Publication - Impact assessment
Police (Ethics, Conduct and Scrutiny) (Scotland) Bill: data protection impact assessment
This impact assessment records how data will be used in relation to the Police (Ethics, Conduct and Scrutiny) (Scotland) Bill and how that use is compliant with data protection legislation.
3. Data Controllers
| Organisation | Chief Constable of the Police Service of Scotland | ||
|---|---|---|---|
| Activities | Police Scotland collects and processes data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The Bill will allow provisions to be made under regulations, to enable secondary legislation to be made for Police Scotland to provide the PIRC with unsupervised and remote access to their Complaints Database to meet statutory responsibilities. The chief constable may also be required to share information with the PIRC as a result of the requirement to audit whistleblowing complaints, the power to call in complaints, and in relation to serious incidents involving officers from outwith Scotland, in relation to civil matters, and information in relation to criminal investigations both of officers from outwith Scotland, and into persons who once, but no longer, serve with the police. | ||
| Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018? | The Chief Constable of the Police Service of Scotland is a public authority. | ||
| Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing | As a competent authority, Police Scotland already hold a lawful basis for the collection and sharing of personal data under UK GDPR due to legal obligation - Article 6(1)(c); It is for the relevant data controllers (in this case Police Scotland) to identify whether the processing falls under the UK GDPR rules, or satisfies the criteria of the law enforcement purposed under Part 3 of the DPA 2018 and ensure compliance with the data protection principles. This includes identifying lawful basis to ensure the processing is fair and lawful (Principle (a): Lawfulness, fairness and transparency | ICO). Any operational DPIAs, data sharing agreements and privacy notices should be produced by the data controller and be clear on their lawful basis for processing the data where appropriate. | Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data Include condition from Schedule 1 or 2 of the Data Protection Act 2018 | As a competent authority, Police Scotland already hold a lawful basis for collection and sharing of special category personal data under UK GDPR (Article 9). The lawful basis for processing is necessary for 'Reasons of substantial public interest', Article 9(2)(g) This shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject. It is for the relevant data controllers (in this case Police Scotland) to identify the correct regime and ensure compliance with UK GDPR. |
| Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018 | Functions that the PIRC already carry out in relation to investigation of criminal offences by persons currently serving with the police will be extended to allow them to investigate those who have left the police force. This may involve the chief constable providing information relevant to the investigation to the PIRC. Functions that the PIRC already carries out in relation to investigation of criminal offending of Police constables of Police Scotland will be extended to investigation of Police constables from England, Wales and the Police Service of Northern Ireland, meaning that there will be more "categories" of constable who can be investigated, and information being shared in relation to these constables. This will mean there will be law enforcement processing happening in relation to new categories of constable. In some cases this will involve the Chief constable of Scotland providing information to the PIRC, if the constable was under the direction and control of the Chief constable at the time of the relevant incident. The PIRC might also provide information to the Chief constable in relation to the investigation in respect of which they are seeking information, in order to request that information from the police. | Legal gateway for any sharing of personal data between organisations | Existing legal gateways will continue to apply to allow the sharing of data under which Data Sharing Agreements exist between policing organisations; Police Scotland, SPA and PIRC. It is considered that the legal basis for processing (Police Scotland sharing with the PIRC and vice versa) will be provided for under section 44 and section 46. Section 46 will also allow the PIRC to share information with any English, Welsh or Northern Irish police force. Any co-operation required from forces in England, Wales or Northern Ireland with the PIRC will need to be provided for under new reserved legislation. The Scottish Government is progressing discussions on this with the UK Government. It is considered that the legal condition for any sensitive processing required will be that it is necessary for the exercise of PIRC functions conferred by an enactment or rule of law, and necessary for reasons of substantial public interest, or, alternatively, it is necessary processing for the administration of justice. It should be noted that the processing of this type of data between Police Scotland and the PIRC already takes place in relation to constables of Police Scotland (and those on temporary service in Police Scotland). |
| Organisation | Police Investigations and Review Commissioner (PIRC) | ||
|---|---|---|---|
| Activities | The PIRC is an independent body and its role is to provide independent oversight, investigating incidents involving the police and reviewing the way the police handle complaints from the public. Their aim is to secure public confidence in policing in Scotland. The Bill will allow provisions to:
|
||
| Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018? | PIRC is a public authority. | ||
| Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing | As a competent authority, the PIRC already hold a lawful basis for the collection and sharing of personal data under UK GDPR due to legal obligation - Article 6(1)(c); It is for the relevant data controllers (in this case the PIRC) to identify whether the processing falls under the UK GDPR rules, or satisfies the criteria of the law enforcement purposed under Part 3 of the DPA 2018 and ensure compliance with the data protection principles. This includes identifying lawful basis to ensure the processing is fair and lawful (Principle (a): Lawfulness, fairness and transparency | ICO). Any operational DPIAs, data sharing agreements and privacy notices should be produced by the data controller and be clear on their lawful basis for processing the data where appropriate. | Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data Include condition from Schedule 1 or 2 of the Data Protection Act 2018 | As a competent authority, the PIRC already hold a lawful basis for collection and sharing of personal data under UK GDPR (Article 9). The lawful basis for processing is necessary for 'Reasons of substantial public interest', Article 9(2)(g) This shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject. It is for the relevant data controllers (in this case the PIRC) to identify the correct regime and ensure compliance with UK GDPR. |
| Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018 | Functions that the PIRC carries out investigating the alleged offending of Functions that the PIRC already carries out in relation to investigation of criminal offending of Police constables of Police Scotland will be extended to investigation of Police constables from England, Wales and the Police Service of Northern Ireland, meaning that there will be more "categories" of constable who can be investigated, and information being shared in relation to these constables. This will mean there will be law enforcement processing happening in relation to new categories of constable. If there is information relevant to the offence that is in the hands of English, Welsh or Northern Irish forces they might need to share information with the PIRC, who will then use it. The PIRC will also be sharing information with the Chief Constable of the Police Service of Scotland, and the Chief constable with the PIRC , to facilitate investigations of criminal offending. | Legal gateway for any sharing of personal data between organisations | Existing legal gateways will continue to apply to allow the sharing of data under which Data Sharing Agreements exist between policing organisations; Police Scotland, SPA and PIRC. There is existing primary legislation in place to allow the sharing of data to take place, through Section 44 and Section 46 of the 2006 Act between Police Scotland and the PIRC. This legislation should also allow the PIRC to share relevant information with territorial forces, should this be necessary. As noted above, additional legislation will be required to provide the information sharing gateway between territorial forces from England or Wales or the Police Service of Northern Ireland, to require them to share information with the PIRC, should this be necessary for the PIRC to investigate one of their officers. If there is sensitive processing, we consider that the legal condition for any sensitive processing required will be that it is necessary for the exercise of PIRC functions conferred by an enactment or rule of law, and necessary for reasons of substantial public interest, or, alternatively, it is necessary processing for the administration of justice. |
| Organisation | Scottish Police Authority (SPA) | ||
|---|---|---|---|
| Activities | SPA provides oversight in scrutinising policing in Scotland and holding the Chief Constable to account; and its supportive role in maintaining and improving the police service. SPA aims to increase public trust and confidence in the policing of Scotland in the way it carries out its functions and through the quality of its governance arrangements. The Bill requires the SPA to establish and maintain a Scottish Police Barred List and a Police Advisory List, sets out the circumstances in which the SPA must enter a person on each of the lists and gives broad regulation-making powers to Scottish Ministers to make provision for the framework to underpin those lists. Once such lists are established it is envisaged that the SPA will take on the role of data controller of both lists and will manage these. It is envisaged that the section in the Bill (section 7) providing for the SPA to establish and maintain the lists will be commenced at the same time as regulations come into force providing for the framework of the lists. Regulations are subject to affirmative procedure and these will be consulted on with the ICO, and a DPIA will need to be completed prior to the regulations coming into force. | ||
| Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018? | SPA is a public authority. | ||
| Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing | As a competent authority, the SPA already hold a lawful basis for the collection and sharing of personal data under UK GDPR due to legal obligation - Article 6(1)(c); It is for the relevant data controllers (in this case SPA) to identify whether the processing falls under the UK GDPR rules, or satisfies the criteria of the law enforcement purposed under Part 3 of the DPA 2018 and ensure compliance with the data protection principles. This includes identifying lawful basis to ensure the processing is fair and lawful (Principle (a): Lawfulness, fairness and transparency | ICO). Any operational DPIAs, data sharing agreements and privacy notices should be produced by the data controller and be clear on their lawful basis for processing the data where appropriate. | Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data Include condition from Schedule 1 or 2 of the Data Protection Act 2018 | As a competent authority, the SPA already hold a lawful basis for collection and sharing of personal data under UK GDPR (Article 9). The lawful basis for processing is necessary for 'Reasons of substantial public interest', Article 9(2)(g) This shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject. It is for the relevant data controllers (in this case SPA) to identify the correct regime and ensure compliance with UK GDPR. |
| Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018 | No new law enforcement processing is included in this Bill. | Legal gateway for any sharing of personal data between organisations | Data sharing agreements exist between policing organisations; Police Scotland, SPA, PIRC and COPFS. New agreements will be required for those who should be able to access the barred and advisory lists including England and Wales police forces, the college of policing for England and Wales and the IOPC. It will be the responsibility of SPA, as data controllers, to comply with obligations under GDPR and to complete a DPIA and draft the necessary Data Sharing Agreements as appropriate. |
Contact
Email: policeethicsbill@gov.scot
There is a problem
Thanks for your feedback