Model Plan Guidance to Element 9
Model Plan Guidance to Element 9
As a result of changes to the Keeper’s Model Plan, this guidance is currently being reviewed. We hope to have this completed by the end of 2019. In the meantime, if you have any queries about the guidance, please contact the Assessment team.
An authority that handles personal information about individuals has a number of legal obligations to protect that information under the Data Protection Act 1998.
In line with the Keeper of the Records of Scotland's (The Keeper) obligations under the Public Records (Scotland) Act 2011 (the Act) the following guidance is issued regarding an authority's responsibilities under data protection legislation:
The Data Protection Act is UK-wide legislation and was introduced in 1998. It relates to the security of information and the rights of the individual to access information held about them. Therefore, it has major implications for public authority records management. Many authorities have formally published data protection statements.
The Keeper might expect a public authority's records management plan to include a data protection or privacy statement. This would normally be a document explaining how an authority treats personal information and how a member of the public can determine what information that authority holds about them. Therefore, the Keeper would welcome a high-level, public facing statement (known as a 'privacy statement'; in some organisations). However, the Keeper would not expect a detailed list of records that might be affected by data protection legislation.
If an authority already has a published data protection policy, this should be submitted. As the Public Records (Scotland) Act 2011 does not change existing data protection requirements, there should be no need to create a new document unless one does not already exist. If a public authority does not have a formal data protection (or privacy) statement this would be the ideal opportunity to consider creating one.
The Information Commissioner says:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to: Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; be clear about who in your organisation is responsible for ensuring information security; make sure you have the right physical and technical security backed up by robust policies and procedures [emboldened by NRS] and reliable, well-trained staff; and be ready to respond to any breach of security swiftly and effectively.[footnote 1]
A public authority may have adequate processes in place to fulfil the requirements of the Data Protection Act without publishing a formal statement. If this is the case, evidence supporting these processes should be submitted to the Keeper as part of the authority's proposed Records Management Plan.
Potential evidence that data protection legislation is being properly considered by an authority might include: A copy of an authority's privacy notice or data protection statement issued to all service users; a guide to submitting subject access requests appearing on an authority's website or proof of registration with the Information Commissioner's Office as required under the Data Protection Act 1998
Sample Data Protection Statements
The following sample data protection schedules might give you an idea what such a document should include and how it might be styled.
The Scottish Government has a data protection policy which covers many of the authorities scheduled in the Public Records (Scotland) Act 2011:
SG DP policy statement (257 KB PDF)
East Ayrshire Council (draft) DP Statement (372 KB PDF)
The Scottish Crime and Drugs Enforcement Agency have the following which is mapped against the data protection principles issued by the Information Commissioner:
SCDEA DP policy document (541KB PDF)
And a Data Protection policy:
NHS24 DP Policy (266 KB PDF)
Guidance Specific to Data Protection
If you are creating a data protection statement for your organisation you might want to give consideration to the following principles as published by the Information Commissioner
Under data protection guidance: Public authorities that routinely process sensitive personal information on identifiable living individuals should consider publishing a 'privacy notice'. As the Information Commissioner's Office publishes such a notice, this would seem to be a good place to start when creating your own.
The National Archives (on behalf of the Crown), the Society of Archivists, the Information and Records Management Society and the National Association for Information Management have produced a code of practice you may wish to familiarise yourself with.
The Information Commissioner published new guidance on subject access requests. This includes a downloadable PDF of the ICO's new Subject Access Code of Practice. This appears as a link as part of the News release.
Complete Guidance Documents
If you encounter difficulties opening linked websites, PDF documents and RTF documents listed on this page, please contact us at firstname.lastname@example.org.