Digital Government (Scottish Bodies) Regulations 2022: data protection impact assessment

Data Protection Impact Assessment (DPIA) to consider the impact of the Digital Government (Scottish Bodies) Regulations 2022.


The Digital Government (Scottish Bodies) Regulations 2022: Data Protection Impact Assessment

Introductory information

Summary of proposal:

The Digital Government (Scottish Bodies) Regulations 2022 add certain Scottish public authorities with devolved functions ("Scottish Bodies") to schedules 7 (debt) and 8 (fraud) of the Digital Economy Act 2017[1] ("the Act") so providing a new legal gateway for Scottish Bodies to use to enter into information sharing agreements with other listed bodies. The UK and Welsh Governments have already added UK, English and Welsh bodies to the schedules.

Part 5 of the Act introduces new information sharing powers to reduce debt owed to, or fraud against, the public sector. To be able to use the information sharing powers, public authorities (and bodies which provide services to public authorities) must be listed in schedule 7 of the Act for the debt powers and schedule 8 for the fraud powers. A listed public authority can only share data under these powers with other persons who are also listed in the relevant schedule. The Act regulates what data can be shared and for what purposes. The Act does not compel public authorities to share data. The information sharing powers in the Act are permissive. It is for the public authorities listed to decide to make use of the powers and to seek to enter into information sharing agreements with other listed bodies.

The Scottish Bodies listed in the Regulations are in the Annex.

Your department: Digital Directorate

Contact email: DigitalEconomyActConsultation@gov.scot

Data protection support email: dpa@gov.scot

Data protection officer: dataprotectionofficer@gov.scot

Is your proposal primary legislation, secondary legislation or other form of statutory measure?

Secondary legislation

What stage is the legislative process at?

The Scottish Statutory Instrument is due to be laid in the Scottish Parliament on 2 February 2022 under the affirmative procedure.

Have you consulted with the ICO using the Article 36(4) form?

The ICO is a statutory consultee. Therefore, Data Protection Officer advice is that there is no need to use the form.

If the ICO has provided feedback, please include this.

Consultation 1

The ICO[2] had no comment on the bodies identified for inclusion in the schedules. In the response, the ICO reminded those involved in the logistics of information sharing that even though there will be a statutory gateway to share personal information, it must still be carried out in compliance with the data protection principles and welcomed the requirement to carry out a data protection impact assessment where bodies propose to undertake a pilot project.

Consultation 2

The ICO[3] said it had no objection to the inclusion of the proposed public authorities.

Do you need to hold a public consultation and if so has this taken place?

There have been two public consultations seeking views on Scottish Bodies to be included in the schedules of the Act.

There was broad support for adding the Scottish Bodies listed to the schedules of the Act.

Were there any comments/feedback from the public consultation about privacy, information or data protection?

Two individuals who answered "No - none of the Scottish Bodies listed should be added" offered comments:

  • One expressed concerns about the requirement to comply with section 22 of the Gender Recognition Act 2004. These arrangements are not affected by the proposals in the consultation.
  • Views were expressed against the Digital Economy Act 2017.

Version: 1
Details of update: N/A
Version complete by: Alison Dewar
Completion Date: 2 February 2022

Article 35(7)(a) "purposes of the processing, including, where applicable, the legitimate interest pursued by the controller"

1 Question: What issue/public need is the proposal seeking to address? What policy objective is the legislation trying to meet?

Comments: The Digital Government (Scottish Bodies) Regulations 2022 add Scottish public authorities with devolved functions ("Scottish Bodies") to schedules 7 (debt) and 8 (fraud) of the Digital Economy Act 2017 ("the Act") so providing a new legal gateway.

The Regulations provide the legal means for Scottish Bodies to enter into information sharing agreements with other listed bodies with a view to improving their ability to:

  • Identify, manage and recover debts
  • Identify and reduce the risk of fraud and recover public sector funds.

The UK and Welsh Governments have already added UK, English and Welsh bodies to the schedules.

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects" and Article 35(7)(b) "necessity and proportionality of the processing operations"

2 Question: Does your proposal relate to the processing of personal data? If so, please provide a brief explanation of the intended processing and what kind of personal data it might involve. Who might be affected by the proposed processing?

Is the processing considered necessary to meet a policy aim? Is there a less invasive way to meet the objective (for example, anonymising data, processing less data)?

Please also specify if this personal data will be sensitive or special category data or relate to criminal convictions or offences

(Note: 'special categories' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person's sex life or sexual orientation and sensitive personal data means criminal information or history)

Comments: No data will be processed or shared as a direct result of the Regulations.

The Regulations add Scottish Bodies to the schedules 7 and 8 of the Act so providing a new legal gateway for information sharing in connection with debt owed to or fraud against the public sector.

Public authorities listed in schedules 7 and 8 of the Act must have regard to the Code of Practice[4] for public authorities disclosing information under Chapters 1, 3 and 4 (Public Service Delivery, Debt and Fraud) of Part 5 of the Digital Economy Act 2017 (the Code). The Code provides details on how the debt and fraud information sharing powers should operate. It provides that in the first instance, all information sharing under the debt and fraud powers is run as a pilot. The data to be shared will become apparent at this stage.

The Code sets out the guidance on the process which bodies will need to follow to establish a new pilot. The purpose of such pilots is to allow for the benefit of the data share to be explored and to identify any potential impacts and ethical issues. Pilots will determine whether and how there is value in sharing personal information for the purposes of taking action in connection with debt owed to, or fraud against the public sector.

Public bodies wishing to establish a pilot submit a business case, information sharing agreement, data protection impact assessment and security plan to the secretariat of a review board. The UK Government has established a review board[5] to oversee reserved and England-only data sharing under the fraud and debt powers. The board assesses and makes recommendations to UK Ministers on each pilot proposal. The Scottish Government will similarly establish its own structures for the oversight of data sharing arrangements for Scotland.

The Code is required to be consistent with the Information Commissioner's data sharing code of practice. The Digital Economy Act 2017 requires all persons who are involved in disclosing information under the debt and fraud powers to have regard to codes issued by the Information Commissioner, in so far as they are relevant.

Failure to have regard to the Code may result in a public authority or organisation losing the ability to disclose, receive and use data under the powers in the Digital Economy Act 2017.

The Data Protection Act 2018 and UK General Data Protection Regulation apply to the processing of all personal data using the debt and fraud powers.

Part of your consideration in relation to Article 35(7)(a) and (b) should be in respect of ECHR.

3 Question: Will your proposal engage any rights under ECHR, in particular Article 8 ECHR? How will the proposal ensure a balance with Article 8 rights? If the proposal interferes with Article 8 rights, what is your justification for doing so - why is it necessary?

Article 8 ECHR: Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

You may also wish to consider

Article 6 right to a fair trial (and rights of the accused)

Article 10 right to freedom of expression

Article 14 rights prohibiting discrimination

Or any other convention or treaty rights?

Comments: Public authorities must always ensure that data sharing is compliant with the Human Rights Act 1998 and they must not act in a way that would be incompatible with rights under the European Convention on Human Rights.

Article 35(7)(b) "necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

Article 35(7)(d) "measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned"

Note Article 32 GDPR for s.4 also

4 Question: Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)

Comments: The Digital Economy Act 2017 sections 48(10) and 56(11) require the Scottish Ministers to have had regard to the systems and procedures for the secure handling of information by persons who are added to schedules 7 and 8. This has been done for these Regulations. The Scottish Bodies included in them provided the necessary information.

Public authorities must ensure information is retained securely and deleted once it has been used for the purpose for which it was provided.

In the first instance, all information sharing under the debt and fraud powers is run as a pilot. Pilot proposals are to include a security plan (see section 2).

4a Question: Please explain if the proposal will have an impact on the use of technology and what that impact will be.

Please consider/address any issues involving:

  • Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals, such as email addresses or postcodes);
  • Surveillance (necessary or unintended);
  • Tracking of individuals online, including tracking behaviour online;
  • Profiling;
  • Collection of 'online' or other technology-based evidence
  • Artificial intelligence (AI);
  • Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals

(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people's information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)

Comments: The Regulations will not have an impact on the use of technology.

4b Question: Will the proposal require establishing, or changing the operation of, an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

Comments: The Code of Practice sets out that, unless there are particular national security or other sensitivities which would outweigh the public interest in disclosure, "information about information sharing agreements should be published in a searchable electronic public register".

The Scottish Government will establish a register for fully devolved debt and fraud data shares.

The UK government has established a register[6] for reserved or England-only data shares.

Article 35(7)(b) "necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

*Note exemptions from GDPR principles where applicable

5 Question: Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

Comments: For information to be disclosed lawfully under the debt and fraud powers, public authorities must operate according to the Digital Economy Act 2017 and comply with relevant legal requirements including:

Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016 (and, until that Act comes fully into force, Part 1 of the Regulation of Investigatory Powers Act 2000).

See para 1.3 of the Code of Practice

Adding Scottish Bodies to schedule 7 will enable them to take action in connection with debt owed to a public authority or the Crown. Section 48(3) makes clear that this will include taking action to identify and collect debt, as well as bringing civil proceedings and taking administrative action as a result of debt.

Adding Scottish Bodies to schedule 8 will enable them to disclose information for the purposes of taking action in connection with fraud against a public authority. Section 56(4) makes clear that this will include taking action to prevent, detect, investigate or prosecute fraud as well as bringing civil proceedings and taking administrative action as a result of fraud.

Article 35(7)(b) "necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

Article 35(7)(d) "measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned"

6 Question: Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

Comments: The impact of Scottish Bodies using the debt and fraud powers will not be apparent until proposals to pilot the use of the powers are in development as described in section 2. Piloting proposals allows for the benefit of the data share to be explored and to identify any potential impacts and ethical issues.

Bodies have to comply with the Digital Economy Act 2017, equalities, data protection and human rights legislation and, for some, the Fairer Scotland Duty.

Bodies sharing information under these powers are also required to have regard to the Code of Practice. The Code includes Fairness Principles which provide a set of best practice guidelines to help ensure a common approach to fairness is considered when sharing information under the debt power. Where a vulnerable customer is identified, the Fairness Principles provide that they should be given appropriate support and advice.

7 Question: Will the Regulations necessitate the sharing of personal data to meet the policy objectives? For example

  • From one public sector organisation to another public sector organisation;
  • From a public sector organisation to a private sector organisation, charity, etc.;
  • Between public sector organisations;
  • Between individuals (e.g. practitioners/ service users/sole traders etc.);
  • Upon request from a nominated (or specified) organisation?

If so, do the Regulations make appropriate provision to establish a legal gateway to allow for sharing personal data? Please briefly explain what the gateway will be and how this then helps meet one of the legal bases under Article 6 of the GDPR.

(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s. State what is the purpose of the sharing and why it is considered to be necessary to achieve the policy aims.)

The Digital Government (Scottish Bodies) Regulations 2022 add Scottish Bodies to the schedules of the Digital Economy Act 2017 so providing a new legal gateway.

Scottish Bodies will be able to use the new legal gateway to enter into information sharing agreements, with other listed bodies, in connection with debt owed to or fraud against the public sector.

The lawful basis for processing is Article 6(e) public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.

8 Question: Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments: There have been two public consultations seeking views on Scottish Bodies to be included in the schedules of the Digital Economy Act 2017:

Scottish public authorities sharing data: consultation https://consult.gov.scot/digital-directorate/public-authorities-sharing-data/

Scottish public authorities sharing data: further consultation https://consult.gov.scot/digital-directorate/public-authorities-sharing-data-2/

There was broad support for adding the Scottish Bodies listed to the schedules of the Act. There was no significant public interest in the proposals.

There are safeguards in place for the sharing of information under the powers. The Data Protection Act 2018 and UK General Data Protection Regulation apply to the processing of all personal data using the debt and fraud powers. The Digital Economy Act creates criminal offences for unauthorised disclosure of personal information received under the debt and fraud powers. Additionally, public authorities must always ensure that data sharing is compliant with the Human Rights Act 1998 and they must not act in a way that would be incompatible with rights under the European Convention on Human Rights.

Public authorities listed in schedules 7 and 8 must have regard to the Code of Practice for public authorities disclosing information under Chapters 1, 3 and 4 (Public Service Delivery, Debt and Fraud) of Part 5 of the Digital Economy Act 2017 (the Code). The Code is required to be consistent with the Information Commissioner's data sharing code of practice. The Act requires all persons who are involved in disclosing information under the debt and fraud powers to have regard to codes issued by the Information Commissioner, in so far as they are relevant, when they disclose information under the Act.

The process for using the debt and fraud powers is outlined in the Code. It provides that all bodies using the debt and fraud powers are required to apply a set of data sharing principles when they do so. These include that data protection impact assessments are carried out before any data sharing takes place, reviewed at critical milestones and made available to the public in line with the Information Commissioner's guidance. They must also ensure that suitably worded privacy notices are published and made available to the public in line with the fairness and transparency principles in the Information Commissioner's Privacy notices, transparency and control code of practice and the Information Commissioner's data sharing code. The information sharing arrangements are recorded in a public register.

Information sharing proposals are piloted to explore the benefit of the data share and to identify any potential impacts and ethical issues. Pilots will determine whether and how there is value in sharing personal information for the purposes of taking action in connection with debt owed to, or fraud against the public sector.

The UK Government has established a review board to oversee reserved and England-only data sharing under the fraud and debt powers. The board assesses and makes recommendations to UK Ministers on each pilot proposal. The Information Commissioner's Office is represented on the Board. The Scottish Government will similarly establish its own structures for the oversight of data sharing arrangements for Scotland.

9 Question: Are there consequential changes to other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

(This might include, for example, regulation or order making powers; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).

Comments: No

10 Question: Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

A Code of Practice was issued by the Secretary of State under section 43 of the Digital Economy Act 2017 and by the Minister for the Cabinet Office under sections 52 and 60 of that Act. It was developed in consultation with the Information Commissioner's Office, the Commissioners for Her Majesty's Revenue and Customs, the devolved administrations, and other interested persons. It has been laid before the UK Parliament and the devolved legislatures in Scotland and Wales, in accordance with the Digital Economy Act 2017.

This Code will be reviewed periodically. Any changes resulting from the review are to be made in consultation with the parties named above, and revised copies laid before Parliament and the devolved legislatures in Scotland, Wales and Northern Ireland in accordance with sections 43, 52 and 60 of the Digital Economy Act 2017.

The Code does not itself impose additional legal obligations on parties seeking to make use of the powers, nor is it an authoritative statement of the law. It sets out principles and good practice to follow when exercising the powers set out in the Digital Economy Act 2017. Anyone sharing information under the relevant parts of the Digital Economy Act 2017 is required to have regard to the Code when doing so.

The Code notes that Government departments will expect public authorities and other participants in an information sharing arrangement to agree to have regard to the Code before any information is shared and that failure to have regard to the Code may result in a public authority losing the ability to disclose, receive and use information under the powers.

Summary - Data Protection Impact Assessment

11 Question: Do you need to specify a Data Controller/s?

Comments: No

12 Question: Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments: The Digital Economy Act 2017 sections 48(10) and 56(11) require the Scottish Ministers to have had regard to the systems and procedures for the secure handling of information by persons who are added to schedules 7 and 8. This has been done for these Regulations. The Scottish Bodies included in them provided the necessary information.

Public authorities must ensure information is retained securely and deleted once it has been used for the purpose for which it was provided. Pilot proposals are to include a security plan (see section 2). The Code of Practice also provides that bodies have regard to specific security standards outlined in the Code.

13 Question: Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making.

Comments: No

14 Question: If the proposal involves processing, do you or stakeholders have any relevant comments about mitigating any risks identified in the DPIA including any costs or options, such as alternative measures?

Comments: The Code provides that all bodies using the debt and fraud powers are required to apply a set of data sharing principles when they do so. These include that data protection impact assessments are carried out before any data sharing takes place, reviewed at critical milestones and made available to the public in line with the Information Commissioner's guidance. They should also ensure that suitably worded privacy notices are published and made available to the public in line with the fairness and transparency principles in the Information Commissioner's Privacy notices, transparency and control code of practice and the Information Commissioner's data sharing code. The information sharing arrangements are recorded in a public register.

Authorisation

I confirm that the impact of the Digital Government (Scottish Bodies) Regulations 2022 has been sufficiently assessed in compliance with the requirements of the UK GDPR.

Albert King, Chief Data Officer

2 February 2022

Contact

Email: DigitalEconomyActConsultation@gov.scot
