We are testing a new beta website for gov.scot go to new site

Content notice

This content is not being updated. Get the latest information on Scottish Government action to help make Scotland a digital nation from https://beta.gov.scot.

Identity Management and Privacy Principles

Identity Management and Privacy

People are often asked by public service organisations to prove that they are who they say they are - either to prevent fraud or to show that they are entitled to receive a particular service or benefit, for example, free medical treatment.

People want to know that public authorities and other organisations respect their privacy and recognise the harm which may be done if personal information is collected or held unnecessarily, or is lost or misused.

The Scottish Government’s Identity Management and Privacy Principles aim to raise confidence in the management of personal data.  The Identity Management and Privacy Principles should be adopted by all Public Service Organisations delivering Scottish public services and they include:

  • Proving Identity or Entitlement
  • Governance and Accountability
  • Risk Management
  • Data and Data Sharing
  • Data use for Research and Statistics
  • Education and Engagement;

Identity Management and Privacy Principles

The Identity Management and Privacy Principles  were developed for Scottish Ministers by an expert group and Version 1 was published in 2010 with an aim that they would help public service organisations comply with data protection and human rights legislation and support good practice.

The Principles were published with a commitment to periodic updates and Version 2.0 is an update  requested by the Data Management Board.  One of the key changes is the inclusion of a section on Research and Statistics.  We have also updated links to new guidance and good practice examples produced by the Information Commissioner’s Office.

The Principles are aimed at policy makers and practitioners in public service organisations to help ensure that respect for privacy is central both to the way public services require their customers to prove identity or entitlement and in the way personal information is used for research and statistics.  The Principles will enable public service organisations to comply with legislative requirements and to achieve good practice.

The Principles apply to systems, either new or those being redesigned or redeveloped, which involve identity management.

Ministerial Support of the Principles

In his foreword to Version 2.0 of the Principles, John Swinney (Cabinet Secretary for Finance, Employment and Sustainable Growth) says:

The Scottish Government wishes to drive forward trustworthy uses of data for public benefit.

This is key to our focus on prevention in delivery of public services. Increasingly we will be using digital technology to support the wider design and delivery of services. Our strategy, shared with the wider public sector, “ Scotland’s Digital Future: delivery of Public Services” therefore sets effective management of data as a key theme. To secure public support it is vital that we maintain and enhance Scotland’s reputation for the safe, secure and transparent use of data, as set out in our Data Vision for Scotland. These Identity Management and Privacy Principles have been updated to support that Vision and its accompanying Action Plan.’

Supported by the Information Commissioner and his office

As an Expert Group member, Ken Macdonald (the Assistant Commissioner for Scotland and Northern Ireland) helped with the production of the Principles.  Ken also sits on the Data Management Board alongside Rosemary Agnew (the Scottish Information Commissioner).  In a joint Information Commissioners’ Statement supporting the Principles (October 2014) Rosemary Agnew and Christopher Graham, the Information Commissioner said:

"These principles were recently extended to consider the handling of data within a research environment and we commend this updated guidance for what is a rapidly changing data environment……..These Principles won’t just encourage openness and transparency to the benefit of the citizen, but, applied properly, will lead to better public administration and more efficient service delivery, and also demonstrate respect for clients. We urge all Scottish public authorities to adopt them as a minimum standard in their handling of personal information.."

Current Version of the Principles

The current version is 2.0: Identity Management and Privacy Principles Version 2.0


The previous version of the Identity Management and Privacy Principles (1.1) is also available

ICO Data sharing code of practice (STATUTORY)

'The data sharing code of practice is a statutory code which has been issued after being approved by the Secretary of State and laid before Parliament. The code explains how the Data Protection Act applies to the sharing of personal data. It provides practical advice to all organisations, whether public, private or third sector, that share personal data and covers systematic data sharing arrangements as well as ad hoc or one off requests to share personal data.

Adopting the good practice recommendations in the code will help organisations to collect and share personal data in a way that complies with the law, is fair, transparent and in line with the rights and expectations of the people whose data is being shared.' (ICO, 11 May 2011).