Charities (Regulation and Administration) (Scotland) Bill: data protection impact assessment

Data protection impact assessment for the Charities (Regulation and Administration) (Scotland) Bill


6. Risk Assessment

6.1 Risk to individual rights

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.

Solution or mitigation

Advice and training for charities in how to ensure that personal data provided in charitable accounts and reports is minimised to that which is necessary.

With regard to the register of removed trustees, the right to be forgotten[14] does not apply where the data controller (in this case OSCR) has a legal obligation to process the information.

The option to apply for a waiver or dispensation under particular circumstances is available. Provision to withhold principal address details and charity trustee/contact details where the inclusion of that information is "likely to jeopardise the safety or security of any person or premises" is already contained in section 3(4) of the Charities and Trustee Investment (Scotland) Act 2005[15] and would continue to remain in effect.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Mitigated

6.2 Privacy risks

Purpose limitation

Solution or mitigation

The purposes for processing are confined to OSCR's statutory functions as a Regulator as specified in the 2005 Act.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Mitigated

6.3 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or mitigation

OSCR will ensure that fair processing information is provided and guidance for charities is updated to inform data subjects of the purposes and lawful basis for processing charity trustee personal data.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Mitigated

6.4 Privacy risks

Minimisation and necessity

Solution or mitigation

Charities enjoy a special status in our society which enables access to certain benefits not available to other entities, including other third sector and voluntary organisations. These benefits can include some tax and rates reliefs, access to specific sources of funding only available to registered charities, and public donations.

Charity trustees are the people who have general control and management of the charity; they are trusted to look after the charity's assets and are legally responsible for making sure that the charity fulfils its charitable purpose(s).

OSCR's surveys on public trust and confidence in charities consistently show that the public have high expectations of the charity sector. Key drivers of public trust in charities are:

  • knowing that money goes to the cause;
  • seeing evidence of achievements; and
  • knowing it is well run.

OSCR will only collect data that is required for regulatory purposes.

OSCR publishes its privacy statement on its website under Privacy, GDPR and Data Protection[16], clearly stating the law, the rights of individuals and organisations, and OSCR's data controller information and ICO registration number.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Mitigated

6.5 Privacy risks

Accuracy of personal data

Solution or mitigation

Personal data will be provided direct by the charities to OSCR. Charities will have the facility to update contact details via OSCR's 'OSCR Online' system. In addition, OSCR will seek to ensure the accuracy of the personal data through its existing annual monitoring regime, where charities will check the accuracy of the personal data held by OSCR in relation to their trustees.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Accepted

6.6 Security risks

Keeping data securely

Retention

Solution or mitigation

The Data Protection Act 2018[17] requires public authorities to ensure information is retained securely and deleted once it has been used for the purpose for which it was provided. The ICO's Code of Practice[18] provides that bodies have regard to specific security standards outlined in the Code. The Code provides that bodies must have a security plan for sharing data.

OSCR has processes in place to ensure they are compliant with these legal requirements.

In terms of retention, as far as possible OSCR aim for processes to be automated, so the database will delete records after a defined period, with an option for manual override where risks are identified. OSCR propose to retain records for each data subject for 24 months after they cease to be active. This allows for a 12-month accounting year, a further 9 months within which accounts must be filed and 3 months for OSCR to risk assess any concerns arising from monitoring of accounts, from section 46 reports or from concerns identified by the public. After 24 months have elapsed, data will be deleted automatically unless the deletion is manually overridden and the record migrated to an inquiry file. Earlier manual deletion should also be possible, for example where there is evidence that a trustee is deceased.
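The retention rule described above (a 24-month clock from the date a trustee ceases to be active, automatic deletion at expiry, a manual override that migrates the record to an inquiry file, and earlier manual deletion where there is evidence the trustee is deceased) is the kind of control that is easy to state and easy to get subtly wrong in code. The following is an added illustration, not OSCR's or the Bill's own system: the record fields `inquiry_override` and `deceased`, and the action names, are assumptions introduced here to show the decision logic with its edge cases.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# 12-month accounting year + 9-month filing window + 3-month risk assessment window
RETENTION_MONTHS = 12 + 9 + 3  # = 24, as stated in the assessment


@dataclass
class TrusteeRecord:
    trustee_id: str
    ceased_active: Optional[date]   # None while the trustee is still active
    inquiry_override: bool = False  # assumed flag: staff have linked the record to an inquiry
    deceased: bool = False          # assumed flag: evidence held that the trustee is deceased


def months_elapsed(start: date, today: date) -> int:
    """Whole calendar months between start and today (partial months do not count)."""
    months = (today.year - start.year) * 12 + (today.month - start.month)
    if today.day < start.day:
        months -= 1
    return months


def retention_action(rec: TrusteeRecord, today: date) -> str:
    """Decide what the retention job should do with one record on a given date."""
    if rec.ceased_active is None:
        return "retain"               # active trustee: retention clock has not started
    if rec.deceased:
        return "delete-manual"        # earlier deletion on evidence, regardless of the clock
    if months_elapsed(rec.ceased_active, today) < RETENTION_MONTHS:
        return "retain"               # still inside the 24-month window
    if rec.inquiry_override:
        return "migrate-to-inquiry"   # override: move to an inquiry file instead of deleting
    return "delete-auto"              # window expired, no override: automatic deletion


def run_retention(records: List[TrusteeRecord], today: date) -> Dict[str, str]:
    """Apply the rule to a batch and return the action chosen for each trustee id."""
    return {rec.trustee_id: retention_action(rec, today) for rec in records}


if __name__ == "__main__":
    # Constructed sample records; none of these represent real trustees.
    sample = [
        TrusteeRecord("T1", None),                                   # still active
        TrusteeRecord("T2", date(2020, 1, 15)),                      # exactly 24 months on 2022-01-15
        TrusteeRecord("T3", date(2020, 6, 1)),                       # only 19 months elapsed
        TrusteeRecord("T4", date(2020, 1, 15), inquiry_override=True),
        TrusteeRecord("T5", date(2021, 11, 1), deceased=True),       # evidence of death, clock irrelevant
    ]
    for tid, action in run_retention(sample, date(2022, 1, 15)).items():
        print(tid, action)
```

The day-of-month check in `months_elapsed` matters: a record that ceased on the 15th must not be counted as having reached 24 months on the 14th, so the automatic deletion never fires a day early.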

The new OSCR online system allows for three possible users for each charity who can access a charity's records. This allows for a charity's accountant or other professional adviser or senior employee to have access in addition to charity trustees. Each user has their own login connected to their email address and may be a user for more than one charity. New users must be invited by an existing user for security purposes. They must accept the invitation with a verification link sent to their email. The information available to users is limited but they can access the charity's submission and accounts history. Requests to OSCR staff to add or remove users will be retained as emails or other forms of verification in their records before making the changes.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Mitigated

6.7 Security risks

Transfer – data may be lost in transit

Solution or mitigation

OSCR has taken steps to ensure that they are in compliance with the Digital Economy Act 2017 section 35(6)[19], which requires the appropriate national authority (for example, UK Government or the Scottish Ministers) to have had regard to the systems and procedures for the secure handling of information by persons whom they add to schedule 4.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Mitigated

6.8 Security risks

Solution or mitigation

OSCR complies with the Digital Economy Act 2017[20].

Everyone who is involved in information sharing arrangements under powers in the Digital Economy Act 2017 is required to have regard to specific security standards. The Code sets out three specific requirements:

1. Public authorities and receiving parties should consider the standards and protocols that apply to their organisation when providing or receiving information before agreeing appropriate standards and protocols; all parties should be satisfied that they provide a level of security that is both appropriate and meets or exceeds their own standards and protocols.

2. Each party involved in the data share must make sure effective measures are in place to manage potential or actual incidents relating to the potential loss of information; and

3. Public authorities and data processors, together with any third parties must be fully engaged in the resolution of a potential or actual data incident.

As part of any formal data sharing agreement, security plans will need to be evidenced and documented, to include: secure storage arrangements; protective marking; assurance around the process for restricted access by individuals; a notification protocol in the event of a breach; and procedures to investigate the cause of any breach.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Mitigated

6.9 Other risks

Will this impact on children?

No impact on children. There is no minimum age for charity trustees stated in the 2005 Act; however, OSCR would expect charity trustees to be over the age of 16. If any charity trustees are under the age of 16, it would be best to get professional advice to determine if this is suitable and if there are any legal implications.

Likelihood (Low/Med/High)

- Low

Severity (Red/Amber/Green)

- Green

Result

- Mitigated

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO

Action

I confirm that the Charities (Regulation and Administration) (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.

Name and job title of an IAO or equivalent

Jane O'Donnell, Deputy Director - Community Empowerment, Reform and Governance Division.

Date each version authorised

8 November 2022

Contact

Email: caroline.monk@gov.scot
