Publication - Impact assessment
Animal welfare bill: data protection impact assessment
Animals and Wildlife (Penalties, Protections and Powers) (Scotland) Bill DPIA.
Animals And Wildlife (Penalties Protections And Powers) (Scotland) Bill
Title of proposal:
Animals And Wildlife (Penalties Protections And Powers) (Scotland) Bill
Your department:
SG Animal Welfare Team
Contact email:
Animal Health & Welfare (Scotland) Act - Amendment Bill welfareconsultation2019@gov.scot
Data protection support email
Data protection officer
dataprotectionofficer@gov.scot
Is your proposal primary legislation, secondary legislation or a statutory measure?
Primary legislation
Name of primary legislation your measure is based on (if applicable)
What stage is your legislation or statutory measure at and what are your timelines?
30th September - introduction to Parliament
October 2020 – in force
Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?
Sent Enquiry form to ICO on 3 July 2019 in line with Article 36(4) of the GDPR (copy of the draft is included in this DPIA in Annex A)
If the ICO has provided feedback, please include this.
Annex B
Have you held a public consultation yet?
Yes
Were there any comments/feedback from the public consultation about privacy, information or data protection?
No
| Version | Details of update | Version complete by | Completion Date |
|---|---|---|---|
| 1.0 | To mitigate or reduce risk | Jonathan MacLure | 1.7.2019 |
| 1.1 | To comply with GDPR and Data Protection Law | Ellie Robertson | 8.7.2019 |
| 1.2 | Redraft / clarification | Jonathan MacLure | 9.7.2019 |
| Question | Comments | ||
|---|---|---|---|
| Article 35(7)(a) – “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller” | |||
| 1 | What issue/public need is the proposal seeking to address? What objective is the legislation trying to meet? | Simplify and improve the enforcement of existing legislation to further protect animals in Scotland. | |
| Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” and Article 35(7)(b) “…necessity and proportionality of the processing operations” | |||
| 2 | Does your proposal relate to the collection of personal data? If so, please explain how and what kind of personal data it might involve. Please also specify if this personal data will be sensitive or special category data or criminal convictions or offences? (Note: ‘special categories’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation and sensitive personal data means criminal information or history) |
A. The conferral of a power on the Scottish Minsters to, by regulations, enable enforcement authorities to serve fixed penalty notices (FPNs) in relation to animal welfare and animal health offences The Bill will give the Scottish Ministers powers to make regulations providing for fixed penalty notices to be issued in respect of certain animal welfare and animal health offences (as an alternative to initiating proceedings for the criminal offence(s) concerned). No data processing will be required until regulations are made under those powers, after the Bill is passed. No processing of personal data will be required to exercise the power to make the regulations. Processing will only be required to give effect to any future FPN regime(s) created in future regulations. A data protection impact assessment will be carried out if and when such future regulations are made. B. Powers for enforcement authorities to make arrangements for animals previously taken into care on welfare grounds Exercise of the powers over animals to be inserted into the 2006 Act by section 11 of the Bill will involve the service of notices on the owner of the animal in question. The person who is exercising the power may not be the person that took the animal from its owner. The exercise of any one of the powers over animals may therefore require the collection, storage, use and sharing of personal data in relation to the identity and address of the owner of the animal in question. The new powers are to be made available to inspectors, constables and other persons authorised by the Scottish Ministers. In order to decide, after the taking of any of the steps mentioned in the new section 32A (2) of the 2006 Act, whether to pay compensation to the owner of the animal immediately or to defer payment of such compensation, the person who has exercised the power may seek to acquire information regarding the status of any criminal prosecution against the owner of the animal. This is because deferral of payment of the compensation amount may only take place when the owner of the animal is being prosecuted or is considered to be at risk of prosecution for certain animal welfare offences. |
|
| Article 35(7)(a) “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller” and Article 35(7)(b) “…necessity and proportionality of the processing operations” | |||
| 3 | How will your proposal engage with Article 8 ECHR? How will your proposal balance rights and requirements with Article 8 rights? If impinging on Article 8 rights, what is your justification for doing so – why is it necessary? Article 8 ECHR: Right to respect for private and family life 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. |
Since data may be processed as a result of the Bill’s provisions, article 8 may be engaged. The provisions of the Bill regarding fixed penalty notices (section A above) will not involve the processing of personal data. The data protection implications of any future regulations made under the provisions will be assessed at the time of making the regulations. In the case of the powers over animals (section B above), the processing is necessary in furtherance of the overall purpose of enhancing the welfare of animals. Any processing carried out will be carried out in accordance with the law. The powers to make arrangements for animals taken into possession (and the consequential need to process data in pursuance of those powers) will only be carried out when the specific requirements set out on the face of the Bill are met. In addition, the data concerned will be processed in accordance with the requirements of the GDPR and the Data Protection Act 2018. There is a lawful basis for the processing – that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – and the data protection principles will be adhered to. |
|
| Article 35(7)(b) “…necessity and proportionality of the processing operations” Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned” Note Article 32 GDPR for s.4 also |
|||
| 4 | Will your proposal require you to regulate: technology behaviour of individuals using technology technology suppliers technology infrastructure information security (Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.) |
Scottish Government will not be directly involved in sharing any data relating to the Bill provisions. Existing arrangements between authorities will remain the same, and will involve the use of technology to record information. | |
| 4a | Please explain how your proposal will regulate behaviour using technology or the use of technology. Please consider/address any issues involving:
|
No proposals to “regulate behaviour using technology.” All Existing processes for reporting and investigating animal health & welfare and wildlife crime complaints, will involve Police Scotland, Local authorities and the Scottish Society for the Prevention of Cruelty to Animals (Scottish SPCA). | |
| 4b | Will your proposal require establishing or change to an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s? | No | |
| Article 35(7)(b) “…necessity and proportionality of the processing operations” Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” *Note exemptions from GDPR principles where applicable |
|||
| 5 | Please provide details of whether your proposal will involve the collection or storage of evidence or investigatory powers (e.g. fraud, identify theft, misuse of public funds, criminal activity, witness information, online behaviour, victim information or other monitoring of online behaviour) | Yes. The investigation of animal health & welfare and wildlife crime complaints will continue as it currently does; with the addition of the new penalties, FPN & disposal regimes detailed in 2 above. | |
| Article 35(7)(b) “…necessity and proportionality of the processing operations” Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned” |
|||
| 6 | Would your proposal affect a specific group e.g. children, vulnerable individuals, elderly people? (Please specify) | No | |
| 7 | Will your Bill necessitate the sharing of information to meet the objectives of your proposal? If so, are the appropriate legal gateways for sharing personal data included? Would your proposal benefit from appointing or specifying Data Controllers/creating obligations in law for responsibility for managing personal data? (Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s.) |
As described in section 2 above, the new powers over animals may involve the sharing of information between the authorised person and other persons (such as inspectors, constables and the prosecutors). Such sharing is considered to be processing for the exercise of a function conferred on a person by an enactment or rule of law and therefore capable of being carried out under the GDPR. No new data sharing arrangements should be required, as the authorities have undertaken animal welfare investigations in a similar way throughout the existence of the 2006 Act. It is not the intention to create new obligations for managing personal data, assuming that this is done correctly at present by the relevant authorities. |
|
| 8 | Is there anything potentially controversial or of significant public interest in your policy proposal? Are there any potential unintended consequences with regards to the provisions e.g. would unintended surveillance or profiling be an outcome of information collection provisions; will the public’s personal information have appropriate safeguards – could those safeguards interfere with the ability to investigate crime or protect the public etc. Please provide details about how you are balancing competing interests where they relate to personal data. |
No. The data sharing currently relates to the investigation of an animal health & welfare or wildlife complaint, which may or may not result in a criminal conviction. It is not expected that the new powers in the Bill will affect the detection or investigation of these issues. |
|
| 9 | Will any of the provisions affect/engage ECHR rights in addition to Article 8 e.g.: Article 6 right to a fair trial (and rights of the accused) Article 10 right to freedom of expression Article 14 rights prohibiting discrimination Or any other convention or treaty rights? |
No | |
| 10 | Are there legacy provisions in other legislation that need to be addressed/repealed etc. in your current proposal? (This might include, for example, the creation of statutory regulations (which would need enabling powers in Bills; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.). |
No. Existing powers in legislation will continue to be in force, in along with the new Bill provisions | |
| 11 | Will this proposal necessitate an associated code of conduct? If so, what will be the status of the code of conduct (statutory, voluntary etc.)? |
No. Existing codes of conduct / data sharing arrangements will remain in place. | |
Summary – Data Protection Impact Assessment
| 12 | Do you need to specify a Data Controller/s? | No. Scottish Government will not be directly involved with data sharing. |
|---|---|---|
| 13 | Do you need to include information collection duties or powers (legal basis for processing)? | No. |
| 14 | Do you need to include explicit information sharing provisions (as related to duties, legal gateways, express powers):
|
No |
| 15 | Have you included any safeguards for personal data/interference with Article 8 rights? | No |
| 16 | Have you included any safeguards for personal data/interference with other rights? | No |
| 17 | Will the collection of personal data affect decisions made about individuals, groups or categories of persons, or might provisions result in the denial of a right or rights? | Yes. May result in criminal conviction. |
Authorisation
The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division or the relevant person in the business area sponsoring the Bill/proposals.
Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust and has addressed all the relevant issues.
By signing the DPIA report, the IAO is confirming that the impact of the policy has been sufficiently assessed against individuals’ right to privacy.
The results of the impact assessment must be published in the eRDM with the phrase “Legislation DPIA” and the name of the project or initiative in the title.
Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.
I confirm that the impact of the Bill provisions has been sufficiently assessed against the needs of the privacy duty:
Name and job title of a IAO or equivalent
Sheila Voas,
Chief Veterinary Officer (Scotland) and Deputy Director of the Animal Health & Welfare Division, Scottish Government
Date each version authorised
V1.2 – 26th September 2019
Contact
Email: jonathan.maclure@gov.scot
There is a problem
Thanks for your feedback