This fact sheet provides guidance on research access to archival records involving personal data held by National Records of Scotland (NRS).
NRS is responsible for the selection, preservation and provision of access to the public, legal and private records which constitute Scotland’s national archives. We have a duty to ensure that the personal data contained within these historical records are processed fairly, lawfully, and in a transparent manner in compliance with the Data Protection Laws.
The Data Protection Laws mean the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and any law, statute, subordinate legislation, regulation, order, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements of any regulatory body which relates to the protection of individuals with regard to the processing of their personal data.
This fact sheet explains the responsibilities of researchers using records involving personal data in the course of their research at NRS. The fact sheet offers practical guidance only. It does not represent legal advice nor is it a substitute for it.
Research Use of Personal Data
Personal data can be broadly defined as information about an identifiable living person. For a more detailed explanation of what personal data are see the definitions below.
Article 5 of the UK GDPR allows the processing of personal data for archiving purposes in the public interest and for historical research purposes subject to appropriate safeguards which minimise any adverse impact on living individuals.
Researchers are permitted to use personal data in open records accessed in the NRS search rooms provided they abide by these conditions and by the data protection principles (see appendix).
The DPA provides an exemption under Schedule 2 part 6 section 27 (research and statistics) which allows personal data to be used for historical research purposes provided that it is processed in accordance with the safeguards under Article 89(1) of the UK GDPR.
Section 19 of the DPA makes further provisions and states that the processing of personal data for historical research purposes will not meet the safeguard requirements if it is:
- likely to cause substantial damage or substantial distress to a data subject
- carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research
Researchers are permitted to use personal data in open records accessed in the NRS search rooms provided they abide by these conditions and by the data protection principles.
Closed Records
As a general rule, in order to protect the privacy of the individuals concerned, archival records involving special categories of personal data are closed to public access for the lifetime of the individual. Some types of personal data may be disclosed sooner for the purpose of historical research if access is considered fair and lawful.
NRS determines the appropriate closure periods of records for which it is sole data controller. Where NRS is the joint data controller or data processor periods are determined in consultation with the depositors of the records. Information on closures which may apply are noted in our catalogue.
Records created or owned by bodies subject to the Freedom of Information (Scotland) Act (FOISA) 2002 or the Freedom of Information Act (FOIA) 2000 which involve personal data may be subject to an exemption under section 38 of FOISA or section 46 of FOIA.
You can make a request for a review of whether an exemption should apply by emailing foi@nrscotland.gov.uk. On receipt of your request, a sensitivity review will be conducted to determine the sensitivity and nature of the personal data involved. The access assessment will be made by the data controller of the information in question which is in most cases the record creator. If your request for information is refused, the reasons for the decision will be communicated to you.
In rarer circumstances the record creator may permit access to special categories of personal data in its collections for research purposes which justify such access.
Definitions of Personal Data
The UK General Data Protection Regulation (UK GDPR) has expanded the definition of personal data to include a wide range of personal identifiers, reflecting changes in technology and the way organisations collect information about people.
Personal data "means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
The UK GDPR also replaces sensitive personal data with the term "special categories of personal data" which are "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, …genetic data, biometric data
[processed] for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation".
Arrangements for requesting access vary according to record creator. You should speak to our search room staff if you would like more information.
Special categories of personal data may be processed for historical research purposes in accordance with the safeguards under Article 89(1) of the UK GDPR and section 19 of the DPA. Article 9 of the UK GDPR states that the processing shall be proportionate to the aim
pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Schedule 1 part 1 section 4 further requires that the processing be in the public interest.
Your Responsibilities as a Researcher
As a researcher you are responsible for any personal data concerning living individuals that you collect in NRS whether in the form of notes taken or copies of records obtained. This includes any personal information you may come across in open records. When you take away information you become the data controller of this information and are liable for it and any subsequent use made of it. It is your
responsibility under the Data Protection Laws, to ensure that the personal data which you have gained access to is used only for historical research purposes.
- You must not use data to cause substantial damage or distress to data subjects.
- You must not use data to support measures or decisions concerning individuals.
- You should ensure respect for the principle of data minimisation and only use personal data where it is necessary for your research purpose.
- You should anonymise identities wherever possible. This is good practice when taking notes as it reduces the risk of subsequent unauthorised disclosure or misuse. Also data subjects have a right of access to their information so if you anonymise information it will not be open to subject access requests.
If you intend to publish personal information you should give consideration to the following:
- Whether the data subject is still living.
- Whether the information has already been published or placed in the public domain.
- Whether the individual is a public figure. If so the information is more likely to have already been made public.
- Whether it is in the public interest to publish. Schedule 2 part 5 section 26(1) allows the processing of personal data with a view to the publication for the purposes of journalism, academic purposes, artistic purposes or literary purposes, provided that you reasonably believe publication would be in the public interest – for guidance you should consult the BBC Editorial Guidelines, the Ofcom Broadcasting Code, or the Editors’ Code of Practice.
- Whether you may need to obtain the permission of the data subject prior to publication unless you anonymise the information. Bear in mind that redacting names may not always be sufficient to anonymise information. The context of the personal data can also reveal identity.
Compliance and Unlawful Use
NRS provides access to the personal data in its collections for research purposes and to meet statutory obligations. By signing the declaration at the bottom of the Reader’s Ticket form you are undertaking to abide by the conditions of access and use as outlined in this fact sheet. You are, therefore, taking on responsibility for your own compliance with the Data Protection Laws in relation to any use by you of the personal data obtained from the archival materials made available by NRS. Failure to abide by these terms will lead to the withdrawal of your reader’s ticket.
If you use the personal data which you have accessed at NRS for any purposes other than historical and statistical research or publication of journalistic, academic, literary or artistic material in the public interest, or you process this personal data to support measures or decisions about the subject of the data without their consent, you may be guilty of an offence under part 6 section 170 of the DPA 2018, and could be prosecuted.
Further Information
Further guidance on data protection, including interpretation of what constitutes the public interest, can be found on the website of the Information Commissioner’s Office.
The NRS Data Protection Policy can be found on our website.
If you require further advice about how data protection applies to information processed by NRS please contact our Data Protection Officer directly using the contact details below:
Data Protection Officer
National Records of Scotland
HM General Register House
Edinburgh
EH1 3YY
Email: dataprotection@nrscotland.gov.uk
Appendix: The Data Protection Principles
UK GDPR Article 5 – Principles relating to processing of personal data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes
in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
