Data Protection Impact Assessment for Legislation for Bill Team use only
This form is for Bill teams that are developing a legislative proposal or statutory guidance that will involve (explicitly or inherently) impacts on personal data.
The form works in conjunction with the Article 36(4) ICO consultation form, in the event your draft legislation meets the requirements for consultation with the ICO.
Your proposal may engage with Article 8 rights to privacy - this could come about in a variety of ways, for example, establishing a new organisation which will require information to be collected or shared, it may involve data sharing provisions explicitly, it may include requirements for an individual or organisation to be present in certain circumstances (e.g. for children or vulnerable people being interviewed) or it may involve powers to deliver services which will inherently require the processing of personal data in order to deliver those services. In such instances, an assessment of proposed provisions and the impact on data subjects must be undertaken.
Please note that the below questions seek to articulate how your proposals will meet the requirements of Article 35 of GDPR, Article 32 GDPR and other elements of both GDPR and the Data Protection Act 2018, and seek to assess the impact on individuals' personal data.
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
The assessment shall contain at least:
a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned.
Article 32 (Security of processing)
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Title of proposal:
Domestic Abuse (Protection) (Scotland) Bill
Criminal Law, Practice and Licensing Unit
Criminal Justice Division
Data protection support email
Data protection officer
Is your proposal primary legislation, secondary legislation or a statutory measure?
Name of primary legislation your measure is based on (if applicable)
What stage is your legislation or statutory measure at and what are your timelines?
The Bill is currently being drafted with a view to introduction in Parliament in Autumn 2020.
While a matter for Parliament to determine, we anticipate the following timeline:
Stage 1 debate: early January 2021
Stage 2 debate: early February 2021
Stage 3 debate: late February 2021
Royal Assent: April 2021
Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?
Yes. See Annex A
If the ICO has provided feedback, please include this.
Yes. See Annex B
Have you held a public consultation yet?
Were there any comments/feedback from the public consultation about privacy, information or data protection?
The only comments on GDPR matters related to a question as to whether there should be a statutory duty on the police, when making an application for a protective order to the courts, or putting in place protective measures, to refer a person at risk of domestic abuse to support services.
Victims' groups made the point that while the police should offer to refer a person at risk to support services if they wished, it was important that the person at risk should retain control as to whether a referral is made. Those who did not support a mandatory requirement being placed on police expressed a concern as to whether it would be compatible with their obligations under GDPR and whether support service provision was sufficiently comprehensive in some parts of the country to make such a referral.
To note - the Bill does not provide for a statutory duty of referral to support services.
| Version | Details of update | Version complete by | Completion Date |
|---|---|---|---|
| 2 | Second draft | Linsay Mackay | 24/09/2020 |
| 3 | Third draft | Linsay Mackay | 06/10/2020 |
| 4 | Fourth draft | Linsay Mackay | 08/10/2020 |