Continuity Bill: Data Protection Impact Assessment

Data Protection Impact Assessment for the UK Withdrawal from the European Union (Continuity) (Scotland) Bill


UK Withdrawal from the European Union (Continuity) (Scotland) Bill: Data Protection Impact Assessment

Title of proposal: The purpose of this document is to report on and assess against any potential privacy impacts as a result of the UK Withdrawal from the European Union (Continuity) (Scotland) Bill.

Your department: Constitution and Cabinet Directorate

Contact email: alex.mowat@gov.scot

Data protection support email: dpa@gov.scot

Data protection officer: dataprotectionofficer@gov.scot

Is your proposal primary legislation, secondary legislation or a statutory measure?

Primary Legislation

Name of primary legislation your measure is based on (if applicable)

UK Withdrawal from the European Union (Continuity) (Scotland) Bill

What stage is your legislation or statutory measure at and what are your timelines?

Bill due to be introduced on 18 June 2020.

Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?

Yes.

If the ICO has provided feedback, please include this.

N/A.

Have you held a public consultation yet?

Provisions similar to the 'keeping pace provision' contained within the Bill previously completed three stages of parliamentary scrutiny as part of the UK Withdrawal from the European Union (Legal Continuity) (Scotland) Bill 2018. For that reason, it was not considered necessary to conduct any formal consultation with the regard to the keeping pace provision in this Bill.

A consultation took place on the environmental provisions in the Bill. The environmental provisions in the Bill were influenced by the analysis of responses to the public consultation.

Were there any comments/feedback from the public consultation about privacy, information or data protection?

No.

Introductory information

Version

Details of update

Version complete by

Completion Date

1

Alex Mowat

02/06/2020

Article 35(7)(a) - "purposes of the processing, including, where applicable, the legitimate interest pursued by the controller"

Question 1

What issue/public need is the proposal seeking to address? What objective is the legislation trying to meet?

Comments

The Scottish Government is committed to there being no regression in standards or protections once the UK exits the transition period under section 126 of the Withdrawal Agreement agreed between the UK and the EU in October 2019. It is therefore crucial to ensure that provision is made for the replacement of regulatory powers which will be lost in consequence of EU exit.

The Scottish Government considers that there will be fields where its policy will be to voluntarily maintain regulatory alignment with EU rules. Therefore, the purpose of introducing the Bill is to allow Scots law to 'keep pace' with EU law in devolved areas, where appropriate, and ensure that we maintain the role of environmental principles of EU law as well as effective and proportionate governance in Scots law.

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects" and Article 35(7)(b) "…necessity and proportionality of the processing operations"

Question 2

Does your proposal relate to the collection of personal data? If so, please explain how and what kind of personal data it might involve.

Please also specify if this personal data will be sensitive or special category data or criminal convictions or offences?

(Note: 'special categories' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person's sex life or sexual orientation and sensitive personal data means criminal information or history)

Comments

The Bill proposes the introduction of a discretionary power for the Scottish Ministers to make legislative provision corresponding to EU law after the end of the implementation period. The power itself has no data protection impact, although future regulations introduced under the power may have data protection impacts. Any data impacts would be assessed in the preparation of individual sets of regulations under the power.

With regard to the environmental provisions in the Bill, there are no powers to collect data from individuals or individual firms. The Bill establishes, Environmental Standards Scotland (ESS), and provides for public authorities to make appropriate disclosures of information to the body, including the power for ESS to require information. The Bill ensures that the provision of such information to ESS does not contravene current data protection legislation, including the Data Protection Act 2018 (Section 35 (3-4)).

Article 35(7)(a) "purposes of the processing, including, where applicable, the legitimate interest pursued by the controller" and Article 35(7)(b) "…necessity and proportionality of the processing operations"

Question 3

How will your proposal engage with Article 8 ECHR? How will your proposal balance rights and requirements with Article 8 rights? If impinging on Article 8 rights, what is your justification for doing so - why is it necessary?

Article 8 ECHR:

Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Comments

ESS will receive information relating to matters of concern with respect to public authorities from individual members of the public and campaigning groups. They will record this information, include the name and contact details of the person and organisation raising the issue.

Article 35(7)(b) "…necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

Article 35(7)(d) "measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned"

Note Article 32 GDPR for s.4 also

Question 4

Will your proposal require you to regulate:

  • technology
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)

Comments

N/A

Question 4a

Please explain how your proposal will regulate behaviour using technology or the use of technology.

Please consider/address any issues involving:

  • Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals);
  • Surveillance (necessary or unintended);
  • Tracking of individuals online, including tracking behaviour online;
  • Profiling;
  • Collection of 'online' or other technology-based evidence
  • Artificial intelligence (AI);
  • Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals

(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people's information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)

Comments

It will be for ESS to design appropriate systems to manage information on individual matters that are brought to its attention, and ESS will be bound by data protection legislation in designing these systems.

The Scottish Government will follow best practice in public appointments processes, including with respect to data protection.

Question 4b

Will your proposal require establishing or change to an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

Comments

N/A

Article 35(7)(b) "…necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

*Note exemptions from GDPR principles where applicable

Question 5

Please provide details of whether your proposal will involve the collection or storage of evidence or investigatory powers (e.g. fraud, identify theft, misuse of public funds, criminal activity, witness information, online behaviour, victim information or other monitoring of online behaviour)

Comments

N/A

Article 35(7)(b) "…necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

Article 35(7)(d) "measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned"

Question 6

Would your proposal affect a specific group e.g. children, vulnerable individuals, elderly people? (Please specify)

Comments

N/A

Question 7

Will your Bill necessitate the sharing of information to meet the objectives of your proposal?

If so, are the appropriate legal gateways for sharing personal data included?

Would your proposal benefit from appointing or specifying Data Controllers/creating obligations in law for responsibility for managing personal data?

(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s.)

Comments

It will be for ESS to design appropriate systems to manage information on individual matters that are brought to its attention, and ESS will be bound by data protection legislation in designing these systems.

The Bill does not make provision for existing processes for data collection, retention and sharing to be altered.

Question 8

Is there anything potentially controversial or of significant public interest in your policy proposal?

Are there any potential unintended consequences with regards to the provisions e.g. would unintended surveillance or profiling be an outcome of information collection provisions; will the public's personal information have appropriate safeguards - could those safeguards interfere with the ability to investigate crime or protect the public etc. Please provide details about how you are balancing competing interests where they relate to personal data.

Comments

N/A

Question 9

Will any of the provisions affect/engage ECHR rights in addition to Article 8 e.g.:

Article 6 right to a fair trial (and rights of the accused)

Article 10 right to freedom of expression

Article 14 rights prohibiting discrimination

Or any other convention or treaty rights?

Comments

N/A

Question 10

Are there legacy provisions in other legislation that need to be addressed/repealed etc. in your current proposal?

(This might include, for example, the creation of statutory regulations (which would need enabling powers in Bills; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).

Comments

N/A

Question 11

Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

Comments

It will be for ESS to design appropriate systems to manage information on individual matters that are brought to its attention, and ESS will be bound by data protection legislation in designing these systems.

Summary - Data Protection Impact Assessment

Question 12

Do you need to specify a Data Controller/s?

Comments

It will be for ESS to design appropriate systems to manage information on individual matters that are brought to its attention, and ESS will be bound by data protection legislation in designing these systems.

Question 13

Do you need to include information collection duties or powers (legal basis for processing)?

Comments

N/A

Question 14

Do you need to include explicit information sharing provisions (as related to duties, legal gateways, express powers):

  • From one public sector organisation to another public sector organisation;
  • From a public sector organisation to a private sector organisation, charity, etc.;
  • Between public sector organisations;
  • Between individuals (e.g. practitioners/ service users/sole traders etc.);
  • Upon request from a nominated (or specified) organisation?

Comments

N/A

Question 15

Have you included any safeguards for personal data/interference with Article 8 rights?

Comments

It will be for ESS to design appropriate systems to manage information on individual matters that are brought to its attention, and ESS will be bound by data protection legislation in designing these systems.

Question 16

Have you included any safeguards for personal data/interference with other rights?

Comments

It will be for ESS to design appropriate systems to manage information on individual matters that are brought to its attention, and ESS will be bound by data protection legislation in designing these systems.

Question 17

Will the collection of personal data affect decisions made about individuals, groups or categories of persons, or might provisions result in the denial of a right or rights?

Comments

N/A

Question 18 / Comments

Please summarise the key elements to be included for Bill drafters; please highlight risks to personal data, any comments about mitigating those risks, including any costs or options for addressing those risks through legislation.

This should be included in the Bill Instruction.

The Bill covers a range of issues which are as follows:

  • Provision for power to make provision in Scots law corresponding to EU law after the end of the implementation period.
  • Provision for the duration and extension of that power and its scrutiny.
  • Provision for explanatory statements on a range of topics to accompany any regulations made under that power.
  • The insertion into domestic law of the guiding principles of EU law.
  • The duty of Scottish Ministers and other bodies to have regard to the principles.
  • The requirement for Scottish Ministers to publish guidance on the principles and their related duties.
  • The formation of Environmental Standards Scotland, including the appointment of members and staff and the organisation's structure.
  • The powers and functions of Environmental Standards Scotland.

The Bill proposes the introduction of a power to enable Scottish Ministers to continue to keep devolved law in line with EU law so far as appropriate following the end of the implementation period. The power itself has no data protection impact, although future regulations introduced under the power may have data protection impacts. Any data impacts would be assessed in the preparation of individual sets of regulations under the power.

With regard to the environmental provisions in the Bill, there are no powers to collect data from individuals or individual firms. The Bill establishes, Environmental Standards Scotland (ESS), and provides for public authorities to make appropriate disclosures of information to the body, including the power for ESS to require information. The Bill ensures that the provision of such information to ESS does not contravene current data protection legislation, including the Data Protection Act 2018 (Section 35 (3-4)).

Authorisation

The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division or the relevant person in the business area sponsoring the Bill/proposals.

Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust and has addressed all the relevant issues.

By signing the DPIA report, the IAO is confirming that the impact of the policy has been sufficiently assessed against individuals' right to privacy.

The results of the impact assessment must be published in the eRDM with the phrase "Legislation DPIA" and the name of the project or initiative in the title.

Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.

I confirm that the impact of the UK Withdrawal from the European Union (Continuity) (Scotland) Bill has been sufficiently assessed against the needs of the privacy duty:

Name and job title of a IAO or equivalent: Donald Cameron

Date each version authorised: 02 June 2020

Explanatory note re risks

The data protection impact assessment for legislation is an iterative process. There are many ways that risks to privacy and/or data protection can arise in legislative proposals and also many options for addressing those risks through legislation. As with most responses to risks, these will vary in their implications and potential impacts (e.g. cost implications, creation of other risks, consequence scanning etc.).

Some of the risks you will need to consider as work develops on Bill proposals, ancillary documents, analysis of consultations, ICO feedback and other Bill development may include (but will not be limited to):

  • There is insufficient justification for interference with Article 8 ECHR rights;
  • Appropriate safeguards have not been included/incorporated into provisions;
  • Appropriate safeguards have not been included/incorporated into provisions regarding impact to/on children;
  • The legal basis for processing is not specified or not specific enough;
  • The legal basis for processing is insufficiently expressed for the purposes of Article 9 GDPR or Schedule 1 Data Protection Act 2018 (processing of special category personal data);
  • Data controllers are not specified (they are not required to be but, where appropriate, they should be specified);
  • Legal gateways for data sharing are not included;
  • Legal gateways for data sharing are not specific enough or are too specific (for example, a named organisation is specified which consequently changes it name/structure and there is no generalised provision to allow for continued data sharing, or the provisions are drawn so specifically that an area of data sharing is excluded even though, once implemented, that information is needed etc.);
  • Provisions interfere with other ECHR rights (there will be an overlap between data protection (Article 8) and some of the other ECHR rights);
  • Unintended consequences of the proposals lead to undesirable outcomes (including non-compliance) e.g. surveillance, impinging other rights, collection of more personal data than originally intended, invasive monitoring of citizens without appropriate safeguards, creation of 'big data' sets that allow for identification of individuals and discovery of unintended personal data;
  • Data protection principles aren't incorporated into the legislation itself and/or
  • The implementation of the legislation (i.e once the Bill is enacted) is problematic because insufficient provision was included in the legislation (e.g. through express or implied powers, legal gateways, flexibility with regards to manner of implementation/powers to implement etc.);
  • Controversial measures;
  • Other legislation is not repealed or amended which contains provisions that make new proposed provisions unclear or uncertain;
  • Statistics or other exemptions aren't incorporated/become unclear through the new legislation;
  • Failing to identify all of the personal data that will be created, that will need to be shared, the organisations it will need to be shared with, or failing to include sufficiently wide provisions to allow for necessary use, sharing or access to the personal data (or other future proofing issues).

Contact

Email: alex.mowat@gov.scot

Back to top