Risk Analysis Tracker - Privacy Notice

Information on the Risk Analysis Tracker privacy notice, why we require data, what we do with the data and your rights.

Food Standards Scotland (FSS) is known as the ‘Controller’ of the personal information provided to us.

What information do we hold?

We need to collect and hold personal information on key Food Standards Agency (FSA) and Food Standards Scotland (FSS) staff and external collaborators involved in requesting, producing, coordinating, reviewing and receiving Risk Analysis issues that are uploaded to the Risk Analysis Tracker. This consists of names, job titles/roles and may in some cases include work contact details.

Why we need it

We need to collect and process your personal information in order to: 

  • Grant and administer your access to the Tracker.
  • Communicate with you to obtain updates, answer questions, collaborate or circulate information.
  • Maintain an internal audit trail.

What is the legal basis for our use of your personal data?

We process this information in line with the performance of our statutory duties and the exercise of the official authorities vested in us and the performance of a task carried out in the public interest. In particular, we do this as part of our statutory duties to carry out the risk analysis process using science and evidence to provide advice to government, business and consumers on food safety risks.

Where we get this information from?

We obtain this information directly from you as part of providing FSA/ FSS staff access to the Tracker and indirectly from documents uploaded to and held on the system.

What we do with it

We store the information obtained on an FSA site and use it to securely share risk analysis information between FSA and FSS staff and external collaborators.

No other third parties will have access to your personal information unless there is a lawful or legal basis for the sharing. In line with this, we may also share personal information about you: 

  • where we are legally required to do so (e.g. in connection with criminal investigations, legal proceedings or prospective legal proceedings). 
  • where necessary for establishing, exercising or defending our legal rights and permitted by law; and 
  • with other governments departments and public bodies where the sharing is necessary for them to meet their statutory obligations, or it is in the public interest.

In addition, we use or work with contractors and other third-party service providers, such as IT service providers, who may process your personal data on our behalf. These third parties can only process your personal data on our instruction or with our agreement for specific purpose to enable us to maintain, improve and provide our services.

Data Retention

We retain personal information only for as long as necessary to carry out these functions, and in line with our retention policy. This means that this information will be retained on the Evidence Package Tracker for 10 years. 

All the personal information we process is primarily located on servers within the UK and the European Economic Area (EEA), which means that they are deemed adequate in terms of data protection by the UK government.  In addition, our cloud-based services have been procured through the government framework agreements and have been assessed against the national cyber security centre cloud security principles. For financial and technical reasons, we may on occasion use the services of a supplier outside the UK and European Economic Area (EEA), which means that your personal information is transferred, processed and stored outside the EEA. However, we take steps to ensure that these organisations have in place suitable technical and organisational safeguards either through the agreements we hold with them or by confirming they operate in accordance with the EU-U.S. Privacy Shield Framework

What are your rights?

You have a right to see the information we hold on you by making a request in writing to the email addresses below. If at any point you believe the information we process on you is incorrect you can request to have it corrected. If you wish to raise a complaint on how we have handled your information, you can contact our Data Protection Officer who will investigate the matter.  

If you are not satisfied with our response or believe we are not processing your information in accordance with the law you can complain to the Information Commissioner’s Office (ICO) at: www.ico.org.uk.  

Our Data Protection Officer at Food Standards Scotland is the Interim Director of Policy, Science, Finance and HR who can be contacted at dataprotection@fss.scot.

Last updated 8 December 2020

More on this topic


Privacy notices

How we use personal information in the provision of services.