Charities (Regulation and Administration) (Scotland) Bill: data protection impact assessment

Data protection impact assessment for the Charities (Regulation and Administration) (Scotland) Bill


5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones? No

5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

Charities are already required to submit accounts and the proposals in the Bill will not change this. What will change is OSCR's ability to publish the accounts submitted. The format and content of charity accounts is prescribed in the Charities Accounts (Scotland) Regulations 2006 (as amended). OSCR has published extensive guidance including videos, example accounts and template documents on its website. It also regularly includes material on annual accounts and reports at its Meet the Regulator and other engagement events. Accounts staff offer guidance or will signpost to other sources of advice.

Implementation of the Bill proposals will include an extensive awareness-raising campaign to alert charities to the fact that all accounts will be published in an unredacted form. Accounts are public documents that charities must already make available to any person making a reasonable request. The onus will be upon charities to send OSCR accounts in a form that is ready for publication. However, in the short term OSCR will implement a programme of sample pre-publication checks to ensure that its messaging is proving effective.

The former OSCR Online system was accessed by a username (the charity number) and a password. It is known, anecdotally, that the username was often shared among individuals, which presented a risk in terms of data security. The new system allows for three possible users for each charity who can access a charity's records. This allows for a charity's accountant or other professional adviser or senior employee to have access in addition to charity trustees. Each user has their own login connected to their email address and may be a user for more than one charity. New users must be invited by an existing user for security purposes. They must accept the invitation with a verification link sent to their email. The information available to users is limited but they can access the charity's submission and accounts history. Requests to OSCR staff to add or remove users will be retained as emails or other forms of verification in their records before the changes are made. OSCR are satisfied that this is a significantly improved system in terms of data security.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

The Bill introduces a requirement for OSCR to publish statements of account for all charities in the Scottish Charity Register. Many charities already make their accounts publicly available; however, this proposal will mean that accounts for all charities will be published.

This Bill also stipulates a new requirement for OSCR to add charity trustee names to entries in the Scottish Charity Register, and the creation and maintenance of an internal database of charity trustees as well as a publicly searchable record of removed charity trustees.

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g., in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

The data processed as a result of this proposal will enable OSCR to better support effective regulation of charities and their trustees, through improved compliance, investigation, and engagement work.

The new internal trustee database may be used for investigative purposes regarding fraud or potential criminal activity to ensure the safety of charity assets.

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

As explored in the EQIA for this Bill, no group or individual with protected characteristics will be impacted disproportionately as a result of this Bill.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

Sensitivities may be present for some trustees should their details become public; therefore a dispensation system, like that already employed by OSCR, which allows for individuals to apply for dispensation from having certain information included in the Scottish Charity Register,[9] will have to be introduced. It has been highlighted by the Church of Scotland, in their response to the 2019 consultation,[10] and reiterated in 2021,[11] that, particularly with regard to religious charities, any publication of names of trustees would allow the public to infer an individual's religion or belief and could therefore put them at risk of discrimination. This could also be true of certain charities where, in order to be a trustee, a person must have lived experience of certain criteria (e.g., addiction recovery, domestic abuse, disability).

The option to apply for dispensation under particular circumstances is available. Provision to withhold principal address details and charity trustee/contact details where the inclusion of that information is "likely to jeopardise the safety or security of any person or premises" is already contained in section 3(4) of the Charities and Trustee Investment (Scotland) Act 2005[12] and would continue to remain in effect.

5.7 Are there consequential changes in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

Powers for Scottish Ministers to make subordinate legislation will be present in the Bill but will not impact on the processing of personal data required to achieve the aims of the Bill.

5.8 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

OSCR will provide guidance to charities. There will be no statutory code of conduct related to this Bill.

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so, briefly explain the nature of those safeguards.

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

There are some aspects of this Bill that may impact on individuals who fall within these categories. These are mitigated, in some part, by data protection legislation and the option to apply for a waiver or dispensation under particular circumstances. Provision to withhold principal address details and charity trustee/contact details where the inclusion of that information is "likely to jeopardise the safety or security of any person or premises" is already contained in section 3(4) of the Charities and Trustee Investment (Scotland) Act 2005[13] and would continue to remain in effect.

Aside from the first two proposals, the majority of the Bill proposals are of a technical nature. They will not require all charities to take new or additional steps and some proposals will only impact upon those charities directly affected.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups, or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making.

Although an individual's special category data will not be shared or published as a result of these proposals, it could be indirectly captured and inferred. In some instances, identifying those associated with certain organisations could lead to the revealing of information that could indirectly disadvantage people based on protected characteristics or sensitive information being inferred from that published in accounts or the trustee register. One example of this could be that the location of a women's shelter might be revealed through the identity of the recorded person or their associates, which would put the women who use the shelter at risk. In this scenario, the publication of these details would indirectly have a negative impact on women both as trustees and as beneficiaries of a charity. To mitigate risks such as this, recorded persons or associates can apply for a dispensation if they feel that the disclosure of their details could result in violence, abuse, intimidation or threat of violence or abuse against themselves, or others connected to them, as per section 3(4) of the 2005 Act.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data? No

5.12 Will the proposal require the transfer of personal data to a 'third country'? (Under UK GDPR this is defined as country outside the UK.) No

Contact

Email: caroline.monk@gov.scot