Disclosure (Scotland) Bill: data protection impact assessment

Principle

Compliant – Yes/No

Description of how you have complied

6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

YES

The principal lawful basis for processing is Article 6(1)(e) of the GDPR. Some processing may also take place on the basis of article 6(1)(c). Special category data is processed under article 9(2)(g).

Disclosure Scotland gathers and processes data under the Police Act and the PVG Act, in line with the DPA and GDPR. Data processing will take place under a similar framework under the Bill.

6.2 Principle 2 – purpose limitation

YES

Data will only be gathered for the purposes covered under the following pieces of primary legislation and secondary legislation made under them:

The Police Act

The PVG Act

The Disclosure (Scotland) Bill

6.3 Principle 3 – adequacy, relevance and data minimisation

YES

Disclosure Scotland gathers and processes data under the Police Act and the PVG Act, in line with the DPA and GDPR. Data gathering and processing will take place under a similar framework under the Bill.

Disclosure Scotland ensures all information gathered is adequate, relevant and not excessive. Information is processed in accordance with the individual’s rights and is not kept for longer than is necessary.

6.4 Principle 4 – accurate, kept up to date, deletion

YES

Disclosure Scotland processes, gathers, retains and securely destroys data under the Police Act and the PVG Act, in compliance with DPA and GDPR.

The new system will allow access for members to update their information. Individuals can also request a review of accuracy if they believe information held about them is incorrect.

Members can ask to be removed from the Scheme if they are no longer in regulated work. The PVG Act does not currently give Scottish Ministers a power to remove a member from the Scheme unless the person is barred from regulated work. Under the Bill, a recurrent membership period ensures the Scheme is accurate and self-adjusts to the right size because people who do not need to be in it have the incentive and easy opportunity to safely leave.

6.5 Principle 5 – kept for no longer than necessary, anonymization

YES

Disclosure Scotland operates a data retention policy. This policy is inherent in the design of the new service and proposed processes. The Bill addresses the requirement not to keep data longer than necessary by making PVG scheme membership time limited, so that people can come out of the scheme when they are no longer doing a regulated role. This will help to ensure that personal data is only held for as long as necessary and relevant to Disclosure Scotland’s functions.

6.6 GDPR Articles 12-22 – data subject rights

YES

As stated within the Disclosure Scotland Privacy Statement, individuals have the right to access the information held about them by Disclosure Scotland, and can ask for any data to be amended if it is incorrect. Individuals can ask Disclosure Scotland not to process information used for the disclosure certificate if it would cause substantial unwarranted damage or distress. Individuals can request that non-automated decisions are made regarding their data.

6.7 Principle 6 - security

YES

DS has a security policy, technical architecture and security governance to provide compliance for DS systems and services. This includes independent testing, assurance and accreditation by key stakeholders.

Appeal process:

The Independent Reviewer (IR) (appointed under the ACR Bill) will have the ability to gather additional information regarding an applicant. The processes and systems involved will be subject to the same strict privacy rules as other data held by Disclosure Scotland.

The applicant will be aware that the IR’s request relates to the proposed disclosure of their personal and sensitive personal data to a third party.

6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area without additional safeguards.

YES

The design of the service ensures that no personal data is stored or transferred to a third party in a territory or country outside the European Economic Area (unless the data subject has consented).

Disclosure Scotland has no stakeholders outside the EEA. In addition we are authorised to process and gather data under The Police Act and the PVG Act, in compliance with DPA and GDPR.