GDPR principles including the principle of Data Minimization: FOI release

Information requested

1. (Part 1) Details of who is the data controller for the Scottish Government questionnaire which includes the controversial sex questions being asked of pupils in S4-S6.
(Part 2) What checks were taken to ensure that the survey adheres to all GDPR principles including the principle of Data Minimization.
(Part 3) Specifically, what was the defined "purpose" associated with the anal sex questions?

2. Details of who is the data controller for the Free Bus Pass application questionnaire which includes questions on Gender and also what checks were taken to ensure that the survey adheres to all GDPR principles including the principle of Data Minimization. Specifically, what was the defined "purpose" associated with the questions relating to Gender and sexual orientation?

Response

In response to part 1 of your request on the Health and Wellbeing Census, I enclose a copy of all of the information you requested. As the published documentation sets out, the Health and Wellbeing (HWB) Census is owned and managed by local authorities.

The approach for implementing the HWB census means that in UK GDPR terms each local authority are first and foremost the data controller for their own census. This means that local authorities can decide for themselves whether or not to undertake their own census. Local authorities are also required to ensure that they fully comply with UK GDPR requirements.

As the local authorities collect and analyse their local HWB Census data they are the data controllers and SG is their data processor (as we are providing local authorities with the IT infrastructure for them to gather their data). There are separate arrangements in place for when local authorities will share their data with the SG. Only then does the SG become the data controller of the data it then holds for its own statistical analysis and research purpose. Further detail on the approach is set out in the Scottish Government Health and Wellbeing Census Data Protection Impact Assessment (DPIA).

As each local authority is the data controller for their local data collection, they each have their own Privacy Notices and DPIAs which cover the local authority data collection and management. These are available from each local authority.

In response to part 2 of your request, as noted above, local authorities and SG have undertaken their own Data Protection Impact Assessment. Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project. The SG has published their DPIA on its website. Local authorities have responsibility for undertaking their own DPIAs as data controllers. The SG DPIA was developed within the existing SG procedures, including consultation with the SG Information Assurance and Data Protection advisors.

UK GDPR applies to processing carried out by organisations. UK GDPR Article5 (1) (c) says: “ Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”. The HWB Census meets this principle.

The data collected is adequate, relevant and limited to the purpose identified in the DPIA in that it is sufficient to properly fulfil local authority and Scottish Government stated purpose. The purpose for local authority data processing is to meet the duties set out in:

• the Children and Young People (Scotland) Act 2014 which requires local authorities and their relevant health board, in respect of each three year period, prepare a children’s services plan for the area of the local authority.
• The Standards in Scotland’s Schools etc. Act 2000, under which the education authority must carry out the duty with a view to achieving the strategic priorities set out in the National Improvement Framework.
• the Local Government in Scotland Act 2003 states that a local authority has power to do anything which it considers is likely to promote or improve the well-being of its area and persons within that area.

The purpose for SG data processing is for Ministers to meet the duties set out in set out in:

• the National Health Service (Scotland) Act 1978 (Scottish Ministers have a duty “to promote the improvement of the physical and mental health of the people of Scotland”);
• the Standards in Scotland’s Schools etc. Act 2000 (Scottish Ministers have “to ensure that schools managed by education authorities, grant-aided schools, and hostels provided and maintained by education authorities for pupils, are health-promoting”); and
• the Local Government (Scotland) Act 1973.

In part 3 of your request, you ask for the purpose of the anal sex questions. The HWB Census does not ask questions specifically on anal sex. The questions, or responses, ask about anal or vaginal sex collectively, or penetrative sex. These questions provide the evidence on whether young people are using condoms and practicing safe sex, where relevant. As the questionnaire is digital, it also means only those young people for whom the questions apply to see the questions. For example, if a young person responds they have not had penetrative sex, they are not presented with the questions on safe sex.

Response to your request 2.
Transport Scotland commissioned Wellside Research to conduct an online survey gathering baseline data on travel behaviour ahead of the implementation of free bus travel for under 22s. The survey in question is not part of the application process for a National Entitlement Card.

Transport Scotland is committed to complying with the requirements of the General Data Protection Regulation (GDPR).

Transport Scotland are the Data Controller for this piece of work, with Wellside Research acting as the Data Processor.

All survey participants were fully informed and given sufficient information when the survey invitation was disseminated and on the covering page of the online survey to allow for an informed decision to be made about participation in the survey.

The demographic questions at the end of the survey, which included questions on gender and sexual orientation, were optional and therefore respondents to the survey were not required to provide an answer if they did not want to. The question on sexual orientation only applies to young people aged 16 and over and is also optional.

We ask optional demographic questions as part of our baseline survey as we want to understand if there are any barriers for young people from protected characteristics accessing public transport. For example, our initial research identified LGBTQ+ young people might be less inclined to use the bus for fear of homophobic and transphobic harassment.

As a survey incentive, participants were given the option to enter into a prize draw by providing their contact name and email. In doing so, participants consented for this personal data to be processed for the purposes of the prize draw alone. This data is processed only by Wellside Research and removed from the respondents survey response and held separately and securely. Once prizes have been allocated, the prize draw database will be permanently and confidentially deleted from systems, in line with GDPR regulations.

The survey response data set is anonymous and will only be kept for the required GDPR retention periods for this project.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.