Privacy Notice

We are committed to protecting the privacy of the people whose personal information we hold and to meeting our data protection obligations under the General Data Protection Regulation and UK Data Protection Act 2018. This Privacy Notice explains how we meet those commitments in practice. 

Who we are

We are the Care Inspectorate, the independent regulator of social care and social work services across Scotland, formed under the Public Services Reform (Scotland) Act 2010.

We are a registered ‘data controller’ with the UK Information Commissioner and our registration number is Z2582022.

How to contact us

If you have any questions about this privacy notice or our data protection policies generally, please contact us through our information requests portal.

You can also contact us by email This email address is being protected from spambots. You need JavaScript enabled to view it. 

By phone: 0345 600 9527

By post: The Data Protection Officer, Compass House, 11 Riverside Drive Dundee, DD1 4NY

What is our legal basis for processing your data

As the scrutiny and improvement body for social care and social work services across Scotland, we have powers under Part 5 of the Public Services Reform (Scotland) Act 2010 to collect and process personal information about people experiencing care and people who provide, manage, and work for care services.

The main legal basis we rely on to process your personal data is that it is necessary to perform our public tasks as a regulator and we will process sensitive personal data to ensure high standards of care.

In addition, under Section 44(1) b of the Public Service Reform (Scotland) Act 2010 we have “the general duty of furthering improvement in the quality of social services” and we may process personal data and sensitive personal data in furtherance of this duty.

We also process personal information for a number of other purposes:

  • to fulfil a contract with you as an employee or contractor
  • to meet specific legal and statutory obligations
  • because the processing is within our legitimate interests as a business.
  • for research, historic and statistical purposes

Whose personal data do we process and why

People experiencing care

Access to personal information about people experiencing care plays an essential role in the Care Inspectorate’s inspections and the wider regulation of health and social care services in Scotland.

Our statutory powers under Part 5 of the Public Services Reform (Scotland) Act 2010 allow us to obtain and review the personal details of individual people experiencing care. This includes information from medical and care records, where it is necessary to do so as part of our regulatory care service inspections and when undertaking investigations related to complaints and enforcement action. These powers mean that we do not need to get a person’s consent to obtain this information.

We may need to access personal and sensitive personal information of people experiencing care to allow our inspectors to assess whether:

  • providers of care are using care plans to ensure that people experience person-led care that meets their clinical and personal needs, particularly older people and people with long-term conditions (such as diabetes or dementia), people with a learning disability, and other people who may be vulnerable because of their circumstances
  • lessons have been learned from complaints and serious incidents to improve safety and care, and whether care providers have met their duty of candour obligations to explain and apologise for serious mistakes
  • the rights of people who have been detained under the Mental Health Act are being respected and protected
  • medication records are kept properly
  • information has been shared properly (lawfully, effectively and appropriately) between care services
  • people are properly involved in decisions about their care, they are asked to give their consent about their care, and their decisions are respected
  • safeguarding concerns are being appropriately acted on to ensure that people who may be vulnerable are being protected from abuse and harm.

We also obtain information in a number of other ways, out with our inspections, to help us to monitor the quality of care, prioritise our work, and identify problems with services that may require us to take regulatory action. We do this in a number of ways, for example:

  • we invite people who use services to share their experiences with us
  • we share information locally and nationally with other organisations involved in commissioning, providing and regulating care, for example, local authorities, Healthcare Improvement Scotland, and professional regulators like the Scottish Social Services Council and the Nursing and Midwifery Council.

Where possible, we will use anonymised information or information other than personal information to carry out our work, but looking at, and using, personal information is often the only practical way in which we can carry out our work effectively. For example, it may be difficult and time consuming for a care provider to make anonymised copies of any records we need to see as we request them during an inspection. In other cases, we may need to know whose records we are looking at because we are trying to understand how that person’s needs have been met.

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable , for example, if the complaint is in relation to the care of an individual. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle each complaint on an anonymous basis.

Similarly, where enquiries are submitted to us in relation to care services or our own operations, we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Adults with Incapacity (AWI)

We may also process personal or sensitive personal information in order to process applications made under Part 4 of the Adults with Incapacity (Scotland) Act 2000. We will minimise the information processed to ensure only the minimum required to conduct this process is utilised. After the procedure for processing an application has been closed, we will only retain information for the purposes of carrying out our statutory monitoring duties, in line with our review and retention policy.

Care service managers, owners and workers

As the independent regulator of social care and social work services across Scotland, we have powers under Part 5 of the Public Services Reform (Scotland) Act 2010 to collect and process personal information about people who provide, manage and work for care services. This can include their name, address and other contact details, date of birth, qualifications, training and experience, data relevant to disclosure and PVG checks, employment history including any disciplinary action and outcome.

We process this personal information for a number of purposes:

  • processing applications for the registration of new care services
  • maintaining a public register of regulated care services
  • administering regulatory notifications and annual returns
  • inspecting social work services and registered care services to support improvement in the quality of care experienced by people and their carers
  • investigating any complaint raised against a care service or the Care Inspectorate itself, including making any necessary publications about the investigation
  • taking formal enforcement action to require care services to improve the quality of their care
  • providing information and advice to people who provide care services, or who are considering becoming care service providers
  • sending communications connected with care service registration or notifications
  • dealing with any calls to our contact centre
  • policy development, research and engagement activities to improve care quality standards.

Illegally operating care services

We may also process information in furtherance of our investigation into illegally operating care services.

Participants in our research and policy work

As previously mentioned under Section 44(1) b of the Public Service Reform (Scotland) Act 2010 we have “the general duty of furthering improvement in the quality of social services” and we may process personal data and sensitive personal data in furtherance of this duty.

We may also ask whether you wish to take part in a research project, consultation or survey out with this duty. Participation is entirely voluntary and any information is collected with your consent.

Where possible we will avoid collecting personal information about you, in all our activities and try to use anonymised or pseudonymised data. Where this cannot be avoided, we delete your personal data as soon as it is no longer required, or anonymise it at the earliest opportunity.

We will inform you that research-related information may be held by external researchers with whom we are working.

If you choose to provide us with information that identifies you, this will not be published in any reports.


We may also engage or collaborate or share information with academia (i.e. Colleges and Universities or their students) in relation to our regulatory or improvement activities. We will always utilise data which is already publicly available in the first instance.

If it is not possible to use publicly available information, we will always assess and assure a lawful basis and purpose, which furthers our regulatory and improvement activity before any data sharing takes place.

Participants in our communications and engagement work

The Care Inspectorate also conduct communications and engagement activities be open, transparent and accessible and provide the right information, at the right time, in the right way to our stakeholders.

Communications and engagement activities may also support and promote projects and initiatives which are part of our improvement work, both internally and externally. Additionally, communications and engagement activities may also have an educational and training function, to showcase best practice in care and people’s experiences of care, for example.

Participation in communication and engagement activities is usually voluntary and, in these instances, we may require your consent. You can withdraw your consent for the use of your personal data in communication and engagement activities at any time.

People who use our websites and engage with us on social media

To access some of the services available via our websites you will need to register with us. This includes subscription to our Hub e-newsletter and online account. During the registration process you will be asked to submit personal information about yourself, for example name and email address. By entering your details in the fields requested, you enable us to provide you with those services or to contact you as agreed during the registration process.

When you provide such personal information, you accept that we may retain your personal information and that it may be held by us or any third party that processes it on our behalf for the purposes of providing the information or services which you have requested.

When you subscribe to our services, you can cancel your subscription at any time and are given an easy way of doing this. We will then delete your personal data in line with our retention policy.

Where we require your consent to use the personal information provided, we will state this at the point of collection of that information and let you know how to withdraw your consent should you wish to in the future.

In addition, we may also collect personal information from you when you correspond with us, for example, when you phone, email or write to us or when you engage with us on our social media sites.


We also collect certain information automatically about visitors to our websites, using cookies. Cookies are small text files that are placed on your computer by websites that you visit. When someone visits or any of our other websites, we use cookies to collect standard internet log information and details of visitor behaviour patterns.

We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. You can read more about how we use cookies on our Cookies page.

Links to other sites

This privacy notice applies solely to information collected by us. Our websites and social media channels may contain links to other websites. We are not responsible for the privacy practices of other sites. When you leave our site please be sure to read the privacy statements of every site that collects personal data about you.

Job applicants

We need to process personal data about people applying to work for us so that we can carry out our role, for example by ensuring that we have the right staff to perform our inspections, and so we can meet our legal and contractual responsibilities as an employer.

When you apply to work at the Care Inspectorate, we will only use the information you supply to us:

  • to process your application
  • to monitor recruitment statistics.

Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from Disclosure Scotland, we will not do so without informing you beforehand unless the disclosure is required by law.

We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Current and former employees

We need to process personal data about our own staff so that we can carry out our role, for example by ensuring that we have the right staff to perform our inspections, and so we can meet our legal and contractual responsibilities as an employer.

The personal information we hold about you includes identifiers such as names and National Insurance numbers, characteristics such as ethnic group, employment contract and remuneration details, qualifications and absence information.

Some of the data you supply will be anonymised and used for statistical purposes for:

  • improving the management of workforce data
  • enabling the development of a comprehensive picture of the workforce and how it is deployed
  • informing the development of recruitment and retention policies
  • allowing better financial modelling and planning
  • enabling ethnicity and disability monitoring.

We will not share information about you with third parties without your consent unless the law requires us to, for example we are required by law to pass on some of this personal data to the HMRC.

We use our employees’ personal details to fulfil our obligations to them and the law and process their data under contract to satisfy our obligations in relation to:

  • training
  • development
  • business continuity
  • health and safety
  • pay and pensions

and many others…..

We retain different categories of employee personal data for different periods of time throughout and after employment, in accordance with the requirements in our retention schedule and then destroy it confidentially.

Professional registration 

We may also process personal data about our own staff and other non-contracted individuals (e.g. Locum Inspectors) in order to manage, support and maintain details of professional registration in accordance with contractual and/or regulatory or professional requirements to be registered with a relevant professional regulator.  

The personal information we may process in relation to professional registration activity includes identifiers such as names and registration numbers, conditions of registration and absence information where this is applicable.

Inspection volunteers, associate assessors and involved people

We process the personal details of our inspection volunteers and associate assessors at selection stage, to support you in your inspection role and when you participate in other engagement activities. This includes your contact details, disclosure checks, and any support needs you may have. For inspection volunteers we will also data collect data to enable ethnicity and disability monitoring (which is anonymised), and to understand your personal experience of using care services.

We also process the personal data of people experiencing care and carers who volunteer to take part in consultation and engagement activities as part of our Involving People Group.

Students and Professionals Shadowing Regulatory and Improvement Activities

We process the personal details of students to provide support during placements at the Care Inspectorate with their consent. In order for students to get the best out of their placements at the Care Inspectorate we may let them shadow our regulatory or improvement activity and lead on key projects where appropriate. We will make this clear to all care services, people experiencing care and other partners as appropriate if a student is accompanying a Care Inspectorate employee. We will use the lawful basis of Legitimate Interest after performing a Legitimate Interest Assessment.

We may also let other fellow health and social care professionals shadow our regulatory or improvement activities. A legitimate interest assessment will be performed prior to each activity and a confidentiality undertaken will have been signed.

Sharing your data

We regularly need to share personal information with other organisations when fulfilling our statutory functions and obligations. Where this is necessary we are required to comply with data protection legislation. We will only disclose or share confidential personal information with your consent or where it is necessary to do so to perform our regulatory functions or for another legitimate and lawful purpose such as complying with employment or health and safety legislation. 

We have memoranda of understanding and data sharing agreements with partner agencies with whom we regularly share personal information to ensure that this information is properly protected and appropriately, fairly and lawfully handled and disposed of. These include, but are not limited to:

  • Disclosure Scotland
  • Education Scotland
  • Healthcare Improvement Scotland (HIS)
  • Mental Welfare Commission
  • Nursing and Midwifery Council (NMC)
  • Scottish Care (Independent Care Sector)
  • Scottish Social Services Council (SSSC)
  • Scottish local authorities

We may share any information that you provide to us, including information about your identity and the identities of others, with Police Scotland and other agencies involved in the prevention, detection, investigation or prosecution of crime or other unlawful activities. We will only do so when it is considered necessary and proportionate to do so.

There is a specific Privacy Notice regarding our obligations under the National Fraud Initiative which can be found here.

Processing your data on our behalf

The Care Inspectorate employs a number of data processors who process personal data on our behalf, for example for payroll processing.

We have contractual instructions, data processing agreements and compliance monitoring controls in place to ensure these organisations:

  • only act under our instructions when they are processing your personal data on our behalf
  • use appropriate technical and organizational measures to protect your personal data.
  • delete or return data to us during the processing contract and when that contract ends.
  • get our permission before engaging sub-contractors to carry out any part of the service.

The Care Inspectorate will never sell or inappropriately disclose your personal data to any other external organisation or individual.

Overseas Transfers

It may sometimes be necessary to transfer your personal information overseas, out with the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of Data Protection legislation.


Our headquarters at Compass House utilises CCTV cameras for the security of the estate and our staff. There are signs in the vicinity of the CCTV that explain why we are have the CCTV, that it is recorded 24 hours a day and that video evidence from these recordings can be used in a court of law.

There may also be CCTV cameras at other offices where we are a tenant. We will not manage the CCTV in these premises but there are local notices that will advise who is responsible for the CCTV cameras and how to contact them.

Protecting Your Personal Data

We are committed to ensuring that your right to privacy is respected and that your personal information is secure and only available to those who have a right to see it. Examples of some of the measures we use, where appropriate, to protect your information includes:

  • controlling access to our systems and networks to stop people who are not allowed to view your personal information from getting access to it
  • encrypting the information so that it is hidden and cannot be read without special knowledge such as a password.
  • regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches)
  • training our staff so they are aware of how to handle information and how and when to report when something goes wrong
  • having joint procedures and agreements in place to protect personal information that we share, disclose or transfer to external parties, including our partners and third parties who process personal data on our behalf
  • having monitoring and incident management procedures in place to detect and resolve any personal data breaches as quickly as possible and improving our controls by addressing the underlying causes of such breaches.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

We have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents. He is supported by Information Asset Owners with responsibility for the governance of information at operational level.

Everyone working for the Care Inspectorate is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised or consented to by the individual, for example a person experiencing or providing care, or a Care Inspectorate employee, unless it is required or permitted by the law. We must also ensure that any impact on the privacy of an individual as a result of our actions is compliant with Article 8 of the Human Rights Act 1998.

How Long We Keep Your Data

We will only retain your information for as long as we consider necessary to support our statutory functions and to satisfy any legal, accounting, or reporting requirements. At the end of this period the information will be destroyed or deleted in line with our confidential destruction procedures.

We retain de-personalised statistical information to help inform our work, but no individuals are identifiable from that data.

Your rights

The law gives you a number of rights to control what personal information is used by us and how it is used by us. To find out more, please read the information on our Information and Data page which provides more information

Accessing your personal information (Subject Access Request)

You have a right to know what personal information we hold about you and to receive a copy of it, subject to some exemptions, by making a ‘subject access request’. We try to be as open as we can be in terms of giving people access to their personal information.

To find out more, please read the information on our Information and Data page which provides more information about this process and includes a form for you to complete and send to us, if you would like to make a subject access request.

Requesting correction of your personal information

This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Objecting to our processing of your personal information

You have the right to object to the Care Inspectorate using your information where we are relying on a legitimate interest (or those of a third party) and we would have to stop unless we have a sound overriding reason to continue

Erasure, restriction and portability

In specific circumstances, you have the right to have your personal data deleted, to put limits on what the Care Inspectorate may do with it or to receive a copy in machine-readable form to take to another organisation.

There are also specific legal rights relating to automated decision making but the Care Inspectorate does not carry out this kind of processing.

If you want to exercise any of these rights, please contact us using the details above.

For more information on your rights under the GDPR see 

Complaints or queries about how we process your personal information

If you have any complaints or queries about how we process your personal information you should contact our Data Protection Officer via our information portal, by emailing This email address is being protected from spambots. You need JavaScript enabled to view it. or by calling 0345 600 9527.

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

If you are dissatisfied with our response to a complaint you send us, or have any concerns about our handling of your personal data, you can complain to the Information Commissioner's Office by using the details below:

Mail: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113


Changes to this notice

We keep our Privacy Notice under regular review and we will place any updates on this web page. This notice was last updated on 27 July 2023.