Skip to main content

Privacy Policy


SEPA seeks to ensure that the information published on its web site is up to date and accurate. However, the information on the website does not constitute legal or professional advice and SEPA cannot accept any liability for actions arising from its use. SEPA cannot be held responsible for the contents of any pages referenced by an external link.

SEPA privacy notice

Who we are

This is the general privacy notice of the Scottish Environment Protection Agency (“SEPA”, “we”, “us” or “our”) established by the Environment Act 1995 and having its principal place of business at Strathallan House, Castle Business Park, Stirling, FK9 4TZ. Our registration number on the ICO Register of Data Controllers is Z6161946.

Everyone has rights with regard to how their personal information is handled.  During the course of our activities SEPA will collect, store and process personal information about our customers, staff and all other individuals who work with us or contact us in order to provide our public services.  We recognise the fundamental importance of handling this information in an appropriate and lawful manner to maintain the confidence and trust of our customers and staff in our processing of their Personal Data.  Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. If SEPA fails to comply with Data Protection Law, then it may be subject to enforcement and sanctions from the Information Commissioner.

What is personal information

Personal information can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person. 

There may also be situations where we process special categories of personal information that need more protection due to its sensitivity.  It’s often information you would not want widely known and is very personal to you.)

Why we use your personal information  

We collect and use personal information to enable us to carry out our regulatory and flooding duties (encompassing our public task), which may include:

  • granting and administering of licences and maintaining public registers
  • investigating of environmental complaints
  • undertaking formal enforcement actions
  • provision of flood warning service
  • the use of CCTV and mobile systems for crime prevention
  • developing policy and undertaking consultations
  • providing advice and information and undertaking research
  • maintaining our own accounts and records
  • delivering internal support functions, including corporate administration and the support and management of our employees
  • and all activities that we are required to carry out as a controller and as a public authority

How the law allows us to use your personal information

We must have a legal basis for using your personal information and make it clear to you, which one is being used. These include:

  • if you, or your legal representative, have given us consent
  • if you have entered into a contract with us, including if you are an employee
  • it is required by law (legal obligation)
  • it is necessary to protect someone in an emergency (vital interests)
  • it is necessary to perform our statutory duties (public task)

We will retain personal information for as long as it required for the legal basis noted above and in accordance with our retention schedule.

Where we need to process any of your personal information, which is defined as special category information, we must also ensure that we have an additional legal basis for doing so.  These include:

  • If you, or your legal representative, have given us consent
  • it is required by law (legal obligation)
  • it is necessary to protect someone in an emergency (vital interests)
  • necessary for the establishment, exercise or defence of legal claims
  •  it is necessary to perform our statutory duties (public task)

We have prepared more detailed privacy notices for some of our services, to provide you with additional information about how we use personal information.  These will be accessible here.

Individuals named in our public registers

As a regulatory authority, we compile and maintain public registers, as part of our statutory duties, and make these registers available for public inspection.

To compile the public registers, we collect and use the personal information from applicants for authorisations and permits issued by SEPA. We collect this information via an application form, usually sent to us by an applicant or agent acting on their behalf.  Once processed, this information is entered on the public register and is available for public inspection. We keep this data for the period set down in our statutory obligations.

How we share personal information

We sometimes need to share your personal information with other organisations for statutory or regulatory reasons, or because doing so is in the general public interest.   Any sharing will be carried out lawfully and securely in accordance with the Data Protection Principles.

These organisations include:

  • UK government bodies (for example HMRC)
  • Scottish Government, its agencies and non-ministerial departments (for example Revenue Scotland)
  • Local government and administration (for example relating to planning consultations)
  • Law enforcement and regulatory agencies (for example Police Scotland and the Crown Office and Procurator Fiscal Services)
  • Audit Scotland and the Audit Commission (for National Fraud Initiative)

Like most organisations, we ask third parties who are part of our own supply chain to collect and use your personal information in order to help us perform our functions. In each case they do this under explicit instructions from us and are not allowed to pass your information to others without our permission, or to use it for any further purpose.

These organisations include

  • the suppliers of our IT systems and infrastructure
  • suppliers of communications systems and services
  • suppliers of office and building services
  • suppliers of professional services (such as recruitment specialist or legal advisors)

They retain your information only as long as is necessary and we ensure that they return to us, or destroy, any remaining information at the end of our contract with them.

As a public body, SEPA is required to comply with statutory obligations to provide access to information (for example the Freedom of Information (Scotland) Act and the Environmental Information (Scotland) Regulations 2004).  It may be necessary for us to disclose your personal information to a third party in response to a relevant statutory request.

Your rights regarding your personal information held by SEPA


What it means


You have the right to clear information about how we collect and use your personal information – this privacy notice is one example of how we do this


To request a copy of your information, please complete the Data Subject Access Request Form or contact


You have the right to ask for any personal information that is inaccurate or incomplete to be corrected

In certain circumstances, you will have the following extra rights:


You have the right to ask for your personal data to be deleted under certain circumstance

Objection to processing

You have the right to object to our use or your personal information under certain circumstances

Restriction on processing

If you make an objection, our use of your personal information may be temporarily suspended whilst we deal with your request


You have the right to ask for a copy of your personal information in a machine readable format to pass to another organisation under certain circumstances

We have a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact SEPA’s Data Protection Officer, Alison M. Mackinnon at or by calling 01698 839 022 and ask to speak to the Data Protection Officer.  

Changes to our privacy statement

We keep this privacy notice under regular review and will place any updates on the SEPA website.  Paper copies of the privacy notice may also be obtained by contacting


We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner’s Office.  They can be contacted at or 0303 123 1113.

This privacy notice was last updated on 03 February 2021.

Using our website


This site uses session cookies to enhance your interaction with our site. Cookies are small text files that are placed on your computer by websites that you visit. A cookie will typically contain the name of the domain from which the cookie has come, the "lifetime" of the cookie, and a value, usually a randomly generated unique number. Cookies can help a website to arrange content to match your preferred interests more quickly. Most major websites use cookies. Cookies cannot be used by themselves to identify you.

Session cookies last only for the duration of your visit and are deleted when you close your browser. These facilitate various tasks such as allowing a website to identify that a user of a particular device is navigating from page to page, supporting website security or basic functionality.They contain no personal information that can be used to identify you. If you are concerned about the potential use of information gathered from your computer by cookies, you can set your browser to prompt you before it accepts a cookie. Most Internet browsers have settings that let you identify and/or reject cookies.

Third Party Cookies

The site uses Google Analytics which generates statistics about visitors.

Google Analytics is a web analytics service provided by Google, Inc. (‘Google’). Google Analytics uses cookies. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google will not associate your IP address with any other data held by Google. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

We sometimes run studies using Hotjar, which is a tool that helps us understand how users interact with the website.

The technology gives us information such as how much time users spend on a page, and what they choose to click on so that we can see what’s working well and what isn’t. We use this information to make improvements to the site to help users find what they’re looking for as easily as possible. We also use Hotjar to get feedback from users.

Hotjar uses cookies and other technologies to collect information on the user such as their:

  • behaviour
  • device type
  • IP addresses (stored anonymously)
  • screen size
  • browser
  • geographic location (country only)
  • preferred language

Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. Details of what cookies Hotjar use are summarized on this website : Cookie Database (Hotjar) 


What if I don't want to accept cookies?

You can choose to restrict or block the cookies set by any website. You’ll need to do this through your browser settings.

Please note: if you block or restrict cookies on your machine, the this website may be unable to function correctly.

You can also visit for comprehensive information on how to block or restrict cookies on a wide variety of browsers. You’ll also find details on how to delete cookies from your computer, as well as more general information about cookies. For information on how to do this on the browser of your mobile phone you’ll need to refer to your handset manual.


If you have any questions about any of the above please contact