Scottish Crown Estate Bill: privacy impact assessment

Privacy impact assessment for the Scottish Crown Estate Bill.


Scottish Crown Estate Bill - Privacy Impact Assessment (PIA)

1. Introduction

The purpose of this document is to report on and assess against any potential Privacy Impacts as a result of the implementation of the Scottish Crown Estate Bill.

2. Document metadata

2.1 Name of Project: Scottish Crown Estate Bill

2.2 Date of report: December 2017

2.3 Author of report: Nikki Milne, Marine Scotland

2.4 Information Asset Owner (IAO) of relevant business unit: Mike Palmer, Deputy Director, Marine Scotland

2.5 Date for review of Privacy Impact Assessment (PIA): Subsequent revisions to the timetable will initially follow the passage of the Bill through the Parliamentary process. Indicative timelines are:

  • Bill progression –
    • Stage 2 expected completion – October 2018
    • Stage 3 expected completion – December 2018
    • Commencement of Bill expected – April 2019
  • Amendment to PIA

3. Description of the project

3.1 Detailed description of the work you are about to undertake. Include information on ownership and governance, the benefits of the project, and the planning and reporting mechanisms, with particular attention to risk management and reporting.

The Bill includes provisions to reform the powers and duties of a manager of Scottish Crown Estate assets and for changes in the management of Scottish Crown Estate assets - including the duties on management and charging for the assets. At present, the portfolio of property, rights and interests are managed as a whole by a single manager, Crown Estate Scotland (Interim Management). In the future, the proposed powers in the Bill could be used to enable local management of specific assets by local authorities or community organisations or for another part of the public sector to manage parts of the estate. Instead of one manager of many assets, there is the potential for there to be multiple managers, each with the responsibility of managing one or more of the assets. It is possible that some may only manage one asset or part of one of the asset types e.g. management of the foreshore in a part of Scotland. This Bill provides the mechanism by which management of an asset can be further devolved and sets out the regulatory framework within which all managers must operate.

There will be a framework at the national level to govern management of the assets which will ensure common standards of openness, transparency and accountability across the Scottish Crown Estate.

3.2 Describe the personal data to be processed.

No personal data will be routinely gathered or recorded.

In order to inform Scottish Ministers’ decision-making, it may be necessary for managers of Scottish Crown Estate assets to provide information and advice about the assets under their management. This could include the characteristics of the asset(s) or the general performance of the functions and is, therefore, different from personal data.

In the event that personal data needed to be shared for a small number of types of information, Data Protection Act requirements and processes would apply. If required, personal information would be redacted.

3.3 Describe how this data will be processed:

  • How will it be gathered?

The Bill requires managers of Scottish Crown Estate assets to provide information or advice in respect of the assets, as required by the Scottish Ministers.

  • Who will have access?

Relevant Scottish Government Directorate and managers of individual Scottish Crown Estate assets. All Scottish Government staff are required to undertake mandatory training on data protection annually.

  • How will it be transmitted?

It is not intended that information be transmitted beyond established systems.

  • How will it be stored, and disposed of when no longer needed?

As stated, the Bill does not require any routine gathering or storage of personal information. There are already well established protocols in place covering data storage and disposal and accordingly these matters are not addressed by the Bill.

  • Who will own and manage the data?

The data will be managed by the manager of the relevant Scottish Crown Estate asset(s).

  • How will the data be checked for accuracy and kept up to date?

No routine personal data will be gathered.

3.4 If this data is to be shared with internal or external partners, explain the legal basis for the sharing.

The legal basis for the provision of information or advice to the Scottish Ministers will be contained within the Bill. In reaching a decision about whether it would be lawful to share any data about an individual, managers of Scottish Crown Estate assets would need to consider the requirements of the Data Protection Act alongside the Bill.

4. Stakeholder analysis and consultation

4.1 List all the groups involved in the project, and state their interest.

The Scottish Government’s consultation on the Long Term Management of the Crown Estate in Scotland [1] was published on 4 January 2017 with views invited by 29 March 2017. The consultation set out the vision and key principles for the Scottish Crown Estate. The consultation was in three main parts, covering:

  • the overall aims for the estate;
  • who should manage the transferred functions in the future, including further devolution to the local level and the establishment of a national governance framework for management; and
  • how the revenue should be used in future.

A total of 212 responses were received (115 from organisations and 97 from individuals) from a range of individuals; community groups; the ports and harbour sector; fisheries/seafood bodies; leisure and tourism bodies; land and estates; enterprise or coastal management bodies; local authorities; natural heritage/conservation bodies; and commercial bodies. The independent analysis of the responses, by The Research Shop, will be published on 25 January 2018.

Very few respondents identified any potential impacts upon the privacy of individuals that may arise as a result of the proposals in the consultation. See section 8 for further information.

4.2 Detail the method used to consult with these groups when making the PIA.

It is not anticipated that any new or significant changes to the handling of types of personal data will occur as a result of the implementation or use of the Scottish Crown Estate Bill.

4.3 Discuss the means used to communicate the outcomes of the PIA with the stakeholder groups.

This PIA will be published on the Scottish Government website.

5. Questions to identify privacy issues

5.1 Involvement of multiple organisations

  • Will the initiative involve multiple organisations, whether they are public service partners, voluntary sector organisations or private sector companies?

Potentially, all 32 local authorities in Scotland could be involved to a greater or lesser degree. Community organisations could also be managers of Scottish Crown Estate assets. Each would be a manager acting independently rather than in collaboration so there would be no need for them to share personal data.

5.2 Anonymity and pseudonymity

  • If the project requires the matching of data sources together, would it become possible to identify an individual?

No. Data may be brought together, i.e. information about an asset, group of assets or total number of assets, but it would not be possible to identify an individual.

5.3 Technology

  • Will there be new or additional information technologies that have substantial potential for privacy intrusion?

It is not anticipated that there will be any new or additional information technologies.

5.4 Identification methods

  • Will there be the creation of new identifiers or re-using of existing identifiers?

No.

  • Will there be new or substantially changed identity authentication requirements that may be intrusive or onerous?

No.

  • What type of unique identifiers will be used in the project? These might have the effect of enabling identification of persons who were previously anonymous.

None.

5.5 Personal data

  • Will there be new or significant changes to the handling of types of personal data that may be of particular concern to individuals? This could include information about racial and ethnic origin, political opinions, health, sexual life, offences and court proceedings, finances and information that could enable identity theft.

No. Existing principles and procedures would apply in accordance with Data Protection legislation.

  • Will the personal details about each individual in an existing database be subject to new or changed handling?

Yes, potentially there may be new managers handling the existing data for particular Scottish Crown Estate asset(s). Managers will be required to comply with Data Protection legislation.

  • Will there be new or significant changes to the handling of personal data about a large number of individuals?

No. Existing procedures would apply in accordance with Data Protection legislation.

  • Will there be new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?

No.

  • Will the project involve the linkage of personal data with data in other collections, or any significant change to existing data links or holdings?

There will be no linkage of personal data with data in other collections, or any significant change to existing data links or holdings.

5.6 Changes to data handling procedures

  • Will there be new or changed data collection policies or practices that may be unclear or intrusive?

No.

  • Will there be changes to data quality assurance or processes and standards that may be unclear or unsatisfactory?

No.

  • Will there be new or changed data security access or disclosure arrangements that may be unclear or extensive?

No.

  • Will there be new or changed data retention arrangements that may be unclear or extensive?

No.

  • Will there be changes to the medium of disclosure for publicly available information in such a way that the data becomes more readily accessible than before?

No.

5.7 Statutory exemptions/protection

  • Will the data processing be exempt in any way from the Data Protection Act or other legislative privacy protections? This might apply in areas such as law enforcement or public security.

No.

  • Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?

No.

5.8 Justification

  • Does the project’s justification include significant contributions to public security measures?

No.

  • Is there to be public consultation?

In November 2014, the Smith Commission published a number of recommendations to provide the Scottish Parliament with the powers to tackle a range of issues including some related to the Crown Estate in Scotland.

A public consultation was undertaken during 2017 to inform the content of the new Scottish Crown Estate Bill.

  • Is the justification for the new data handling unclear or unpublished?

No new data handling is proposed.

5.9 Other risks

  • Are there any risks to privacy not covered by the above questions?

No.

6. The Data Protection Act Principles

Principle 1
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

6.1.1 Have you identified the purpose of the project?

The purpose of the Bill is to enable reform of the management of the Scottish Crown Estate to move beyond a purely commercial focus, and to enable local management of assets while permitting assets to be managed at the national level, where appropriate.

6.1.2 How will individuals be told about the use of their personal data?

Data Protection Act requirements and processes should apply and, if needed, personal information should be redacted.

6.1.3 Do you need to amend your privacy notices?

Existing procedures would apply in accordance with Data Protection legislation.

6.1.4 Have you established which conditions for processing apply?

Existing procedures would apply in accordance with Data Protection legislation.

6.1.5 If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?

Existing procedures would apply in accordance with Data Protection legislation.

6.1.6 If your organisation is subject to the Human Rights Act, you also need to consider:

  • Will your actions interfere with the right to privacy under Article 8?
  • Have you identified the social need and aims of the project?
  • Are your actions a proportionate response to the social need?

We are content that there are no implications under the Human Rights Act.

Principle 2
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

6.2.1 Does your project plan cover all of the purposes for processing personal data?

In relation to the Scottish Crown Estate Bill, personal data will only be processed for Crown Estate purposes.

6.2.3 Have potential new purposes been identified as the scope of the project expands?

No.

Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

6.3.1 Is the information you are using of good enough quality for the purposes it is used for?

6.3.2 Which personal data could you not use, without compromising the needs of the project?

Any information provided will be subject to internal quality control.

Principle 4
Personal data shall be accurate and, where necessary, kept up to date.

6.4.1 If you are procuring new software does it allow you to amend data when necessary?

We are not procuring new software.

6.4.2 How are you ensuring that personal data obtained from individuals or other organisations is accurate?

Information provided will be subject to internal quality control.

Principle 5
Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.

6.5.1 What retention periods are suitable for the personal data you will be processing?

The Bill does not require the processing of personal data.

6.5.2 Are you procuring software which will allow you to delete information in line with your retention periods?

No.

Principle 6
Personal data shall be processed in accordance with the rights of data subjects under this Act.

6.6.1 Will the systems you are putting in place allow you to respond to subject access requests more easily?

Not applicable.

6.6.2 If the project involves marketing, do you have a procedure for individuals to opt out of their information being used for that purpose?

Not applicable.

Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

6.7.1 Do any new systems provide protection against the security risks you have identified?

Not applicable.

6.7.2 What training and instructions are necessary to ensure that staff know how to operate a new system securely?

All Scottish Government staff are required to complete annual Data Protection Training.

Principle 8
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6.8.1 Will the project require you to transfer data outside of the EEA?

6.8.2 If you will be making transfers, how will you ensure that the data is adequately protected?

The project will not require data to be transferred outside of the EEA.

7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk / Ref / Solution or mitigation / Result

  • Risk: Data may be released inappropriately, e.g. information relating to tenants’ rents.
    • Ref: Consultation
    • Solution or mitigation: Robust and secure data management processes in place.
    • Result: Eliminate.
  • Risk: Potential privacy issues for those whose residences are next to the foreshore arising from greater access to the foreshore.
    • Ref: Consultation
    • Solution or mitigation: Do not anticipate that personal data will be involved and, therefore, not compromised.
    • Result: Eliminate.
  • Risk: Loss of confidentiality of commercially sensitive information.
    • Ref: Consultation
    • Solution or mitigation: Robust and secure data management processes in place.
    • Result: Eliminate.

8. Incorporating Privacy Risks into planning

Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.

Risk / Ref / How risk will be incorporated into planning / Owner

  • Risk: Data may be released inappropriately, e.g. information relating to tenants’ rents.
    • Ref: Consultation
    • How risk will be incorporated into planning: This issue will be a core component of guidance on information sharing.
    • Owner: David Mallon, project lead
  • Risk: Potential privacy issues for those whose residences are next to the foreshore arising from greater access to the foreshore.
    • Ref: Consultation
    • How risk will be incorporated into planning: This issue will be a core component of guidance on information sharing.
    • Owner: David Mallon, project lead
  • Risk: Loss of confidentiality of commercially sensitive information.
    • Ref: Consultation
    • How risk will be incorporated into planning: This issue will be a core component of guidance on information sharing.
    • Owner: David Mallon, project lead

9. Authorisation and publication

I confirm that the impact of the Scottish Crown Estate Bill has been sufficiently assessed against the needs of the privacy duty:

Name and job title of a Deputy Director or equivalent

Mike Palmer, Deputy Director, Marine Scotland

Date each version authorised

17 January 2018
