National Records of Scotland

Preserving the past, Recording the present, Informing the future

Model Plan Guidance to Element 9

Model Plan Guidance to Element 9

As a result of changes to the Keeper’s Model Plan, this guidance is currently being reviewed. We hope to have this completed by the end of 2021. In the meantime, if you have any queries about the guidance, please contact the Assessment team.

Data protection

An authority that handles personal information about individuals has a number of legal obligations to protect that information under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).

In line with the Keeper of the Records of Scotland's (The Keeper) obligations under the Public Records (Scotland) Act 2011 (the Act) the following guidance is issued regarding an authority's responsibilities under data protection legislation:

The Data Protection Act is UK-wide legislation and was introduced in 1998. It relates to the security of information and the rights of the individual to access information held about them. Therefore, it has major implications for public authority records management. Many authorities have formally published data protection statements.

The Keeper might expect a public authority's records management plan to include a data protection or privacy statement. This would normally be a document explaining how an authority treats personal information and how a member of the public can determine what information that authority holds about them. Therefore, the Keeper would welcome a high-level, public facing statement (known as a 'privacy statement'; in some organisations). However, the Keeper would not expect a detailed list of records that might be affected by data protection legislation.

If an authority already has a published data protection policy, this should be submitted. As the Public Records (Scotland) Act 2011 does not change existing data protection requirements, there should be no need to create a new document unless one does not already exist. If a public authority does not have a formal data protection (or privacy) statement this would be the ideal opportunity to consider creating one.

The Information Commissioner says:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to: Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; be clear about who in your organisation is responsible for ensuring information security; make sure you have the right physical and technical security backed up by robust policies and procedures [emboldened by NRS] and reliable, well-trained staff; and be ready to respond to any breach of security swiftly and effectively.

A public authority may have adequate processes in place to fulfil the requirements of the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) without publishing a formal statement. If this is the case, evidence supporting these processes should be submitted to the Keeper as part of the authority's proposed Records Management Plan.


Potential evidence that data protection legislation is being properly considered by an authority might include: A copy of an authority's privacy notice or data protection statement issued to all service users; a guide to submitting subject access requests appearing on an authority's website or proof of registration with the Information Commissioner's Office as required under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).

Sample Data Protection Statements

The following sample data protection schedules might give you an idea what such a document should include and how it might be styled.

The Scottish Government has a data protection policy which covers many of the authorities scheduled in the Public Records (Scotland) Act 2011:

SG DP policy statement (257 KB PDF)

National Records of Scotland Data Protection Policy

Local Government

East Ayrshire Council (draft) DP Statement (372 KB PDF)

The Scottish Crime and Drugs Enforcement Agency have the following which is mapped against the data protection principles issued by the Information Commissioner:

SCDEA DP policy document (541KB PDF)

NHS24 DP Policy (266 KB PDF)

Guidance Specific to Data Protection

If you are creating a data protection statement for your organisation you might want to give consideration to the following Data Protection Act 2018 (DPA 2018), and the UK General Data Protection Regulation (UK GDPR).

Under data protection guidance: Public authorities that routinely process sensitive personal information on identifiable living individuals should consider publishing a 'privacy notice'. As the Information Commissioner's Office publishes such a notice, this would seem to be a good place to start when creating your own.

The National Archives (on behalf of the Crown), the Society of Archivists, the Information and Records Management Society and the National Association for Information Management have produced a code of practice you may wish to familiarise yourself with.

Subject Access Requests

Complete Guidance Documents

Data Protection Act 2018 (DPA 2018), and the UK General Data Protection Regulation (UK GDPR)

The National Archives UK records management guidance

If you encounter difficulties opening linked websites, PDF documents and RTF documents listed on this page, please contact us at

Return to Model Plan

Return to Model Plan or read the complete guidance to Model Plan.

PDF files require Acrobat Reader. Download it free Get Acrobat Reader.