Publication - Impact assessment

Forensic Medical Services (Victims of Sexual Offences) (Scotland) Bill: DPIA

Published: 27 Nov 2019
Directorate:
Population Health Directorate
Part of:
Health and social care
ISBN:
9781839603600

Forensic Medical Services (Victims of Sexual Offences) (Scotland) Bill: data protection impact assessment.

16 page PDF

246.9 kB

16 page PDF

246.9 kB

Contents
Forensic Medical Services (Victims of Sexual Offences) (Scotland) Bill: DPIA
Data Protection Impact Assessment

16 page PDF

246.9 kB

Data Protection Impact Assessment

Title of proposal:

The Forensic Medical Services (Victims of Sexual Offences) (Scotland) Bill

Your department:

Health Improvement Division, Scottish Government

Contact email: EquallySafeFMS@gov.scot

Data protection support email dpa@gov.scot 

Data protection officer dataprotectionofficer@gov.scot

Is your proposal primary legislation, secondary legislation or a statutory measure?

Primary legislation, with the determination of the “self-referral” retention period left to regulations (secondary legislation).

Name of primary legislation your measure is based on (if applicable)

N/A

What stage is your legislation or statutory measure at and what are your timelines?

The Bill was introduced to the Scottish Parliament on 26 November 2019. The timings for the Bill’s progress will be determined by the Parliament, and subject to the endorsement of the Bill by the Parliament at Stages 1 and 3. Subject to the Bill being passed the Scottish Government’s intention is to commence it in April 2021.

Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?

Yes – see the Annex to this DPIA.

If the ICO has provided feedback, please include this.

The ICO provided feedback at meetings with the Bill Team on 20 May 2019 and on 14 November 2019. Amongst other things the ICO recommended that the Bill include a “data gateway” for instances where personal data transfers from health boards to Police Scotland constables.

Have you held a public consultation yet?

Yes, as detailed in the Policy Memorandum for the Bill published on the Scottish Parliament’s website.

Were there any comments/feedback from the public consultation about privacy, information or data protection?

Yes, as set out in chapter 3 of the consultation analysis paper: https://www.gov.scot/publications/analysis-responses-equally-safe-consultation-legislation-improve-forensic-medical-services-victims-rape-sexual-assault/pages/4/

Version Details of update Version complete by Completion Date
1.0 Draft shared with ICO 11/11/2019 11/11/2019
1.1 Revised draft for Information Asset Owner (IAO) approval 18/11/2019 18/11/2019
1.2 Final proofed version 20/11/2019 20/11/2019
  Question Comments
Article 35(7)(a) – “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller”
1 What issue/public need is the proposal seeking to address? What objective is the legislation trying to meet? The Bill’s principal purpose is to introduce two new functions on health boards, provision of a forensic examination service and a retention service to victims of sexual offences. Access to these services will not require a victim over 16 to have made a police report (known as “self-referral”). There is currently no clear legal basis that allows health boards to collect evidence, including forensic medical data. The Bill requires that a forensic medical examination and retention service (which will involve the collection of data) is done for a criminal justice purpose in terms of the Law Enforcement Directive. The Bill also includes a power for a police constable to request the transfer of collected evidence from health boards so that further analysis and investigation of the alleged sexual offence can be done by the police. Access to appropriate healthcare and forensic medical services is vital for people who are victims of sexual offences. The Scottish Government is clear that everyone who needs it should have access to a forensic medical examination, wider healthcare interventions and support, whether or not they have reported the crime.
The purposes of the Bill are fully described in the Policy Memorandum.
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” and Article 35(7)(b) “…necessity and proportionality of the processing operations”
2 Does your proposal relate to the collection of personal data? If so, please explain how and what kind of personal data it might involve.
Please also specify if this personal data will be sensitive or special category data or criminal convictions or offences?
(Note: ‘special categories’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation and sensitive personal data means criminal information or history)
Yes, the provision of the forensic medical examination service will require the collection by health boards of personal data.
Personal data collected may include special category (sensitive) data including health data and data related to sexual life. At present it is not envisaged that biometric or genetic data would be collected by health boards, and should advancements in forensic science lead to this being captured in future it could be that it would be the criminal justice authorities that would do the collection (since a person’s biometric and genetic markers do not change and time is not of the essence). At the stage of collection and retention by health boards there will be no processing or analysis of samples such that a natural person could be uniquely identified. Any further applicable analysis that may be done on collected samples will only be performed after the point at which data has transferred to the police following a request made by them in accordance with the terms of the Bill’s transfer provision.
Point 17 below includes discussion of the position of third parties.
Article 35(7)(a) “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller” and Article 35(7)(b) “…necessity and proportionality of the processing operations”
3 How will your proposal engage with Article 8 ECHR? How will your proposal balance rights and requirements with Article 8 rights? If impinging on Article 8 rights, what is your justification for doing so – why is it necessary?
Article 8 ECHR:
Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The Scottish Government considers that the Bill complies with the European Convention on Human Rights. The Bill ensures that data which is collected or stored as a result of a forensic medical examination can only be done so where it meets the law enforcement purpose set out. The retention service under the Bill has been developed with consideration of an individual’s need for private and family life, specifically in relation to self-referral, allowing victims time to consider whether to make a report to the police, balanced against the need to ensure that the retention of data is not indefinite or arbitrary. The Bill provides for a delegated power to set the retention period, which can be regularly reviewed to ensure that the period fixed by regulations is proportionate. The Bill will require that health boards ensure that samples and other data stored is destroyed after the expiry of the retention period, or sooner, where the victim who had data stored requests its destruction.

Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned”
Note Article 32 GDPR for s.4 also
4 Will your proposal require you to regulate:
technology
󠆺 behaviour of individuals using technology
technology suppliers
technology infrastructure
information security
(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)
No. In terms of information security, the Bill does not legislate for information security requirements because these are already legislated for in Part 3 of the Data Protection Act 2018. Implementation of the Bill’s data protection provisions is within the remit of the Information Governance Delivery Group of the Chief Medical Officer’s Rape and Sexual Assault Taskforce.
4a Please explain how your proposal will regulate behaviour using technology or the use of technology.
Please consider/address any issues involving:
  • Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals);
  • Surveillance (necessary or unintended);
  • Tracking of individuals online, including tracking behaviour online;
  • Profiling;
  • Collection of ‘online’ or other technology-based evidence
  • Artificial intelligence (AI);
  • Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals
(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people’s information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)
N/A
4b Will your proposal require establishing or change to an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s? No.
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
*Note exemptions from GDPR principles where applicable
5 Please provide details of whether your proposal will involve the collection or storage of evidence or investigatory powers (e.g. fraud, identify theft, misuse of public funds, criminal activity, witness information, online behaviour, victim information or other monitoring of online behaviour) Yes, the Bill provides for the collection and retention of evidence that may (in the event of a police report) be used for criminal justice purposes.
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned”
6 Would your proposal affect a specific group e.g. children, vulnerable individuals, elderly people? (Please specify) The Bill affects all groups equally however it provides that self-referral may only be provided to over 16s. This reflects that there are professional duties to report child sexual abuse to the police. This is also in line with current clinical practice in Scotland. The Bill does not directly legislate for vulnerable adults but the same principle applies – there will be rare circumstances where a police report must be made even where a victim would prefer to self-refer. Prior to any forensic medical examination being carried out, the Bill requires victims to be provided with information and have that information explained to them. The information includes the circumstances in which any evidence collected during the examination may be transferred to a police constable and the purposes for which that evidence may then be used.
7 Will your Bill necessitate the sharing of information to meet the objectives of your proposal?
If so, are the appropriate legal gateways for sharing personal data included?
Would your proposal benefit from appointing or specifying Data Controllers/creating obligations in law for responsibility for managing personal data?
(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s.)
Yes and the Bill contains an appropriate “data gateway” for cases where personal data and other evidence transfer from health boards to Police Scotland constables. The data sharing provision in the Bill has been designed to ensure compliance with the Law Enforcement Directive in that it provides that a request made by a police constable to a health board for the transfer of data to the police must be for the purpose that the data is required to investigate the sexual offence or harmful behaviour related to the examination or for proceedings relating to that incident.
8 Is there anything potentially controversial or of significant public interest in your policy proposal?
Are there any potential unintended consequences with regards to the provisions e.g. would unintended surveillance or profiling be an outcome of information collection provisions; will the public’s personal information have appropriate safeguards – could those safeguards interfere with the ability to investigate crime or protect the public etc. Please provide details about how you are balancing competing interests where they relate to personal data.
The requirement for all health boards to offer self-referral is of significant public interest and should avoid a “post code lottery” where this service is only available to victims in particular areas.
There is not yet consensus on the appropriate retention period for evidence retained in self-referral cases and therefore the determination of this period is left to regulations (secondary legislation). The regulations will be supported by guidance for healthcare professionals delivering a self-referral service.
9 Will any of the provisions affect/engage ECHR rights in addition to Article 8 e.g.:
Article 6 right to a fair trial (and rights of the accused)
Article 10 right to freedom of expression
Article 14 rights prohibiting discrimination
Or any other convention or treaty rights?
The Bill’s relevance to wider human rights obligations is set out in the Policy Memorandum.
10 Are there legacy provisions in other legislation that need to be addressed/repealed etc. in your current proposal?
(This might include, for example, the creation of statutory regulations (which would need enabling powers in Bills; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).
The schedule of the Bill makes appropriate consequential amendments to pre-existing legislation.
11 Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
The CMO Taskforce Information Governance Delivery Group has consulted on information sharing agreements between health boards and Police Scotland https://consult.gov.scot/cmo/information-governance/.

Summary – Data Protection Impact Assessment

12 Do you need to specify a Data Controller/s? By virtue of section 30(1)(b) of the Data Protection Act 2018, health boards will be competent authorities as the Bill requires health boards to process data in relation to the examination and retention service for a law enforcement purpose. Section 32(2) of the 2018 Act provides that health boards will therefore be a data controller in relation to the processing of that personal data under the Bill. Police Scotland will be a data controller when evidence is transferred to it for law enforcement purposes.
Section 5 of the Bill also requires health boards to address a victim’s health care needs which may involve the processing of personal data, including health data. In accordance with section 6(2), the health board will be the data controller for the processing of personal data relevant to this duty.
13 Do you need to include information collection duties or powers (legal basis for processing)? Yes – the Bill provides for this.
Section 2 provides that health boards require to collect evidence from a forensic medical examination that is carried out for purposes including the use of that evidence in connection with any investigation of the incident relating to the examination or any proceedings related to the incident.
Section 6 provides that health boards may store evidence collected from forensic medical examinations for the purpose of the use of that evidence in connection with any investigation of the incident relating to the examination or any proceedings related to the incident.
14 Do you need to include explicit information sharing provisions (as related to duties, legal gateways, express powers):
  • From one public sector organisation to another public sector organisation;
  • From a public sector organisation to a private sector organisation, charity, etc.;
  • Between public sector organisations;
  • Between individuals (e.g. practitioners/ service users/sole traders etc.);
  • Upon request from a nominated (or specified) organisation?
Yes – section 9 of the Bill includes a “data gateway” for cases where personal data and other evidence transfers from health boards to Police Scotland constables.
A constable may request that collected evidence is transferred to them either where a forensic medical examination has been conducted under referral by the police, or where a victim has self-referred for a forensic medical examination and made a report to the police regarding the incident relating to the examination.
15 Have you included any safeguards for personal data/interference with Article 8 rights? Section 4 of the Bill requires that individuals be provided with information, before the examination takes place, about the circumstances in which evidence (which will include personal information) is transferred to the police, the right to return of evidence and the destruction of evidence. The provision of such information to the victim allows them to foresee with a reasonable degree of certainty the consequences, in relation to the treatment of personal information, of proceeding with an examination, which ensures that the treatment of personal information is compliant with Article 8.
Section 8 of the Bill requires the destruction of evidence after a set amount of time, so that personal information is not retained indefinitely. The retention period is to be set by delegated power so as to allow for ongoing scrutiny to ensure the period set is proportionate.
16 Have you included any safeguards for personal data/interference with other rights? We are of the view that the Bill does not interfere with other ECHR rights. In relation to safeguards for personal data, we have made provision to ensure that information is destroyed after a certain amount of time and that information shall be shared with the police only in specific circumstances for the purposes of an investigation or proceedings in relation to the incident.
17 Will the collection of personal data affect decisions made about individuals, groups or categories of persons, or might provisions result in the denial of a right or rights? The Bill requires it to be explained to victims the circumstances in which any collected evidence may transfer to a police constable.
In terms of third parties, DNA collected and held by health boards could include the DNA of alleged perpetrators and the DNA of people close to the victim (for example their partner). As mentioned, no processing or analysis will be conducted on samples unless and until they are transferred to a police constable at the request of the victim. Although sections 44 and 45 of the Data Protection Act 2018 confers rights to information and access to an individual’s personal data, such information or access can be partially or wholly restricted where it is a necessary and proportionate measure to avoid prejudicing the detection, investigation or prosecution of criminal offences. The Scottish Government considers that a potential third party should not have an absolute “right to be informed” about the holding of their DNA, in the context of an alleged offence having been committed against the victim. In addition, samples would not be held indefinitely since they would be destroyed at the end of the statutory retention period, or earlier should the victim request their destruction.
18 Please summarise the key elements to be included for legislative drafters; please highlight risks to personal data, any comments about mitigating those risks, including any costs or options for addressing those risks through legislation.
This should be included in the Bill/legislation Instruction.
The Bill provides clear legal powers for health boards to collect and retain personal data, and to transfer it to Police Scotland in appropriate cases. All wider data protection requirements are within the remit of the CMO Taskforce Information Governance Delivery Group.

Annex: Article 36(4) Enquiry Form
This form is for public authorities that are developing a legislative proposal or statutory guidance that relates to personal data. It will provide a template for you to enter information relevant to Article 36(4) of the General Data Protection Regulation (GDPR) in order to streamline the process of consulting with the Information Commissioner’s Office (ICO).

Title of proposal:

Equally Safe: A Consultation on Legislation to Improve Forensic Medical Services for Victims of Rape and Sexual Assault

Your department:

Criminal Justice Division, Scottish Government

Contact email:

EquallySafeFMS@gov.scot

Data Protection Officer Contact email:
(If different from above)

dpa@scot.gov

Is your proposal primary legislation, secondary legislation or a statutory measure?

Primary legislation, with the retention period for evidence retained in self-referral cases to be determined by regulations (secondary legislation).

Name of primary legislation your measure is based on (if applicable)

N/A

Provide a broad summary of which aspects of your proposal relate to personal data

The consultation fulfils a commitment in the Scottish Government Programme for Government 2018-19 to consult on legislative proposals to improve forensic medical services for victims of rape and sexual assault. This follows HM Inspectorate of Constabulary in Scotland recommendations made in their report of March 2017 about the need to provide greater clarity around the statutory responsibility for the function and delivery of forensic medical services.
Chapter 2 of the consultation paper proposes that a specific statutory duty be conferred on health boards
to provide forensic medical services to victims of rape and sexual assault, for people who have reported to the police (“police-referral”) as well as for those who have not (“self-referral”).
Chapter 3 explores what legislative underpinning might be required to provide for the secure transfer of personal data to the criminal justice authorities in appropriate circumstances.
Broadly, the consultation seeks to underpin the important work of the Chief Medical Officer for Scotland’s Taskforce, convened to improve healthcare and forensic medical services for adults and children who have experienced rape and sexual assault. The Taskforce’s Sub Groups include an Information Governance Delivery Group.

What stage is your legislation or statutory measure at and what are your timelines?

Our consultation is currently open and closes on May 8. Chapter 3 and Question 4 of the consultation paper directly address data protection issues.
Any resulting legislative proposals will be informed by the consultation findings and subject to finalisation of the Government's 2019-20 legislative programme.

Question Comments
What issue/public need is the proposal seeking to address? Access to appropriate healthcare and forensic medical services is vital for adults and children who are victims of rape or sexual assault. The Scottish Government is clear that everyone who needs it should have access to a forensic medical examination, wider healthcare interventions and support, whether or not they have reported the crime.
Does your proposal create a new power or obligation for the processing of personal data? Potentially, yes. Amongst other things the consultation paper calls for views on whether it would be desirable to enact new legislative provisions about data sharing to cover whether, with whom and for what purposes data relating to forensic medical examinations might be shared.
Does your proposal relate to the collection of personal data? Yes
If you’ve answered yes to the above question, what data items might this include? Patient records including the findings from a forensic medical examination.
And is this information collected directly from the data subject or from elsewhere? Please provide further details. The information is collected directly from the data subject.
Would your proposal affect a specific group? E.g. children, vulnerable individuals, elderly? Our proposals will affect victims of rape and sexual assault. These are predominantly women and girls but the proposals will provide equal access to services and support for victims who are men and boys.
Anyone can be affected by sexual offending. Though they may be more at risk if they have a history of previous sexual abuse, a disability or have experienced other forms of abuse
Does your proposal relate to the processing
'special categories' of personal data, or
'criminal convictions or offences data'?1
Yes: biometric data, health data and data related to sex life.
Does your proposal involve the sharing of personal data with another government department or 3rd party that you were not previously sharing with? No. The proposals do not involve sharing of personal data in ways going beyond current practice.
Is there anything potentially controversial or of significant public interest in your policy proposal? A key policy proposal is to increase access to self-referral services which will increase focus on data protection practices for such services.
Have you conducted a data protection
Impact assessment on your proposed legislation?
A Data Protection Impact Assessment will be carried out, informed by the consultation findings.

Contact

Email: EquallySafeFMS@gov.scot