We've made changes to the Online Tobacco Register. Find out more

Tobacco and Vape Register Privacy Notice

Last updated
4 February 2025

This privacy notice sets out how Scottish Government uses your personal data when you create your registration on the Tobacco and Vape Register.

The Register is operated by ePass on behalf of the Scottish Government. The Scottish Government will act as the data controller for your information.

  1. Personal data collected by ePass for account creation and sign in

When you create a registration, you'll be asked to provide:

  • Prove of identity via ScotAccount. You will also receive a GUID (Unique Identifier).
  • Name and address
  • a phone/mobile number
  • email address
  • a password
  • Name and address of your premises
  • Company Number
  • Confirmation of products being sold .i.e. tobacco, vapes or both

A random unique identifier, will be assigned to your registration, this unique identifier will be shared with a public body if you interact with them through our service.

The Register allows you to store verified information about yourself, your premises and products being sold. This information will also be shared with other public bodies when required.

  1. Why we collect this personal data

This information is used to create your registration on the tobacco and vape register and make sure only you can sign in to it. When you create a registration, sign in or change any of this personal data we will send messages to confirm this. We use GOV.SCOT to send these messages. We also use some personal data to keep accounts secure, and to work out if someone is attempting to access your registration when they shouldn't.

We may use your email address to contact you about your registration or share other important information, but only if we need to.

  1. Who your data will be shared with

If you are interacting with a Scottish public body some information will be provided to them.

  • Unique Identifier
  • Name and address of premises
  • Products being sold

  1. Further contacts

If you have any questions about the handling of your personal data, including about accessing, erasing or correcting any personal data held about you by the register, you should contact: [email protected]

  1. Personal data collected when verifying your identity

Some services partnered with ePass, will require you to verify who you are before you're allowed access to the Register. To verify who you are, you'll need to provide the following via ScotAccount:

  • an image of yourself
  • an image of an official piece of identification, such as your driving licence or passport
  • your home address
  • your date of birth

  1. Why we collect this personal data

When you provide these details, they will be transferred to Experian, our data processor, and Mitek, our data sub-processor, to be checked.

Once confirmed, the data used will be deleted and not used for any further purpose by the Scottish Government, our processor, or any further sub-processors.

  1. Personal data collected for security monitoring

The Scottish Government processes some personal data for security monitoring purposes. This includes your:

  • IP address
  • GUID (Unique Identifier)

  1. Why we collect this personal data

Security monitoring makes sure:

  • the data associated with accounts is secure
  • outside attacks and misuse are detected

Security monitoring identifies:

  • failed sign in attempts - this is so multiple attempts can be identified
  • the geographic location of sign ins - this is to identify issues such as a user logging in from Edinburgh and then logging in from Australia a few minutes later, which would indicate that a third party has accessed the account

All data we collect for security monitoring is "pseudonymised". This means the data cannot be used to identify you directly. Access to this data is limited to the Scottish Government's Security Operations Centre.

  1. The lawful basis

The lawful basis being relied on to process your personal information is article 6(1)(e) of the UK GDPR, ‘Processing is necessary for a task carried out in the public interest’.

The lawful basis for collecting sensitive personal data is Article 9(2)(g)

  1. How long we keep your personal data

Your sign-in data will be kept for as long as you choose to have your registration and ScotAccount. Maintaining your personal data is necessary for it to function.

Information held in both the Register and ScotAccount will be retained until you decide to remove it, which can be done at any time while logged in.

Information shared to public bodies will be subject to the retention schedule of those organisations.

You can delete both your registration and ScotAccount at any time.

If you start creating your ScotAccount but do not finish, we will store any personal data you've entered for a week before removing it. Once your data has been removed, you will need to restart the account creation process if you still want a ScotAccount.

The biometric data used for identity verification will be stored until verification is completed. Although the process should only take a few minutes, it may be stored for a maximum of one week while awaiting completion of verification. It is not re-used for any other purposes beyond this.

Security monitoring data is retained for six months, in line with National Cyber Security Centre standards.

GOV.UK retain your phone number or email address for 7 days when we send you a message.

Experian is required to keep a record of the soft credit check they carry out for 12 months.

Read more about Experian's searches and credit checks.

  1. Who your data will be shared with

If you are interacting with a Scottish public body some information will be provided to them.

  • SCOTAccount - this is your GUID (unique identifier).
  • Register - this is your certificate number.

If they have requested an identification check this includes:

  • the result of your identification check
  • the name, address and date of birth that were verified

They will not have access to any other data.

The Scottish Government has employed a number of third party organisations who may have access to your data. In each case they have only been provided with the minimum amount of personal data in order to operate the ScotAccount service.

These organisations are:

  • Experian
  • Mitek
  • Cifas
  • Amazon Web Services (AWS)
  • GOV.UK Notify
  • Scott Logic

  1. Experian

Experian is a credit reference agency appointed as a data processor by the Scottish Government, in order to provide the identity verification service for ScotAccount. Experian holds data from sources such as the electoral register and will ensure that the data you've provided matches their sources.

Experian will use their databases to carry out a soft credit check on your personal data.

The checks carried out by Experian will not impact your credit score.

The Scottish Government will not be able to see the data Experian checks. Experian only provides the Scottish Government with the result of the check.

Read about Experian's use of your data

Read about Experian's use of your data

  1. Mitek

Experian sub-contracts to Mitek as part of the identity verification process. Mitek uses the images you take during the identity verification process to compare the image of your face to the image of your official document: passport.

Both Experian and Mitek are subject to legally binding contracts tying the use of your data to the purposes outlined in this privacy notice, and do not have access to data in your ScotAccount.

  1. Cifas

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at https://www.cifas.org.uk/fpn.

  1. Your rights

Data protection legislation provides a number of rights in relation to your personal data. These are the right:

  • to be informed about the use of your personal data - this is done through this privacy notice
  • of access - this allows you to access copies of the personal data we hold about you
  • of rectification - this allows you to ask us to correct any personal data we hold about you that is verifiably wrong

If you make a rights request to the Scottish Government, we must respond within one calendar month, unless an extension can reasonably be applied. These rights are not absolute, and may be subject to exemptions. Any exemptions applied to these rights will be made clear to you in the response to your request.

You can find more information about these rights on the website of the Information Commissioner's Office, the regulatory body for data protection in the UK.

  1. Further contacts

If you have any questions about the handling of your personal data, including about accessing, erasing or correcting any personal data held about you by ScotAccount, you should contact: [email protected].

If you are unhappy with the handling of your personal data and wish to raise a formal complaint, you can do so by contacting the Scottish Government's Data Protection Officer:

  1. Address

Data Protection Officer Victoria Quay Commercial Street Edinburgh EH6 6QQ

  1. Email:

[email protected]

If, having followed our internal complaints process, you are still unhappy about the handling of your personal data, you have the right to make a further complaint to the Information Commissioner's Office.