Children (Care and Justice) (Scotland) Bill: data protection impact assessment

A data protection impact assessment (DPIA) for the Children (Care and Justice) (Scotland) Bill.


5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

No new identifiers are being introduced.

5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

No new technology is being introduced. Current technology involved in the data affected by the Bill includes:

  • Electronic Monitoring as part of Movement Restriction Conditions, supplied by G4S (as a data processor). The Bill does not impact on regulation of this technology; however, it is expected that any future use will continue to be compliant with UK GDPR.
  • Collection of biometrics is not impacted by the Bill. It is expected that any future use of technology relating to collection of biometrics will continue to comply with UK GDPR.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

No change required.

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

The Bill does not make new provision for this.

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

The Bill aims to improve the experiences and outcomes for children in Scotland who interact with the children’s hearings system and criminal justice system, as well as care settings and those who are placed across borders in exceptional circumstances. Measures will ensure that children who come into contact with the care and justice systems are treated with trauma-informed and age-appropriate support. It will help advance the rights of all children and people who have been harmed.

Children may have additional protected characteristics and the impact associated with these is recognised in the Children’s Rights and Wellbeing Impact Assessment and the Equality Impact Assessment for the Bill.

Victims are impacted by this Bill as vulnerable individuals. However, victims’ personal data is not subject to additional processing or sharing as a consequence of the introduction of this Bill. Moreover, the Bill makes provision to further protect victims’ information.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

Are there any potential unintended consequences with regard to the provisions, e.g. would the provisions result in unintended surveillance or profiling?

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

There is broad public interest in the Bill, which largely falls into three categories of stakeholders: a) children and children’s rights supporters, b) victims’ rights supporters, and c) criminal justice system interests. The Bill seeks to balance the rights of victims and persons harmed with the need to further advance the rights of children to support incorporation of UNCRC.

Given that processing will continue within established practices and use existing safeguards, it is not considered that the Bill introduces new duties which are intrusive or onerous.

5.7 Are there consequential changes to other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

The Bill provides regulation making powers. Regulations made under those powers will be subject to impact assessments when they are made.

5.8 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

It is not considered that the Bill necessitates an associated code of conduct to be produced by the Scottish Government. The data controllers operate independently of the Scottish Government, and therefore are best placed to create any further guidance if needed, to ensure their staff comply with their obligations under the UK GDPR e.g. principles of necessity and proportionality of the processing operations, storage limitation and the undertaking of regular reviews to ensure compliance with the statutory duties of the data controller. It would not be appropriate for the Scottish Government to determine how these operationally independent bodies approach their data protection requirements.

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so, briefly explain the nature of those safeguards.

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

The data controllers already have policies and procedures in place for the handling of e.g. criminal offence data, and are well versed in the sensitivities and legal requirements for processing the personal data engaged by the measures in the Bill. As now, they will continue to ensure they comply with their statutory duties and have appropriate safeguards in place.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

See section 2.3

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?

No.

5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as country outside the UK.)

No.

Contact

Email: CC&JBill@gov.scot
