Sex and gender in data guidance: data protection impact assessment

Data protection impact assessment (DPIA) for guidance for public bodies on the collection of data related to sex and gender.


Data Protection Impact Assessment (DPIA)

1. Introduction

The work on sex and gender has identified a lack of standard approaches to collection of data on sex and gender, and that this data is not consistently analysed or published. As such, it has developed some guidance to help public bodies to address these issues.

2. Document metadata

2.1 Name of Project: Guidance on the collection and use of data on sex and gender

2.2 Author of report: Poppy Wilson

2.3 Date of report: 16 April 2021

2.4 Name of Information Asset Owner (IAO) of relevant business unit: Roger Halliday

2.5 Date for review of DPIA: September 2023

Review date: 15 September 2021

Details of update: Aligning with Sep 21 guidance

Completion date: 15 September 2021

Approval Date: 15 September 2021

3. Description of the project

3.1 Description of the work:

The aim of producing guidance is to improve the collection of data about sex and gender by public bodies in Scotland, to encourage the disaggregation of data, to support bodies to analyse and present disaggregated data more effectively, and for this data to be used.

The aim of the work isn’t simply guidance for its own sake, but to create the conditions where data on sex and gender is routinely collected and used by Scottish public bodies to design, plan, monitor and evaluate services that are sensitive to the needs of all of Scotland. This includes helping organisations to understand not just the issues on sex and gender, but on the intersectionality between this and other socio-demographic characteristics (including the protected characteristics in the Equality Act 2010). This should most importantly enable them to develop better policy and services which deliver better and more equal outcomes.

3.2 Personal data to be processed.

Variable: Sex

Data Source: Public bodies will collect this from service users if they have a legitimate need to know

Variable: Trans status

Data Source: Public bodies will collect this from service users if they have a legitimate need to know (only from those aged 16 years and over)

3.3 Describe how this data will be processed:

It is likely that this data, if collected by a Scottish public body, will be analysed and disaggregated in an intersectional way to design, plan, monitor and evaluate services.

3.4 Explain the legal basis for the sharing with internal or external partners:

Legal Obligation – most public bodies will be obliged to collect and publish data on equality characteristics as per the Public Sector Equality Duty.

Public Task – public bodies are likely to collect and process this personal data in the course of their official functions in the public interest.

Consent – some public bodies may ask for a person’s consent to process the personal data collected to carry out their public function.

4. Stakeholder analysis and consultation

4.1 List all the groups involved in the project, and state their interest.

Group: Scottish Public Bodies

Interest: Guidance being developed for their use

Group: Sex and Gender in Data Working Group

Interest: Led by the Chief Statistician and tasked with developing the guidance

Group: SG Data Protection and Information Assets Team

Interest: Reviewed and provided feedback on earlier version of draft guidance.

Group: Scottish Ministers

Interest: Have asked the Chief Statistician to develop this guidance

Group: Stakeholders

Interest: Have views on how data on men and women should be collected in official sources. Includes public events and consultation.

4.2 Method used to consult with these groups when making the DPIA.

A draft copy of guidance was shared and these groups have had an opportunity to provide feedback and comments on the current draft proposals. This includes review by ICO policy officers (and their feedback) as well as the Scottish Government data protection team. Feedback is being taken into account as the guidance is developed.

4.3 Method used to communicate the outcomes of the DPIA.

The DPIA will be referenced in the guidance. The intention to carry out impact assessments has been mentioned in a blog post by the Chief Statistician.

5. Questions to identify privacy issues

5.1 Involvement of multiple organisations

The guidance will be applicable to multiple organisations, but the guidance will not impact on whether personal data will be shared or processed across multiple organisations.

5.2 Anonymity and pseudonymity

The guidance will set out recommended questions for public bodies to use if they need to collect data on sex, gender identity and/or trans status, and will instruct bodies to only release and publish analysis of high level data (i.e. anonymised) if it meets Statistical Disclosure Control standards.

5.3 Technology

The guidance does not cover the technological side of collecting, disaggregating and reporting data on sex and gender.

5.4 Identification methods

n/a

5.5 Sensitive/Special Category personal data

n/a

5.6 Changes to data handling procedures

n/a

5.7 Statutory exemptions/protection

n/a

5.8 Justification

The aim of producing guidance is to improve the collection of data about sex and gender by public bodies in Scotland, to encourage the disaggregation of data, to support bodies to analyse and present disaggregated data more effectively, and for this data to be used.

5.9 Other risks

None identified.

6. General Data Protection Regulation (GDPR) Principles

6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

Compliant: Yes

Description of how you have complied: The guidance does not change the arrangements around the basis for data collection or processing.

6.2 Principle 2 – purpose limitation

Compliant: Yes

Description of how you have complied: The guidance advises organisations to start with an understanding of the need for the collection of data.

6.3 Principle 3 – adequacy, relevance and data minimisation

Compliant: Yes

Description of how you have complied: There was strong evidence from the review of a need for data about sex and gender. There are currently a range of approaches to collecting data about sex and gender. The guidance proposes standardizing those approaches, and as such the introduction of the guidance is intended to ensure relevance and that the data is collected when needed.

6.4 Principle 4 – accurate, kept up to date, deletion

Compliant: Yes

Description of how you have complied: As for 6.3, the standardization in the guidance should support improvements to data quality.

6.5 Principle 5 – kept for no longer than necessary, anonymization

Compliant: Yes

Description of how you have complied: The guidance describes arrangements for publishing aggregate data and statistics in ways that do not compromise the identity of individuals. It does not change the arrangements around data retention.

6.6 GDPR Articles 12-22 – data subject rights

Compliant: N/A

Description of how you have complied: The guidance does not comment on or change the arrangements around data subject rights.

6.7 Principle 6 - security

Compliant: Yes

Description of how you have complied: The guidance describes arrangements for publishing aggregate data and statistics in ways that do not compromise the identity of individuals.

6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.

Compliant: N/A

Description of how you have complied: The guidance does not comment on or change the arrangements for movement of data across national boundaries.

7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk: Data is collected in many different ways using interchangeable terms

Solution or mitigation: Introduce guidance to standardise approach. This will not be mandatory, so there remains a risk that not all organisations will adopt it. A separate letter will set expectations of adopting the guidance.

Result: reduce

Risk: Data is not consistently analysed or published

Solution or mitigation: Provide guidance to standardise questions and support publication. Set expectation to public bodies for the publication of aggregate data.

Result: reduce

8. Incorporating Privacy Risks into planning

Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.

Risk: Data is collected in many different ways using interchangeable terms

How risk will be incorporated into planning: To consult and work with data users, data owners and other stakeholders to understand challenges this causes, and potential solutions.

Owner: Roger Halliday

Risk: Data is not consistently analysed or published

How risk will be incorporated into planning: To consult to understand factors behind this problem and (as a result) develop potential solutions.

Owner: Roger Halliday

9. Authorisation and publication

I confirm that the impact of applying the guidance has been sufficiently assessed against the needs of the privacy duty:

Name and job title of an IAO or equivalent

Roger Halliday, Chief Statistician, Scottish Government

Date each version authorised

21 September 2021

Contact

Email: lee.bunce@gov.scot
