We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Privacy notice - ScotAccount

Last updated
10 Nov 2025

This privacy notice sets out how ScotAccount uses your personal data when you create and use your ScotAccount.

When we use ‘us’ and ‘we’ in this privacy notice, we mean ScotAccount.

ScotAccount is run by the Scottish Government, who act as the data controller of the personal information that you give us. Services that use ScotAccount are responsible for any personal data you provide when you use their online services. Details of this will be in their own privacy notices.

So you understand how your personal data is being processed, you should read:

Changes to this privacy notice

We may change this privacy notice. In that case, the 'last updated' date on this page will change.

Personal data we collect for account creation and sign in

When you create a ScotAccount, you'll be asked to provide:

  • an email address
  • a mobile number or landline number
  • a password

When you register with us, we’ll assign your email address with an account number, which is a randomised and unique identifier. This identifier will be shared with services when you sign in.

We’ll only share your email address and mobile number with a service if they request this information.

Why we collect this personal data

This information is used to create your ScotAccount and to make sure only you can sign in to it. When you create an account, sign in or change any of this personal data we’ll send messages to confirm this. These messages will include emails and one-time passcodes.

We may use your email address to contact you about your ScotAccount, but only if we need to.

Personal data we collect when we verify your identity

ScotAccount lets you share verified information about yourself with other services if they request it.

Services that use ScotAccount may need you to verify who you are before you can access them. To verify who you are, you'll need to provide some personal details about yourself.

ScotAccount offers different checks to verify your identity, either by:

  • matching you to your photo and information on an official document
  • asking security questions about your personal information, bank account, mortgages, loans or credit cards – only you should know the answers

We’ll also perform separate activity history and fraud checks on all users who need to verify their identity.

The way we process your personal data will depend on the type of identity verification check we do. The next section explains this in more detail.

Using an official document to verify your identity

We need to check that:

  • your documents are real
  • you’re a real person
  • you’re the same person as in the document photo

We use an identity checking service called Experian and their subcontractor Mitek to do these checks. Experian acts as a data processor with Mitek as a sub-processor. This means that they may only process your personal data for the purpose of fulfilling our instructions as part of our contract with them.

We need to check the security features on your identity document to prove that it is a genuine document. This means that you’ll need to take a photo of the document with your device’s camera.

We also need to perform two checks. These are:

  • a ‘liveness’ check to make sure you’re a real person
  • a ‘likeness’ check to prove that you’re the same person as in the photo on your official document

We collect the following information from you as part of these checks:

  • name
  • date of birth
  • address
  • photo of your official document
  • photo of yourself

Once we’ve done these checks and confirmed your identity, we’ll delete this information. It will not be used for any further purpose by us, the Scottish Government, our processor, or any other sub-processors.

Answering security questions to verify your identity

We do a knowledge-based verification (KBV) check by asking you security questions about your credit or financial history. Only you should know the answers to these questions. For this check we use your name, date of birth and address to generate relevant questions from Experian. We send your answers to Experian to check that they match the information they already have about you.

When Experian has completed the check, they respond to us with a Pass or Fail outcome. We do not store or save the questions or your answers. We only access the questions that Experian generates. We do not have access to your financial data or your transactions at any time.

Experian acts as an independent data controller when we carry out this check. This means that they’ll retain some of your data to protect against fraud and error and to comply with legal and regulatory requirements.

Read about how Experian uses your data.

Activity history check

We do an activity check when you verify your identity through ScotAccount. This check is to make sure your identity has existed over time. It lowers the risk that someone is using a synthetic, or false, identity or one that belongs to someone who’s died.

We’ll perform a soft search on your credit record to confirm your activity history. The search will not impact your credit score. We use Experian to do this check. They hold information from sources such as the electoral register and financial institutions. They’ll check that the information you’ve provided matches their sources.

The Scottish Government will not be able to see the data that Experian holds about you. Experian only provides the result of the search as a Pass or Fail.

Experian acts as an independent data controller when we carry out this check. This means that they’ll retain some of your data to protect against fraud and error and to comply with legal and regulatory requirements.

Read about how Experian uses your data.

Fraud check

We do a fraud check to make sure that the identity:

  • is not at a higher risk than usual of identity fraud, such as being stolen or misused
  • is not suspected to be a synthetic, or false, identity

We do this by checking the details that you gave us against an independent and authoritative counter-fraud source called Cifas.

Cifas will perform this check and send us a result. The result will tell us whether or not there is any fraud known or suspected about the identity, and details of any associated fraudulent activity.

Fraud prevention agencies use this information to prevent fraud and money laundering and to verify your identity. You can find out more about how we, and these agencies, use your information, and your data protection rights, on the Cifas website.

Read about how we use Cifas to protect the public sector
 

Personal data we collect for security monitoring

The Scottish Government processes some personal data for security monitoring purposes. This includes:

  • online identifiers, such as your IP address
  • the account number that we assign to your email address to identify your ScotAccount

Security monitoring makes sure that the data associated with accounts is secure. It also detects outside attacks and misuse.

Technical information

We’ll collect technical information as part of providing ScotAccount and user support. This includes:

  • online identifiers, such as your IP address
  • the URL of the page you’re on, if you’re using the online form
  • technical information about the device you’re using, such as the model and operating system

Personal data we collect when you contact us

You can contact us if you need help with, or want to provide feedback about, ScotAccount. The easiest way to get in touch with us is using the form on ‘Get help with this page’ link that you’ll find at the bottom of every page.

If you contact us through the form, we’ll collect:

  • your email address, which we’ll use to contact you about your enquiry and to help identify your ScotAccount if necessary
  • the details of your help request
  • some technical information to help us support you

Do not include any sensitive information about yourself when you contact us. We’ll store any data you choose to share in our support systems. We use a company called Atlassian to provide our support technology and only we can access your data.

We store all support enquiries, such as online forms and emails. We use these for:

  • resolving questions and complaints
  • quality monitoring and training
  • monitoring and detecting fraud
  • improving our service

If you contact us through our online form, we collect technical information about your device and use of the service. This is set out under ‘Technical information’ in the section above.

If you agree to web analytics cookies

If you give your consent, we use Google Analytics to collect information about how you use ScotAccount. This includes:

  • information about the pages you use
  • how long you spend on each page
  • how you got to the ScotAccount service
  • what you click on while you use the service
  • technical information including the type of device and web browser you use

The information collected is classed as personal data because Google Analytics assigns a unique identifier to each visitor. However, this does not let us or Google determine your personal information. We will not use analytics data together with any other data that you provide or that we hold in order to find your personal information.

Why we need your information

We collect your personal information as part of using ScotAccount, to:

  • provide you with a ScotAccount to access online services
  • verify your identity
  • provide your ScotAccount mailbox as a secure way for you to read and reply to messages

We also use your information to:

  • keep your ScotAccount secure (using your email address, phone number, password and system logs)
  • verify your identity, if required, and allow you to save it for re-use
  • monitor, detect and investigate fraud
  • contact you about any planned interruptions, problems or changes that may affect your ScotAccount (using your email address)
  • improve the service by understanding how you use it and any problems you experience (using our technical information, Google Analytics, and your feedback)
  • monitor the success rates of identity checks and produce anonymised reports about ScotAccount so we know what to improve
  • help monitor, diagnose and fix technical or debugging issues that affect the service

The legal basis for processing your information

For the purposes of managing your account, verifying your identity and fraud monitoring, the legal basis for ScotAccount processing your information is that it is necessary for the performance of a task carried out in the public interest. (UK GDPR Article 6 (1)(e))

It is lawful for us to use special category data (biometric data from images) for reasons of substantial public interest. This includes:

  • statutory and government purpose for identity checking (paragraph 6, schedule 1, Data Protection Act 2018)
  • preventing or detecting unlawful acts for fraud detection and prevention (paragraph 10, schedule 1, Data Protection Act 2018)

When you agree to save your verified information in your ScotAccount you’re doing so under the legal basis of consent. (UK GDPR Article 6 (1)(a))

You can choose whether you save your information and can delete it at any time. If you do not give consent to store the information from your identity checks, we’ll delete it when you’ve completed the action you’re doing.

Your choices do not affect your ability to use ScotAccount or the online service you’re accessing.

Who your data will be shared with

If you’re interacting with another service that uses ScotAccount, we’ll provide some information to them when you sign in. This includes:

  • your account number
  • your email address (if requested at sign in)
  • your mobile phone number (if requested at sign in)

If they’ve requested an identification check this will include:

  • the result of your identification check
  • your name and date of birth (if verified)
  • your address (if verified)

Before we share your information with another service, we’ll ask you to confirm it. If you do not share, or are unable to share, the information that the service has requested, they may ask you for more information or they may be unable to provide you with the service online.

The Scottish Government has employed a number of third-party organisations who may have access to your data. In each case they’ve only been given the minimum amount of personal data needed to operate the ScotAccount service and to verify your identity.

These organisations are:

  • Experian, as an independent data controller subject to a contract with us for activity history checks (also known as a soft check) and for knowledge-based verification (KBV, also known as security questions)
  • Mitek, as sub-processor to Experian, for official document checks, biometric likeness and liveness checks
  • Cifas, as an independent data controller, subject to a contract with us for independent fraud checks to protect the public sector
  • Scott Logic, as a data processor subject to a contract with us for ongoing development and maintenance of the ScotAccount service

We also work with technology suppliers to provide ScotAccount to you. For example, we use Amazon Web Services (AWS) for external hosting and Atlassian to manage our user support. Our suppliers act as data processors and are subject to contracts with us that restrict them to only processing your personal data for the sole purpose of providing their services under our instructions.

Data collected by Atlassian products may be transferred outside the European Economic Area (EEA) for processing as part of providing support to you. We make sure your information is just as well protected.

Sharing your information to identify crime and protect against fraud

To protect against crime and fraud, we sometimes need to share information with:

  • agencies and departments that run the services you access through your ScotAccount
  • other UK public sector organisations, such as the Home Office
  • law enforcement agencies such as Police Scotland or the National Crime Agency
  • Experian
  • data processors who provide relevant monitoring services

The information we share includes:

  • IP addresses and geolocations
  • account number
  • information about the devices being used
  • identity document details, including name and date of birth
  • addresses
  • phone number
  • email addresses
     

How long we keep your personal data

We’ll keep your sign in data for as long as you choose to have your ScotAccount, to allow it to function. We’ll delete this data if you do not use your ScotAccount for 5 years.

You can delete your ScotAccount at any time. This will delete your account and all information that is stored within it.

Information held in ScotAccount will be retained until you decide to remove it, which you can do at any time while you’re signed in. You can remove information without deleting your account.

We’ll store the biometric data used for identity verification until verification is complete. This may be for up to one week, but the process should usually only take a few minutes. It is not used for any other purposes apart from this.

If you used knowledge-based verification to verify your identity, we do not store or retain the security questions or your answers.

When you contact us for help, we’ll store the information we collect for 12 months. This includes the emails and online forms that you submit to us.

We’ll store information about the action you take when you use ScotAccount in system logs for 12 months.

We’ll also maintain a secure audit trail of all ScotAccount audit logs for 7 years for fraud monitoring purposes.

We’ll store security monitoring data for 6 months.

Your rights

Data protection legislation provides a number of rights in relation to your personal data. These are the right:

  • to be informed about the use of your personal data – this is done through this privacy notice
  • of access – this allows you to access copies of the personal data we hold about you
  • of rectification – this allows you to ask us to correct any personal data we hold about you that is verifiably wrong
  • of erasure – this allows you to ask us to delete any personal data we hold about you
  • to restrict processing – this allows you to ask us to restrict how we use your data
  • to object – this allows you to object to our use of your data

If you make a rights request to the Scottish Government, we must respond within one calendar month, unless an extension can reasonably be applied. These rights are not absolute and may be subject to exemptions. Any exemptions applied to these rights will be made clear to you in the response to your request.

The Information Commissioner’s Office is the regulatory body for data protection in the UK. You can find more information about your rights on their website.

Contact us or make a complaint

If you have any questions about the handling of your personal data, including about accessing, erasing or correcting any personal data that ScotAccount holds about you, email: ScotAccount@gov.scot

If you’re unhappy with the handling of your personal data and want to make a formal complaint, contact the Scottish Government's Data Protection Officer:

Address

Data Protection Officer
Victoria Quay
Commercial Street
Edinburgh
EH6 6QQ

Email

dataprotectionofficer@gov.scot

If you’ve followed our internal complaints process and you’re still unhappy about the handling of your personal data, you have the right to make a further complaint to the Information Commissioner's Office.

Back to top