Data Protection Impact Assessment for Legislation
for Bill Team use only
This form is for Bill teams that are developing a legislative proposal or statutory guidance that will involve (explicitly or inherently) impacts on personal data.
The form works in conjunction with the Article 36(4) ICO consultation form, in the event your draft legislation meets the requirements for consultation with the ICO.
Your proposal may engage with Article 8 rights to privacy. This could come about in a variety of ways: for example, it may establish a new organisation which will require information to be collected or shared, it may involve data sharing provisions explicitly, it may include requirements for an individual or organisation to be present in certain circumstances (e.g. for children or vulnerable people being interviewed) or it may involve powers to deliver services which will inherently require the processing of personal data in order to deliver those services. In such instances, an assessment of proposed provisions and the impact on data subjects must be undertaken.
Please note that the below questions seek to articulate how your proposals will meet the requirements of Article 35 of GDPR, Article 32 GDPR and other elements of both GDPR and Data Protection Act 2018, and seek to assess the impact to individuals’ personal data.
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
The assessment shall contain at least:
a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned.
Article 32 (Security of processing)
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Title of proposal:
Bringing into force Part 5 of the Land Reform (Scotland) Act 2016 - The Right to Buy Land to Further Sustainable Development
Land Reform Policy and Legislation Team.
Data protection support email
Data protection officer
Is your proposal primary legislation, secondary legislation or a statutory measure?
Secondary legislation: a combination of affirmative and negative SSIs. These bring into force Part 5 of the Land Reform (Scotland) Act 2016, the Right to Buy Land to Further Sustainable Development, as follows:
Affirmative Instrument: “The Right to Buy to Further Sustainable Development (Eligible Land, Specified Types of Area and Restrictions on Transfers, Assignations and Dealing) (Scotland) Regulations 2020”
Negative Instrument: “The Right to Buy to Further Sustainable Development (Applications, Written Requests, Ballots and Compensation) (Scotland) Regulations 2020”
In addition there are two other instruments: the Commencement Regulations and the Rules Regarding Lands Tribunal Fees which relate to Part 5.
Associated Schedules: These provide forms for use by various people who may be involved in a Part 5 Right to Buy process.
Name of primary legislation your measure is based on (if applicable)
Part 5 of the Land Reform (Scotland) Act 2016
What stage is your legislation or statutory measure at and what are your timelines?
We held a 12 week public consultation on the proposed regulations which closed on 19 September 2019. There were 20 responses including those from key stakeholders. Regulations are now being laid.
Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?
Yes. The form used is at Annex A, and was sent to the ICO on 9 December 2019.
If the ICO has provided feedback, please include this.
The response from ICO, 10 December, was as follows: “You wrote to the Information Commissioner’s Office on 9 December in relation to proposed data processing to bring Part 5 of the Land Reform (Scotland) Act 2016 into force. In doing so, you fulfilled your obligation under Article 36(4) of the GDPR to consult the Information Commissioner.
Thank you for providing us with the opportunity to comment on the proposals, but, having considered the submission, and with particular reference to the Information Commissioner’s regulatory priorities, we do not wish to provide any further input at this time.”
Have you held a public consultation yet?
Yes. A formal consultation on our proposals for these regulations was carried out between 26 June and 18 Sept 2019.
Please note that Part 5 of the Land Reform (Scotland) Act 2016, which will be brought into force by these regulations, was developed following public consultation.
Following an independent review and report on land reform, the land of Scotland and the common good, we consulted on the future of land reform in Scotland between December 2014 and February 2015 to gather views on proposed legislation. The results informed Part 5 of the 2016 Act.
Were there any comments/feedback from the public consultation about privacy, information or data protection?
|Version||Details of update||Version complete by||Completion Date|
|Final Version Only||20 January 2020|
|Article 35(7)(a) – “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller”|
|1||What issue/public need is the proposal seeking to address? What objective is the legislation trying to meet?||The aim of the proposal is to create a new right to buy land for sustainable development by drafting and laying regulations to bring Part 5 of the Land Reform (Scotland) Act 2016 into force.|
|Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” and Article 35(7)(b) “…necessity and proportionality of the processing operations”|
|2||Does your proposal relate to the collection of personal data? If so, please explain how and what kind of personal data it might involve.
Please also specify if this personal data will be sensitive or special category data or criminal convictions or offences?
(Note: ‘special categories’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation and sensitive personal data means criminal information or history)
Once in force, Part 5 will create a new right to buy to further sustainable development, which can be used by communities and associated third parties in some instances.
This will involve the collection of personal data contained within applications to purchase the land (such as names of office holders in the community organisations who are making the application on behalf of the community body) in addition to other documents relevant to the applications.
We need to be able to check that the number of ordinary members is correct and that the community body has not counted anyone from outside the defined community. Regarding junior members, the community body is not required to tell us the details, but they have to highlight them as juniors so that we do not count them as ordinary members. The Scottish Government Community Land Team send the documentation to RoS to say that, while we have the full list, it has not been sent to them.
The data collected will include the applicants’ names and postal and email contact addresses as well as those of land owners and others having an interest in the land.
The Register of Applications by Community Bodies to Buy Land (set up in accordance with the requirements set out in section 52 of the Land Reform (Scotland) Act 2016) will contain a copy of the application to exercise the right to buy under Part 5 in addition to notifications and notices given by Scottish Ministers under Part 5 as well as other information relevant to the application.
We do not intend that the personal data collected under the Part 5 application process will be sensitive or special category data or information about criminal convictions or offences.
We have not specified whether the address must be a personal address or a service address, but intend to make clear in the accompanying guidance that either can be provided. The key purpose is that the applicant is contactable at or via that address.
A Part 5 application can only proceed where there is public support, as demonstrated in a secret ballot.
The community body must keep the results of the ballot for two years, in case the ballot is contested within that period.
|Article 35(7)(a) “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller” and Article 35(7)(b) “…necessity and proportionality of the processing operations”|
|3||How will your proposal engage with Article 8 ECHR? How will your proposal balance rights and requirements with Article 8 rights? If impinging on Article 8 rights, what is your justification for doing so – why is it necessary?
Article 8 ECHR:
Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
|The powers to make these regulations are specified within Part 5 of the Land Reform (Scotland) Act 2016, and without the regulations, Part 5 cannot be brought into force.
Where a Part 5 Right to Buy application is successful, this will result in the compulsory transfer of land, or in some cases a tenant’s interest (so long as not of a dwelling house or crofting land), to the applying community body, at a price set by an independent valuer. This is in line with right to buy legislation that is currently in force.
However, land on which there is a structure that is a person’s home is ineligible, and a community body may not seek to buy such land under Part 5. The exception is where the home is under a tenancy, and in this case the tenant’s position with regard to their tenancy would not be changed by a change of landlord, just the same as if the land were sold privately, from one landlord to another.
In addition, and this applies to all types of land subject to Part 5 processes, it is an absolute requirement, set out in primary legislation, that Scottish Ministers may only consent to a Part 5 transfer of land where it is in the public interest.
|4||Will your proposal require you to regulate:
- behaviour of individuals using technology
- technology suppliers
- technology infrastructure
- information security
(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)
|The register on which application details are kept is maintained by Registers of Scotland, who have in house IT capability. Registers of Scotland will also be the data controllers.|
|4a||Please explain how your proposal will regulate behaviour using technology or the use of technology.
Please consider/address any issues involving:
|The role of RoS is mainly passive for the purposes of Part 5. They retain all details relating to the Part 5 application, and where a transfer is approved, they record the disposition of land or assignment of a tenant’s interest in some cases in the Land Register.
The Register of Applications by Community Bodies to Buy Land is available for public inspection, so that members of the public can view applications and see where land and tenants’ interests have been transferred, but this does not contain any private or intimate personal details. Where any private or personal details would have a bearing on an application, these would be retained by the Community Land Team within the Scottish Government, and not exposed on the register.
At no point in the process is there any conscious or inadvertent surveillance, tracking or profiling taking place.
As mentioned before, the ballot is a secret ballot, and would not reveal how individuals have voted.
|4b||Will your proposal require establishing or change to an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?||Yes, it will bring into force the provisions in the Land Reform (Scotland) Act 2016 regarding the Register of Applications by Community Bodies to Buy Land so far as it relates to Part 5 right to buy applications.|
|Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
*Note exemptions from GDPR principles where applicable
|5||Please provide details of whether your proposal will involve the collection or storage of evidence or investigatory powers (e.g. fraud, identity theft, misuse of public funds, criminal activity, witness information, online behaviour, victim information or other monitoring of online behaviour)||The proposal does none of these things.
Essentially, both the community body seeking to acquire land under Part 5, and any land owner, can submit evidence as to why they think the land should or shouldn’t be transferred to the community.
However this is not based on any personal characteristics or anything to do with a person’s character or personal history. It is based on four conditions that are stated in the primary legislation, which put simply are:
|Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned”
|6||Would your proposal affect a specific group e.g. children, vulnerable individuals, elderly people? (Please specify)||The proposals for Part 5 implementation do not affect a specific group.
It is possible that a community group, on applying to make use of Part 5, could argue that its proposals would benefit a specific group (e.g. better provisions for disabled access), or that a land owner could argue against the transfer on a similar basis. These are matters that Scottish Ministers might consider when deciding on an application. However, there is no direct correlation between the regulations and the lives of people within specific groups. All applications will be judged on their merit, taking all relevant factors into account, including any other laws, policies, and obligations that may be on Scottish Ministers with regard to protected characteristics.
|7||Will your Bill necessitate the sharing of information to meet the objectives of your proposal?
If so, are the appropriate legal gateways for sharing personal data included?
Would your proposal benefit from appointing or specifying Data Controllers/creating obligations in law for responsibility for managing personal data?
(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s.)
|All data collected will be made available for public inspection via Registers of Scotland, as already happens with existing rights to buy. This is an established practice and deals only with data relevant for the purposes of the right to buy application.
Any private or intimate personal data relayed to the Community Land Team (CLT) would be withheld from the public register and kept within the CLT. It would only be kept for the purposes of dealing with the application, and wouldn’t be shared beyond what is necessary for the job of assessing the application.
Most non-sensitive data relating to a right to buy would be shared between the CLT and RoS, as already happens for existing right to buy applications.
|8||Is there anything potentially controversial or of significant public interest in your policy proposal?
Are there any potential unintended consequences with regards to the provisions e.g. would unintended surveillance or profiling be an outcome of information collection provisions; will the public’s personal information have appropriate safeguards – could those safeguards interfere with the ability to investigate crime or protect the public etc. Please provide details about how you are balancing competing interests where they relate to personal data.
|The Part 5 Regulations create a form of compulsory purchase that community bodies, and where applicable their third party associates, can use to buy land or a tenant’s interests to further sustainable development, even where the owner of that land is unwilling to sell. A similar power for communities to seek to acquire land on a compulsory purchase basis already exists for Abandoned, Neglected or Detrimental Land under Part 3A of the Land Reform (Scotland) Act 2003, so in that sense Part 5 is not a completely new innovation.
No unintended consequences should arise in relation to the processing and storage of data collected under the Part 5 Regulations.
|9||Will any of the provisions affect/engage ECHR rights in addition to Article 8 e.g.:
Article 6 right to a fair trial (and rights of the accused)
Article 10 right to freedom of expression
Article 14 rights prohibiting discrimination
Or any other convention or treaty rights?
|10||Are there legacy provisions in other legislation that need to be addressed/repealed etc. in your current proposal?
(This might include, for example, the creation of statutory regulations (which would need enabling powers in Bills); or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).)
|11||Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
|No. Guidance will be drawn up by the Scottish Government on how the Part 5 process will work.|
Summary – Data Protection Impact Assessment
|12||Do you need to specify a Data Controller/s?||Registers of Scotland will be the Data Controller.|
|13||Do you need to include information collection duties or powers (legal basis for processing)?||The regulations include provision to collect data.|
|14||Do you need to include explicit information sharing provisions (as related to duties, legal gateways, express powers):||All information contained within the Register of Applications by Community Bodies to Buy Land is made available for public inspection so we do not believe that any information sharing provisions are required.|
|15||Have you included any safeguards for personal data/interference with Article 8 rights?||All data will be held securely by Registers of Scotland and made publicly available, apart from any information of a private, intimate or special nature which will be retained by the CLT.|
|16||Have you included any safeguards for personal data/interference with other rights?||This will only involve the collection and making public, via the RoS register, of data that is relevant to the Part 5 process. As discussed above any data of a private nature would be held within the CLT and not made public or shared beyond what is proportionate to help take a decision under the conditions of Part 5.|
|17||Will the collection of personal data affect decisions made about individuals, groups or categories of persons, or might provisions result in the denial of a right or rights?||No.|
|18||Please summarise the key elements to be included for Bill drafters; please highlight risks to personal data, any comments about mitigating those risks, including any costs or options for addressing those risks through legislation.
This should be included in the Bill Instruction.
Once in force, Part 5 will create a new right to buy to further sustainable development, which can be used by communities and in some instances associated third parties. In doing so it will allow Scotland’s place-based communities to make use of a new right to buy power that will allow them to seek to buy land and related assets such as buildings, even where the owner is unwilling to sell. It will also allow communities to seek to buy tenancies (excluding tenancies of dwelling houses or croft land) that are on the land they are seeking to buy, also on a compulsory purchase basis.
This right to buy is not without constraints, and the regulations specify a range of sustainable development conditions and procedural requirements which must be met before Ministers can grant consent to Part 5 Right to Buy applications. In addition the regulations specify certain sorts of land that cannot be transferred under Part 5.
In addition there are due processes for appeals, representations, compensation and grants towards compensation.
The ‘Register of Applications by Community Bodies to Buy Land’ will contain a copy of each application to exercise the right to buy under Part 5 in addition to notifications and notices given by Scottish Ministers under Part 5 as well as other information relevant to the application.
The primary risk to personal data is the inclusion of sensitive data within the completed application forms. The Registers of Scotland are well accustomed to safeguarding personal data in line with current best practice, and any personally sensitive data will be kept within the Community Land Team within the Scottish Government, and not passed to RoS.
The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division or the relevant person in the business area sponsoring the Bill/proposals.
Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust and has addressed all the relevant issues.
By signing the DPIA report, the IAO is confirming that the impact of the policy has been sufficiently assessed against individuals’ right to privacy.
The results of the impact assessment must be published in the eRDM with the phrase “Legislation DPIA” and the name of the project or initiative in the title.
Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.
I confirm that the impact of the affirmative and negative regulations to bring into force Part 5 of the Land Reform (Scotland) Act 2016 has been sufficiently assessed against the needs of the privacy duty:
|Name and job title of an IAO or equivalent
Sustainable Land Use and Rural Policy
|Date each version authorised
Final version, 20 January 2020
Explanatory note re risks
The data protection impact assessment for legislation is an iterative process. There are many ways that risks to privacy and/or data protection can arise in legislative proposals and also many options for addressing those risks through legislation. As with most responses to risks, these will vary in their implications and potential impacts (e.g. cost implications, creation of other risks, consequence scanning etc.).
Some of the risks you will need to consider as work develops on Bill proposals, ancillary documents, analysis of consultations, ICO feedback and other Bill development may include (but will not be limited to):
- There is insufficient justification for interference with Article 8 ECHR rights;
- Appropriate safeguards have not been included/incorporated into provisions;
- Appropriate safeguards have not been included/incorporated into provisions regarding impact to/on children;
- The legal basis for processing is not specified or not specific enough;
- The legal basis for processing is insufficiently expressed for the purposes of Article 9 GDPR or Schedule 1 Data Protection Act 2018 (processing of special category personal data);
- Data controllers are not specified (they are not required to be but, where appropriate, they should be specified);
- Legal gateways for data sharing are not included;
- Legal gateways for data sharing are not specific enough or are too specific (for example, a named organisation is specified which consequently changes its name/structure and there is no generalised provision to allow for continued data sharing, or the provisions are drawn so specifically that an area of data sharing is excluded even though, once implemented, that information is needed etc.);
- Provisions interfere with other ECHR rights (there will be an overlap between data protection (Article 8) and some of the other ECHR rights);
- Unintended consequences of the proposals lead to undesirable outcomes (including non-compliance) e.g. surveillance, impinging other rights, collection of more personal data than originally intended, invasive monitoring of citizens without appropriate safeguards, creation of ‘big data’ sets that allow for identification of individuals and discovery of unintended personal data;
- Data protection principles aren’t incorporated into the legislation itself and/or
- The implementation of the legislation (i.e. once the Bill is enacted) is problematic because insufficient provision was included in the legislation (e.g. through express or implied powers, legal gateways, flexibility with regards to manner of implementation/powers to implement etc.);
- Controversial measures;
- Other legislation is not repealed or amended which contains provisions that make new proposed provisions unclear or uncertain;
- Statistics or other exemptions aren’t incorporated/become unclear through the new legislation;
- Failing to identify all of the personal data that will be created, that will need to be shared, the organisations it will need to be shared with, or failing to include sufficiently wide provisions to allow for necessary use, sharing or access to the personal data (or other future proofing issues).