Fergus Smith found a way to get free access to records on the Scotland’s people website
By David Cowan
Home affairs correspondent, BBC Scotland
A researcher has revealed that he gained unauthorised access to thousands of records on a genealogy website run by a government agency.
Fergus Smith said he stumbled across a way of viewing birth, death and marriage certificates without paying.
Scotland’s People is run by National Records of Scotland, a non-ministerial Scottish government department.
In response to Mr Smith’s claims, NRS said immediate action had been taken once it was made aware of the issue and “only one customer” had been involved.
Formed in 2011, NRS collects and preserves public records and has strict rules on what can be viewed by the public.
Access to birth records is controlled for 100 years, marriage records for 75 years and death records for 50 years.
Under supervision and for a fee, images of the certificates can be viewed on computers at NRS’s Scotland’s People centre in Edinburgh and in other regional hubs.
People can take notes but they cannot save or print the records.
An alternative is to buy copies of the certificates through the Scotland’s People website, without seeing them first.
What people should not be able to do is search the site and look at images of the certificates on a laptop in the comfort of their own home.
Image source, Scotland’s people
The Scotland’s People website is operated by National Records of Scotland (NRS), an official arm of the Scottish government
That is what Mr Smith says happened last November, when he was carrying out historical research.
“I accidentally discovered that it was possible to view all the hidden records,” he told BBC Scotland News.
“I then poked around a wee bit more and realised I could view anything, including random people’s birth certificates.”
Mr Smith said NRS had updated the website in advance of the publication of the 1921 Scottish census.
“It was more than a little disconcerting that they had managed to break the security so badly.
“Every single person born or married in Scotland, I had access to all their data.
“I shouldn’t have been able to do that and it wasn’t difficult.”
Urgent review
Mr Smith said he hesitated to tell NRS because he feared they would accuse him of hacking and “they’d shoot the messenger”.
After seeking the advice of another researcher, he informed NRS on 2 December.
In a statement, NRS said: “Following an urgent review, it was concluded that only one customer had accessed images in this way.
“This incident did not meet the threshold for reporting as a personal data breach to the Information Commissioner’s Office.”
Last week NRS removed thousands of names from Scotland’s People following complaints from an adoptive mother.
She had discovered that she was able to find details of her child on the site which gave his adopted surname and linked him to Scotland’s confidential adoption register.
The mother’s concern was that under certain circumstances, the website could allow people to find out the new name of an adopted child and track them down.
NRS responded by removing all references to people who had been adopted from the website. It is reviewing whether any of the information can go online again.
A charity which has been involved in adoption in Scotland for more than a century backed the mother’s concerns.
The chief executive of St Andrew’s Children’s Society, Stephen Small, said: “There’s nothing more sacrosanct in adoption than confidentiality.”
The NRS website states that adoption processes are among the most confidential records that it holds and are closed to general public access for 100 years.
NRS informed the Information Commissioner’s Office when it removed the names last week.
A spokesperson for the commissioner’s office said it was engaging with NRS to understand what happened.
