We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Impact assessment

Forensic Medical Services (Victims of Sexual Offences) (Scotland) Bill: data protection impact assessment - revised

Published
10 November 2020
Directorate
Chief Medical Officer Directorate, +2 more … Justice Directorate, Population Health Directorate
Part of
Health and social care, Law and order
ISBN
9781800042841

This is an updated version of the data protection impact assessment originally published for the introduction of the Forensic Medical Services (Victims of Sexual Offences) (Scotland) Bill in November 2019.

View supporting documents Supporting documents

The Forensic Medical Services (Victims of Sexual Offences) (Scotland) Bill at Stage 2

Title of proposal:

The Forensic Medical Services (Victims of Sexual Offences) (Scotland) Bill at Stage 2

Your department:

Chief Medical Officer's Rape and Sexual Assault Taskforce Unit, Scottish Government

Contact email:

EquallySafeFMS@gov.scot

Data protection support email

dpa@gov.scot

Data protection officer

dataprotectionofficer@gov.scot

Is your proposal primary legislation, secondary legislation or a statutory measure?

Primary legislation, with the determination of the "self-referral" retention period left to regulations (secondary legislation). The regulations referred to will be subject to a full 12 week public consultation in 2021, should the Bill be passed by the Parliament at Stage 3.

Name of primary legislation your measure is based on (if applicable)

N/A

What stage is your legislation or statutory measure at and what are your timelines?

The Bill passed Stage 1 on 1 October 2020 and Stage 2 amendments will be debated in November 2020. Subject to the Bill being passed the Scottish Government's intention is to commence it in November 2021, following the public consultation exercise mentioned.

Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?

Yes (in 2019).

If the ICO has provided feedback, please include this.

Yes, the ICO reviewed a draft of this revised DPIA and the document was finalised in light of their comments.

Have you held a public consultation yet?

Yes, in 2019 as detailed in the Policy Memorandum for the Bill. The Health and Sport Committee has subsequently taken a wide range of written and oral evidence on the Bill, published on its website and referenced in the Committee's Stage 1 report. And as mentioned above a further public consultation will be held on retention period regulations in 2021.

Were there any comments/feedback from the public consultation about privacy, information or data protection?

Yes, as set out in chapter 3 of the 2019 consultation analysis paper: https://www.gov.scot/publications/analysis-responses-equally-safe-consultation-legislation-improve-forensic-medical-services-victims-rape-sexual-assault/pages/4/ and in paragraphs 123 to 144 of the Committee's report.

Version Details of update Version complete by Completion Date
1.0 Draft shared with ICO 11/11/2019 11/11/2019
1.1 Revised draft for Information Asset Owner (IAO) approval 18/11/2019 18/11/2019
1.2 Final proofed version 20/11/2019 20/11/2019
2.0 Revised draft shared with ICO 19/10/2020 26/10/2020
2.1 Revised draft for IAO approval 28/10/2020 29/10/2020
2.2 Final proofed version 04/11/2020 04/11/2020

Article 35(7)(a) - "purposes of the processing, including, where applicable, the legitimate interest pursued by the controller"

Question 1

What issue/public need is the proposal seeking to address? What objective is the legislation trying to meet?

Comments

The Bill's principal purpose is to introduce two new functions on health boards, provision of a forensic examination service and a retention service to victims of sexual offences. Access to these services will not require a victim over 16 to have made a police report (known as "self-referral"). The Bill requires that a forensic medical examination and retention service (which will involve the collection of data) is done for a criminal justice purpose in terms of the Data Protection Law Enforcement Directive. The Bill also includes a power for a police constable to request the transfer of collected evidence from health boards. Access to appropriate healthcare and forensic medical services is vital for people who are victims of sexual offences. The Scottish Government is clear that everyone who needs it should have access to a forensic medical examination, wider healthcare interventions and support, whether or not they have reported the crime.

The purposes of the Bill are fully described in the Policy Memorandum, and endorsed in the Committee's Stage 1 report.

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects" and Article 35(7)(b) "…necessity and proportionality of the processing operations"

Question 2

Does your proposal relate to the collection of personal data? If so, please explain how and what kind of personal data it might involve.

Please also specify if this personal data will be sensitive or special category data or criminal convictions or offences?

(Note: 'special categories' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person's sex life or sexual orientation and sensitive personal data means criminal information or history)

Comments

The Scottish Government considers that the Bill is necessary to address two of the recommendations in Her Majesty's Inspectorate of Constabulary in Scotland (HMICS)'s report on forensic medical examination services for victims of sexual crime published in March 2017. HMICS identified a lack of legal clarity in the basis for service provision, generally, and particularly in the case of self-referral services. To address the HMICS recommendations the Bill provides a clear statutory duty for health boards to provide forensic medical services for victims, supporting consistent access to "self-referral" so that a victim can access healthcare and request a forensic medical examination without first making a report to the police. The necessity of the Bill was recognised by consultees in 2019, 91% of whom agreed there should be a specific statutory duty for health boards to provide these services, including in self-referral cases. Subsequently, the Scottish Parliament's Health and Sport Committee and the chamber itself have endorsed the Bill as necessary and important.

The proportionality of the Bill's measures is secured through a number of features including that evidence in self-referral cases will be kept according to a statutory retention period and that victims are afforded important rights including that evidence be destroyed on request. Further, proportionality is secured by the Bill not endorsing an anonymous DNA database that could give rise to additional risks and issues (see further commentary on that below).

To answer the specific question, yes, the provision of the forensic medical examination service will require the collection by health boards of personal data. The Bill gives health boards a power to collect evidence for the purpose of investigating and for use in any proceedings connected to the incident related to the forensic medical examination. Such evidence collection will involve the processing of data and some of that evidence may constitute personal data. The type of personal data which is processed will depend on the facts and circumstances of each case. At the most basic level, this would involve a victim being asked to provide information to support the provision of healthcare, which will include their name, date of birth and address. The health section of a national form to be implemented later this year will capture data relevant to the medical assessment e.g. name, sex, address, brief history of the incident, allergies, current medical conditions, any current contraception, emotional wellbeing, and self-harm or suicide risk.

The form only captures evidence about a person's sex life to the extent that it would assist the Scottish Police Authority with analysing samples in the event of a police report. The forensic form asks about any sexual activity 7 days prior and post-incident with the alleged perpetrator and any consensual sex with anyone else.

Where a forensic medical examination is conducted, personal data collected may include special category (sensitive) data regarding the nature of the assault which may be pertinent to any future police investigation. Evidence in the form of physical samples may be collected from a forensic medical examination, including but not limited to, swabs of areas of the body, fingernail collection or hair collection, blood and urine samples. Samples taken will depend on what is relevant pertaining to a particular individual's case. All processing of sensitive data requires to be carried out in accordance with the safeguards at section 42 of the Data Protection Act 2018. At present it is not envisaged that biometric data would be collected by health boards, and should advancements in forensic science lead to this being captured in future it could be that it would be the criminal justice authorities that would do the collection (since a person's biometric markers do not change and time is not of the essence). Health boards will not take fingerprints. The health board is not considered to be collecting any "genetic data" (as it is defined for data protection purposes), even where samples retained may contain underlying genetic information. That is because at the stage of collection and retention of physical samples by health boards there will be no processing or analysis of samples such that an individual could be uniquely identified. Any further applicable analysis that may be done on collected samples will only be performed after the point at which data has transferred to the police following a request made by them in accordance with the terms of the Bill's transfer provision.

To emphasise this point, that there will be no processing or analysis of samples in the hands of health boards, the Committee has indicated at paragraph 140 of its Stage 1 report that it cannot support an "anonymous DNA database". What such a database would involve was not made clear by proponents but the Scottish Government notes it would likely involve the processing and analysis of samples in the hands of health boards, contrary to the policy for the Bill mentioned. The Scottish Government notes that the Information Commissioner's Office and other stakeholders do not support an anonymous DNA database and therefore the Scottish Government does not propose to bring forward Stage 2 amendments to provide for one. This protects the policy that there should be no processing or analysis of samples in the hands of health boards.

Point 17 below includes discussion of the position of third parties.

Article 35(7)(a) "purposes of the processing, including, where applicable, the legitimate interest pursued by the controller" and Article 35(7)(b) "…necessity and proportionality of the processing operations"

Question 3

How will your proposal engage with Article 8 ECHR? How will your proposal balance rights and requirements with Article 8 rights? If impinging on Article 8 rights, what is your justification for doing so - why is it necessary?

Article 8 ECHR:

Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Comments

The Scottish Government considers that the Bill complies with the European Convention on Human Rights. The Bill ensures that data which is collected or stored as a result of a forensic medical examination can only be done so where it meets the law enforcement purpose set out. The retention service under the Bill has been developed with consideration of an individual's need for private and family life, specifically in relation to self-referral, allowing victims time to consider whether to make a report to the police, balanced against the need to ensure that the retention of data is not indefinite or arbitrary. The Bill provides for a delegated power to set the retention period, which can be regularly reviewed to ensure that the period fixed by regulations is proportionate. As mentioned, there will be a full public consultation in 2021 to inform the drafting of the first retention period regulations. The Bill requires that health boards ensure that samples, data and other evidence stored for the purposes of investigation of an incident is destroyed after the expiry of the retention period, or sooner, where the victim who had evidence stored requests its destruction. The Government Stage 1 response mentioned above highlights that it is a deliberate aspect of Bill policy that whilst the retention period for self-referral samples would be prescribed by regulations, decisions on what evidence should be taken in the course of forensic medical examination should not be. At this stage it is envisaged that a national protocol on self-referral will recommend the taking only of samples, underwear and - exceptionally - relevant outerwear.

Article 35(7)(b) "…necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

Article 35(7)(d) "measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned"

Note Article 32 GDPR for s.4 also

Question 4

Will your proposal require you to regulate:

  • technology
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)

Comments

No. In terms of information security, the Bill does not legislate for information security requirements because these are already legislated for in Part 3 of the Data Protection Act 2018. Implementation of the Bill's data protection provisions is within the remit of the Information Governance Delivery Group of the Chief Medical Officer's Rape and Sexual Assault Taskforce.

Question 4a

Please explain how your proposal will regulate behaviour using technology or the use of technology.

Please consider/address any issues involving:

  • Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals);
  • Surveillance (necessary or unintended);
  • Tracking of individuals online, including tracking behaviour online;
  • Profiling;
  • Collection of 'online' or other technology-based evidence
  • Artificial intelligence (AI);
  • Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals

(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people's information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)

Comments

N/A

Question 4b

Will your proposal require establishing or change to an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

Comments

No.

Article 35(7)(b) "…necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

*Note exemptions from GDPR principles where applicable

Question 5

Please provide details of whether your proposal will involve the collection or storage of evidence or investigatory powers (e.g. fraud, identify theft, misuse of public funds, criminal activity, witness information, online behaviour, victim information or other monitoring of online behaviour)

Comments

Yes, the Bill provides for the collection and retention of evidence that may (in the event of a police report) be used for the purposes of investigating the incident relating to the examination or proceedings relating to that incident.

Article 35(7)(b) "…necessity and proportionality of the processing operations"

Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"

Article 35(7)(d) "measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned"

Question 6

Would your proposal affect a specific group e.g. children, vulnerable individuals, elderly people? (Please specify)

Comments

The Bill affects all groups equally however it provides that self-referral may only be provided to over 16s. This reflects that there are professional duties to report child sexual abuse to the police. This is also in line with current clinical practice in Scotland. More information about this, in the context that forensic medical examination is not relevant to many victims of child sexual abuse because the offending is often not disclosed within the 7 day DNA capture window, is contained in the Child Rights and Wellbeing Impact Assessment for the Bill.

The Bill does not directly legislate for vulnerable adults but the same principle applies - there will be rare circumstances where a police report must be made even where a victim would prefer to self-refer. Prior to any forensic medical examination being carried out, the Bill requires victims to be provided with information and have that information explained to them. The information includes the circumstances in which any evidence collected during the examination may be transferred to a police constable and the purposes for which that evidence may then be used. The Patient Rights (Scotland) Act 2011, which the Bill has applied to the provision of forensic medical services, includes amongst its health care principles that communication is clear, accessible and understood. It is intended that web portal material will be made available as a reference for survivors to refresh themselves on key points that would be communicated at the time of examination.

Question 7

Will your Bill necessitate the sharing of information to meet the objectives of your proposal?

If so, are the appropriate legal gateways for sharing personal data included?

Would your proposal benefit from appointing or specifying Data Controllers/creating obligations in law for responsibility for managing personal data?

(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s.)

Comments

Yes and the Bill contains an appropriate "gateway" for cases where collected evidence transfers from health boards to Police Scotland constables. The data sharing provision in the Bill has been designed to ensure compliance with the Data Protection Law Enforcement Directive in that it provides that a request made by a police constable to a health board for the transfer of evidence to the police must be for the purpose that the evidence is required to investigate the sexual offence or harmful behaviour related to the examination or for proceedings relating to that incident.

Question 8

Is there anything potentially controversial or of significant public interest in your policy proposal?

Are there any potential unintended consequences with regards to the provisions e.g. would unintended surveillance or profiling be an outcome of information collection provisions; will the public's personal information have appropriate safeguards - could those safeguards interfere with the ability to investigate crime or protect the public etc. Please provide details about how you are balancing competing interests where they relate to personal data.

Comments

The requirement for all health boards to offer self-referral is of significant public interest and should avoid a "post code lottery" where this service is only available to victims in particular areas.

The CMO Taskforce has reached a consensus based on the available evidence, regarding the appropriate retention period for evidence retained in self-referral cases. There will be a full public consultation on the retention period proposed, which will be set out in regulations (secondary legislation). The regulations will be supported by a formal protocol for healthcare professionals delivering a self-referral service, currently under development and to be approved by the Lord Advocate ahead of implementation.

The Scottish Parliament's Health and Sport Committee, in its Stage 1 report, has usefully highlighted two particular issues as being in its view of significant public interest.

The first issue is the case for differentiation between personal data, samples taken, and the data obtained from those samples. This was discussed from paragraph 123 of the Stage 1 report, leading up to the Committee's recommendation in paragraph 130.

The Bill as introduced provides for an inclusive definition of "evidence" in section 13. This provides an illustrative list of some of the main items that are usually taken in a contemporary forensic medical examination, but the definition is non-exhaustive and is designed to work effectively where there may be future changes in technology or practice. Of particular relevance to this Revised Data Protection Impact Assessment, the Scottish Government can clarify that the definition of "evidence" was intended to cover any personal data collected as part of the forensic examination - an example would be the victim's biographical information, any physical samples taken from the victim's body and any subsequent genetic data obtained from those samples (with genetic data only being known once analysis of evidence is conducted by the police following evidence transfer to them from a health board). The Scottish Government remains of the view that is appropriate for the same concept of "evidence" to cover all of these things.

The Scottish Government wishes to reiterate that no processing or analysis takes place of bodily samples whilst it is in the hands of health boards. What the criminal justice authorities may do following a police report will be regulated by their processes to comply with data protection legislation. It follows that the obtaining of any genetic data from samples is not something health boards are authorised to do under the Bill - this is not part of their current practice and will not become practice in future.

To the extent there may be a case for clearer guidance to health boards on what to do, and not do, with particular types of evidence, the Scottish Government considers that this is an operational matter best taken forward through the CMO Taskforce's relevant subgroups in their work to implement the Bill, should it be passed by the Parliament at Stage 3. This matter is particularly being addressed in the self-referral protocol referred to above.

On reflection, the Scottish Government considers that the definition of "evidence" in the Bill can be improved and therefore is planning to lodge appropriate Stage 2 amendments on this point.

The second significant public interest issue highlighted by the Committee is children's rights in relation to ownership of data to ensure a child's best interests are at the heart of sharing personal, information with alleged perpetrators.

The Scottish Government acknowledges that the question of adults making subject access requests on behalf of children is an issue that has been raised in this and other devolved policy areas. The Scottish Government wishes to emphasise that this issue is not unique to forensic medical examination, and that as is highlighted in the Child Rights and Wellbeing Impact Assessment for the Bill, forensic medical examination is not relevant to many victims of child sexual abuse because the offending is often not disclosed within the 7 day DNA capture window.

Whilst health boards do receive subject access requests for information from parents and guardians about their child (usually via a solicitor), we understand that these are always considered on a case by case basis. As far as we can comment on health board practices, we understand that consideration on whether to release information is done so in conjunction with appropriate advice from NHS Information Governance and Medical Records officials and in accordance with data protection legislation, any other relevant legislation governing the protection of children and existing health board protocols. Each health board has experts in child protection who provide support in such scenarios with the protection of the child always being at the centre. Any requests for records have to come through their Medical Records Team who send the relevant clinicians a form to complete which can specify that all or part of the record is withheld. The relevant clinician would then review the requested material and redact any material in line with existing policy and procedure. This can be either because it is third party information (like case conference minutes) or because it is felt to be in the best interests of the child or it would be potentially harmful if that information were to be released.

Since a general issue has been raised that is not unique to the Bill's context, and health boards have robust arrangements in place to handle subject access requests within the data protection legislative framework enacted by the EU and the UK Parliament, the Scottish Government does not propose to bring forward any Stage 2 amendments on this point.

A relevant development since the introduction of the Bill is that the Scottish Government has subsequently introduced the United Nations Convention on the Rights of the Child (Incorporation) (Scotland) Bill. Amongst other things the Incorporation Bill gives direct legal effect in Scots law to Article 16 of the Convention, which provides as follows:

"1. No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation.

2. The child has the right to the protection of the law against such interference or attacks."

Should the two Bills be passed, they would require to be read and applied together by health boards. In the exercise of forensic medical examination functions health boards would be legally required to comply with children's rights to privacy under Article 16. The Scottish Government considers that this provides an additional safeguard that does not need to be re-legislated for in the FMS Bill.

The Scottish Government recognises that it is critical child victims accessing services under the Bill are fully able to understand their data protection rights. To support , this, child friendly materials and processes will be developed to aid their understanding.

Question 9

Will any of the provisions affect/engage ECHR rights in addition to Article 8 e.g.:

Article 6 right to a fair trial (and rights of the accused)

Article 10 right to freedom of expression

Article 14 rights prohibiting discrimination

Or any other convention or treaty rights?

Comments

The Bill's relevance to wider human rights obligations is set out in the Policy Memorandum.

Question 10

Are there legacy provisions in other legislation that need to be addressed/repealed etc. in your current proposal?

(This might include, for example, the creation of statutory regulations (which would need enabling powers in Bills; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).

Comments

The schedule of the Bill makes appropriate consequential amendments to pre-existing legislation. The Government will bring forward further technical amendments to pre-existing legislation at Stage 2 to improve and clarify the Bill's interaction with the wider statute book - these are unconnected with data protection matters.

Question 11

Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

Comments

N/A

Summary - Data Protection Impact Assessment

Question 12

Do you need to specify a Data Controller/s?

Comments

By virtue of section 30(1)(b) of the Data Protection Act 2018, health boards will be competent authorities as the Bill requires health boards to process data in relation to the examination and retention service for a law enforcement purpose. Section 32(2) of the 2018 Act provides that health boards will therefore be a data controller in relation to the processing of that personal data under the Bill. Police Scotland will be a data controller when evidence is transferred to it for law enforcement purposes.

Section 5 of the Bill also requires health boards to address a victim's health care needs which may involve the processing of personal data, including health data. In accordance with section 6(2), the health board will be the data controller for the processing of personal data relevant to this duty.

Question 13

Do you need to include information collection duties or powers (legal basis for processing)?

Comments

Yes - the Bill provides for this.

Section 2 provides that health boards require to collect evidence from a forensic medical examination that is carried out for purposes including the use of that evidence in connection with any investigation of the incident relating to the examination or any proceedings related to the incident.

Section 6 provides that health boards may store evidence collected from forensic medical examinations for the purpose of the use of that evidence in connection with any investigation of the incident relating to the examination or any proceedings related to the incident.

Question 14

Do you need to include explicit information sharing provisions (as related to duties, legal gateways, express powers):

  • From one public sector organisation to another public sector organisation;
  • From a public sector organisation to a private sector organisation, charity, etc.;
  • Between public sector organisations;
  • Between individuals (e.g. practitioners/ service users/sole traders etc.);
  • Upon request from a nominated (or specified) organisation?

Comments

Yes - section 9 of the Bill includes a "gateway" for cases where evidence transfers from health boards to Police Scotland constables.

A constable may request that collected evidence is transferred to them either where a forensic medical examination has been conducted under referral by the police, or where a victim has self-referred for a forensic medical examination and made a report to the police regarding the incident relating to the examination.

Question 15

Have you included any safeguards for personal data/interference with Article 8 rights?

Comments

Section 4 of the Bill requires that individuals be provided with information, before the examination takes place, about the circumstances in which evidence (which will include personal data) is transferred to the police, the right to return of evidence and the destruction of evidence. The provision of such information to the victim allows them to foresee with a reasonable degree of certainty the consequences, in relation to the treatment of their personal data, of proceeding with an examination, which ensures that the treatment of personal data is compliant with Article 8.

Section 8 of the Bill requires the destruction of evidence after a set amount of time, so that personal data and other collected evidence, such as bodily samples is not retained indefinitely. The retention period is to be set by delegated power so as to allow for ongoing scrutiny to ensure the period set is proportionate. There will be a full public consultation in 2021 to inform the drafting of the first retention period regulations.

Question 16

Have you included any safeguards for personal data/interference with other rights?

Comments

We are of the view that the Bill does not interfere with other ECHR rights. In relation to safeguards for personal data, we have made provision to ensure that evidence is destroyed after a certain amount of time and that evidence shall be shared with the police only in specific circumstances for the purposes of an investigation or proceedings in relation to the incident.

Question 17

Will the collection of personal data affect decisions made about individuals, groups or categories of persons, or might provisions result in the denial of a right or rights?

Comments

The Bill requires it to be explained to victims the circumstances in which any collected evidence may transfer to a police constable.

In terms of third parties, DNA collected and held by health boards could include the DNA of alleged perpetrators and the DNA of people close to the victim (for example their partner). No processing or analysis will be conducted on samples unless and until they are transferred to a police constable at the request of the victim. Although sections 44 and 45 of the Data Protection Act 2018 confers rights to information and access to an individual's personal data, such information or access can be partially or wholly restricted where it is a necessary and proportionate measure to avoid prejudicing the detection, investigation or prosecution of criminal offences. The Scottish Government considers that a potential third party should not have an absolute "right to be informed" about the holding of their DNA, in the context of an alleged offence having been committed against the victim. In addition, samples would not be held indefinitely since they would be destroyed at the end of the statutory retention period, or earlier should the victim request their destruction.

Question 18

Please summarise the key elements to be included for legislative drafters; please highlight risks to personal data, any comments about mitigating those risks, including any costs or options for addressing those risks through legislation. This should be included in the Bill/legislation Instruction.

The Bill provides clear legal powers for health boards to collect and retain personal data, and to transfer it to Police Scotland in appropriate cases. All wider data protection requirements are within the remit of the CMO Taskforce Information Governance Delivery Group. Following the conclusion of Stage 1 proceedings of the Bill, this Impact Assessment has been fully reviewed and where appropriate updated, and due consideration has been given to specific issues highlighted by the Health and Sport Committee as being of significant public interest. Having carried out this exercise, the Scottish Government considers that the definition of "evidence" in the Bill can be improved and therefore is planning to lodge appropriate Stage 2 amendments on this point.

Contact

Email: EquallySafeFMS@gov.scot

Back to top