Privacy and Data Protection

Data protection

We collect and use personal information to deliver Council services. When we do this, we must comply with the General Data Protection Regulation. This is called data protection law.

The Council is committed to ensuring that all personal information about individuals we process is managed appropriately and in compliance with the UK GDPR, the Data Protection Act 2018, and any subsequent data protection legislation (collectively referred to as Data Protection legislation). The Council also has an approved Data Protection Policy, which aims to assist staff in complying with Data Protection legislation.

How we use your personal information

GDPR Statement

1: Lawfulness, fairness and transparency

All data flows into and out of the Council are being assessed to determine the legal basis under which that data is processed and the results of the assessment are being documented. We are satisfied that we will have a legal basis for holding the personal data we hold, and that we will also have a valid legal basis for disclosing this personal data to third parties where this happens.

Privacy notices are presently being drafted to comply with GDPR requirements (and to reflect the legal basis of processing). Please see privacy notices page for further details. We will be reviewing our data processor agreements and data sharing agreements to reflect the new legal requirements.

2: Purpose limitation

The purposes for which data are collected are clearly set out in the relevant privacy statements. This includes reference to further use of data for internal management information purposes. A limited set of data is required for research and archiving purposes; the Council will put in place appropriate safeguards for these activities as required by Article 89 of the GDPR.

3: Data minimisation

In assessing the data flows, the Council will take the opportunity to critically assess the need for each of the data fields in question and where superfluous data is being captured, we will stop capturing this.

4: Accuracy

The Council is continually checking data for accuracy and, where any inaccuracies are discovered, these are promptly corrected and any third party recipients of the inaccurate data notified of the correction.

5: Storage limitation

The Council only keeps personal information for the minimum period of time necessary. Sometimes this time period is set out in the law, but in most cases it is based on business need. We maintain a records retention and disposal schedule which sets out how long we hold different types of information for. You can view the current schedule on our website. Information in the Shetland Archives are held subject to appropriate safeguards in terms of Article 89.

6: Integrity and confidentiality:

The Council has an approved Information Security Policy which sets out roles and responsibilities within the organisation in relation to information security. Our ICT systems have appropriate protective measures in place, and the systems are subject to external assessment and validation. We have policies and procedures in place to reduce the information security risks arising from use of hard copy documentation.


Telling people about how we use their personal information is a key part of data protection law. Our privacy notices tell you how we do this. This includes how we collect, share, and use your information.