Scottish Crown Estate Act 2019: Data Protection Impact Assessment (DPIA)
The purpose of this document is to report on and assess against any potential Privacy Impacts as a result of the project to commence the Scottish Crown Estate Act 2019 (the Act) and the development of the first Strategic Management Plan (the Plan) for the Scottish Crown Estate.
2. Document metadata
2.1 Name of Project: Scottish Crown Estate Act 2019 - Ongoing project on the commencement of the provisions within the Act and the development of the first Strategic Management Plan for the Scottish Crown Estate.
2.2 Author of report: Ian Packwood
2.3 Date of report: 23 August 2019
2.4 Name of Information Asset Owner (IAO) of relevant business unit: Mike Palmer, Deputy Director, Marine Scotland
2.5 Date for review of DPIA: Subsequent revisions to the timetable will initially follow the commencement of the Act.
|Review date||Details of update||Completion date||Approval Date|
|September 2020||Following Commencement of all provisions of the Scottish Crown Estate Act 2019.|
3. Description of the project
3.1 Description of the work:
The Act includes provisions to reform the powers and duties of a manager of Scottish Crown Estate assets and for changes in the management of Scottish Crown Estate assets - including the duties on management and charging for the assets. A single manager, Crown Estate Scotland (Interim Management), currently manages the portfolio of property, rights and interests as a whole. In the future, the proposed powers in the Act could be used to enable local management of specific assets by local authorities or community organisations, Scottish Harbour Authorities or for another part of the public sector to manage parts of the estate. Instead of one manager of many assets, there is the potential for there to be multiple managers, each with the responsibility of managing one or more of the assets. It is possible that some may only manage one asset or part of one of the asset types e.g. management of the foreshore in a part of Scotland. The Act will provide the mechanism by which management of an asset could be further devolved to a local level and sets out the regulatory framework within which all managers must operate.
There will be a framework at the national level to govern management of the assets, which will ensure common standards of openness, transparency and accountability across the Scottish Crown Estate.
This project is to fully commence the Act and to deliver the Plan, which outlines Scottish Ministers' objectives, priorities and policies for the Scottish Crown Estate.
It is not anticipated that any new or significant changes to the handling of types of personal data will occur as a result of the implementation or use of the Act or in the development of the first Plan.
It is not anticipated that personal data will be collected through the project except where people are responding on a voluntary basis to the Plan's consultation, and in such instances the Scottish Government's (SG) established corporate methods for personal data provided via consultations will be used.
Scottish Ministers have powers in the Act to require a manager to provide information and advice about the assets under their management. It is not anticipated that personal data will be requested but for completeness this assessment includes consideration of how such data would be handled.
3.2 Personal data to be processed.
In order to inform Scottish Ministers' decision-making, it may be necessary for managers of Scottish Crown Estate assets to provide information and advice about the assets under their management. This could include the characteristics of the asset(s) or the general performance of the functions and is, therefore, different to personal data.
In the event that there was a need to share personal data for a low number of types of information then Data Protection Act requirements and processes would apply. If required, personal information would be redacted.
Requests to manage Scottish Crown Estate Assets
Scottish Crown Estate Act 2019 Sections 37, 38 and 40.
|It is anticipated that some personal data will be received and processed during the Plan's consultation period – established corporate systems are in place to cover this.||Individuals.|
3.3 Describe how this data will be processed:
Any personal data provided by individuals in response to the public consultation on the Plan will be processed in accordance with SG guidance for handling consultation responses.
The Act requires managers of Scottish Crown Estate assets to provide information or advice in respect of the assets, as required by the Scottish Ministers. As stated, the Act and the Plan do not require or state that any routine gathering or storage of personal information is required. There are already well established protocols in place by the manager of the assets covering data storage and disposal and accordingly these matters are not addressed by the Act. The data will be managed by the manager of the relevant Scottish Crown Estate asset(s) and it is not anticipated that the SG will request or process personal data but corporate procedures would be followed where applicable. It is not intended that information be transmitted by Scottish Ministers beyond established systems.
3.4 Explain the legal basis for the sharing with internal or external partners:
The legal basis for the provision of information or advice to the Scottish Ministers is contained within the Act. In reaching a decision about whether it would be lawful to share any data about an individual, managers of Scottish Crown Estate assets and the SG would need to consider this alongside the Data Protection Act.
4. Stakeholder analysis and consultation
4.1 List all the groups involved in the project, and state their interest.
|A total of 212 responses were received from the public consultation on a long term framework for management of the Scottish Crown Estate (115 from organisations and 97 from individuals) from a range of individuals, community groups, ports and harbours sector, fisheries/seafood bodies; leisure and tourism bodies, land and estates; enterprise or coastal management bodies; local authorities; natural heritage/conservation bodies and commercial bodies. Parliamentary Committees during the Scottish Crown Estate Bill's progress through the Parliamentary process. The Stakeholder Advisory Group. Crown Estate Tenants.||
4.2 Method used to consult with these groups when making the DPIA.
Stakeholder advice was provided during the Scottish Crown Estate Bill's process through the Stakeholder Advisory Group, Parliamentary Committee Evidence and the public consultation on a long term framework for management of the Scottish Crown Estate. Scottish Ministers are also planning to undertake a public consultation on the Plan.
4.3 Method used to communicate the outcomes of the DPIA.
This DPIA will be published on the Scottish Government website.
5. Questions to identify privacy issues
5.1 Involvement of multiple organisations
Potentially, all 32 local authorities in Scotland could be involved to a greater or lesser degree in providing views on how the assets will be managed or in seeking to take on the management of an asset. Community organisations, Scottish Harbour Authorities and Public Sector Bodies could also be managers of Scottish Crown Estate assets.
5.2 Anonymity and pseudonymity
No. Data may be brought together, i.e. information about an asset, group of assets or total number of assets, but it would not be personal data and nor would it be possible to identify an individual.
For consultation reports, consultation responses will be published in the normal way.
It is not anticipated that there will be any new or additional information technologies.
5.4 Identification methods
5.5 Sensitive/Special Category personal data
5.6 Changes to data handling procedures
None. Existing principles and procedures would apply in accordance with Data Protection legislation.
5.7 Statutory exemptions/protection
5.9 Other risks
6. General Data Protection Regulation (GDPR) Principles
|Principle||Compliant – Yes/No||Description of how you have complied|
|6.1 Principle 1 – fair and lawful, and meeting the conditions for processing||Yes||
Have you identified the purpose of the project?
The purpose of this project is to fully commence the Scottish Crown Estate Act 2019 in stages and to deliver the first Strategic Management Plan for the Scottish Crown Estate.
How will individuals be told about the use of their personal data?
It is not anticipated that personal data will be collected by Scottish Ministers except where individuals provide such information on a voluntary basis in response to a public consultation exercise. In such instances, SG guidance would be followed and the Data Protection Act requirements and processes would apply.
We provide a clear description of consultation respondents' rights regarding how their data will be used in the respondent information form contained within the consultation document.
Personal data being collected is optional and limited to individual/organisation name and email address. Consultation respondents have the option to have their personal data kept private and not published alongside their response.
Do you need to amend your privacy notices?
Have you established which conditions for processing apply?
Existing procedures would apply in accordance with Data Protection legislation for processing any personal data received via the public consultation. It is not anticipated that any other personal data will be collected or processed.
If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?
Existing procedures would apply in accordance with Data Protection legislation if any processing of personal data is required. The consultation paper includes a section on 'handling your response' and there is the ability for respondents to request that their response is treated as confidential.
If your organisation is subject to the Human Rights Act, you also need to consider: Will your actions interfere with the right to privacy under Article 8?
We are content that there are no implications under the Human Rights Act.
|6.2 Principle 2 – purpose limitation||Yes||
Does your project plan cover all of the purposes for processing personal data?
In relation to the Act or the Plan directly, no processing of personal data is envisaged and if any processing is required it will only be processed for Scottish Crown Estate purposes.
Have potential new purposes been identified as the scope of the project expands?
|6.3 Principle 3 – adequacy, relevance and data minimisation||Yes||
Is the information you are using of good enough quality for the purposes it is used for?
Which personal data could you not use, without compromising the needs of the project?
No personal data is needed for the project. Any information provided will be subject to internal quality control.
|6.4 Principle 4 – accurate, kept up to date, deletion||Yes||
If you are procuring new software does it allow you to amend data when necessary?
We are not procuring new software.
How are you ensuring that personal data obtained from individuals or other organizations is accurate?
Any personal data provided by individuals on a voluntary basis is not essential to the project. No collection of other personal data is envisaged. Information provided will be subject to internal quality control.
|6.5 Principle 5 – kept for no longer than necessary, anonymization||Yes||
What retention periods are suitable for the personal data you will be processing?
If any personal data is received, existing procedures would apply in accordance with Data Protection legislation.
Are you procuring software which will allow you to delete information in line with your retention periods?
|6.6 GDPR Articles 12-22 – data subject rights||Yes||
Will the systems you are putting in place allow you to respond to subject access requests more easily?
Existing systems to be used.
Have you provided a privacy notice?
We expect the SG's general privacy notice (https://www2.gov.scot/Topics/marine/PrivacyNotice) to be sufficient for the Plan's consultation. This states for consultations:
Existing corporate procedures will therefore apply.
Are you able to edit and correct any inaccurate data?
N/A – We would expect any inaccuracies to be corrected by the group/persons requesting to take on an asset.
Are you able to provide the person with a copy of the data, if a) the processing is based on consent and is b) automated?
Yes, if any personal data is to be processed, but it is not envisaged that there will be any processing of personal data except as normally undertaken for analysis of consultation responses. Existing corporate procedures will therefore apply.
If you are using automated decision making, does the person have the right to opt-out?
Do you have a procedure to assess the validity of an objection from the person to the data processing?
Yes – Existing corporate procedures will apply where any processing of personal data is undertaken via analysis of consultation responses, but it is not envisaged that there will be any processing of other personal data.
If the project involves marketing, do you have a procedure for people to opt out of their information being used for that purpose?
|6.7 Principle 6 - security||Yes||
Do any new systems provide protection against the security risks you have identified?
What training and instructions are necessary to ensure that staff know how to operate a new system securely?
All SG staff and other managers are required to complete annual Data Protection Training.
|6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.||Yes||
Will the project require you to transfer data outside of the EEA?
If you will be making transfers, how will you ensure that the data is adequately protected?
The project will not require data to be transferred outside of the EEA.
7. Risks identified and appropriate solutions or mitigation actions proposed
Is the risk eliminated, reduced or accepted?
|Risk||Ref||Solution or mitigation||Result|
|Data may be released inappropriately e.g. personal information relating to respondents to the consultation||Consultation||Robust and secure data management processes in place for all types of data.||Eliminate|
|Loss of confidentiality of commercially sensitive information.||Consultation||No information of this type held by SG. Robust and secure data management processes in place for all types of data.||Eliminate|
8. Incorporating Privacy Risks into planning
Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.
|Risk||Ref||How risk will be incorporated into planning||Owner|
|Data may be released inappropriately e.g. personal information relating to respondents to the consultation.||Consultation||If such information is collected, this issue will be a core component of guidance on handling of such information to ensure standards are met.||David Mallon, project lead|
|Loss of confidentiality of commercially sensitive information.||Consultation||Should this become an issue, it will be a core component of guidance on handling of such information to ensure standards are met.||David Mallon, project lead|
9. Data Protection Officer (DPO)
The DPO may give additional advice, please indicate how this has been actioned.
10. Authorisation and publication
I confirm that the impact of undertaking the project has been sufficiently assessed against the needs of the privacy duty:
Deputy Director, Marine Scotland
Aquaculture, Crown Estate, Recreational Fisheries, EMFF and Europe
Date each version authorised
26 August 2019