Skip to main content
Visit Scotland | Alba

1. Purpose and scope

This policy provides a framework for ensuring that VisitScotland meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 18). It applies to all the processing of personal data carried out by VisitScotland including processing carried out by joint controllers, contractors, and processors.

VisitScotland complies with data protection legislation guided by the six data protection principles.

In summary, they require that personal data is:

  • processed fairly, lawfully and in a transparent manner;
  • used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes;
  • adequate, relevant, and limited to what is necessary;
  • accurate and, where necessary, up to date;
  • not kept for longer than necessary; and
  • kept safe and secure.

In addition, the accountability principle requires us to be able to evidence our compliance with the above six principles and make sure that we do not put individuals at risk because of processing their personal data. Failure to do so, can result in breach of legislation, reputational damage, or financial implications due to fines.

To meet our obligations, we put in place appropriate and effective measures to make sure we comply with data protection law. Our staff have access to a number of policies, operational procedures and guidance to give them appropriate direction on the application of the data protection legislation, this includes over arching;

  • Records Management Policy
  • Retention Schedules
  • Policy on Processing of Special Categories of Personal Data and Criminal Offence Data
  • Privacy Notices

2. Information covered by data protection legislation

The UK GDPR definition of "personal data" includes any information relating to an identified or identifiable natural living person.

Pseudonymised personal data is covered by the legislation, however anonymised data is not regulated by the UK GDPR or DPA 18, providing the anonymisation has not been done in a reversible way.

Some personal data is more sensitive and is afforded more protection, this is information related to:

  • race or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric ID data;
  • health data;
  • sexual life and/or sexual orientation; and
  • criminal data (convictions and offences)

3. Policy statement and commitment

In order to fulfil our obligations under data protection law VisitScotland is committed to:

  • making data subjects aware of when we collect personal data about them, and explaining the ways in which that information will be used;
  • making data subjects aware of their rights and how they can exercise them;
  • ensuring that there is a lawful basis for any processing;
  • ensuring that processing is fair and will not be unduly detrimental,
  • unexpected or misleading to individuals;
  • processing personal data which are adequate, relevant and limited to what is necessary for the intended purposes;
  • ensuring that personal data are accurate and kept updated;
  • retaining personal data only for as long as they are needed;
  • ensuring appropriate processes are in place to securely delete and remove data from our systems;
  • taking appropriate technical and organisational measures to safeguard the integrity and confidentiality of personal data;
  • ensuring that personal data are not transferred outside the European Economic Area without appropriate safeguards;
  • maintaining records of processing activities and organisational compliance.

With exemptions, where appropriate, for personal data which are processed only for public interest archiving, statistical purposes, or historical research purposes.

4. This is achieved through

Privacy notices

We use privacy notices and privacy information to inform data subjects wherever the collection and processing of personal data takes place, outlining the purposes for which the data will be used, who it will be shared with, how it will be securely retained, and how individuals may access it;

Identification of a Data Protection Officer

We have a Data Protection Officer (DPO) with specific operational responsibility for data protection in VisitScotland;

Information Asset Register

We maintain an information Asset Register that documents VisitScotland records and data protection metadata;

Data sharing

We share information lawfully and in accordance with the Information Commissioner’s Office Data Sharing Code of Practice; entering into data sharing agreements with third parties, which clearly state the terms under which information will be shared;


We require all staff to undertake mandatory training on information governance and security to highlight and increase awareness of their responsibilities in line with data protection.

Data breaches

We consider personal data breach incidents and have a reporting mechanism that is communicated to all staff. We assess whether we need to report breaches to the Information Commissioner’s Office within 72 hours of becoming aware of the incident. We take appropriate action to notify data subjects where there is a high risk to their rights and freedoms.

Information rights

We have clear processes to handle subject access requests and other information rights requests;

Data protection by design and default

We carry out Data Protection Impact Assessments (DPIAs) before we begin any processing of personal data which is likely to result in a high risk to individuals;

Records of Processing Activities (ROPAs)

We record our processing activities;

Policies and procedures

We produce policies, procedures and guidance on information management, security and compliance that we communicate to staff;


Our solicitors oversee that our contracts are compliant with data protection legislation;

5. Roles and responsibilities

Audit and Risk Committee

The Audit and Risk Committee supports the Board with their responsibility for issues of risk, control and governance. It provides assurance for Data Protection by reviewing and noting the Annual Data Protection Report every November.

Heads of Departments (HODs)

HODs are responsible for ensuring that their staff comply with this policy and for implementing appropriate processes, controls and training to ensure compliance annually via email confirmation to the DPO/RM that this has been done.

Senior Information Risk Officer (SIRO)

Director of Corporate Services is VisitScotland’s Senior Information Risk Officer (SIRO). The SIRO is the data controller for VisitScotland and has primary responsibility for ensuring that all collection and processing of Personal Data within the organisation complies with the Data Protection Legislation and principles.

VisitScotland Data Protection Officer (DPO)

The Data Protection Officer ensures this Policy and related procedures and guidelines are kept up to date. The Data Protection Officer also provides training and guidance to staff and acts as a contact point for data subjects and the Information Commissioner. The Data Protection Officer gives advice regarding Data Protection Impact Assessments (DPIAs) and Data Protection related agreements.

Data Governance and Security Group (DGSG)

Data Governance and Security Group membership represents teams responsible for managing key data flows. Members share and discuss data related issues and work to provide a co-ordinated organisational response to ensure legal and regulatory compliance. Line managers must ensure that staff with specific Data Protection Legislation responsibilities (e.g. Information Asset Officers) have these written into their job descriptions and fulfil their Data Protection Legislation responsibilities properly. Such activities should be included in Annual Performance Diaries of line managers and staff members. Line Managers should also ensure that all staff complete the corporate Data Protection Legislation training.

Other roles

Specific roles are assigned throughout VS to manage personal data we process and the associated risks in terms of responsibilities, decision making and monitoring compliance.

Departmental Information Management Owners are Heads of Departments and have responsibility for each identified information asset within their department.

Information Asset Officers have local responsibility for data protection compliance in their team / department. A number of teams are responsible for issuing, reviewing and communicating corporate information management standards and procedures. The teams also advise on compliance with the Data Protection Legislation and implement IT solutions to ensure VisitScotland takes a privacy by design approach.

6. Legislative framework

Compliance with this policy will facilitate compliance with the following acts, regulations and standards:

  • Data Protection Act 2018
  • Development of Tourism Act 1969
  • Environmental Information (Scotland) Regulations 2004
  • Freedom of Information (Scotland) Act 2002
  • Privacy and Electronic Communications (EC Directive) Regulations 2003
  • Public Records (Scotland) Act 2011
  • Tourist Boards (Scotland) Act 2006
  • Tourism (Overseas Promotion) (Scotland) Act 1984
  • United Kingdom General Data Protection Regulation (UK GDPR)

7. Relationship to other VisitScotland policies

This policy forms part of VisitScotland’s overall framework but specifically relates to the following policies, plans and procedures:

  • business continuity management policy and plan
  • cookie policies
  • disciplinary policy
  • flexible, mobile, home, and lone working policies
  • information systems acceptable use policy
  • privacy policies
  • procurement policy
  • records management plan
  • records management policy
  • retention schedules
  • social media policy

8. Monitoring and review

Compliance with this policy and related standards and guidance will be monitored by the Data Protection Officer /RM in consultation with Departmental Information Management Owners, Information Asset Officers, the Data Governance and Security Group, and Senior Information Risk Officer.

An Annual Data Protection Report will be submitted to the Audit and Risk Committee every November.

This policy will be next reviewed in 2026. Further reviews of the policy will then take place at least every three years or at such time that a significant change is made to legislation, regulations, or business practices.

9. Glossary

Term Definition
Personal data Any information relating to an identifiable living individual who can be identified from that data or from that data and other data. This includes not just being identified by name but also by any other identifier such as ID number, location data or online identifier, or being singled out by any factors specific to the physical, physiological, genetic, mental, cultural or social identity of the individual.
Processing Anything that is done with personal data, including collection, storage, use, disclosure, and deletion.
Special category personal data Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
Controller The organisation (or individual) which, either alone or jointly with another organisation (or individual) decides why and how to process personal data. The controller is responsible for compliance with the Data Protection Act and General Data Protection Regulation.
Personal data breach A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Pseudonymisation The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Related links