Publication - Impact assessment
Police (Ethics, Conduct and Scrutiny) (Scotland) Bill: data protection impact assessment
This impact assessment records how data will be used in relation to the Police (Ethics, Conduct and Scrutiny) (Scotland) Bill and how that use is compliant with data protection legislation.
6. Risk Assessment
| Risk | Solution or mitigation | Likelihood (Low/ Med/ High) | Severity (Red/ Amber/ Green) | Result |
|---|---|---|---|---|
6.1.1 Risk to individual rights
|
The majority of provisions within the Bill do not create new impacts on individual's rights. Provisions that relate to the publishing of the Barred List, sharing of the Advisory List. Provisions allowing the PIRC to call in complaints would allow the PIRC in theory to call in a complaint even if the complainer did not want them to. However, this would only happen if it was in the public interest for it to. Provisions relating to the investigation of criminal conduct do not change the position on whether the criminal conduct would be investigated, only around who would investigate it, and so there is no impact on these rights. There is potential that those whose whistleblowing complaints were audited may not have sought to involve the PIRC, but the aim of these provisions is to improve the position for whistleblowers more generally and therefore there is a public interest in progressing this. There may be constables from England, Wales or Northern Ireland who would not wish to take part in an investigation into a serious incident, however, again there is a strong public interest in investigating why a person was seriously injured or died following contact with the police, or to ensure that weapons are only discharged or utilised when necessary by investigating when they are used. However, on balance these changes are required to strengthen public confidence in policing. Necessary mitigations will be considered in regulations to minimise risk, such as redactions where necessary and appropriate. Data controllers must ensure they apply suitable consideration to individual rights within privacy statements and give due consideration to these when conducting DPIA's and setting up Data Sharing Agreements. | Med | Green | Accepted |
| 6.2.1 Privacy risks Purpose limitation | The purpose of holding data is not changed by the Bill. Data will continue to be collected and processed by data controllers for the same purposes as it currently is. | Low | Green | No new impact |
| 6.2.2 Privacy risks Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights | The Bill does not impact on the way data subjects are informed about the purpose and lawful basis for the processing, and their rights. | Low | Green | No new impact |
| 6.2.3 Privacy risks Minimisation and necessity | There will be no change to the way in which data is collected and processed as a result of the Bill by operational partners. The Centurion changes will come into force as a result of regulations made in the future. Data collection and Processing will continue to be proportionate and in line with pre-existing purposes. | Low | Green | No new impact |
| 6.2.4 Privacy risks Accuracy of personal data | The Bill does not impact the accuracy of personal data. Data controllers will continue to be responsible for ensuring that the information they hold about a subject is accurate and up-to-date. | Low | Green | No new impact |
| 6.3.1 Security risks Keeping data securely Retention | The Bill will not impact the way in which data controllers store or retain data. Operational partners are responsible for ensuring the necessary safeguards are in place to manage data securely and to ensure appropriate data sharing agreements are in place to comply with UK GDPR. | Low | Green | No new impact |
| 6.3.2 Security risks Transfer – data may be lost in transit | The Bill will not impact the way in which data controllers transfer data (any change as a result of the Centurion proposals will come in regulations). It is not envisaged that access to the system when it is provided for will provide opportunities for information to be lost in transit. Operational partners are responsible for ensuring the necessary safeguards are in place to manage data securely and to ensure appropriate processes are in place for safe and secure transfer of data to comply with UK GDPR. | Low | Green | No new impact |
| 6.3.3 Security risks | The Bill will not bring in provisions that will impact data security or create security risks. Operational partners who are Data Controllers hold the responsibility for ensuring the necessary safeguards are in place to manage data security and to carry out risk assessments. | Low | Low | No new impact |
| 6.4.1 Other risks | N/A | N/A | N/A | N/A |
Data Protection Officer (DPO)
The DPO may give additional advice, please indicate how this has been actioned.
| Advice from DPO | Action |
|---|---|
| Advice was given from DPO in SG (as well as engagement with ICO). Advice from DPO was around terminology, where responsibility sits and on engaging with ICO. | Comments from DPO were taken on board. |
I confirm that the Police (Ethics, Conduct and Scrutiny) (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UKGDPR and Data Protection Act 2018
| Name and job title of a IAO or equivalent | Date each version authorised |
|---|---|
| John Somers, Deputy Director for Police Division, Scottish Government. | 11 May 2023 |
Contact
Email: policeethicsbill@gov.scot
There is a problem
Thanks for your feedback