Running electoral registration - Scotland

Role as a data controller

As ERO, you are a data controller with a statutory duty to process certain personal data to maintain the electoral register. Under data protection legislation you will need to be able to demonstrate that you comply with the principles of processing personal data, ensuring that it is processed lawfully, fairly and in a transparent manner. 

Advice from the Information Commissioner’s Office (ICO) is that all data controllers will need to ensure that they are registered with the ICO. This means that EROs must be registered separately to their council. Under data protection legislation, a public authority must appoint a data protection officer (DPO) to advise on data protection issues. 

As ERO, you are not included in the definition of a public authority contained in Schedule 1 to the Freedom of Information Act 2000 and you are therefore not required to appoint a DPO for the conduct of your duties; however, your appointing council must have a DPO in place and you should liaise with them over good practice in relation to data protection. A key element of data protection legislation is the increased focus on accountability and transparency when processing personal data. 

You must be able to demonstrate that you comply with your obligations under data protection legislation, ensuring that you process personal data lawfully, fairly and in a transparent manner. The key to achieving this is to have and maintain written plans and records to provide an audit trail. You can find more information in our guidance ‘What are the data protection considerations for an Electoral Registration Officer?’

Last updated: 25 May 2021