The names of thousands of people adopted as children were available on a genealogy website, it has emerged.
Safety and privacy fears were raised after a mother found details of adoptions dating back more than 100 years on the Scotland’s People site.
It is operated by National Records of Scotland (NRS), an official arm of the Scottish government.
NRS removed the information 36 hours after the mother complained it could endanger her adopted child.
It said it was taking the issue “extremely seriously” and has launched an investigation.
Scotland’s Children and Young People’s Commissioner said the information could have resulted in “a significant risk of harm”.
‘Worst nightmare’
The mother who raised the concerns – a public sector worker from Central Scotland who wishes to remain anonymous – contacted BBC Scotland News after discovering her child’s details on the site.
She said she was worried that under certain circumstances, the website could allow people to find out the new surname of an adopted child and track them down.
She told the BBC that when adopting her son she had been encouraged to keep his first name.
“I did a search to see how many children with his first name were born in the same year, and to my horror the first entry that came up was his,” she said.
The entry included a reference number which revealed he was on the adoption register.
“I searched for someone else who was adopted and found them too,” the mother said.
“The whole adoption register was there online for everybody to see. I was horrified.”
She added: “It’s every adoptive parent’s worst nightmare that their child’s adoptive name, which has been carefully shielded through the court process, could be made public.
“There’s also a massive concern for adults who don’t know they’ve been adopted.”
Before the information was removed, the Scotland’s People website included the names of thousands of people who had been adopted as far back as 1909.
The most recent entries were from 2022.
Nick Hobbs, the acting Children’s Commissioner in Scotland, backed the mother’s concerns and raised the issue with NRS.
“This is something that raises really serious concerns for us about children’s right to privacy,” he said.
“There’s a significant risk of harm for some children potentially, by people being able to link their current name with their birth name.
“It’s not straightforward to do that but my biggest concern is that you can do it, that that information is available at all.”
‘Longer-term solution’
Mr Hobbs believes the information could breach a child’s right to privacy under the European Convention on Human Rights and the United Nations Convention on the Rights of the Child.
“Having your adoption status searchable on a public database clearly engages your right to privacy under both those international conventions,” he said.
He welcomed NRS’s decision to take the information offline.
“What we need them to do now is work out a longer-term solution that respects their right to privacy and ensures children are kept safe,” he said.
An NRS spokesperson said: “Relevant records have been removed from the website while we investigate this.
“We are taking this extremely seriously and will listen to a wide range of views before making decisions for the longer term.”
The spokesman said NRS had a statutory responsibility to make its registers open and searchable.
He said: “There has been no personal data breach but we have made the Information Commissioner’s Office aware of the complaint raised and the action we are taking as a precautionary step while we review the way we make this information available.”
The NRS declined to say how long the information had been available through the website but said it had not been the result of a recent change.
An spokesperson for the Information Commissioner’s Office said: “It’s important organisations holding sensitive personal data ensure it is handled in line with data protection law.
“National Records of Scotland alerted us to the concerns raised and we provided advice on organisations’ duty to self-assess and conclude if an incident needs to be formally reported to the ICO.
“We don’t appear to have received a formal breach report regarding this.”
Source: BBC News