National Records of Scotland claims ‘no personal data breach’ occurred but information was taken down and those affected describe grave concern after over 100 years of records were made available

The data-protection regulator has been alerted and a minister has been called on to investigate after complaints were made about publication of thousands of names of adopted children across Scotland.

The Scotland’s People website, which is operated by Scottish Government Body National Records of Scotland (NRS) which is an official arm of the Scottish Government, was alerted after a mother found details of adoptions dating from 1909 until 2022.  

The information was removed from the website 36 hours after the complaint was made.  

Scottish Conservative MSP Roz McCall has written to constitution and external affairs secretary Angus Robertson, whose ministerial responsibilities include NRS, describing the situation as being of “grave concern” to adoptive parents who have “gone to great lengths to protect their children’s adoptive names”.  

McCall, who is the mother of two adopted daughters, said: “It is clear that having your adoption status searchable on a public database breaches a child’s right to privacy under the European Convention on Human Rights and the United Nations Convention on the Rights of the Child.” 

Related content

• Northern Irish police officers’ details leaked in ‘breach of monumental proportions’
• Data offered for sale after ransomware attack on Scottish university
• Regulator reveals cyberattackers accessed emails and electoral register data for over a year undetected

NRS said it is taking the issue “extremely seriously” and has launched an investigation.  

Nick Hobbs, Scotland’s acting children and young people’s commissioner, said that the publication of the information could have caused “a significant risk of harm”.  

He said: “This is something that raises really serious concerns for us about children’s right to privacy. There’s a significant risk of harm for some children potentially, by people being able to link their current name with their birth name. It’s not straightforward to do that but my biggest concern is that you can do it, that that information is available at all.” 

A spokesperson for NRS said: “Relevant records have been removed from the website while we investigate this. We are taking this extremely seriously and will listen to a wide range of views before making decisions for the longer term.” 

The spokesperson said NRS had a statutory responsibility to make its registers open and searchable. 

They added: “There has been no personal data breach, but we have made the Information Commissioner’s Office aware of the complaint raised and the action we are taking as a precautionary step while we review the way we make this information available.” 

A spokesperson for the Information Commissioner’s Office said: “It’s important organisations holding sensitive personal data ensure it is handled in line with data protection law. National Records of Scotland alerted us to the concerns raised and we provided advice on organisations’ duty to self-assess and conclude if an incident needs to be formally reported to the ICO. We don’t appear to have received a formal breach report regarding this.”