National Records of Scotland

Preserving the past, Recording the present, Informing the future

Data Protection

Data Protection

National Records of Scotland (NRS) takes your trust and right to privacy seriously and is committed to ensuring that whenever we process personal information we do this fairly, lawfully and in a transparent manner. We comply with our obligations under data protection and privacy laws. These laws include the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

General Data Protection Regulation

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which strengthens and unifies data protection for individuals within the European Union, came into force on 25 May 2018. The Regulation has been designed to harmonise data privacy laws across Europe, to protect and empower all citizens' data privacy and to reshape the way organisations across the EU approach data privacy. NRS has worked in collaboration with our partners in government and other sectors to implement the Regulation and to ensure that all of our policies and operations are compliant with it.

Data Protection Act 2018

The Data Protection Act 2018 (DPA 2018) also commenced on 25 May 2018. It repeals the Data Protection Act 1998 and modernises data protection laws to ensure they are effective in the years to come. The DPA 2018 ensures the standards set out in the GDPR have effect in the UK, strengthens or provides exceptions from some of the requirements of the GDPR, extends data protection laws to areas which are outside the scope of the GDPR, and implements the EU Law Enforcement Directive. Data protection in the UK is regulated and enforced by the UK Information Commissioner's Office (ICO).

Data Protection in NRS

NRS regards the fair, lawful, and transparent treatment of personal information as integral to the success of our business operations and to maintaining the confidence of our customers and stakeholders. Our commitment to effective data protection is set out in the NRS Data Protection Policy.

The data controllers for NRS are the Registrar General for Scotland and the Keeper of the Records of Scotland. These non-ministerial offices are held by the NRS Chief Executive, who is responsible for ensuring that all collection and processing of personal data within NRS complies with the data protection laws.

The NRS Data Protection Officer is the Director of Information and Record Services. She is responsible for monitoring and auditing compliance with the data protection laws, ensuring NRS personnel understand and comply with their obligations, and assessing the risks associated with the processing of personal data.

The registration number of the Registrar General for Scotland’s and Keeper of the Records of Scotland’s entry in the ICO Register of data controllers is Z2886501.

Subject Access Requests

The GDPR give data subjects a legal right to access the personal information NRS holds about them. These requests are known as subject access requests and we will process them within one month. We will also provide you with information about any processing of your personal data that is being carried out, the retention periods which apply to your personal data, and any rights to rectification, erasure, or restriction of processing that may exist.

Subject access requests must be submitted in writing and anyone making an oral request will be invited to complete our Subject Access Request Form (256 KB PDF). More information about making a subject access request is available in the form.

Privacy Notices

NRS uses privacy notices to tell you what to expect whenever we collect and process personal information. More information can be found in the Privacy section of this website. If at any time you feel that we are not being transparent enough about how we process your personal data or you would like more information then please let us know using the contact information below.

Data Protection Impact Assessments

NRS uses data protection impact assessments (DPIAs), also known as privacy impact assessments (PIAs), to help us identify the most effective way of complying with our data protection obligations and meeting individuals' expectations of privacy.

DPIAs are a tool organisations can use to identify and reduce risks to privacy. They help minimise the risks of harm to individuals through the misuse of their personal information.

It is NRS policy to carry out DPIAs for all projects which involve the handling of personal data and which may have an impact on privacy. Further information is available on our Data protection impact assessments page.

Research Use of Personal Data in Archival Records

In order to protect the privacy of data subjects, archival records which contain personal data are generally closed to public access for the lifetime of the individual. However, in some instances we may provide access to records containing the personal data of living individuals for research purposes. Guidance on the obligations of researchers who are permitted to access personal data contained in our archive collections is provided in our Data Protection Guidance for Researchers.


CCTV is in use at all of our buildings in Edinburgh. The operation of CCTV complies with the Information Commissioner’s Office CCTV Code of Practice. Further information is available on our page about CCTV in NRS.

Right to complain

Should you feel that NRS is handling your data unfairly or unlawfully, you can report your concern to the Information Commissioner’s Office (ICO). For more information visit the ICO website:   

Contact Information

NRS Data Protection Officer
HM General Register House
2 Princes Street
EH1 3YY 

Tel: 0131 334 0380

Email: [email protected]

PDF files require Acrobat Reader. Download it free Get Acrobat Reader.