This is an HTML version of an attachment to the Freedom of Information request 'Service providers and PII'.

Gabby Dunne 
If calling please ask for:
Kenny McKaig 01382 434577
Dear Sir/Madam
Freedom of Information Request Reference No. 20180717003   
I refer to your request of 17/07/2018
The answers to your questions are as follows:  
1. Do you use an external IT service provider/Managed Service Provider (MSP)? 
- Yes 
2. Does your provider/MSP serve as a processor of your Personally Identifiable Information (PII)?
- Yes
3. Does your contract/Service Level Agreement (SLA) with the provider(s) have clear provisions for the allocation of responsibilities in the event of a data breach?
- Yes
4. Have you revisited your original contract(s) to ensure compliance with the General Data Protection Regulation 
- No
5. Does the contract/SLA define the time frame in which a security breach at the provider must be reported to you?
- Yes 
6. Do you have policies in place for privileged account management?
- Yes
7. Has your service provider/MSP suffered a data breach involving your organisation’s PII in the last 12 months? 
- No
8. If yes, how long did it take for them to notify you?
- - 31 mins – 1 day 
- 1 – 2 days 
- 2 – 3 days 
- More than 3 days

Your Right to Appeal
If you are unhappy with this reply you may require the Council to review its actions and decisions in relation to your 

The requirement for review must:-
be in writing or other permanent form (please address it to me);
state your name and give an address for correspondence;
specify the original request for information and the matter which gives rise to your dissatisfaction; and
be made within 40 working days of the date of this response, although the Council may, if it considers it appropriate to do so, consider requirements for review after that time has passed.
Your requirement for review will be dealt with by the Chief Executive. He will reply to you in writing promptly and in any event within 20 working days. He may:-
confirm my decision with or without modification;
substitute a different decision for my decision;
and will give you his reasons for so doing. If you are unhappy with the Chief Executive's decision you may then appeal 
to the Scottish Information Commissioner. You must submit your appeal to the Scottish Information Commissioner 
within six months of receiving the Chief Executive's decision.
Further details on the Scottish Information Commissioner's appeal procedure can be found using the direct link or email xxxxxxxxx@xxxxxxxxxxxxxxxxxx.xxxx or telephone (01334) 464610 or write 
to Scottish Information Commissioner, Kinburn Castle, Doubledykes Road, St Andrews, Fife, KY16 9DS.
Yours faithfully
Kenneth McKaig
Legal Manager