Scottish Crime and Justice Survey: data protection impact assessment

6. General Data Protection Regulation (GDPR) Principles

Principle: 6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

Compliant – Yes/No: Yes

Description of how you have complied:

Processing is undertaken under the public task clause of GDPR (Article 6(1)(e)), with a relevant legal gateway having been identified. Special Category data are processed in accordance with Article 9(2)(j).

The Scottish Government can process data on criminal convictions and offences under article 10 as it has a lawful basis under article 6(1) and as an official authority it can carry out the processing. The SCJS collects limited and non-specific information on whether respondents have ever been convicted of a crime for use as an analytical variable.^[4]

The survey's advance materials and website act to provide necessary information to data subjects, whilst interviewers also provide additional information face to face. Together these elements form the SCJS privacy notice.

Respondents are asked for explicit consent for their names, addresses and contact details to be held for the purposes of follow-up research. Signatures record this consent. Respondents are provided with information of how to later opt-out and this information is also provided on the SCJS website.

Principle: 6.2 Principle 2 – purpose limitation

Compliant – Yes/No: Yes

Description of how you have complied:

SCJS data are only collected and processed for the specified, explicit and legitimate purposes communicated to respondents – i.e. for the purposes of research into crime and justice in Scotland. However, GDPR Article 89(1) also applies here, which provides an exemption to the purpose limitation for '…scientific or historical research purposes or statistical purposes'.

Principle: 6.3 Principle 3 – adequacy, relevance and data minimisation

Compliant – Yes/No: Yes

The survey content is regularly reviewed to ensure that there is a continued need for the data to be collected.

In terms of personal data (such as gender, age etc.) – collection and processing of this data is done using established questions which produce meaningful data for the purposes of research and statistics. Personal information collected is essential for understanding how experiences of crime and perceptions of the justice system in Scotland vary across different groups in order to monitor performance and inform policies.

Principle: 6.4 Principle 4 – accurate, kept up to date, deletion

Compliant – Yes/No: Yes

Description of how you have complied:

Accurate: The information is obtained directly from data subjects. The questionnaire includes a range of built-in logic checks, whilst further quality assurance checks are performed by the contractor.

Up-to-date: The data are accurate at the time of collection. As further processing uses the data and ties it to the point of collection (i.e. looks at results in a particular year), the data is always accurate to and representative of that point in time. A new sample of respondents is drawn for each survey year.

There is currently no mechanism in place for updating the recontact dataset. Therefore, we assume this is correct at the time of collection and (for most people) for a period thereafter. The recontact datasets are supplied to SG at the conclusion of each year of data collection. However, it is important to note this data may no longer be accurate for many people after a period of time (i.e. as people may move address, change contact details and so on). Balancing this consideration against the purpose for collecting the data, and the consent given by data subjects when providing this information, SG holds recontact data for five years and then deletes it. In practice, applications to use the recontact data are considered on a case-by-case basis, including how many years' worth of data are requested and can be appropriately used from the maximum of up to five years' worth of data. Often it is sufficient and therefore more appropriate to only use data from the last two years.

Deletion: As data are processed in accordance with the public task clause, the right to erasure does not apply. However, this does apply to the recontact data where consent is the legal basis for processing. Data subjects are provided with contact details to enable them to withdraw their consent and remove themselves from the recontact database (prior to the broader deletion policy being applied as a whole).

Principle: 6.5 Principle 5 – kept for no longer than necessary, anonymization

Compliant – Yes/No: Yes

Description of how you have complied:

The main SCJS datasets are held indefinitely by the Scottish Government for the purposes of research and statistics. These datasets are pseudonymised as they do not include direct personal identifiers, thus reducing the risk of individuals being identified.

The recontact datasets are held securely and separately from the main survey datasets, and retained for a maximum of five years. Each data subject has a unique identifier in each dataset which allows them to be matched. This processing only takes place to facilitate legitimate further research with a sound legal basis, and following ethical considerations and necessary approval processes being completed.

Principle: 6.6 GDPR Articles 12-22 – data subject rights

Compliant – Yes/No: Yes

Description of how you have complied:

Data subjects have rights defined under GDPR. The survey's advance materials and website explain how data are handled, rights of data subjects and where more information can be found.

Whilst most subject rights under GDPR apply, as the SCJS data are processed under the public task clause Individuals' rights to erasure and data portability do not apply. As the survey is carried out for reasons of public interest (rather than a legal obligation) and appropriate safeguards are in place to minimize the risk to privacy, the right to object is more limited as the processing is necessary for the performance of a task carried out in the public interest – as per Article 21(4). However, participation in the survey is voluntary, so data are only collected from willing participants. The data are not used for direct marketing, and is only processed for legitimate research purposes as specified in the privacy notice.

Principle: 6.7 Principle 6 - security

Compliant – Yes/No: Yes

Description of how you have complied:

Within the Scottish Government, the survey datasets are stored on a section of the government's secure server with access restricted to a small number of analysts working on the project. Only aggregated information is published in reports and tables, whilst disclosure control processes are applied to further limit the potential for individuals to be identified before datasets are submitted to the UK Data Service or shared with research organisations under Data Sharing Agreements. All SG staff complete necessary Data Protection training at least once per year to ensure staff are aware of regulations.

Contractor process: The SCJS data are collected and processed in a secure manner. Access to personal data and survey datasets are restricted to only individuals who require access at different stages of the process. Once the survey datasets are in their final format only the project team in ScotCen and Ipsos have access to the data. A data flow has been produced and is maintained to outline the data processing which takes place and the secure software and processes used.

Principle: 6.8 GDPR Article 24 - Personal data shall not be transferred to a country or territory outside the European Economic Area.

Compliant – Yes/No: Yes

Description of how you have complied:

The survey datasets are generally not shared with any research organisations that operate or sub-contract operations outside of the EEA. Should a data sharing request be received which would involve transferring data outside of the EEA, this would be considered by the Scottish Government's Data Access Panel.