Publication - Publication

Agriculture (Retained EU Law and Data) (Scotland) Bill: DPIA

Published: 7 Nov 2019
Directorate:
Agriculture and Rural Economy Directorate
Part of:
Farming and rural
ISBN:
9781839602757

Data protection impact assessment (DPIA) for the Agriculture (Retained EU Law and Data) (Scotland) Bill, which considers how the bill impacts on personal data and privacy.

15 page PDF

234.2 kB

15 page PDF

234.2 kB

Contents
Agriculture (Retained EU Law and Data) (Scotland) Bill: DPIA
Data Protection Impact Assessment (DPIA) - Agriculture (Retained EU Law and Data)(Scotland) Bill

15 page PDF

234.2 kB

Data Protection Impact Assessment (DPIA) - Agriculture (Retained EU Law and Data)(Scotland) Bill

Title of proposal:

Agriculture (Retained EU Law and Data)(Scotland) Bill

Your department:

Sustainable Land Use and Rural Policy – Rural Support Bill Team

Contact email:

ARE.EUexit@gov.scot

Data protection support email

dpa@gov.scot

Data protection officer

dataprotectionofficer@gov.scot

Is your proposal primary legislation, secondary legislation or a statutory measure?

Primary Legislation

Name of primary legislation your measure is based on (if applicable)

N/A

What stage is your legislation or statutory measure at and what are your timelines?

This legislation is currently in the pre-introduction, preparatory phase.

Subject to confirmation of the Legislative Programme, it is intended that the Bill will be introduced to the Scottish Parliament in Autumn 2019, with Royal Assent being obtained by summer 2020. This will allow time for regulations to be laid and come into force from 1 January 2021.

Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?

Yes, see Annex A.

If the ICO has provided feedback, please include this.

Yes, and they have confirmed that no further consultation is required.

Have you held a public consultation yet?

A public consultation titled “Stability and Simplicity” was held between 20 June and 15 August 2018. It set out policy proposals for the period up until around 2024, with no changes to the current structure of the CAP in 2019-20, then, where possible, making simplifications and improvements (while keeping the overall structure) from 2021 onwards.

Were there any comments/feedback from the public consultation about privacy, information or data protection?

There were no questions in the public consultation that were specific to privacy, information or data protection.

In the course of answering other questions, several respondents indicated that improved data collection and data sharing by the Scottish Government in relation to the agri-food supply chain would both improve evaluation and delivery of CAP schemes, and have the potential to aid businesses to benchmark their performance.

Version Details of update Version complete by Completion Date
April 2020 Consideration of any revision needed following parliamentary scrutiny (Stage 1).
June 2020 Consideration of any revision needed following parliamentary scrutiny (Stage 2).
July 2020 Consideration of any revision needed following parliamentary scrutiny (Stage 3).
Sept/Oct 2020 Consideration of any revision needed prior to the introduction of secondary legislation.

Question Comments
Article 35(7)(a) – “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller”
1 What issue/public need is the proposal seeking to address? What objective is the legislation trying to meet? The Bill as a whole is intended to give the Scottish Ministers regulation-making powers to modify retained EU law where it relates to the current EU Common Agriculture Policy (CAP). This is required as a result of the UK decision to leave the EU, to enable the Scottish Ministers to implement the policy changes proposed in the 2018 Stability and Simplicity consultation.
The Scottish Government currently collects agricultural data under the Agriculture Act 1947. The current EU CAP regulations require the Scottish Government to provide agricultural data to the EU, but they do not provide any legal basis to collect that data, hence the use of the 1947 Act.
This Bill includes powers to collect data relating to agricultural activities and supply chains. The aim is to make agricultural data collection more transparent and clearly linked to the principals of the GDPR. The powers will enable the Scottish Government to collect data which can then be analysed, or otherwise processed, to support the industry and support the Scottish Ministers’ policy making function. The analysis and processing of the data is not covered in this Bill.
The Scottish Government has consulted with the Information Commissioners Office (ICO). The ICO have stated that no public consultation is required on this power. This is because it does not raise any new powers that are not already in existence either through EU or UK law. While the powers in this Bill will supersede current UK law from the Agricultural Act 1947, the changes to legislation update the existing power, providing more transparency through improved definitions of who the Scottish Government can collect data from and a the legal basis for doing so which is required under GDPR.
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” and Article 35(7)(b) “…necessity and proportionality of the processing operations”
2 Does your proposal relate to the collection of personal data? If so, please explain how and what kind of personal data it might involve.
Please also specify if this personal data will be sensitive or special category data or criminal convictions or offences?
(Note: ‘special categories’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation and sensitive personal data means criminal information or history)
Yes. The Bill contains a power which enables the Scottish Ministers to require data from persons in (or closely connected to) the agri-food supply chain and from persons who carry out agricultural activities. The Bill also contains a regulation-making power under which the Scottish Ministers may provide standing requirements for those persons to provide data. In both cases, the data which is collected can only be used for a purpose which is provided in the Bill.
It is expected that this would involve data such as financial accounts from farm business enterprises, machinery and livestock inventories, production, input and output estimates. Because the data could identify the individual farmer, the Scottish Government considers this to be personal data. However, the Scottish Government does not anticipate that all data collected under these powers will be personal data.
While present data collection does not involve special category data, or criminal convictions or offences, it is envisaged that in future certain special category data, including in particular age and disability data (as these categories are most relevant to agriculture), may be collected.
Article 35(7)(a) “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller” and Article 35(7)(b) “…necessity and proportionality of the processing operations”
3 How will your proposal engage with Article 8 ECHR? How will your proposal balance rights and requirements with Article 8 rights? If impinging on Article 8 rights, what is your justification for doing so – why is it necessary?
Article 8 ECHR:
Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The Scottish Government considers that the Bill as a whole does not give rise to any human rights concerns and complies with the European Convention on Human Rights (ECHR).
When the UK exits the EU, current EU law will be rolled over into domestic legislation as retained EU law. This includes the CAP regulations and rules, which, as existing EU legislation, is compliant with the ECHR. The Bill itself does not change that legislation, but provides the Scottish Ministers with enabling powers to make changes to that retained EU law in relation to the CAP.
Any policy changes, once decided upon, will be made through secondary legislation under this Bill, and will be subject to further impact assessments and consideration of compliance with ECHR, etc.
The data collection power has been developed with consideration of an individual’s need for private and family life balanced against the need to collect data to aid the economic development of the country, and to monitor and evaluate the impact of the spend of public funds. In addition, the data collection power does not include the ultimate consumers or those who are not carrying out an economic activity for profit. Additionally, when the data which is collected is personal data, the restrictions of the GDPR and the Data Protection Act 2018 will apply to that data, which place limits on its processing and use. Furthermore, the data may only be used for a purpose (as listed on the face of the Bill) for which it was collected.
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights an dlegitimate interests of data subjects and other persons concerned”
Note Article 32 GDPR for s.4 also
4 Will your proposal require you to regulate: technology behaviour of individuals using technology technology suppliers technology infrastructure This Bill does not contain any policy implementation or regulatory powers. It enables the Scottish Ministers to continue using the technological structures which are used in the current CAP.
Therefore, at present it is not envisaged that this will be required. However, should this change in the future, the Scottish Government would follow the appropriate assessment and consultation process.
4a Will your proposal require establishing or change to an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s? Under this Bill, the structures previously established for the current CAP will continue to be used, and should any changes be required these will be brought forward under subsequent secondary legislation, at which point any relevant DPIAs will be revised as necessary.
It is envisaged that during the 2021 – 2024 period set out in the Stability and Simplicity consultation the current processes will continue at, or close to, their current form. There is likely to be a change in the period beyond this as decisions are made regarding longer term future rural policy, therefore it is likely that revisions to the DPIA will also be required at that stage.
4b Please explain how your proposal will regulate behaviour using technology or the use of technology.
Please consider/address any issues involving:
  • Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals);
  • Surveillance (necessary or unintended);
  • Tracking of individuals online, including tracking behaviour online;
  • Profiling;
  • Collection of ‘online’ or other technology-based evidence
  • Artificial intelligence (AI);
  • Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals
(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people’s information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)
In order to reduce the burden of data collection, publically available data from satellites and remote sensing may be used to assess the level of different land uses in Scotland. This makes use of artificial intelligence to recognise different crop types growing on arable land, as well as non-crop land uses such as grazing or forestry. These estimates would be used for the purpose of producing statistics and for research and it is not envisaged they would be used to make regulatory decisions. Should this change in the future, the Scottish Government would follow the appropriate assessment process.
As with any statistical data, there is a risk that data on land use could be combined with specialist knowledge held by others, and potentially could lead to the linking of personal data elsewhere with data on the use of land. This risk is considered small and is similar to other mapping applications using publically available remote sensing imagery.
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
*Note exemptions from GDPR principles where applicable
5 Please provide details of whether your proposal will involve the collection of evidence or investigatory powers (e.g. fraud, identify theft, misuse of public funds, criminal activity, witness information, online behaviour, victim information or other monitoring of online behaviour) The Scottish Government will not be collecting such data directly under this Act, but it may be useful to other public authorities in the role of enforcement or criminal investigations to share data with them. This would be dealt with under GDPR and Data Protection Act 2018 powers, and not this Bill.
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights an dlegitimate interests of data subjects and other persons concerned”
6 Would your proposal affect a specific group e.g. children, vulnerable individuals, elderly people? (Please specify) No. The Bill does not affect specific groups. It will apply to all farmers, crofters and land managers, and anyone else connected to an agri-food supply chain (with the exclusion of ultimate consumers and those who are not carrying out an economic activity in the supply chain).
However, it should be noted that, while the provisions in the Bill are not directed at any specific group, the majority of individuals in receipt of CAP funding tend to be in their later years and disproportionately men, and so by default the majority of responses to requests for data using this power will be from people in these categories.
7 Will your Bill necessitate the sharing of information to meet the objectives of your proposal?
If so, are the appropriate legal gateways included?
Would your proposal benefit from appointing or specifying Data Controllers/creating obligations in law for responsibility for managing personal data?
(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s.)
It is intended that the powers regarding data collection will allow data to be shared in the future with research institutions. The powers in this Bill are limited to data collection. Other legislation, such as GDPR and the Data Protection Act 2018, will form the legal gateway for processing and sharing data.
When the data which is collected under these powers is personal data, the restrictions of the GDPR and the Data Protection Act 2018 will apply to it. In such cases, the Scottish Ministers will still be required to demonstrate a lawful basis to process the data. In other words, these powers are concerned with the collection of data. They are not powers which will allow the Scottish Ministers to use personal data beyond what they are allowed to do with the data under the rules of GDPR and the Data Protection Act.
Any future data sharing will also be carried out in accordance with the current data sharing strategies that the Scottish Government has implemented.
For example, under the current CAP regulations (specifically Article 7 of 1306/2013 and Annex 1 of 907/2014) the Scottish Government is able to delegate tasks to other public bodies, such as Scottish Natural Heritage and Forestry Scotland. The regulations require that the Scottish Government retains responsibility for the legality and regularity of all transactions, including the efficient management of the funds concerned, and in order to ensure compliance a written agreement must be in put in place between the Scottish Government and the delegated body. To comply with these regulations, the Scottish Government has established Service Level Agreements (SLAs) with these delegated bodies. These SLAs are reviewed annually, and include sections on data sharing and how the Scottish Government is meeting its legal obligations under the GDPR and the Data Protection Act 2018. This Bill will make no change to these arrangements, as the Bill itself does not make any changes to the CAP (as outlined earlier in this document). Should any changes to these arrangements be required in future, these will be brought forward under secondary legislation (at which point the relevant DPIAs would be revised), and they would also be covered under the annual review of these SLAs.
8 Is there anything potentially controversial or of significant public interest in your policy proposal?
Are there any potential unintended consequences with regards to the provisions e.g. would unintended surveillance be an outcome of information collection provisions; will the public’s personal information have appropriate safeguards – could those safeguards interfere with the ability to investigate crime or protect the public etc. Please provide details about how you are balancing competing interests where they relate to personal data.
As the Bill, and the policy proposals behind it, is intended to maintain the broad structures of the current EU CAP, we do not anticipate the provisions being viewed as controversial. The power to collect data is also unlikely to be seen as controversial, as it is bringing up to date and making more transparent the powers which are already being used under the Agriculture Act 1947.
The one exception to this may be the provisions relating to enforcement, which grant the Scottish Ministers the power to make regulations to make provision for monetary penalties for non-compliance. While a similar power is included in the Agriculture Act 1947, the penalty was set at £50; this is now deemed to be overbearing if enforced on small and medium sized businesses, but underpowered if enforced on large-scale businesses (particularly where they operate in a sector in which they hold a monopoly, and therefore the ability to compel them to supply data is key to the Scottish Government being able to adequately support the sector).
The relevant provisions in the Bill seek to address this imbalance, and enable changes to be made to make such penalties more proportionate and appropriate. Should regulations be brought forward under these provisions, further stakeholder engagement will be undertaken to ascertain their views on both the principle and the detail of the matter.
In terms of public interest, due to the large number of businesses that currently receive support payments through the CAP, and the proportion of the budget involved (although this is mostly the EU budget at present, changing to the UK budget after the UK leaves the EU), it is likely there will be a high level of public interest in the Bill as a whole from the rural community, and some wider public interest.
9 Are there legacy provisions in other legislation that need to be addressed/repealed etc. in your current proposal? No
10 Will any of the provisions affect/engage ECHR rights in addition to Article 8 e.g.:
Article 6 right to a fair trial (and rights of the accused)
Article 10 right to freedom of expression
Article 14 rights prohibiting discrimination
Or any other convention or treaty rights?
No
11 Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
No

Contact

Email: agriculture.scotlandbill@gov.scot