The National Archives of Scotland Home
A-Z Help Site search
You are in: NAS> Record keeping> Data protection policy
Thursday 23 March 2017

Data protection policy

The National Archives of Scotland (NAS) is required by law to comply with the Data Protection Act, 1998 which was set up to ensure the fair and lawful processing of personal data. The NAS is comitted to ensuring that all employees comply with this Act in order to safeguard the confidentiality of any personal data held by the NAS, in whatever medium.

The NAS needs to collect and keep certain information about its employees and customers to allow us to conduct our business operations. In order to comply with the law the NAS must ensure that personal information be collected and used fairly, stored safely and not disclosed to any person unlawfully. To do this the NAS must comply with the Data Protection Principles, which are set out in the Act.

The NAS regards the lawful and correct treatment of personal information as very important to successful business operations, and to maintaining confidence between those with whom we deal and ourselves.

This policy sets out the procedures and practices the NAS needs to employ in order to comply with the provisions for the lawful and fair handling of personal data set out in the Act.

George P MacKenzie
Keeper of the Records of Scotland
13 December 2001

Scope of the data protection policy

1. This policy aims to fulfil the requirement for fair and lawful processing of personal data in the records which the National Archives of Scotland creates and receives in the course of administering its own business, and in the records or organsations and private individuals deposited with NAS for historical purposes.

2. According to the principles outlined in the Data Protection Act 1998, the personal information which is collected and used by the NAS in the conduct of its business operations must be dealt with properly, regardless of medium.

3. This policy covers:

  • The requirements that must be met for the processing of personal data to be fair and lawful by the National Archives of Scotland, as set out in the Data Protection Act 1998

  • An implementation strategy across the organisation

  • Staff responsibilities in relation to data protection

  • Provision for regular review of the data protection policy and its implementation

Relevant legislation and regulations

This policy complies with the following acts, regulations and best practice standards:

Data Protection Act 1998

Human Rights Act 1998

International Standard on Records Management, ISO 15489

Society of Archivists and Records Management Society Code of Practice for Archivists and Records Managers

Data protection principles

The Data Protection Act 1998 outlines eight principles which underpin the handling of personal data. In order to achieve compliance with the act, the NAS must ensure that personal data is:
  1. Processed fairly and lawfully and is not processed unless certain conditions are met

  2. Obtained for specified and lawful purposes and not further processed in a manner incompatible with that purpose

  3. Adequate, relevant and not excessive

  4. Accurate and where necessary up to date

  5. Kept for no longer than necessary

  6. Processed in accordance with the data subjects’ rights

  7. Protected by appropriate security

  8. Not transferred without adequate protection

Data protection processes

In order to fulfil our obligations under the Data Protection Act 1998, the NAS will implement business processes and systems, which will:
  • Observe fully conditions regarding the fair collection and use of information

  • Meet our legal obligations to specify the purposes for which information is used

  • Collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirement

  • Ensure the quality of the information which we use

  • Retain records only for as long as they are need

  • Ensure that people about whom we hold information can exercise their rights fully under the Act

  • Take appropriate technical and organisational security measures to safeguard personal information

  • Ensure that personal information is not transferred abroad without suitable safeguards

  • Ensure the correct management of personal data contained within our deposited collections

This will be achieved by:

  • The appointment of a data protection coordinator with specific responsibility for data protection in the NAS

  • The creation of a data protection procedures manual to document the methods for handling personal data within the NAS

  • The introduction of systematic management of all of the NAS records, regardless of media or format

  • The introduction of training for all the NAS staff in good data protection practice, so that every member of staff understands their responsibility under the act

  • The introduction of retention schedules for all the NAS records to ensure information is only retained for as long as it is required

  • The introduction of the Information Commissioner’s Information Signpost to alert subjects to data processing

  • The introduction of publicised procedures for data subject access to personal data held by the NAS

  • The quick and efficient handling of subject access requests

  • Notification with the Information Commissioner of all uses for of personal data within the NAS

  • The creation of security procedures for both manual and digital records containing personal data

  • A regular review and audit of the way in which personal information is collected, stored and used by the NAS

Staff responsibilities

Everyone within the NAS is responsible for ensuring that they comply with the principles set out in this policy, with specific data protection duties written into job descriptions

Senior Management

  • Senior Management regard the lawful and correct treatment of personal information as of vital importance to successful business operations, and to maintaining confidence between those with whom we deal and ourselves

  • Senior Management will make provision for a regular review of the NAS Data Protection Policy and will investigate modifications when necessary

Data Protection Coordinator

  • Ensure that the NAS Data Protection Notification is kept up to date

  • Support all members of staff to comply with their obligations under the act

  • Issue guidance and training

  • Monitor the proper functioning of data protection systems

Line Managers

  • Ensure that staff with specific data protection responsibilities have these written into their job descriptions

  • Ensure that such staff fulfill their data protection responsibilties properly

  • Ensure that all staff receive the data protection training provided

All staff

  • Familiarise themselves with, and follow, NAS’s data protection policy and practices

  • Ensure that procedures for the collection and use of personal data is complied with in their area

  • Familiarise themselves with the implications of data protection in their job



Privacy statement | Terms of use | Using our site | Contact us | Complaints procedure | Copyright | Back to top
Page last updated: Monday 6 March 2006

The National Archives of Scotland, H.M. General Register House, 2 Princes Street, Edinburgh, EH1 3YY; tel +44 (0) 131 535 1314; email: