National Records of Scotland (NRS) takes your trust and right to privacy seriously and is committed to ensuring that whenever we process personal information we do this fairly, lawfully and in a transparent manner. We comply fully with all of our obligations under the data protection laws. These laws include the Data Protection Act 1998 (DPA), and any statutory modification or re-enactment thereof, and the EU General Data Protection Regulation (GDPR).
Data Protection Act
The Data Protection Act 1998 (DPA) was enacted to ensure the fair and lawful processing of personal data. The DPA governs how organisations can collect and process information about individuals. It explains the rights of individuals (data subjects) and the responsibilities of the organisations (data controllers) which collect and process personal data. It also details the requirements of any third party organisations (data processors) which process personal data on behalf of data controllers. The DPA is regulated and enforced by the UK Information Commissioner's Office (ICO).
General Data Protection Regulation
A new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which strengthens and unifies data protection for individuals within the European Union, will come into force on 25 May 2018. The Regulation has been designed to harmonise data privacy laws across Europe, to protect and empower all citizens' data privacy and to reshape the way organisations across the EU approach data privacy. NRS is working in collaboration with our partners in government and other sectors to implement the Regulation and to ensure that all of our policies and operations are compliant with it.
Data Protection in NRS
NRS regards the fair, lawful, and transparent treatment of personal information as integral to the success of our business operations and to maintaining the confidence of our customers and stakeholders. Our commitment to effective data protection is set out in the NRS Data Protection Policy.
The data controllers for NRS are the Registrar General for Scotland and the Keeper of the Records of Scotland. These non-ministerial offices are held by the NRS Chief Executive, who is responsible for ensuring that all collection and processing of personal data within NRS complies with the data protection laws.
The NRS Data Protection Officer is the Director of Information and Record Services. She is responsible for monitoring and auditing compliance with the data protection laws, ensuring NRS personnel understand and comply with their obligations, and assessing the risks associated with the processing of personal data.
The registration number of the Registrar General for Scotland’s and Keeper of the Records of Scotland’s entry in the ICO Register of data controllers is Z2886501.
Subject Access Requests
The DPA and the GDPR give data subjects a legal right to access the personal information NRS holds about them. These requests are known as subject access requests and we will process them within one month. We will also provide you with information about any processing of your personal data that is being carried out, the retention periods which apply to your personal data, and any rights to rectification, erasure, or restriction of processing that may exist.
Subject access requests must be submitted in writing, and anyone making an oral request will be invited to complete our Subject Access Request Form (184 KB PDF). More information about making a subject access request is available in the form.
NRS uses privacy notices to tell you what to expect whenever we collect and process personal information. More information can be found in the Privacy section of this website. If at any time you feel that we are not being transparent enough about how we process your personal data, or you would like more information, please let us know using the contact information below.
Data Protection Impact Assessments
NRS uses data protection impact assessments (DPIAs), also known as privacy impact assessments (PIAs), to help us identify the most effective way of complying with our data protection obligations and meeting individuals' expectations of privacy.
DPIAs are a tool organisations can use to identify and reduce risks to privacy. They help minimise the risks of harm to individuals through the misuse of their personal information.
It is NRS policy to carry out DPIAs for all projects which involve the handling of personal data and which may have an impact on privacy. Further information is available on our Data protection impact assessments page.
Research Use of Personal Data in Archival Records
In order to protect the privacy of data subjects, archival records which contain personal data are generally closed to public access for the lifetime of the individual. However, in some instances we may provide access to records containing the personal data of living individuals for research purposes. Guidance on the obligations of researchers who are permitted to access personal data contained in our archive collections is provided in our Data Protection Guidance for Readers.
CCTV is in use at all of our buildings in Edinburgh. The operation of CCTV complies with the Information Commissioner’s Office CCTV Code of Practice. Further information is available on our page about CCTV in NRS.
Right to complain
Should you feel that NRS is handling your data unfairly or unlawfully, you can report your concern to the Information Commissioner’s Office (ICO). For more information visit the ICO website:
NRS Data Protection Officer
HM General Register House
2 Princes Street
Tel: 0131 334 0380