Information

Bail and Release from Custody (Scotland) Bill: data protection impact assessment

This data protection impact assessment (DPIA) is undertaken in compliance with UK General Data Protection Regulation (UKGDPR) Article 35(10). This is an iterative impact assessment, which we expect to amend as the Bill makes its way through Parliament.


6. Risk Assessment

Risk

6.1.1 Risk to individual rights

There is a risk that members of the public attempting to assert their data subject rights may not know what controller organisation to contact leading to a breach of the transparency principle and inability to assert rights.

Solution or mitigation

Clear and consistent Privacy Notices across the relevant organisations.

Likelihood (Low/Med/High)

Low

Severity if unmitigated (Red/Amber Green)

Amber

Mitigated Result [Accepted Reduced Mitigated Eliminated]

Mitigated

Risk

6.1.2 Risk to individual rights

Risks might arise as a result of the use of personal information (recording of reasons for bail decisions) to undertake analysis to provide a statistical understanding of the reasons for refusal of bail.

Solution or mitigation

No personal data would be released during any statistical analysis.

Data controllers will ensure as they do at the moment that personal data is processed in a manner that is compliant with DPA and GDPR obligations.

Likelihood (Low/Med/High)

Low

Severity if unmitigated (Red/Amber Green)

Amber

Mitigated Result [Accepted Reduced Mitigated Eliminated]

Mitigated

Risk

6.2.1 Privacy risks

Purpose limitation – Information provided to VSOs

Solution or mitigation

The type of information which can be provided is limited to the information currently shared with victims and the legislation will set out the limited purposes for which it can be used.

Likelihood (Low/Med/High)

Low

Severity if unmitigated (Red/Amber Green)

Amber

Mitigated Result [Accepted Reduced Mitigated Eliminated]

Mitigated

Risk

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or mitigation

Clear and consistent Privacy Notices across the relevant organisations.

Likelihood (Low/Med/High)

Low

Severity if unmitigated (Red/Amber Green)

Green

Mitigated Result [Accepted Reduced Mitigated Eliminated]

Mitigated

Risk

6.2.3 Privacy risks

Minimisation and necessity

Solution or mitigation

N/A

Risk

6.2.4 Privacy risks

There is risk that the personal information which is shared for the purposes of pre-release planning may not be accurate. This is due to the information disclosed by the data subject themselves.

Solution or mitigation

Data subject will be encouraged to provide accurate information with supported by clear and consistent Privacy Notices across the relevant organisations.

Likelihood (Low/Med/High)

Med

Severity if unmitigated (Red/Amber Green)

Green

Mitigated Result [Accepted Reduced Mitigated Eliminated]

Accepted

Risk

6.3.1 Security risks

There is a risk that lack of maturity of some DP controls in VSOs may lead to personal information being mishandled.

Solution or mitigation

Early engagement with VSOs will ensure appropriate documentation and processes are in place. If necessary guidance will be developed, supported by links to ICO guidance.

VSOs will be encouraged to undertake an audit of their current technical and organisation measures to ensure they remain sufficient.

Likelihood (Low/Med/High)

Low

Severity if unmitigated (Red/Amber Green)

Red

Mitigated Result [Accepted Reduced Mitigated Eliminated]

Reduced

Risk

6.3.2 Security risks

There is a risk that lack of maturity of some DP controls in VSOs may lead to personal information being mishandled.

Solution or mitigation

Early engagement with VSOs will ensure appropriate documentation and processes are in place. If necessary guidance will be developed, supported by links to ICO guidance.

Likelihood (Low/Med/High)

Low

Severity if unmitigated (Red/Amber Green)

Red

Mitigated Result [Accepted Reduced Mitigated Eliminated]

Reduced

Risk

VSO risks

There may be a perceived risk that a VSO may access information about a prisoner where it is not appropriate for them to do so.

Solution or mitigation

The Bill makes provision so that a VSO is only entitled to information where it is providing support to a victim. That requirement for an existing relationship between the VSO and the victim means that it is unlikely that VSO will be provided with information other than where it is required to support a victim.

Furthermore, the Bill makes provisions requiring a VSO to be specified in secondary legislation in order to be capable of receiving information. In order to be so prescribed, a VSO will need to demonstrate that it fits the criteria in the Bill, thus providing a further safeguard against the passing of information to an organisation which should not rightly have it.

Likelihood (Low/Med/High)

Low

Severity if unmitigated (Red/Amber Green)

Red

Mitigated Result [Accepted Reduced Mitigated Eliminated]

Reduced

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO

Action

Advice has been sought from DPO throughout the drafting of this assessment

All advice and comments have been incorporated where possible.

I confirm that the Bail and Release from Custody (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UKGDPR and Data Protection Act 2018

Name and job title of a IAO or equivalent

Date each version authorised

Cat Dalrymple

31/05/22

Contact

Email: futureofcustody@gov.scot

Back to top