Records involving personal data are managed in compliance with data protection law.
In line with the Keeper of the Records of Scotland’s (The Keeper) obligations under the Public Records (Scotland) Act 2011 (the Act), the following guidance is issued regarding an authority’s responsibilities under data protection legislation:
The Data Protection Act is UK-wide legislation that was first introduced in 1998 and then reintroduced in a new DP Act in 2018 to take account of the General Data Protection Regulation (GDPR) developed in the EU and adopted by the UK Government. The Data Protection Act relates to the security of information and the rights of the individual to access information held about them, and as such has major implications for public authority records management. Many authorities have formally published data protection statements. Some examples are provided below.
The Keeper expects a public authority’s Records Management Plan (RMP) to include a data protection or privacy statement.
If an authority is registered as a data controller with the Information Commissioner, the Keeper would also expect them to provide him with:
1. Their registration number
Each data controller should have been provided with a registration certificate and this will show the registration number. A copy of the current certificate would be good evidence.
2. Data Protection Officer
Each data controller must identify a Data Protection Officer. The Keeper will also need the Data Protection Officer to be identified in the authority’s Records Management Plan. Often, but not always, this is the authority’s SIRO (Senior Information Risk Owner).
3. Data Protection Policy
A data controller should develop a formal data protection policy or statement. Often this is supported by staff guidance. Both should be provided to the Keeper.
4. Online instructions for Subject Access Requests
If an authority processes (and this includes simply holding) personal information about members of the public, the authority should provide them with instructions on how to exercise their rights under data protection legislation. This should be published on an authority’s website. The Keeper will need the URL in evidence.
However, it is worth noting that the Keeper does not expect a detailed list of all the record types produced by an authority that might be affected by data protection legislation. Furthermore, as the Public Records (Scotland) Act 2011 does not change existing data protection requirements, there should be no need to create a new document where one already exists. If a public authority does not have a formal data protection (or privacy) statement, this would be the ideal opportunity to consider creating one.
In the case that a public authority does not process personal information about members of the public, the Keeper accepts that they may have adequate processes in place to fulfil the requirements of the Data Protection Act without publishing a formal public statement. If this is the case, evidence supporting these processes should be submitted to the Keeper as part of the authority’s proposed Records Management Plan.
The Information Commissioner has produced specific guidance for organisations, which is available at https://ico.org.uk/for-organisations/
Evidence
Potential evidence that data protection legislation is being properly considered by an authority might include: a copy of the authority’s privacy notice or data protection statement issued to all service users; a guide to submitting subject access requests appearing on the authority’s website; and proof of registration with the Information Commissioner’s Office as required under the Data Protection Act 2018.
Sample Data Protection Documentation:
The following sample data protection schedules might give you an idea what such a document should include and how it might be styled.
Any samples should not be taken to represent the current procedures operational in the authority that provided the sample; they are for ‘inspiration’ only.
NRS data protection policy
Most authorities have a Data Protection Policy although, as noted under element 8 above, this may be combined with an Information Security Policy or even included as part of a larger Information Governance Strategy document. Unlike the Information Security Policy, it is usual for an authority to publish its Data Protection Policy, or an extract from it, for the benefit of service users. Therefore there will be many examples online (sometimes termed ‘Privacy Policy’). However, here is an example of what should be contained in a Data Protection Policy and how such a policy might be laid out.
File 01 - Argyll and Bute Council - subject access request form
It is important that members of the public (and staff) are able to exercise their subject access rights, and therefore it is expected that instructions on how to pursue these rights are made available by the data controller (the public authority). Again, there should be plenty of examples online, but here is a sample.
File 02 - Scottish Funding Council data protection guidance for staff
The Keeper will expect evidence that staff in a public authority understand their responsibilities in regard to data protection legislation. Staff guidance is less likely to be published online.