National Records of Scotland

Preserving the past, Recording the present, Informing the future

Data Protection

Data Protection

Data Protection Act

The Data Protection Act 1998 was enacted to ensure the fair and lawful processing of personal data. The Act governs how organisations can collect and process information about individuals. It explains the rights of individuals (data subjects) and the responsibilities of the organisations (data controllers) which collect and process personal data. It also details the requirements of any third party organisations (data processors) which process personal data on behalf of data controllers. The Act is regulated and enforced by the UK Information Commissioner's Office (ICO).

The Act contains eight principles which all organisations processing personal data must conform to.

General Data Protection Regulation

A new General Data Protection Regulation (GDPR), which intends to strengthen and unify data protection for individuals within the European Union, will come into force on 25 May 2018.  The Regulation has been designed to harmonise data privacy laws across Europe, to protect and empower all citizens' data privacy and to reshape the way organisations across the EU approach data privacy.  NRS is working in collaboration with our partners in government and other sectors to implement the Regulation and to ensure that all of our policies and operations are compliant with it.”

Data Protection in NRS

NRS regards the fair and lawful treatment of personal information as integral to the success of our business operations and to maintaining the confidence of our customers and stakeholders. Our commitment to effective data protection is set out in the NRS Data Protection Policy.

NRS has also produced two codes of practice to ensure our employees comply with the legislation by following corporate wide policies and procedures for the management and administration of information. The Code of Practice – Business Information (88 KB PDF) applies to corporate information created or received by us in the course of our business transactions. The Code of Practice on Archival Information (397 KB PDF) applies to archival information transferred to the NRS for permanent preservation.

The data controller for NRS is the Registrar General for Scotland and Keeper of the Records of Scotland, Tim Ellis. He is responsible for ensuring that all collection and processing of personal data within NRS complies with the Data Protection Act and its principles.

The registration number of the Registrar General for Scotland and Keeper of the Records of Scotland’s entry in the ICO Register of data controllers is Z2886501.

Subject Access Requests

The Data Protection Act gives data subjects a legal right to access the personal information NRS holds about them. These requests are known as subject access requests and we will process them within one month. Subject access requests must be submitted in writing and anyone making an oral request will be asked to complete a Subject Access Request Form (184 KB PDF). More information about making a subject access request is available in the form.

Research Use of Personal Data in Archival Records

In order to protect the privacy of data subjects archival records which contain personal data are generally closed to public access for the lifetime of the individual. However, in some instances we may provide access to records containing the personal data of living individuals for research purposes. Guidance on the obligations of researchers who are permitted to access personal data contained in our archive collections is provided in our Data Protection Guidance for Readers.


CCTV is in use at all of our buildings in Edinburgh. The operation of CCTV complies with the Information Commissioner’s Office CCTV Code of Practice. Further information is available on our page about CCTV in NRS.

PDF files require Acrobat Reader. Download it free Get Acrobat Reader.