Children (Care and Justice) (Scotland) Bill: data protection impact assessment

2. Introductory information

2.1 Summary of proposal

The Bill is a multi-topic piece of legislation, helping to improve outcomes for children who come into contact with care and justice services in Scotland. The vast majority of the provisions in the Bill amend existing Acts. The Bill creates no new statutory bodies. Therefore data considerations concern existing organisations already subject to GDPR requirements which processes and arrangements in place for processing, handling and sharing personal data, to discharge their existing public duties.

• Part 1 relates to the children’s hearings system. The main change is to the meaning of “child” in the Children’s Hearings (Scotland) Act 2011, which means that all under 18s will be considered children for the purposes of the children’s hearings system (without any distinction made between children over 16 who are subject to compulsory supervision orders (CSO) and those who are not). The Bill takes forward measures to enhance the ability for protective and preventative measures to be made available through this system, and places a duty on the Principal Reporter to inform people, who have a right to request information about the disposal of a child’s case by the children’s hearings system, that they have that right and provides for supervision and guidance for children after they turn 18 up to age 19.
• Part 2 relates to children who are dealt with by the criminal justice system when suspected or accused of offences or as involved as witnesses or victims. This part of the Bill maintains the current link between the meaning of “child” in the Criminal Procedure (Scotland) Act 1995 and the definition in the 2011 Act so that, for almost all purposes, under 18s will be regarded as children. Many of the other provisions in this Part are consequential on this age change and amend provision for the treatment of children from the point of being arrested by the police through to detention after pleading, or being found, guilty. This includes introducing restrictions on the reporting of criminal investigations involving children and making changes to the current restrictions on the reporting of court proceedings. This Part also provides that under 18s will no longer be detained in young offenders institutions. Where children are detained in secure accommodation, there is provision for how local authority duties in relation to “looked after” children will apply.
• Part 3 has links back to both Part 1 and Part 2 as it is mainly aimed at reforming the legislative landscape around the provision of secure accommodation and the approval and regulation of those who provide it. That also includes changes around cross-border placements into accommodation in Scotland from other parts of the UK, as well as changes that will facilitate the recognition in Scotland of orders made in other UK jurisdictions.
• Part 4 makes two changes. It changes the meaning of “child” in the Antisocial Behaviour etc. (Scotland) Act 2004 so that it covers under 18s (except in the case of parenting orders, where it will remain as under 16s). And it repeals Parts 4 and 5 of the Children and Young People (Scotland) Act 2014. The Bill amends a number of existing enactments, some of which do, and some of which do not, apply to the Crown. The Bill makes no change to the application of those enactments to the Crown.
• Part 5 makes some necessary measures in relation to issues such as ancillary provisions, interpretation and commencement. This DPIA relates to changes introduced by the provisions of the Bill and the policies which support it. It does not provide in full for the operational delivery of the provisions. At the implementation stage following commencement of any future Act of Parliament, operational DPIAs will be the responsibility of the organisations identified as data controllers. These organisations are already dealing with personal data, are independent of Scottish Government and as public authorities or bodies, they have legal obligations to ensure that their processes are in accordance with the full requirements of the UK GDPR.

2.2 Description of the personal data involved

Please also specify if this personal data will be special category data, or relate to criminal convictions or offences

Overview

In terms of data protection, as the Bill proposes adaptations to existing measures and processes, the implications which arise are assessed as minor and build on procedures which currently take place.

Impact on personal data

The Bill does not make provision to collect any additional personal data. Personal data is already collected when a child comes into contact with children’s care or justice systems. For example, this could be at the point of a child’s first interaction with Police or social work. The personal data typically collected and processed may include name, date of birth, address, postcode, proof of identification. This is not affected by the Bill.

The impact of the Bill on processing or sharing of personal data is minimal. The following areas are impacted:

• By amending the definition of “child” to include 16 and 17-year-olds, children in this age bracket may follow different pathways through the care and justice systems. For example, extending eligibility of referral to the Principal Reporter to all under 18s may result in more children’s data being shared with Scottish Children’s Reporter Administration (SCRA) rather than only with the Procurator Fiscal and the courts. This is an already established data sharing practice.
• The Bill amends section 179A(5) of the Children’s Hearings (Scotland) 2011 Act^[1] to place a duty on the Principal Reporter to inform the persons entitled to request information of their right to do so, where reasonably practicable, subject to certain exceptions. This reframes the existing provisions which give the Principal Reporter the discretion to advise a person entitled to information of that right. Therefore this process already takes place.
• The Bill seeks to extend provisions for information sharing when a child under 18 is in Police custody. A police constable must notify a local authority if any under 18 is in police custody. Currently, a police constable must notify a local authority if any child under 16 and 16/17s who are subject to a CSO are in police custody. This provision extends information sharing in this specific circumstance, however an information sharing agreement already exists between Police Scotland and local government social work departments.
• Where children are prosecuted in the criminal justice system, the Bill extends the ability of courts to hold a child’s case in a closed court. If these provisions results in an increase in the use of closed courts, this should lead to enhanced privacy for more children.
• The Bill introduces an extended framework for remittal between the courts and the children’s hearings system. Yet this process already takes place, with the Bill building upon it. The impact of this may be an increased volume of data sharing between Crown Office and Procurator Fiscal Service (COPFS) and SCRA or Children’s Hearings Scotland (CHS), however this is an already established data flow.
• The personal data of children who might otherwise have been detained in a Young Offenders Institution (YOI) – a practice the Bill will end – will have their data shared with secure accommodation services, rather than (for certain children at present) the Scottish Prison Service (SPS). Information sharing already takes place with secure accommodation service providers meaning that the provisions extend use of existing data processing relationships, rather than create new processes.
• Movement restriction conditions (MRC) may be imposed on a child currently as part of a compulsory supervision order (CSO), although in practice this is rare. The Bill clarifies and extends the specific matters and devices which may be prescribed regarding restrictions or monitoring arrangements as part of a movement restriction condition. Furthermore, the Bill positively impacts the ability of the Scottish Ministers to prescribe certain matters to make sure that specified monitoring devices are used appropriately and proportionately. This includes prescribing how or when information obtained through the monitoring of a child through such devices may, or may not, be gathered, retained, used or shared for the purpose of monitoring a movement restriction condition. This is to expressly cover the additional data-collecting involved in using GPS technology should this be used as a method of monitoring a child’s movements or whereabouts in the future, thus future-proofing legislation around MRCs. However, currently electronic monitoring exclusively uses radio frequency and the provider and data processor G4S is considered a competent authority under Schedule 7, Data Protection Act 2018. This will not be changed by the Bill.
• The Bill has no impact on data protection or information sharing as it relates to cross-border secure accommodation. The current processes for sharing information will continue to be used and comply with UK GDPR. However, regulations resulting from the provisions in this Bill may lead to improved communication of a young person’s needs in relation to their care in a cross border placement and may alter the point at which services are notified of a young person’s placement. Any regulations drafted will undergo their own DPIA process.

Impact on special category data

The Bill does not introduce provision for the collection of any special category data. The Bill will not result in the routine processing or sharing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data about a person’s sex life or sexual orientation.

Genetic and biometric data

By raising the age of referral to the Principal Reporter the exceptions that apply to the normal rules governing retention of DNA and other data in relation to certain cases dealt with by the children’s hearing system will be extended to referrals of a child under 18.

The Bill has been discussed with the Scottish Biometrics Commissioner and no issues were raised.

Criminal conviction or offence data

No new criminal conviction or offence data will be collected or processed. The relevant sections of Disclosure Act 2020^[2] will continue to apply to any criminal conviction or offence data which continues to be processed, as it is at present.

Furthermore, the special provision with respect to certain disposals by children’s hearings made in the Rehabilitation of Offenders Act 1974^[3] will continue to apply regarding disclosure.

A positive impact on privacy relating to criminal offence data is anticipated due to the supplementation of reporting restrictions. The Bill introduces extensions to restrictions on the reporting of suspected criminal offences involving children, and of criminal proceedings involving children, including an amendment to the threshold of whether the information is likely to lead to identification of the child rather than having to be calculated to lead to that.

In regards to a victim’s or witness’s data, the Bill builds on existing reporting restrictions, applying to a victim or witness aged under 18, both in relation to suspected offences and during court proceedings. The restrictions apply until the date on which the victim or witness reaches the age of 18 or until the date of completion of the proceedings, whichever is later. The new data impact of this is expected to be limited: reporting restrictions apply at present to witnesses under 18, except where an accused is over 18 years old. In that case, the court has to issue a direction specifying that the restrictions are to apply: the Scottish Government understands that such directions are typical. The court and Scottish Ministers will retain their current ability to lift reporting restrictions in certain limited circumstances.

Additionally, as the children’s hearings system is a welfare-based system, there is no prosecution or sentencing regardless of the grounds for referral. The potential increased use of children’s hearings as an alternative to courts may lead to a change in the type and form of data held. This may be reflected in criminal justice proceedings statistics.

Information Sharing Agreements (ISAs) and protocols

The Bill does not introduce any exchanges of information outside of existing sharing arrangements. There will be no additional ISAs resulting from this Bill, and the Bill does not require establishment of new data controllers or processors. The existing systems and processes used by data controllers will continue to be compliant with UK GDPR.

There are several information sharing agreements in place between certain bodies. The following list is not exhaustive, but indicates some of these arrangements:

• SCRA, Police Scotland and COPFS have an information sharing protocol in place^[4].
• SCRA has a data processing contract with CHS.
• SCRA has a memorandum of understanding with Police Scotland, currently applicable to cases of children aged 16 or 17 who have a CSO or an open referral to the Children’s Reporter^[5].
• There is a Memorandum of Understanding for information sharing between SG and SPS for cases where a young person transitions to YOI.
• Information sharing between SG and secure accommodation providers is covered by the terms of the Excel secure care services contract.
• ‘[Scottish Courts and Tribunals Service] SCTS currently participates in several secure data sharing arrangements principally with Justice partners including Crown Office and Procurator Fiscal Service (COPFS), Police Scotland, Scottish Children’s Reporter Administration (SCRA) and Scottish Prison Service (SPS)’^[6]
• There is a memorandum of understanding between SG and other UK Administrations around cross border placements.

Each of the data controllers have their own individual responsibilities to comply with GDPR as operationally independent bodies or agencies.

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons?

If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights, or use of social profiling to inform policy making.

The Bill aims to ensure that decisions about children are age appropriate, trauma-informed and made in the best interest of the child. The decisions made are not directly as a consequence of personal data being processed, rather the data processing is necessary to support decisions being made. These decisions are made on a case-by-case basis and always by a human. The Bill does not introduce automated decision-making or profiling.

2.4 Necessity, proportionality and justification

What issue/public need is the proposal seeking to address?

What policy objective is the legislation trying to meet?

Were less invasive or more privacy-friendly options considered, and if so why were these options rejected?

Are there any potential unintended consequences with regards to the provisions e.g., would the provisions result in unintended surveillance or profiling?

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Legislating for the advancement of the rights of children who come into contact with the care and justice systems is a well-considered, necessary and proportionate measure. The Bill is being introduced in line with the Scottish Government’s commitment to Keep the Promise, made as a result of the Independent Care Review. The commitment includes the presumption against children in the criminal justice system. Where children come into contact with the care and justice systems, or in conflict with the law, Scotland is committed to ensuring children’s experiences are age-appropriate and trauma-informed and that systems and settings reflect this.

All data relating to the Bill is already subject to processing and appropriate safeguards are in place. The Bill proposes to shift the age bracket that currently determines a child’s experience in the care and justice systems, including when in conflict with the law, thus amending the way data is processed while remaining within existing parameters.

There is no expectation that new or different data will be collected, processed or shared outside of existing arrangements as a result of the introduction of the Bill. No new data controllers or processors are being introduced. Therefore the safeguards that are already in place will continue to be utilised, albeit for a larger cohort of children.

Considerations

The objective of the Bill is to further uphold children’s rights and ensure that decisions being made reflect the best interest of the child and their wellbeing. This includes Article 40 of UNCRC^[7], the child’s right to protection of privacy where the child is in conflict with the law, and this has been considered when drafting the provisions of the Bill. The information processed by data controllers is limited to that which is necessary and proportionate for the purpose of making decisions which aim to support the child’s needs. It would not be practicable to reduce the level of personal data without detriment to the provision of support to the child.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

If the latter, what will be the status of the Code of Conduct? (statutory or voluntary?

The data controllers are established bodies with robust and trusted policies and procedures in place for data protection. They already have extensive responsibilities and understand the sensitivities and legal requirements for handling this type of data, therefore it would not be necessary for SG to introduce new guidance. Further, as the data controllers are operationally independent from SG, it would not be appropriate for SG to prescribe a Code of Conduct.

The Bill will result in a potential alteration in the volume of children experiencing certain already established routes within the care and justice systems, for example the potential additional referrals of 16 and 17-year-olds to children’s hearings. As these data processes already exist, it should be possible for data controllers and processors to incorporate this additional volume of information.

However, where organisations would welcome further guidance on data sharing and management as a result of the Bill to supplement their established practices, this will be considered and further explored.