Disclosure (Scotland) Bill: data protection impact assessment

Data protection impact assessment (DPIA) for the Disclosure (Scotland) Bill explores how the bill impacts on personal data and privacy.


3. Description of the project

3.1 Description of the work:

Disclosure Scotland is an Executive Agency of the Scottish Government. It exercises the functions of the Scottish Ministers under the Police Act 1997 (“the Police Act”) and the Protection of Vulnerable Groups (Scotland) Act 2007 (“the PVG Act”) to issue criminal record checks to support recruitment. Disclosure Scotland operates the PVG Scheme (established in February 2011) and holds the lists of individuals barred from doing regulated work with children and/or protected adults.

The intention of the Bill is to modernise and improve proportionality in the disclosure system in Scotland. This will simplify the system and aim to strike the right balance between strengthened safeguarding of the public and helping people with convictions get back to work. The Bill has been developed following a detailed public consultation, extensive engagement with stakeholders and from intelligence gathered during the eight years the PVG Scheme has been in operation.

It will:

  • introduce a mandatory PVG Scheme for people working with vulnerable groups;
  • overseas work which would be a regulated role, if done in Scotland, will be a specified regulated role so that such work benefits from the same level of safeguarding as regulated roles done in Scotland;
  • introduce an internal process which will enable applicants to apply directly to Disclosure Scotland for the removal of spent convictions from a disclosure;
  • expand the role of the Independent Reviewer, as appointed under the Age of Criminal Responsibility (Scotland) Bill, to review the disclosure of relevant police information, convictions for offences accrued under the age of 18 years, and removable convictions for offences List A and List B;
  • strengthen referral powers for police and local authorities in relation to people carrying out regulated roles;
  • safely end the requirement of courts to refer relevant offences to Disclosure Scotland;
  • ensure organisations requesting disclosures are formally accredited and their processing and storage of personal data regulated;
  • provide Disclosure Scotland with powers to impose standard conditions on scheme members who are under consideration for listing where considered necessary;
  • provide Disclosure Scotland with powers to send notifications to personal employers, detailing the scheme member’s consideration for listing / barred status and details of any conditions imposed on membership pending the outcome of any consideration for listing;
  • allow bodies to register to make disclosure applications and to have access to vetting information for the sole purposes of offering a service to personal employers to help them consider suitability of prospective self-employed workers;
  • coincide with the development of an IT system that will increase the extent to which applicants may interact digitally with Disclosure Scotland and with prospective employers in the context of disclosure, and give applicants greater control over the sharing of their information with third parties (effectively creating a right of veto for the individual).

3.2 Personal data to be processed.

| Variable | Data Source |
| --- | --- |
| Personal information relating to specific applications – this will include name(s), addresses over last five years and contact details | Paper or electronic application, bulk data transfer from accredited bodies |
| Payment details relating to applying for disclosure records – this may include individuals or a group of individuals’ credit card details, cheque, postal order, invoice | Application - paper or electronic. Invoices to organisations for bulk transfers |
| Identity verification | Application - paper or electronic. Organisations conduct identity verification for bulk applications |
| Matching individuals to criminal convictions | Protecting Vulnerable Groups System (PVG); Protecting and Safeguarding Scotland (PASS) System; Criminal History Service (CHS); Police National Computer (PNC); Criminal Record Viewer (CRV); Police cross checking (PLX); Safeguarding Vulnerable Groups (SVG); Disclosure Internal Admin List (DIAL); Barred List |
| Relevant police Information (formerly “ORI”) | UK police forces, individual |
| Childhood information - relating to convictions accrued between the ages of 12-17 years. | Chief Constable, the Principal Reporter, the Scottish Courts and Tribunal Service, the individual and any other person Ministers (as Disclosure Scotland) considers appropriate. |
| Internal application for the removal of convictions | Chief Constable, the individual, the Principal Reporter, the Scottish Courts and Tribunals Service, any other person the Scottish Ministers (as Disclosure Scotland) considers appropriate. |
| Production of disclosure record | Disclosure Scotland |
| Independent Review: relevant police information; childhood information; removal of spent convictions | Chief constable, the Scottish Courts and Tribunal Service, Disclosure Scotland, the individual and any other person the independent reviewer considers appropriate. |
| Imposing standard conditions on people under consideration for listing and notifying persons other than an organisation or personnel supplier of considerations for listing and standard conditions | Disclosure Scotland |

3.3 Describe how this data will be processed:

Disclosure Scotland is an Agency of the Scottish Government and the use of Disclosure Scotland services is specified in legislation, namely the Police Act and the PVG Act. There will also be provisions about the processing of personal data set out in the Bill which will repeal and restate the Police Act and amend the PVG Act.

Disclosure Scotland has a 'Data Protection and Privacy Statement' which explains data subjects' rights, as a Disclosure Scotland customer, under the Data Protection Act 2018 (“DPA”). This applies whether information is held on paper or in an electronic format. Disclosure Scotland retains personal information in line with the DPA. This involves only retaining the personal information we need for business, regulatory or legal reasons. Once personal information is no longer needed, it is securely destroyed. All data is disposed of in accordance with the aforementioned Acts and in line with current HMG secure disposal guidance.

Disclosure Scotland is fully committed to compliance with the DPA. All operations and processes are in accordance with the Act. We are compliant with the EU General Data Protection Regulation (“GDPR”). We require information from data subjects, police forces and police records to protect the vulnerable. At present it is only disclosed to legitimate organisations who are legally entitled to have access to this information under Part 5 of the Police Act or the PVG Act. However, Disclosure Scotland may share information with the police where it believes a crime may have been committed as a result of the statutory offences contained in the Police Act and the PVG Act pertaining to falsification of disclosures, unlawful sharing of disclosures, barred individuals doing regulated work and failure to make referrals. These provisions are restated in the Bill.

Mandatory scheme

The handling of information will not change as a result of the introduction of a mandatory scheme. Anyone doing work with vulnerable groups will be required to be a member of the PVG Scheme and it will become an offence to work in such a role without first joining the PVG Scheme. It will also be an offence to offer any type of regulated role without first confirming their membership of the PVG Scheme.

Those who are no longer undertaking regulated roles, and have no intention to do so in the near future, will be able to remove themselves from the scheme and no longer be subject to ongoing monitoring. Disclosure Scotland will also notify individuals who are no longer in regulated roles that they can end their scheme membership. This will help to ensure the PVG Scheme will only interfere with the privacy of those who are actually doing or seeking to do regulated roles with children or adults. As part of implementation of the new legislation, Disclosure Scotland will engage with users of the Scheme to make them aware of their right to terminate membership at any point, where they are no longer doing a regulated role.

Disclosure Products

The Bill will offer two main levels of Disclosure, comprising four products. Level 1 will replace the current basic disclosure under the Police Act and within Level 2 there will be 3 variants, the extent of disclosure increasing with the nature / sensitivity of the role. As part of the policy development of the Bill, there has been detailed consideration of the information to be included on each level of disclosure, to ensure that what is being disclosed for specific purposes is adequate and relevant. However, the new system has been designed to work within the existing self-disclosure framework, that being the Rehabilitation of Offenders Act 1974 (“the 1974 Act”) and orders made under that Act which disapply the protections of the 1974 Act against the disclosure of spent convictions, to set out the circumstances and purposes for which individuals must self-disclose spent convictions. It is vital that the state and self-disclosure regimes continue to be aligned.

The requirement to be a member of the Scheme will be placed on those who exercise power or influence over children and vulnerable adults. The design principle is that customers should only need to know the role that they intend to do and the online system should take care of guiding them to the appropriate disclosure. This will be done by working with our customers to design a digital system that allows information input about the job or role to lead to a clear outcome for the customer. There will be alternative provisions for those with no access to digital or who face other challenges using it.

Digital delivery

The Disclosure Bill supports increasing the extent to which applicants may interact electronically with Disclosure Scotland and with employers in the context of disclosure. The details of how the Bill’s proposals will be implemented digitally will be designed in close consultation / engagement with customers and stakeholders including the ICO. The implementation of increased electronic services will modernise and simplify the disclosure system, enhance operational efficiency, portability and ownership of information for the applicant, and give applicants greater control over whom they share that information with. The process of issuing a certificate directly to the employer will end. Under the Bill it will be necessary for the individual to authorise the release of their disclosure to a third party, after the individual has had a chance to see it for themselves.

Alternatives will be provided for individuals with no access to digital or who face other challenges using it. These alternatives will be developed in collaboration with service users to ensure that they meet all relevant accessibility and data protection requirements.

There will be no changes in the data protection implications for internal processing of online applications. Further information on the impacts of digital delivery will be detailed within the Disclosure Scotland Transformation Programme DPIA.

Widening the functions of the independent reviewer

The independent reviewer appointed under the Age of Criminal Responsibility (Scotland) Bill (“the ACR Bill”) will be given additional functions, making the independent reviewer responsible for all types of review (childhood conviction information, removable convictions and relevant police information) relating to the disclosure of vetting information. We believe that unifying the review mechanisms will make the system as simple and coherent as possible for applicants and stakeholders.

The processes required for the independent reviewer will be based around existing practice so will meet all privacy and data protection requirements. The independent reviewer will be appointed by Scottish Ministers and will agree to all necessary protections for handling sensitive information. As part of their review, the independent reviewer will contact various public bodies in order to obtain additional information regarding the individual and the behaviour that is proposed to be disclosed. There will be a new link needed between the Disclosure Scotland IT system and the Scottish Government network to be used by the independent reviewer. Information can also be shared via secure email or by Royal Mail. All appropriate measures will be taken to ensure data sharing with the various organisations is secure and compliant with the DPA and the GDPR. This will follow the same processes and procedures as those under the current system. Further information on the role of the Independent Reviewer is detailed within the Age of Criminal Responsibility (Scotland) Bill PIA.

The new review processes will also lead to new categories of data being processed by the Independent Reviewer and Disclosure Scotland. These will include any representations made by the individual as part of the review process, the outcome of any reviews and reasons for decisions.

Internal application for the removal of spent convictions

The Bill will introduce an internal process through which an applicant can apply directly to Disclosure Scotland for the removal of spent convictions. An internal assessment will be faster than an application to a sheriff, and cheaper for the applicant as legal representation is not required. The applicant can make an application to Disclosure Scotland to have a conviction removed from their certificate. There will be a prescribed fee for this application. Information will not be shared with a third party without authorisation from the applicant. Applicants will be able to provide representations in support of their application to have the conviction removed from their disclosure. If Disclosure Scotland refused to remove the conviction, the applicant would then have a right to apply to the independent reviewer to consider removal of the conviction, instead of applying to the sheriff. Under the new system an appeal to a sheriff would be available for the decision by the independent reviewer but on a point of law only.

The process required will be based on existing practice which meets all privacy and data protection requirements. As digital capability of the IT system increases, any process put in place will be equal to or better than the current processes which meet the required levels for DPA and GDPR.

Other Relevant Information (“ORI”)

ORI is information currently provided by the chief officer of a police force to Disclosure Scotland for inclusion in an enhanced disclosure or PVG scheme record. It is presently used very infrequently but is very important for public protection.

The Bill will change the point at which the individual becomes aware of the police intention to include relevant police information on a Level 2 disclosure, meaning individuals will have the opportunity to provide representations before relevant police information is shared with, for example, a potential employer. This will bring the disclosure regime in Scotland into line with the rest of the UK, where police forces follow Home Office guidance regarding the disclosure of relevant police information. Disclosure Scotland will publish statutory guidance for Police Scotland and the independent reviewer about making decisions on the provision of relevant police information.

An individual will be able to share representations with Police Scotland, Disclosure Scotland and the independent reviewer through existing channels of secure email or by Royal Mail. As digital capability of the IT system increases, any process put in place will be equal to or better than existing processes which meet the required levels for DPA and GDPR. The process by which Police will share proposed relevant police information with Disclosure Scotland will not change. Information is shared through the secure Scottish Government IT network. Applicants will be notified securely of relevant police information to be disclosed, given the opportunity to submit representations to the police, and will have the option to have police decisions reviewed by the independent reviewer before any relevant police information is shared with a third party. There will be a new link needed between the Disclosure Scotland IT system used for processing relevant police information and the Scottish Government network to be used by the independent reviewer.

There will be new categories of data created as part of this, including any reasons given by the police for their decision to disclose relevant police information. This will be processed by Disclosure Scotland for the purposes of enabling a review to the Independent Reviewer.

Disclosure provisions childhood conviction information

Building on the work that is being taken forward in the ACR Bill, the Disclosure Bill will further improve the prospects of people with childhood convictions. There will be no possibility of automatically disclosing a conviction for offences accrued under the age of 18, on any type of disclosure. This is a positive step as it potentially reduces the amount of sensitive personal information being disclosed. If there are childhood convictions present, Disclosure Scotland will make an assessment on whether or not to disclose information about the conviction. If the decision is to disclose the information the applicant will be informed through existing processes, such as Royal Mail. The applicant will be given the choice to apply for a review by the independent reviewer and have an opportunity to provide representations. Representations will be provided through existing processes. Once the independent reviewer has concluded their review, the individual and Disclosure Scotland will be securely notified. As digital capability of the IT system increases, any process put in place to share sensitive information will be equal to or better than the current processes which meet the required levels for DPA and GDPR.

Childhood conviction information will be a new category of data processed by Disclosure Scotland as a result of the Bill.

New referral powers for local authorities

At present there is no legal mechanism for local authorities to make referrals to Disclosure Scotland within the context of their normal safeguarding functions, even if formal child or adult protection investigations find evidence of physical, financial or sexual abuse of vulnerable people. The Bill will give local authorities and health and social care partnerships powers to refer individuals to Disclosure Scotland. By making a referral, local authorities will be sharing sensitive personal information about an individual, gathered within the context of their normal safeguarding functions. A template for this already exists as local authorities make referrals to Disclosure Scotland as an employer of people doing regulated work. The existing methods by which local authorities share sensitive information with Disclosure Scotland will not change as a result of this new referral power.

Wider referral powers for Police Scotland

Police Scotland presently cannot provide information to Disclosure Scotland about a person who is not a PVG scheme member. A mandatory PVG scheme means that Police Scotland will be able to give information to Disclosure Scotland about all those involved in working with vulnerable people. In circumstances where a person is doing such work unlawfully outside the PVG Scheme, Police Scotland must provide information as if the person concerned had been in the PVG Scheme.

Referral information will be shared through existing processes through the secure Scottish Government IT network, which meets the required levels for DPA and the GDPR.

Ending court referrals

Under section 7 of the PVG Act, courts are required to refer certain convicted individuals to Disclosure Scotland for consideration for barring, even if the individual has never sought or done regulated work with vulnerable groups. This enables Disclosure Scotland to pre-emptively consider and possibly bar those convicted of serious offences against children, lowering the risk that they might engage in regulated work without joining the PVG Scheme. The Disclosure Bill presents the opportunity to safely end the court referral process because, with a mandatory scheme, it will no longer be lawful to carry out a regulated role without PVG membership. To continue these court referrals would be an unnecessary intervention in safeguarding terms. The Bill will help to ensure the PVG Scheme will only interfere with the privacy of those who are actually doing or seeking to carry out a regulated role with children or protected adults.

For extremely serious offences individuals will still be automatically barred, under section 14 of the PVG Act. The process by which courts share this information with Disclosure Scotland will not change.

Accredited bodies

Disclosure Scotland offers businesses the ability to submit bulk applications of basic disclosures (B2B disclosures). We will continue to offer this service for the basic disclosure successor, Level 1 disclosures, to organisations that require it, but will bring these organisations within the scope of accredited bodies, replacing the current non-statutory definition of ‘responsible body’. This will assure the protection of personal data as the service moves onto new digital platforms, whilst still allowing for the efficient delivery of the service.

It is worth noting that although the consultation paper referred to ‘consent’ in this context, it is not intended to rely on consent as the legal basis for processing. What is meant by consent is that the B2B organisation has the explicit consent of the applicant to submit the application on behalf of the applicant.

Accredited bodies will also replace ‘registered persons’, under the Police Act, for access to Level 2 disclosures. The system of registering accredited bodies remains an important part of the disclosure regime as it ensures disclosures are issued to persons who are considered suitable to receive potentially sensitive information and to ensure that those receiving the information are legally entitled to see it for the purposes of the employment they are offering.

A noteworthy improvement is that control over the sharing of disclosure data will pass to the disclosure applicant. The practice of issuing a certificate directly to an employer, at the same time that it goes to the applicant, will end. The individual will have to explicitly elect to share electronic access to their disclosure record (or non-electronic equivalent), which means that sharing the disclosure with an employer will only be possible if the applicant chooses not to apply for any review, or after any review procedures have been exhausted.

Notification of consideration for barring and the outcome

The Bill will give Disclosure Scotland a power to issue section 30 notices (notification of listing, etc) to individuals who do not employ other persons in the course of a business, detailing the individual’s consideration for listing / listed status. The PVG Act does not enable Disclosure Scotland to currently send section 30 notices to anyone who does not fall under the definition of “organisation” or “personnel supplier”. This information will be shared securely using existing practices so will meet all privacy and data protection requirements.

Disclosure arrangements for personal employers

Organisations will be able to register to become umbrella bodies, entitling them to countersign applications and have access to vetting information, for the sole purposes of them offering a service to individuals who do not employ other persons in the course of a business to help them consider suitability of, for example, potential self-employed workers. The purpose of this is to prevent sensitive disclosure information from being shared more widely than is necessary and ensures the disclosure regime is lawful and proportionate. As part of the registration process for accredited bodies, Disclosure Scotland will ensure by having regard to vetting information that accredited bodies are suitable to have access to Level 2 disclosures.

When acting in the role of umbrella body, organisations will be subject to the registration system that applies to all accredited bodies, including a Code of Practice containing provisions on the safe handling of the disclosure certificates and will be subject to offence provisions in relation to the proper use of disclosure information.

Standard conditions

In the most serious of cases, details of any standard conditions to which a scheme member is subject while under consideration for listing will be disclosed to legitimate persons who have a legal right to have access to this information. If standard conditions were imposed, these would appear on confirmations of scheme membership. The processes required will be based around existing practice so will meet all privacy and data protection requirements.

3.4 Explain the legal basis for the sharing with internal or external partners:

Disclosure Scotland on behalf of Scottish Ministers protects the people of Scotland by providing disclosures under the Police Act 1997 (as amended) and the Protection of Vulnerable Groups (Scotland) Act 2007 (as amended).

Contact

Email: DSPolicyTeam@disclosurescotland.gov.scot
