Gender Recognition Reform (Scotland) Bill: consultation

Annex I: Draft Data Protection Impact Assessment (DPIA)

Introduction

The purpose of this impact assessment is to assess and report on any potential data protection impacts as a result of the draft Gender Recognition Reform (Scotland) Bill on which the Scottish Government is consulting.

The Gender Recognition Act 2004 (“the GRA”) is UK wide legislation permitting a trans man or woman person aged at least 18 to make an application for a gender recognition certificate (“GRC”). A successful applicant will receive a full GRC which give legal recognition of their acquired gender in the UK. The gender in which a trans man or woman is living is called their “acquired gender” under the GRA.

The Scottish Government is consulting on the provisions of a draft Gender Recognition Reform (Scotland) Bill to reform the legal gender recognition process in Scotland. In this draft Data Protection Impact Assessment (“DPIA”), applications made under the provisions of the draft Bill are called “Scottish applications” and applicants in Scottish applications are called “Scottish applicants”.

Under the draft Bill, the data controller of data pertaining to Scottish applications would be the Registrar General.

Document metadata

Name of Project: Consultation on the draft Gender Recognition Reform (Scotland) Bill

Author of report: Family Law Unit, Civil Law & Legal System, Justice Directorate, Scottish Government

Date of report: [ To be completed when finalised. ]

Name of Information Asset Owner (IAO) of relevant business unit: Gavin Henderson Deputy Director, Civil Law & Legal System.

Date for review of DPIA:

Review date	Details of update	Completion date	Approval Date
Independent analysis report of consultation responses becomes available - spring 2020	DPIA will be updated in light of consultation responses

Description of the project

The Scottish Government is consulting on the draft Gender Recognition Reform (Scotland) Bill. The draft Bill would, if enacted:

(a) In relation to Scottish applications, remove the current medical requirements and the need for medical evidence when applicants are seeking legal gender recognition.

(b) Remove the need for Scottish applicants to apply to the Gender Recognition Panel (“GRP”), a tribunal. Instead, Scottish applicants would be able to apply to the Registrar General for Scotland (“the Registrar General”). The Registrar General has a number of existing functions under the GRA^[162] in relation to registration.

(c) Require Scottish applicants either (a) to have been born or adopted^[163] in Scotland or (b) to be ordinarily resident in Scotland;

Personal data to be processed:

Variable	Data Source
Applicant’s name	Applicant
Applicant’s address	Applicant
Applicant’s date and place of birth	Applicant
Applicant’s contact information, including telephone number and email address	Applicant
A statutory declaration by the applicant declaring certain statement to be true witness by a notary public or justice of the peace	Applicant and notary public or justice of the peace
Applicant’s sex (as per their birth certificate) and their acquired gender	Applicant
Details of the notary public or justice of the peace, business address etc	Notary public or justice of the peace
Data concerning an applicant’s marital or civil partnership status	Applicant
Where required, a statutory declaration from their spouse or civil partner	Spouse or civil partner
Where available, the name and address of the applicant’s spouse or civil partner	Spouse or civil partner
Where applicable, the details of the notary public or justice of the peace for the statutory declaration made by a spouse or civil partner	Notary public or justice of the peace
Applications for confirmatory GRCs would require applicants to submit evidence of their overseas gender recognition or a statutory declaration	Applicant and in some cases where the applicant must provide a statutory declaration, a notary public or justice of the peace

Describe how this data will be processed:

How data will be gathered and used

The draft Bill would, if enacted, provided a lawful basis for the Registrar General to process information in relation to Scottish applications for gender recognition.

The draft Bill makes provision for Scottish applications for gender recognition to be considered by the Registrar General and for certain specified information to be submitted as part of such an application. The documents presented as part of a Scottish application will be received and examined by the staff of the Registrar General who will extract and make a record of data concerning the application. The information provided will be used for the purposes of reaching a decision on the application, for the purposes of communicating with the applicant, and where a spouse or civil partner has submitted a statutory declaration as to their wish to continue in the marriage or civil partnership, communicating with their spouse or civil partner, all in accordance with provisions of the draft Bill. Where an applicant is married or in a civil partnership, the documents associated with an application might, at the end of the process, consist of a completed application form, a statutory declaration by the applicant, a notice of confirmation of intention from the applicant and a statutory declaration by the applicant’s spouse or civil partner.

Where a successful applicant who is issued with a full GRC by the Registrar General, was born or adopted in Scotland then, as is the case now, the Registrar General will then use the data to create a new record of their birth or adoption showing their new legal sex in the Gender Recognition Register (the GRR) from which a new extract certificate of birth/adoption can be generated and issued to them. The GRR was constituted by the GRA. Information held in the GRR by the Registrar General is not publicly accessible under the 2004 Act and this would remain the case under the draft Bill. Under the draft Bill, if enacted, the GRR would contain information about successful Scottish applicants as well as data pertaining to those individuals who continue to make applications under the existing arrangements as they would continue to apply in England, Wales, and Northern Ireland.

Where a successful Scottish applicant is in a Scottish marriage or civil partnership, an updated extract from the Register of Marriages can also be issued by the Registrar General.

The appropriate content of requisite privacy notices will be considered as part of an operational DPIA.

Who will have access to the data?

Access to the information collected would be restricted to:

(a) staff within the team of the Registrar General’s staff processing applications;

(b) those of the Registrar General’s staff who might deal with a review of a decision not to issue a GRC, or which seek amendment to the type of GRC issued, or a decision of the Registrar General or a court to revoke a GRC.

Under section 22 of the GRA, it is an offence for a person who has acquired information in an official capacity about another person’s application for legal gender recognition or their gender history to disclose that information to a third person. Some types of disclosure are exempt, for example in relation to the prevention or detection of crime. The draft Bill does not make provision to alter these arrangements. The Scottish Government is considering whether further exceptions to section 22 should be made, by way of subordinate legislation under existing powers in the GRA or whether Scottish Government guidance on section 22 should be issued.

As is currently the case, the data submitted as part of a Scottish application will not be publicly available nor will information in the GRR. We anticipate that the numbers of applications, successful and unsuccessful, may be publicised, along with appropriate demographical information. The published information would not be such as would enable any individual applicant to be identified. Statistical information about applications for gender recognition is currently published by HM Courts and Tribunals Service.

How it will be transmitted and how frequently

At present, under the GRA, the GRP has a duty to advise the Registrar General of the issue of a full GRC to a person born or adopted in Scotland or to an applicant who is in a marriage or civil partnership registered in Scotland. In respect of Scottish applications, the draft Bill requires the Registrar General to share information about full GRCs with Registrars General in other parts of the UK where they were born or adopted in another part of the UK, or are in a marriage or civil partnership constituted elsewhere in the UK. Under the GRA, on average 30 full GRCs are issued to those born or adopted in Scotland each year. We estimate that if the draft Bill were enacted and implemented, that the numbers of applicants could rise to around 250 applications per year, who could then update their records.

The current Registrar General, Paul Lowe is the Chief Executive of National Records of Scotland, a non-ministerial department of the Scottish Government. National Records of Scotland (NRS) has a published policy in respect of data protection.^[164] This includes a commitment to ensuring staff understand their responsibilities for data protection.

How will data be stored and disposed of?

Information about applications received and decisions on their handling is likely to be stored in a purpose-built IT system. NRS has well-established processes for the safe storage of data and appropriate disposal of data compliant with data protection legislation. On retention periods, we will give careful consideration to the personal data which requires to be retained after an application has been processed: the draft Bill envisages appeal and revocation processes which may affect the accuracy of information held and provision is made in the draft Bill to keep the information held correct.

Who will own and manage the data?

Data will be owned and managed by the Registrar General.

How will the data be checked for accuracy and kept up to date

A quality assurance process would be used to offer assurance as to the accuracy of the data recorded when compared to the information supplied by an applicant and, where applicable, by their spouse or civil partner. The draft Bill makes provision for processes allowing for the correction of information held in respect of Scottish applications and errors in GRCs or the type of GRC issued by the Registrar General. These reflect existing arrangements under the GRA.

Explain the legal basis for the sharing with internal or external partners:

The GRA currently makes provision for a copy of the GRC issued by the GRP to be sent by the GRP to a Registrar General in the relevant constituent part of the UK where the applicant was born or adopted there or was married or registered a civil partnership there. The draft Bill contains similar provision requiring the Registrar General to send a copy of a full GRC issued to a successful Scottish applicant to a Registrar General in another constituent part of the UK where they were born or adopted in that other constituent part, or where they were married or entered into a civil partnership there.

Stakeholder analysis and consultation

The Scottish Government consulted on a draft Privacy Impact Assessment (“PIA”) as part of the consultation on proposals to reform the Gender Recognition Act 2004 (“the 2018 consultation”).^[165] A further consultation is being conducted on the draft Bill and the consultation will include seeking views on this draft DPIA. Responses to the 2018 consultation were independently analysed.^[166] The analysis highlighted that only a very small number of respondents commented on the partial PIA. Points made included:

(a) that any impacts of the General Data Protection Regulation should be noted (which this draft DPIA addresses);

(b) that reference to exceptions to section 22 of the GRA (which creates an offence in relation to the disclosure of certain information about gender recognition applications) and which is covered in this DPIA; and

(c) concerns that a trans person’s right to privacy may place other people, in particular women, at risk (the draft Bill does not alter existing arrangements for disclosure of data about applications to be a criminal offence subject to exceptions for disclosures required, including for the prevention of crime).

The Scottish Government also consulted with the Information Commissioner’s Office under Article 36(4) of the General Data Protection Regulation. The Scottish Government met with the Scottish Information Commissioner’s Office. We have considered their advice in relation to this draft DPIA. No concerns were raised on the proposals in the draft Bill.

Method used to communicate the outcomes of the DPIA.

The draft DPIA has been published on the Scottish Government website as part of a consultation on the draft Bill. The views of respondents are welcomed on all the draft Impact Assessments in the consultation.

Questions to identify privacy issues

Involvement of multiple organisations

The current arrangements involve both the Gender Recognition Panel and the Registrar General handling data about applications for legal gender recognition, as well as other Registrars General in the other constituent parts of the UK. Under the draft Bill, the Registrar General would replace the GRP for Scottish applications, but where an applicant was born or adopted in another part of the UK or entered into a marriage or civil partnership in another part of the UK, the Registrar General would send a copy of a full GRC to the relevant Registrar General in the relevant part of the UK. The need for security and privacy in relation to such data sharing between the Registrars General would be a consideration in finalising procedures should the draft Bill be enacted.

Anonymity and pseudonymity

The potential use of pseudonymisation of personal data will be considered when an operational DPIA is developed. The Scottish Government recognise the need for the processes and technology deployed to meet the requirements of the GDPR.

Technology

This will be considered when an operational DPIA is developed. The Scottish Government recognise the need for the processes and technology deployed to meet the requirements of the GDPR.

Identification methods

As is now the case, successful Scottish applicants would be issued with a GRC. A unique identifier might be used to ensure that a link between a particular issued GRC to recorded information about the relevant application can be made. However, personal data will not be available to the public and would be restricted to a limited number of the Registrar General’s staff.

Sensitive/Special Category personal data

Under the provisions of the draft Bill, Scottish applicants would not have to submit any medical evidence to the Registrar General. Data concerning health is special category personal data. (Under the GRA, typically applicants must produce two medical reports, which must detail a diagnosis of gender dysphoria and in certain cases, any surgery or treatment that the applicant has undertaken).

Under the provisions of the draft Bill, Scottish applicants must be aged 16 and over. The draft Bill does not extend to people younger than 16. The current minimum age of applicants under the GRA is 18. We note that section 208 of the Data Protection Act 2018 specifies that a person aged 12 and over is presumed to be of sufficient age and maturity to have the understanding to exercise a right conferred by data protection legislation to give consent for the purposes of data protection legislation, unless the contrary is shown. If the draft Bill proceeds, further consideration will be given to suitable guidance and privacy notices to ensure that younger applicants are aware of the processing of personal data involved in the handling of a Scottish application, as well as to ensure all applicants are clear on how their personal data will be processed.

Changes to data handling procedures

The Registrar General would not make the personal data publicly available.

The draft Bill, if enacted, would not involve:

• new or changed data collection policies or practices that are unclear or intrusive; or
• changes to data quality assurance, processes and standards that may be unclear or unsatisfactory; or
• new or changed data security access or disclosure arrangements that may be unclear or extensive; or
• new or changed data retention arrangements that may be unclear or extensive; or
• a change in the medium for disclosure of publicly available information such that the data becomes more readily accessible than before.

Statutory exemptions/protection

None of the arrangements would require statutory exemptions/protections in data protection legislation. The GRA has a number of exceptions permitting the disclosure of data about gender recognition applications by a person who holds the information in an official capacity, including for the prevention of crime, where disclosure is in accordance with an order of a court or tribunal or where it is made to the Registrar General for England and Wales, the Registrar General for Scotland or the Registrar General for Northern Ireland.

Justification

This does not apply in relation to the draft Bill.

5.9 Other risks

No other risks have been identified.

General Data Protection Regulation (GDPR) Principles

Principle	Compliant – Yes/No	Description of how you have complied
6.1 Principle 1 – fair and lawful, and meeting the conditions for processing	Yes	The draft Bill, if enacted, would provide the lawful basis for processing data pertaining to Scottish gender recognition applications. The draft Bill does not require the collection of any new personal information distinct from what is already collected by the GRP for the purposes of recognition under the GRA now. Collection of special category data is removed for Scottish applications.
Principle	Compliant – Yes/No	Description of how you have complied
6.2 Principle 2 – purpose limitation	Yes	Data would be collected for the same purposes ad under the existing arrangements in the GRA. The purpose of data processing has not altered as a result of the draft Bill, if it was enacted.
Principle	Compliant – Yes/No	Description of how you have complied
6.3 Principle 3 – adequacy, relevance and data minimisation	Yes	The data to be collected will be kept to the minimum necessary. The draft Bill would remove for Scottish applicants any requirement to submit medical evidence (special category data) with their application. The draft Bill does not require the collection of any new personal information distinct from what is already collected by the GRP for the purposes of recognition under the GRA now.
Principle	Compliant – Yes/No	Description of how you have complied
6.4 Principle 4 – accurate, kept up to date, deletion	Yes	The draft Bill incorporates processes supporting accuracy of the data, allowing for corrections of inaccurate data. The draft Bill would not alter existing internal quality control arrangements in NRS.
Principle	Compliant – Yes/No	Description of how you have complied
6.5 Principle 5 – kept for no longer than necessary, anonymization	Yes	Retention arrangements will be considered in the light of final decisions on a Bill that the Scottish Government take forward following the consultation on this draft Bill. There may be a need to retain some items of personal data in relation to the possibility of a court action challenging a decision to issue a GRC.
Principle	Compliant – Yes/No	Description of how you have complied
6.6 GDPR Articles 12-22 – data subject rights	Yes	The draft Bill does not contain provisions affecting these rights, the form and content of a privacy notice in relation to data to be provided by applicants will be considered following enactment if a Bill proceeds. There are arrangements for review and appeal of decisions made in relation to Scottish applications as well as for correction of data held in relation to applications.
Principle	Compliant – Yes/No	Description of how you have complied
6.7 Principle 6 - security	Yes	The draft Bill does not affect the existing security arrangements around the data being collected for the purposes of gender recognition. The personal data required for processing a Scottish application is limited under the draft Bill in that no medical evidence is required. A limited group of staff in NRS would have access to the personal data collected as is the case now and there are criminal penalties for the disclosure of data about applications, which are not affected under the draft Bill.
Principle	Compliant – Yes/No	Description of how you have complied
6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.	-	This will be considered in an operational DPIA, following consultation on the draft Bill. The Scottish Government recognise the need to meet the requirements of the GDPR.

Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk	Ref	Solution or mitigation	Result
Depending on decisions made concerning implementation if a Bill proceeds in the Scottish Parliament, data may be stored on an IT system provided by a third party IT provider.		Any contract with an IT provider would set out steps to minimise risk of inappropriate access to and use of personal data.	Reduced risk
Personal data concerning applications for gender recognition might be released due to insecure IT system.		Work with IT provider to ensure sufficient built in safeguards to reduce risks of unauthorised access to data. Consideration will be given in a future operational DPIA to the need for data sharing agreements - the draft Bill, if enacted, would require the Registrar General to send a copy of a full GRC issued to an individual born or adopted in another part of the UK to the relevant Registrar General for that part.	Reduced risk
Personal data might be released through processing of applications		The draft Bill retains the existing legal protection against unauthorised disclosure of such information pertaining to an application for gender recognition. Privacy and data handling should continue to form an important part of training for NRS staff involved in processing applications.	Reduced risk

Incorporating Privacy Risks into planning

Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.

This section will be considered and completed in the future on review of the DPIA.

Risk	Ref	How risk will be incorporated into planning	Owner

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO	Action

Authorisation and publication

The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division.

Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust, has addressed all the relevant issues and that appropriate actions have been taken.

By signing the DPIA report, the IAO is confirming that the impact of applying the policy has been sufficiently assessed against the individuals’ right to privacy.

The results of the impact assessment must be published in the eRDM with the phrase “DPIA report” and the name of the project or initiative in the title.

Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.

I confirm that the impact of the Gender Recognition Reform (Scotland) Bill has been sufficiently assessed against the needs of the privacy duty:

Name and job title of a IAO or equivalent Gavin Henderson Deputy Director Civil Law & Legal System.

Date each version authorised To Be Completed When Final Version of DPIA Is Prepared For When The Bill Is Introduced Into Parliament

The Scottish Government
December 2019