Crofting consultation and analysis: data protection impact assessment
A consultation on proposals for legislative reform of crofting law was held between 6 June and 2 September 2024. This data protection impact assessment (DPIA) covers the data protection issues relating to the consultation and the subsequent independent analysis report.
7. UK General Data Protection Regulation (UK GDPR) principles
| Principle | Compliant – Yes/No | Description of how you have complied |
|---|---|---|
| 7.1 Principle 1 – fair and lawful (see 4.1), and transparent | Yes | The lawful basis for processing personal data will be public task. |
| 7.2 Principle 2 – purpose limitation | Yes | The data will be collected for specific purposes and will not be processed in a manner incompatible with those purposes. The purpose is clearly explained to respondents prior to responding. |
| 7.3 Principle 3 – adequacy, relevance and data minimisation | Yes | The consultation will not gather information that is not necessary to achieve the project’s objectives. Participants are able to input as much information as they would like to open questions, and are able to skip open questions. |
| 7.4 Principle 4 – accurate, kept up to date, deletion | Yes | The data from the consultation and analysis does not need to be kept up to date as it represents the participants’ views and circumstances at the point of collection. (See Principle 5 for deletion). The final report will be quality assured by the Contract Manager. |
| 7.5 Principle 5 – kept for no longer than necessary, anonymization | Yes | The data processor will be processing data which is directly identifiable in the dataset. On anonymization measures, see section 5.2. Review measures will be in place to ensure that the data will be deleted by the contractor at the end of the contract, and will be kept for no longer than is necessary by SG. |
| 7.6 UK GDPR Articles 12-22 – data subject rights | Yes | Data subject rights are outlined in the privacy policy linked to from the consultation document. The contractor will be made aware that it must pass data rights requests to SG to handle, as the Data Controller. |
| 7.7 Principle 6 – security | Yes | Data will be protected from loss or unlawful processing using appropriate methods, including storing electronic data on password protected secure servers and providing the contractor with a password to access the secure Citizen Space platform (which will give them access until the project is completed). The data processor is subject to SG Terms and Conditions which cover data security. |
| 7.8 UK GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area. | Yes | The project is not expected to involve the transfer of data outside the EEA. However, if there is an open competition tendering process to procure the consultation analysis, there is a possibility that the contract could be won by a supplier outside of the EEA, in which case appropriate safeguards will be put in place. |