Scottish Government records management plan

Sets out the Scottish Government records management plan, policy and retention schedules as well as plans to digitise our records.


Element 9: Data protection

Records involving personal data are managed in compliance with data protection law.

The Keeper will expect an authority's RMP to indicate compliance with its data protection obligations. This might be a high level statement of public responsibility and fair processing.

If an authority holds and processes personal data about stakeholders, clients, employees or suppliers, it is legally obliged to protect that information. Under data protection law an authority must only collect information needed for a specific business purpose, it must keep it secure and ensure it remains relevant and up to date. The authority must also only hold as much information as is needed for business, historical or research purposes and only for as long as is set out on an agreed retention schedule. The person who is the subject of the information must be afforded access to it on request, unless an exemption applies.

Best Practice might include:

  • The authority has appointed a Data Protection Officer.
  • The authority demonstrates compliance with the accountability principle.
  • The authority maintains records of processing activities appropriate to the authority's size.
  • The authority has put in place appropriate technical and organisational measures to meet accountability requirements - for example, a data protection policy has been implemented, a data protection officer has been appointed, data breaches are recorded, data protection impact assessments are carried out.
  • The authority is transparent about processing of personal data and enables individuals to determine what information the authority holds about them, how it is used, how long it is held and how they can exercise their rights.

Read further explanation and guidance about element 9.

Scottish Government Statement

Scottish Government has wide-ranging data protection controls in place, including high-level procedures, mandatory staff data protection e-learning training and guidance for specific activities.

Our Data Protection Policy is a statement of public responsibility and demonstrates our commitment to compliance with the Act and the safeguarding and fair processing of all personal data held by SG.

All staff of organisations who are part of the SG file plan are required to complete the "Responsible for Information – General User" and "Data Protection" e-learning courses on an annual basis and obtain a pass mark.

All the non-ministerial bodies covered by the SG file plan fall under the SG data protection registration, listed under the name of the Director General (DG) to which they report. Screenshots have been provided to show which DG each body falls under.

Evidence

E21: SG Data Protection ICO notification

E22: SG Data Protection Policy

E23: SG Data Sharing Template and Guidance – Non-Personal data

E24: SG Data Sharing Template and Guidance – Personal data

E25: Managing Information

E26: SG Subject Access – Guidance

E58: Director General Screen Shots for Data Protection Registration

Further Development

Staff will continue to undertake the "Responsible for Information – General User" and "Data Protection" e-learning courses on an annual basis and be required to obtain a pass mark.

Contact

Email: RMT_ERDM_Team@gov.scot