parties;
charitable bodies;

The consequences of my not processing personal data are:

Where I am processing personal data for the performance of a contract, the consequence of not processing the personal data is that I may not be able to fulfil my obligations under that contract.
Where I am processing personal data in accordance with a statutory obligation, the consequence of not processing personal data may be that I am liable to regulatory fines for non-compliance with that statutory duty.

Automated data processing:

I do not use automated processing techniques to process your data.

Sharing or processing personal data outside the European Economic Area:

Please note that sending personal data outside the EEA includes using online services (email distribution, survey software etc.) that are based outside the EEA.

I do not intend to share or process personal data in locations outside the EEA.

Retention of personal data:

I retain personal data for the period that is necessary to carry out casework on behalf of my constituents, work on issues and campaigns I am involved in, and to maintain supplier information, expenses, accounts and associated records.

In relation to employment as a member of staff working for an MSP we will retain all of your personal information during your engagement up until age 100 for the purposes of pension administration and to allow us to assist the employing MSP to establish, exercise or defend legal claims.

Using my website

My website uses cookies to gather information about how visitors use my website to help me improve its performance, and secondly, to improve the visitor experience when using the website by delivering pages more quickly or remembering user settings. Additionally, videos on the website may use cookies created by third-party providers such as Flash or YouTube.

The information I collect is anonymous – it cannot be used to identify you personally. Further information on the way that I use cookies and how you can set your browser to control cookies is available in my cookie policy here: https://humzayousaf.scot/cookie-policy/

Your rights

The UK GDPR sets out the rights which individuals have in relation to personal information held about them by data controllers. These rights are listed below, although whether you will be able to exercise each of these rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place (see the individual privacy notices listed above for further details in relation to specific processing activities).

Access to your information – You have the right to request a copy of the personal information about you that I hold.

Correcting your information – I want to make sure that your personal information is accurate, complete and up to date and you may me to correct any personal information about you that you believe does not meet these standards.

Deletion of your information – You have the right to ask me to delete personal information about you where:

You consider that I no longer require the information for the purposes for which it was obtained
I am using that information with your consent and you have withdrawn your consent.
You have validly objected to my use of your personal information –my use of your personal information is contrary to law or our other legal obligations.

Objecting to how we may use your information – You have the right at any time to require me to stop using your personal information for direct marketing purposes. In addition, where I use your personal information to perform tasks carried out in the public interest or for a legitimate interest then, if you ask me to, I will stop using that personal information unless there are overriding legitimate grounds to continue.

Restricting how we may use your information – in some cases, you may ask me to restrict how I use your personal information. This right might apply, for example, where I am checking the accuracy of personal information about you that I hold or assessing the validity of any objection you have made to my use of your information. The right might also apply where this is no longer a basis for using your personal information but you don’t want me to delete the data. Where this right is validly exercised, I may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent using your information – Where I use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.

Please contact me using the contact details provided above.

Changes to my privacy statement

I keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information above.

This privacy statement was last updated on 26th January 2026

Contact information and further advice

Address: Suite 14, Fairfield Heritage Centre, 1048 Govan Road, G51 4XS

Email: humza.yousaf.msp@parliament.scot

Phone:0141 882 4647

Complaints

I seek to resolve directly all complaints about how I handle personal information but you also have the right to lodge a complaint with the Information Commissioner’s Office:

Online: https://ico.org.uk/global/contact-us/email/

By phone: 0303 123 1113

By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.