Charities (Regulation and Administration) (Scotland) Bill: data protection impact assessment

Data protection impact assessment for the Charities (Regulation and Administration) (Scotland) Bill


2. Introductory information

There are 11 proposals that make up this Bill. Each proposal requiring relevant DPIA analysis has been analysed individually below. The full list of proposals can be found at Annex A.

2.1 Summary of proposal: A requirement on OSCR to publish the statements of account for all charities in the Scottish Charity Register

All charities in Scotland are under a legal duty to prepare a statement of accounts, which they then submit to OSCR annually. There is currently no legal requirement for accounts to be published on the Scottish Charity Register (the Register), although charities are required to supply a copy to anyone who requests it. Publishing statements of account for every charity on the Register would enhance transparency and accountability in the sector.

2.2 Description of the personal data involved:

(Charity Trustee) first name

(Charity Trustee) last name

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups, or categories of persons? - None

2.4 Necessity, proportionality, and justification

The proposal will enable OSCR to publish statements of account for all charities in Scotland, in full by default. This increases transparency and accountability in the sector and is consistent with legislation elsewhere in the UK and the powers given to other charity regulators and registrars of corporate bodies.

OSCR are already publishing accounts for charities with an income of £25k+ and Scottish Charitable Incorporated Organisations (SCIOs) and encouraging all charities to provide a link to their accounts on their website. Charities with an income of under £25k currently make up over half of the total number of charities on the Scottish Charity Register[2].

Under Section 23 of the 2005 Act[3], a charity must supply its latest statement of accounts to any person who reasonably requests it. There is a desire to publish accounts of charities with an income of under £25k to avoid section 23 compliance cases, whereby a charity refuses or neglects to provide information and accounts to a person asking for them. These cases often relate to smaller charities. By publishing all accounts there is a comprehensive, transparent regime across the sector.

Publishing charity accounts in full will make it quicker and easier for funders and donors to see how public money is being spent, enabling banks and funders to do due diligence, improving transparency and trust. It will also free up resources within OSCR, allowing it to target its limited resources more effectively.

Charities will have the right to apply for dispensation from certain information (e.g., the names of any of the charity trustees) being included on the Register where the publication of that information is likely to jeopardise the safety or security of a person or property. This dispensation will carry over to statements of account, with charities not being required to include in the statements of account any information for which they have a dispensation in relation to the Register.

There would be no need for OSCR or the charity to redact information prior to publication, nor a danger of different versions of the same accounts being available. This is the approach taken in England and Wales where, through provisions in 40(4) of the Charities (Accounts and Reports) Regulations 2008[4], the dispensation applies to the production of the annual reports etc.

The Bill will create the legal basis for publication. The legal basis for including trustee names in the accounts is already found in the Charities Accounts (Scotland) Regulations 2006 for receipts and payments accounts and the Charity Statement of Recommended Practice (SORP) for fully accrued accounts. To process this data OSCR and the submitting charity will need to be able to identify and rely on an Article 9 (GDPR) condition.

*See Annex B which highlights the existing legal requirements for different legal forms of charity publishing their accounts or making them available to the public.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct? - OSCR will provide guidance to charities. There will be no statutory code of conduct related to this Bill.

2.1 Summary of proposal: Requirements on OSCR to include charity trustee names in the Scottish Charity Register, to keep an internal schedule of charity trustees' details and to keep a publicly searchable record of removed charity trustees

OSCR currently holds limited information on the estimated 180,000+ charity trustees involved in over 25,000 charities in Scotland. The law currently requires the Scottish Charity Register to set out the principal office of the charity or the name and address of one of its trustees if there is no principal office. The option proposed is for OSCR to establish a new internal database with contact details and further identifying information such as dates of birth, to publish trustee names on the public Register and to maintain a separate, publicly searchable record of individuals that have been removed from being concerned in the management or control of any body by the Court of Session (and are therefore permanently disqualified from acting as a charity trustee, unless OSCR grants them a waiver). This would provide valuable and relevant information to better support effective regulation of charities and their trustees, through improved compliance, investigation, and engagement work.

The powers provided by this proposal will require processing of data for the purposes of three distinct elements:

  • An internal database of charity trustees
  • An external list of trustee names against the relevant charity(s)
  • A list of people disqualified from being charity trustees by the Court of Session under the 2005 Act or the preceding Law Reform (Miscellaneous Provisions) (Scotland) Act 1990 (1990 Act).

2.2 Description of the personal data involved

Data included on both the internal and publicly available register

(Charity Trustee) first name

(Charity Trustee) last name

Data held on the internal register only

(Charity Trustee) date of birth for identification purposes

(Charity Trustee) Personal Address, Town, Postcode

(Charity Trustee) Personal Telephone number

(Charity Trustee) email address

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups, or categories of persons?

There will be a publicly searchable list of names of persons disqualified from acting as a trustee in Scotland. This information will allow charities to conduct due diligence in a targeted manner, whilst minimising the amount of information that is publicly available (i.e., without searching) about individuals.

2.4 Necessity, proportionality, and justification

The obligations imposed by this proposal will require processing of data for the purposes of three distinct elements:

  • An internal database of charity trustees
  • An external list of trustee names against the relevant charity(s)
  • A list of people removed from being charity trustees by the Court of Session under the 2005 Act or the predecessor legislation.

  • An internal database of charity trustees and an external list of trustee names against the relevant charity

OSCR estimate there are over 180,000 trustees in Scotland and they hold limited or no information on around 150,000 of those. OSCR have a power of inquiry over trustees but no easy way of knowing who they are or how to contact them. They collect information on trustees when organisations apply for charitable status; however, once checked for disqualified trustees, it is destroyed after a period of 5 years.

This power will introduce efficiencies for compliance, investigation, and engagement work, and make it easier to identify who is in control and management of charities. It will enable OSCR to act more quickly and decisively where vulnerable beneficiaries or charitable assets may be at risk.

Additionally, this information will make it easier to establish if a person is a trustee of more than one charity, making it easier for OSCR to act more swiftly to protect assets or vulnerable beneficiaries of other connected charities where there is concern over conduct.

As there is currently no provision in the 2005 Act that requires OSCR to publish the names of charity trustees, data protection law makes it difficult for them to store, keep up to date and optimise information on trustees. There is currently no provision in the 2005 Act requiring OSCR to publish the names of charity trustees, and OSCR also has limited powers to collect information about trustees. This can make it difficult for OSCR to carry out its functions. The provisions sought in the Bill will improve OSCR's ability to carry out its statutory duties.

The proposal will allow OSCR to collect and process limited personal data on all current charity trustees to establish a new internal database of trustees and to publish names of trustees on the Register.

  • A list of people removed from being charity trustees by the Court of Session under the 2005 Act or the predecessor legislation.

There will be a separate publicly searchable record of individuals that have been removed from being concerned in the management or control of any body by the Court of Session (and are therefore permanently disqualified from acting as a charity trustee, unless OSCR grants them a waiver). This record of removed trustees would not be a full list of all the individuals; instead, OSCR will be required to provide a search facility that allows a user to enter a person's name to check if they are on the list of individuals that have been removed by the Court of Session. This allows charities to conduct due diligence whilst minimising the amount of information that is publicly available about individuals. If the search produces a match, the website would display the person's name, date of the order, name of the body the person was removed from, and details of any partial waivers granted. Where a user is unclear as to whether a search match is the same person, they will have the option to contact OSCR for further clarification. This replicates the system currently used by the Charity Commission for England and Wales that allows for searches of people removed as trustees in England and Wales.

The Bill will create the legal basis for publication.

In some instances, special category data may be inferred with a reasonable degree of certainty based on the nature of the charity. OSCR and the supplying charity will need to be able to identify and rely upon a relevant Article 9 condition for processing this data.

Consideration has been given to the 'right to be forgotten' regarding the names of removed or disqualified trustees being published as part of this proposal. It was concluded that once a trustee has been removed (by OSCR/Courts) the disqualification is permanent, unless or until a disqualification is waived by OSCR – the right to be forgotten does not apply where the data controller has a legal obligation to process the information or for the performance of a task carried out in the public interest or in the exercise of official authority.[5]

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

OSCR will provide guidance to charities. There will be no statutory code of conduct related to this Bill.

2.1 Summary of proposal: A power for OSCR to conduct inquiries into former charities and their charity trustees etc.

At present, OSCR is not able to make inquiries into a body which is no longer a charity, a body which is no longer controlled by a charity or a charity which has ceased to exist. But the Court of Session has the power to permanently disqualify the following individuals from being charity trustees, on application from OSCR:

  • former charity trustees of a body which is no longer a charity
  • former trustees of a charity which has ceased to exist, and
  • individuals who were in management or control of a body which is no longer controlled by a charity.

This means that if OSCR is not aware of potential misconduct before a charity ceases to exist or ceases to be a charity, or before a body ceases to be controlled by a charity, OSCR cannot open an inquiry if information subsequently becomes known. If OSCR cannot open an inquiry, it cannot gather the necessary evidence to allow it to make an application to the Court of Session to permanently disqualify individuals from being charity trustees. This poses a risk that trustees who are guilty of serious misconduct could go on to be trustees of other charities in cases where the misconduct was only discovered after the charity in question ceased to exist or ceased to be a charity.

This proposal gives OSCR a power to make inquiries into a body which is no longer a charity, a body which is no longer controlled by a charity or a charity which has ceased to exist. This will allow OSCR to gather the necessary evidence to make an application for permanent disqualification to the Court of Session, should this be necessary.

2.2 Description of the personal data involved:

(Former charity trustee) first name

(Former charity trustee) last name

(Former charity trustee) date of birth for identification purposes

(Former charity trustee) Personal Address, Town, Postcode

(Former charity trustee) Personal Telephone number

(Former charity trustee) email address

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups, or categories of persons?

None

2.4 Necessity, proportionality, and justification

There are potential implications for named/published trustees/officials/managers – e.g., in cases where a charity they were involved with is under investigation yet who may not themselves be party to any wrongdoing. This is mitigated by the fact that OSCR will usually only publish information about an inquiry where it is required to do so or where it is in the public interest – this happens at the end unless a direction has been served. Individuals are not normally named in inquiry reports.

OSCR would only investigate former charity trustees or individuals concerned in the management or control of a charity or body where there was suspicion of wrongdoing, and it was in the public interest to do so. This would be on a case-by-case basis; OSCR would not routinely investigate former trustees or charities that have simply ceased operating where there was no suspicion of wrongdoing.

Processing is necessary to ensure that trustees who are guilty of misconduct can be permanently disqualified and therefore not able to go on to be trustees of another charity in cases where the misconduct is only discovered after the charity had ceased to exist/ceased to be a charity etc. The result of this is that charities, charitable assets, and beneficiaries would be better protected.

The Bill will form the legal basis by expanding OSCR's powers at section 28 of the 2005 Act to include a body which is no longer a charity, a body which is no longer controlled by a charity or a charity which has ceased to exist.

In terms of section 1(9) of the 2005 Act[6], OSCR is required to act proportionately and for its regulatory activities to be targeted only at cases in which action is needed. So, in investigating former charity trustees, while there is a possibility that former trustees' names might be published as part of a report into an inquiry, OSCR is duty-bound only to take action of that nature in the cases that really need it and where doing so would be in the public interest.

This would extend the range of bodies that may be subject to inquiries, enabling OSCR to make inquiries into individuals who acted for or on behalf of those bodies (including former charity trustees), to allow OSCR to gather the necessary information about such individuals to support an application to the Court of Session for their permanent disqualification.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct? - OSCR will provide guidance to charities. There will be no statutory code of conduct related to this Bill.

2.1 Summary of proposal: Clarification of existing provision, to improve the speed and efficiency regarding OSCR's powers to gather information for inquiries

There are 2 issues in this proposal:

A) inquiries into former charities and those misrepresenting themselves as charities

B) timescales for requesting information

2.2 Description of the personal data involved: As this relates to investigative powers there may be personal data involved, i.e., trustee details.

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups, or categories of persons?

No

2.4 Necessity, proportionality, and justification

OSCR can require any person to provide information which it considers necessary for its inquiries. If OSCR requests such information about a charity from a third party, it must also give notice to the charity in question that it is the subject of the request and provide the charity with the right to review. However, the 2005 Act does not take account of situations where the body in respect of which information is sought is not a charity (e.g., a body that is misrepresenting itself as a charity or a charity that has ceased to exist). The effect of this is that OSCR cannot require a third party to provide information as it cannot serve the required notice on a 'charity.' This potentially hinders OSCR inquiries as it cannot access all the information it may require.

Where OSCR decides to request information from a third party about a charity to help with its inquiries, OSCR must notify the charity of its decision prior to doing so. This must be done within specified time limits and the charity has a right of review against OSCR's decision. There is some doubt as to how these various notice periods and time limits are intended to interact and the Bill will clarify the position, thereby making the process more efficient.

There will be no new processing powers granted to OSCR as a result of this proposal. The changes relate to gathering information for investigative purposes. This information may include personal data which would be processed by OSCR in accordance with the GDPR, and in a manner consistent with its duties under the 2005 Act.

At present OSCR can only investigate charities, not former or de-registered charities. This proposal aims to improve efficiencies and ensure that all appropriate entities can be covered by OSCR's investigative and enquiry powers. It provides clarification of existing provision, to improve speed and efficiency regarding OSCR's powers to gather information for inquiries.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

OSCR will provide guidance to charities. There will be no statutory code of conduct related to this Bill.

2.1 Summary of proposal: Providing OSCR with a power to appoint interim trustees, together with a list of minor amendments to the Charities and Trustee Investment (Scotland) Act 2005

A list of technical changes and amendments to the Charities and Trustee Investment (Scotland) Act 2005. Those technical changes which involve the processing of personal data are highlighted below.

Change to charity contact details: Currently charities are required to notify OSCR of a change of principal office or trustee contact for the charity but there is no explicit requirement to provide a new contact. Providing a new contact will ensure that the information on the register can be kept up to date and the public still have a contact address for the charity.

2.2 Description of the personal data involved

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups, or categories of persons?

None

2.4 Necessity, proportionality, and justification

These provisions in the Bill give OSCR the power to ensure that relevant contact details for charities are kept up to date by stipulation in the legislation.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

OSCR will provide guidance to charities. There will be no statutory code of conduct related to this Bill.

Research into the following proposals in the Bill has identified no impacts on personal data:

Updating the criteria for the automatic disqualification of charity trustees and extending it to individuals with senior management positions in charities

No impacts on personal data identified

Providing OSCR with a new power to issue positive directions to charities

No impacts on personal data identified

Removal from the Scottish Charity Register of unresponsive charities that fail to submit statements of account

No impacts on personal data identified

A requirement for all charities in the Scottish Charity Register to have and retain a connection to Scotland

No impacts on personal data identified

The creation of a Record of Charity Mergers providing for the transfer of legacies

No impacts on personal data identified

A requirement for de-registered charities' assets to continue to be used to provide public benefit

No impacts on personal data identified

Contact

Email: caroline.monk@gov.scot
