Police (Ethics, Conduct and Scrutiny) (Scotland) Bill: data protection impact assessment

This impact assessment records how data will be used in relation to the Police (Ethics, Conduct and Scrutiny) (Scotland) Bill and how that use is compliant with data protection legislation.


Specific Provisions With Data Processing Implications

As outlined above, the Bill includes amendments to the two main pieces of legislation in the area of Scottish policing law (the Police, Public Order and Criminal Justice (Scotland) Act 2006 and the Police and Fire Reform (Scotland) Act 2012) and regulations made under the 2012 Act. Many of the provisions will amend duties that specific policing bodies already hold to process data in compliance with UK GDPR, and the provisions will not change the purpose for gathering data, how the data is processed or what type of information is gathered.

This DPIA is concerned with those specific provisions within the Bill that are likely to amend powers that are relevant to the processing and management of personal information as follows:

Police Barred and Advisory Lists:

The Bill provides that the SPA must establish and maintain a Scottish Police Barred List and a Police Advisory List (similar to existing lists for English and Welsh forces held by the College of Policing). The Bill sets out the circumstances in which a person is to be entered on each of the lists and gives broad secondary legislation making powers to Scottish Ministers to make detailed provision in regards to the framework around these lists. It is envisaged that the section in the Bill (section 7) providing for the SPA to establish and maintain the lists will be commenced at the same time as regulations come into force providing for the framework of the lists. Regulations are subject to affirmative procedure and these will be consulted on with the ICO, and a DPIA will need to be completed prior to the regulations coming into force. It is envisaged that the SPA will take on the role of data controller of both lists and will be required to ensure compliance with UK GDPR when managing the lists.

Cross-Jurisdictional Investigations:

Provision is made to expand PIRC's role to enable them to investigate officers from other jurisdictions operating in Scotland in the same way they can with officers from Police Scotland, in relation to potential criminal offending of these officers, or investigations into a serious incident.

A serious incident investigation here is one requested by the chief officer or chief constable of the individual's home force, involving a member of that force, who, whilst engaged in duties in Scotland:

  • had contact (directly or indirectly), at or before the time of their death or serious injury, with a person who died or was seriously injured; and where there is an indication that the contact may have caused or contributed to (directly or indirectly), the death or serious injury;
  • where serious injuries were sustained by a person detained or kept in custody by a member of a force from England, Wales or the Police Service of Northern Ireland;
  • where certain weapons or firearms were discharged by a person from a police force from England or Wales, or the Police Service of Northern Ireland.

This is a new power for the PIRC to investigate and inevitably data sharing will take place between policing partners in order to carry out that investigation. Where the information is being shared for the investigation of criminal proceedings, this is classed as law enforcement processing and is therefore governed by Part 3 of the Data Protection Act 1998. The PIRC are a competent authority in line with Part 3 of the Data Protection Act 2018 and have compliant processes in place for sharing information in relation to Scottish constables for such investigations and will be able to adopt these in relation to investigations that will require the holding of information pertaining to English, Welsh or Northern Irish constables.

Where the information is being shared for the investigation of serious incidents, again the PIRC already have UK GDPR compliant processes in place in relation to Scottish constables that can be adopted in relation to information pertaining to English, Welsh, or Northern Irish constables. Again, the proposal here is seeking to share the same type of information that is already shared between Police Scotland and the PIRC, but between the PIRC and wider policing bodies within other UK jurisdictions.

In some cases here, a new duty will not be needed to share data as there is existing primary legislation in place. In other cases powers or duties to share information relevant to these investigations will need to be put in place.

The position is as follows:

Where Police Scotland is the body sharing the relevant information, the obligation to share information in relation to PIRC's functions in section 44 will continue to apply. Police Scotland will already be sharing information about criminal investigations as and when required with the PIRC, and the PIRC with the Crown Office and Procurator Fiscal Service.

In relation to any sharing of information from the PIRC to Chief officers or constables of English, Welsh or Northern Irish forces, section 46 of the 2006 Act will allow the Commissioner to share data with territorial forces from outside Scotland.

For information sharing from the territorial forces to the PIRC, plans are in place to ask the UK Government to make an order via section 104 of the Scotland Act 1998 to make provision requiring police forces in England and Wales or the Police Service of Northern Ireland to share information required for the PIRC to carry out these new functions. We cannot make provision for this in the Bill as it would be outwith the legislative competence of the Scottish Parliament. We do not consider that existing provision in section 46(4) would necessarily be considered to apply to forces in England, Wales and Northern Ireland, as they are situated outside of Scotland and, for the most part, the Scottish Parliament does not have the legislative competence to make provision that has legal effect outside of Scotland.

Where the information is being shared for the investigation of criminal proceedings, this is law enforcement processing, and so is governed by Part 3 of the Data Protection Act 1998, and there will already be in place compliant plans and processes for such sharing in relation to Scottish constables that will be able to be adopted in relation to information pertaining to English, Welsh or Northern Irish constables.

Where the information is being shared for the investigation of serious incidents, there will already be in place UK GDPR compliant processes for such sharing in relation to Scottish constables that will be able to be adopted in relation to information pertaining to English, Welsh, or Northern Irish constables. Again, the proposal here is seeking to share a type of information that is already shared between Police Scotland and the PIRC, but between the PIRC and a wider group of Police forces.

There is to be an order which will be made under section 104 of the Scotland Act 1998, which will oblige the chief officer of police forces in England and Wales, or the chief constable of the Police Service of Northern Ireland, to provide information to the PIRC that is necessary to carry out these new functions. The chief constable's (or, if relevant, the Scottish Police Authority's) existing obligations to provide information to the PIRC under section 44 of the 2006 Act will apply to this new function.

PIRC Access to Police Scotland's Complaints Database:

Another relevant provision in the Bill will add to current powers the Scottish Ministers have to make regulations around information sharing. The provision amends section 44 of the 2006 Act and sets out that regulations may be made requiring the Scottish Police Authority or the chief constable to provide information and documents to the PIRC by giving the PIRC access to an electronic system on which they are stored. This will allow secondary legislation to be made requiring Police Scotland to provide the PIRC with remote access to the Police Scotland Complaints Database from a PIRC office or place of work. This, in turn, will allow PIRC to meet their statutory responsibilities and carry out reviews of complaints made against Police Scotland or its Constables, as well as contemporaneous audit of how complaints are being dealt with more widely (the latter in terms of their duties under section 40A of the Police, Public Order and Criminal Justice (Scotland) Act 2006).

The PIRC already has access to information held on this system when necessary for carrying out their functions (under section 44 of the Police, Public Order and Criminal Justice (Scotland) Act 2006 (the 2006 Act), under which they can request information under a notification procedure), but where the PIRC accesses the Centurion System for information, this is under supervision in Police Scotland premises, to deliver their statutory responsibilities. The Bill suggests a change in how this access is provided – notably suggesting this is made available remotely and without Police Scotland supervision. These access arrangements are in place for two reasons:

  • because the current system provides information about complaints and conduct, and the PIRC functions should only relate to complaints (their current functions in relation to misconduct investigations being quite limited, albeit there are plans to expand these to implement recommendations of the Dame Elish Angiolini Review). We understand that this position is to be resolved shortly, with the complaints information being separated from the conduct information. However, if the necessary changes have not been made before the Bill comes into force, the Scottish Ministers can await making any regulations making substantive provision until the changes are made;
  • there is uncertainty around whether the existing legislative gateway for information sharing (section 44) goes as far as permitting the PIRC direct access to the Centurion System.

Police Scotland will remain as the data controller for personal information held on this system, including special category personal information, and therefore continue to hold responsibility for ensuring appropriate management of the data.

It would therefore be the responsibility of Police Scotland, as data controller, and PIRC, who will also be a data controller when fulfilling their functions, to ensure the protection of this existing data and to comply with their obligations under the UK GDPR. As Police Scotland and PIRC are processing the same data but for different purposes, it has been established that their relationship will be Controller-Controller. As Controllers, it is their responsibility to comply with data protection regulations; this includes drafting DPIAs and ensuring the necessary Data Sharing Agreement is in place and adhered to.

PIRC Power to Audit Whistleblowing Complaints:

The Bill includes an obligation on the PIRC to keep under review all arrangements maintained by the SPA and the Chief Constable for the investigation of information provided in a whistleblowing complaint. The PIRC will also have to secure that these arrangements (i) are efficient and effective; (ii) contain and manifest an appropriate degree of independence; and (iii) are adhered to. There is also provided a power for the PIRC to make recommendations or give advice to the SPA or the Chief Constable on the arrangements for the handling of whistleblowing complaints. The PIRC will have to write a report of any individual whistleblowing complaint they investigate (the PIRC can do this under the already existing sections 33A(d) and 41C of the 2006 Act), and also to report to the Scottish Ministers on more general audits of whistleblowing complaints. The PIRC can make recommendations about the arrangements for investigation of whistleblowing complaints, either in a report, or via more informal avenues. If the information is in a report, then the Police Service of Scotland or the SPA must respond in writing. Reports can be published, as can responses; however, when published, they should not reveal any information that would allow any individual (other than the chief constable) to be identified. The PIRC will also be given the option to publish a report on the audit if they consider it to be appropriate, and to disclose the findings to the appropriate prescribed body.

Under the current policies and legislative framework, constables and staff within Police Scotland and the SPA can disclose relevant concerns internally, or to external organisations, provided they are named on the list of prescribed persons (or bodies to whistleblow to) and handle matters relevant to the issue being disclosed, for example to the Information Commissioner's Office (ICO) in relation to data breaches, and they will be protected from detriment in their employment or office under the Employment Rights Act 1996. As indicated above, it is already considered that the PIRC could investigate the underlying issue raised in a whistleblowing case, under the PIRC's power to investigate matters in the public interest. There are plans to continue discussions with the UK Government to investigate the possibility of adding the PIRC to the list of prescribed persons, via secondary legislation in the UK Parliament. If this were to happen, any constables or staff who did choose to whistleblow direct to the PIRC would be legally protected from suffering detriment in their employment or office.

No new power for the PIRC to seek information or obligation for the chief constable or SPA to share information is required here, as section 44 of the 2006 Act provides that information must be shared with the PIRC when the PIRC notifies that such information is required for the purposes of carrying out the PIRC's functions (see section 44(2)).

Under this new power to carry out an audit of whistleblowing complaints, PIRC have responsibility to comply with data protection regulations; this includes drafting DPIAs and ensuring the necessary Data Sharing Agreement is in place and adhered to.

PIRC to Call-in Relevant Complaints:

The PIRC can currently review the way in which Police Scotland (or the SPA) have handled non-criminal complaints made about them by members of the public through a complaint handling review (CHR). In practice, a CHR will only be undertaken once the complaint has been dealt with through the complaints handling process of the policing body, and a final response has been issued from them to the complainer.

In reviewing the complaint, the PIRC will look at the evidence used by the police to assess the complaint and form a view on whether they handled the complaint to a reasonable standard. In doing so, the PIRC can make recommendations for improvements, issue learning points and, through a statutory power, issue a reconsideration direction which requires the policing body to look at the complaint again in full. A reconsideration direction would require the policing body to appoint a person with no prior involvement to reconsider the complaint. The direction may also be subject to supervision of the PIRC, depending on the seriousness of the case and public interest considerations. Ultimately, the decision on whether a complaint is upheld lies with the policing body.

The Bill provides the PIRC with a power to take over consideration of (or call in) complaints being dealt with by the Chief Constable or the SPA under the following circumstances:

  • where the PIRC determines, following a CHR, that the complaint is to be considered by the PIRC;
  • when requested to do so by the authority to which the complaint was made; or
  • of the PIRC's own volition, and following consultation with the authority, if the Commissioner has reasonable grounds to believe that the complaint has not been, or is not being, considered properly by the appropriate authority and the Commissioner is satisfied it is in the public interest for the Commissioner to consider the complaint.

The Bill clarifies that PIRC can call in a complaint at any stage in the CHR, or reconsideration, and provides the Commissioner with the ability to review the complaint handling following a request from the complainer before deciding whether to call it in. This aims to address any concerns from the complainer around a lack of progress in the handling of their complaint and ultimately improve the efficiency of the process.

Placing all of the above in statute will strengthen the role of the PIRC and enable greater scrutiny of the way Police Scotland handles complaints.

No new power for the PIRC to seek information or obligation for the chief constable or SPA to share information is required here, as section 44 of the 2006 Act provides that information must be shared with the PIRC when the PIRC notifies that such information is required for the purposes of carrying out the PIRC's functions (see section 44(2)).

Definition of person serving with the police in section 33A(b) of the 2006 Act

The PIRC, where directed by the appropriate prosecutor to do so, can currently investigate alleged criminal offending by a person serving with the police (a constable of the Police Service of Scotland, or a member of staff of the Police Service of Scotland or the Scottish Police Authority). Due to the wording of the section, this has been interpreted as ambiguous as to whether it relates only to a person who is currently serving with the police. Anyone who is currently a police constable, or who has been a police constable, or who is a member of staff, will have contacts in the Police Service. In some circumstances, it might be deemed better if a body that is independent of the Police Service can investigate such persons. The amendment makes it clear that the PIRC can be directed by the appropriate prosecutor to investigate the circumstances of any alleged offence involving someone who has been or is a constable/member of staff.

The amendments to 33A(b) also clarify that the PIRC can be directed to investigate a sudden death or fatal accident by the appropriate prosecutor, where the death involved a person serving with the police, regardless of whether the person serving with the police was on duty/working at the time of the circumstances concerned.

This will result in the same type of information being shared in relation to such persons, between the Police Service, the PIRC and the prosecution service, that already was shared in relation to those currently serving with the police, in investigations concerning those who were persons serving with the police but no longer are. The PIRC therefore already has systems and processes in place for processing this information.

Provision not dealt with in this DPIA:

Other provisions in the Bill may result in data being shared but do not require that it is shared; they have not been included below as they do not in fact change the position on data sharing.

Duty of Candour

The duty of candour provisions do the following:

  • Introduce an explicit duty of candour to: the standards of professional behaviour against which a constable's professional conduct is measured; the constable's declaration; and the policing principles to which due regard must be had in the policing of Scotland. This includes an expectation that constables will attend interviews and participate in proceedings (including investigations against constables) openly, promptly and professionally, in line with the expectations of a police constable.
  • Add to the policing principles a requirement that the Police Service will be candid and co-operative in proceedings, including investigations against constables.

Whilst no such explicit requirements as the above are currently contained in legislation, it is considered that there were already implicit requirements to be candid and to assist with investigations, which could be taken from the Standards of Behaviour that sit in the conduct regulations, which require, amongst other things, that constables are "honest, act with integrity" and require them not to "compromise or abuse their position."

The provisions do not require constables to carry out any particular action, or to give any particular information, in order to meet the duty. There is no legal effect of the provisions, nor any criminal enforcement for failure to adhere to them. If the Standard of Behaviour is breached, it might, but would not necessarily, lead to a finding of misconduct by the constable. For these reasons, these provisions have not been referred to below.

Contact

Email: policeethicsbill@gov.scot
