More than 400,000 Scots have been placed on a police database aimed at protecting "vulnerable" people, BBC Scotland has discovered.
Officers attending incidents or crimes add people to the list if they consider them at risk of future harm.
The Information Commissioner said the database breached the Data Protection Act because it lacked an information removal policy.
Police Scotland said it was working to bring it into compliance with the act.
Many people were not told that they had been put on the system.
The force said that the database allowed officers to collate information about vulnerable adults and children - which offered "real opportunities" to prevent future crime.
The rationale behind the database is partly to prevent cases like the "entirely avoidable" death of 11-week-old Caleb Ness, who was killed by his father in 2001 after public authorities failed to communicate key information about his wellbeing.
Figures obtained by the BBC show that there are currently 412,000 adults and children on the Vulnerable Person Database (VPD), about one person in every 13 in Scotland.
This is an increase of more than a third since February last year when there were 302,346 on the system.
'Working through issues'
Set up with the creation of Police Scotland in 2013, the system aims to provide a "holistic" approach to child and adult protection.
It involves collating disparate pieces of information about a particular vulnerable individual into a single file - allowing officers to build a narrative about that person.
At a supervisor's discretion, the file can be shared with other government bodies - for example health, social work or education - so that the person receives support.
The National Police Chiefs' Council said that there was no equivalent national database used in England, Wales or Northern Ireland.
Legal expert Prof Jim Murdoch said UK police forces have a "duty" to retain information on those at risk of harm, so long as its relevant and proportionate.
But Police Scotland has no policy for removing or weeding data from the VPD when it is no longer applicable - which the Information Commissioner's Office (ICO) said breached the Data Protection Act.
Det Ch Insp Conway said this was because the VPD was set up as an interim resource, which is now being used beyond its intended lifespan.
He said the force was in touch with the ICO about the "issues" it was working through relating to "weeding" information from the database.
"Self-awareness is an important thing, we know that we need to weed this information and it's a top priority for us to do it," he added.
How does it work?
- Police officer files digital "concern report"
- Supervisors check information is relevant, proportionate and justified before it can be retained on the database
- Supervisors also decide whether they need to share the report with external care bodies
- Information can be added to an existing concern
- All staff with access to the database attend a specialist training course
The force said it did not always tell people how it was recording, managing and sharing their information - meaning that many people will not know if they are on the list.
But Police Scotland said there was an "expectation" officers would inform those added to the database that there was concern about their wellbeing.
Prof Murdoch warned that the system could also breach human rights laws if "safeguards" were not used consistently.
He said: "The question ultimately from the European perspective or the domestic courts implementing the human rights act would be the extent to which the safeguards are effective in practice.
"That would really mean two things. Firstly, what gets on. Secondly, who decides when it comes off."
'I don't see myself to be a vulnerable person'
Teacher John Naples-Campbell was leaving his home in Partick in 2015 when three strangers began shouting homophobic abuse at him.
After the strangers left, John reported what happened to Police Scotland - who he said he "could not fault" because they arrived immediately and offered assistance.
But Mr Naples-Campbell said he was "shocked" the officers did not tell him that - as a victim of hate crime - he would automatically be added to the VPD.
"I don't see myself to be a vulnerable person," he said.
"If I was to hold my partner's hand in Aberdeen city centre walking down the street and someone hurled gay abuse at me, I would see myself in the wrong situation at the wrong time.
"If they were going to add that [to the database] along with a previous attack against me in a different city then I don't feel that's right."
Prof Murdoch stressed that the existence of the database itself was a "very positive sign" because public authorities have a duty to protect the vulnerable.
It was set up to comply with the Child and Young Persons Scotland Act, which Scottish government ministers hoped would include a "named person" scheme.
That has been delayed after Supreme Court judges ruled against certain aspects of the proposals in 2016.
Det Ch Insp Conway added that Police Scotland had done "a lot of work" following the Supreme Court judgement in July last year.
He said: "We believe were still acting within our legal basis in terms of our core purpose and improving safety and wellbeing.
"I am fairly comfortable that the standards we have started to embed in terms of our concern hub practice would be compliant across the board.
"We're still working through it. It's a programme of continuous improvement."
In the past year, police have shared 31,805 concern reports with education, 91,727 with social work and 146,758 with "other partners".
In a statement, the ICO said: "Data protection law protects the public by setting out rules that personal data must not be kept for longer than necessary. We have spoken to Police Scotland and advised how they can bring the interim vulnerable persons database into compliance with the Data Protection Act."
Det Ch Insp Conway said information on 60,000 people had been deleted from the VPD since 2013.
He added: "We are now working on a stringent weeding policy that will see more people removed from the database at certain time intervals."