Publication - Impact assessment

Hate Crime and Public Order (Scotland) Bill: data protection impact assessment

DPIA for the Hate Crime and Public Order (Scotland) Bill.

18 page PDF

1.2 MB

18 page PDF

1.2 MB

Contents
Hate Crime and Public Order (Scotland) Bill: data protection impact assessment
Data Protection Impact Assessment for Legislation

18 page PDF

1.2 MB

Data Protection Impact Assessment for Legislation

for Bill Team use only

This form is for Bill teams that are developing a legislative proposal or statutory guidance that will involve (explicitly or inherently) impacts on personal data.

The form works in conjunction with the Article 36(4) ICO consultation form, in the event your draft legislation meets the requirements for consultation with the ICO.

Your proposal may engage with Article 8 rights to privacy – this could come about in a variety of ways, for example, establishing a new organisation which will require information to be collected or shared, it may involve data sharing provisions explicitly, it may include requirements for an individual or organisation to be present in certain circumstances (e.g. for children or vulnerable people being interviewed) or it may involve powers to deliver services which will inherently require the processing of personal data in order to deliver those services. In such instances, an assessment of proposed provisions and the impact on data subjects must be undertaken.

Please note that the below questions seek to articulate how your proposals will meet the requirements of Article 35 of GDPR, Article 32 GDPR and other elements of both GDPR and Data Protection Act 2018, and seeks to assess the impact to individuals’ personal data.

Article 35(1)

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Article 35(7)

The assessment shall contain at least:

a) systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned.

Article 32 (Security of processing)

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Title of proposal:

Hate Crime and Public Order (Scotland) Bill.

Your department:

Scottish Government Local Government & Communities.

Contact email:

bill.brash@gov.scot

Data protection support email

dpa@gov.scot

Data protection officer

dataprotectionofficer@gov.scot

Is your proposal primary legislation, secondary legislation or a statutory measure?

Primary.

Name of primary legislation your measure is based on (if applicable)

N/A.

What stage is your legislation or statutory measure at and what are your timelines?

It is intended to lodge the Bill in the Scottish Parliament on 24 March 2020.

Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?

Yes. See Annex A

If the ICO has provided feedback, please include this.

Yes. See Annex B

Have you held a public consultation yet?

Yes.

Were there any comments/feedback from the public consultation about privacy, information or data protection?

No. The only comments about data were concerned with collecting statistics on hate crime incidents/offences, which would not include personal information.

Question Comments
Article 35(7)(a) – “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller”
1 What issue/public need is the proposal seeking to address? What objective is the legislation trying to meet? The Bill seeks to modernise, consolidate and extend existing hate crime legislation by:
  • adding age as a new characteristic;
  • the conferral of an enabling power to allow the additional characteristic of sex to be added by regulations in the future;
  • updating the definition of transgender identity, including the removal of ‘intersexuality’ from the definition and creating a separate characteristic for variations in sex characteristics; and
  • providing new stirring up of hatred offences that will apply to all characteristics in the Bill (currently these offences only relate to race).
In addition, the Bill will abolish the common law offence of blasphemy.
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” and Article 35(7)(b) “…necessity and proportionality of the processing operations”
2 Does your proposal relate to the collection of personal data? If so, please explain how and what kind of personal data it might involve.
Please also specify if this personal data will be sensitive or special category data or criminal convictions or offences?
(Note: ‘special categories’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation and sensitive personal data means criminal information or history)
Not directly. However, the Bill reforms and extends the criminal law on hate crime, creating new offences of ‘stirring up hatred’ and statutory aggravations. This will mean that records will be created and personal details will be held by Police Scotland, the Crown Office and Procurator Fiscal Service, Scottish Courts and Tribunals Service, and other justice agencies, relating to people who are suspected of committing one of the specified offences and evidence concerning those offences. As with other criminal records, these are disclosable in certain circumstances in accordance with existing legislation and as part of criminal prosecution information flows.
The nature of the offences may mean that special categories of data in relation to victims may be recorded, such as racial or ethnic origin, religious affiliation, sexual orientation and trans identity (this is already the case to a significant extent as there are existing statutory aggravations covering these characteristics). This will be done in line with the existing standards operated by justice agencies. Witness information may also be recorded but this will also be done in line with existing legislation and standards operated by justice agencies.
Article 35(7)(a) “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller” and Article 35(7)(b) “…necessity and proportionality of the processing operations”
3 How will your proposal engage with Article 8 ECHR? How will your proposal balance rights and requirements with Article 8 rights? If impinging on Article 8 rights, what is your justification for doing so – why is it necessary?
Article 8 ECHR:
Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
It is possible that a person’s Article 8 rights may be engaged through the investigation of offences to which the Bill relates. It is considered that interference with Article 8 rights is justified as being necessary in the interests for the prevention of disorder or crime and for the protection of the rights and freedoms of others. To explain further, the Bill follows on from an independent review of hate crime legislation in Scotland. In his report, Lord Bracadale justified using legislation to tackle hate crime by stating ‘legislation sends a clear message to the victim, the group of which the victim is a member, and wider society, that criminal behaviour based on bias and inequality will not be tolerated’.
On this basis, interference with Article 8 through the investigation of offences is justified on the basis that the Bill is necessary to prevent disorder or crime and will also protect the rights and freedoms of the groups protected by this legislation. The aim is to promote an equal society where people with identified characteristics are protected from crimes committed on the basis of those characteristics.
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned”
Note Article 32 GDPR for s.4 also
4 Will your proposal require you to regulate:
technology
󠆺behaviour of individuals using technology
technology suppliers
technology infrastructure
information security
(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)
No regulations are required for these areas of interest. For example, there will be no distinct provision on online hate speech; and the Bill does not provide any new powers for the police to investigate online crime or collect personal data.
It is possible for an offence which is committed online (such as under section 127 of the Communications Act 2003 or threatening or abusive behaviour committed online) to be aggravated by prejudice. Similarly it is possible that stirring up of hatred offences to be committed online. However, the provisions of the Bill do not distinguish between online and other forms of offending and delivery of the Bill relies on existing powers. In conclusion, no regulations are required for any of these categories.
4a Please explain how your proposal will regulate behaviour using technology or the use of technology.
Please consider/address any issues involving:
  • Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals);
  • Surveillance (necessary or unintended);
  • Tracking of individuals online, including tracking behaviour online;
  • Profiling;
  • Collection of ‘online’ or other technology-based evidence
  • Artificial intelligence (AI);
  • Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals
(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people’s information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)
Delivery of the Bill will rely on the use of existing powers, therefore it will not regulate behaviour using technology or the use of technology. For example, the Bill creates new offences concerning stirring up of hatred, these offences can be committed both online and ‘in person’ and anyone reported for posting online hate speech will require to be identified to enable the collection of evidence in order for prosecutions to be made. However, delivery of the Bill makes no new provision in this area and police will continue to rely on their existing powers to investigate online criminal activity in the same way as they do currently.
4b Will your proposal require establishing or change to an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s? No.

Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
*Note exemptions from GDPR principles where applicable
5 Please provide details of whether your proposal will involve the collection or storage of evidence or investigatory powers (e.g. fraud, identify theft, misuse of public funds, criminal activity, witness information, online behaviour, victim information or other monitoring of online behaviour) The Bill does not create new investigatory powers for the police. The data items that the police may require to record when investigating these crimes would include those necessary to be collected and processed in the course of investigation and prosecution of crime, such as name, address, date of birth, and criminal history. The nature of the offences may mean that special categories of data in relation to victims may be recorded, such as racial or ethnic origin, religious affiliation, sexual orientation and trans identity. This will be done in line with the existing standards operated by justice agencies.
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned”
6 Would your proposal affect a specific group e.g. children, vulnerable individuals, elderly people? (Please specify) It is expected to affect, in some capacity all people living in Scotland. In particular, it will extend the characteristics to which hate crime statutory aggravations apply and extend existing ‘stirring up’ of hatred offences to all statutory characteristics (these are currently only provided for race).”
The legislation specifically creates criminal offences and statutory aggravations
in respect of the characteristics of age, disability, race, religion, sexual orientation, transgender identity and variations in sex characteristics. The legislation provides a criminal justice response to hate crime, acting as a deterrent and thereby sending a clear message to society that this behaviour is not acceptable and will not be tolerated.
7 Will your Bill necessitate the sharing of information to meet the objectives of your proposal?
If so, are the appropriate legal gateways for sharing personal data included?
Would your proposal benefit from appointing or specifying Data Controllers/creating obligations in law for responsibility for managing personal data?
(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s.)
Information sharing in relation to the investigation and prosecution of new offences created by the Bill will be carried out in line with the existing practices and standards operated by justice agencies.
Existing Crown Office, Police Scotland and Scottish Courts privacy notices will be sufficient.
8 Is there anything potentially controversial or of significant public interest in your policy proposal?
Are there any potential unintended consequences with regards to the provisions e.g. would unintended surveillance or profiling be an outcome of information collection provisions; will the public’s personal information have appropriate safeguards – could those safeguards interfere with the ability to investigate crime or protect the public etc. Please provide details about how you are balancing competing interests where they relate to personal data.
Not in relation to data. Some respondents to the consultation were against extending stirring up of hatred offences to all specified characteristics on the grounds that this would affect their rights to freedom of expression. However, the Bill is compatible with the ECHR.
9 Will any of the provisions affect/engage ECHR rights in addition to Article 8 e.g.:
Article 6 right to a fair trial (and rights of the accused)
Article 10 right to freedom of expression
Article 14 rights prohibiting discrimination
Or any other convention or treaty rights?
The Bill engages rights in relation to Articles 9 (freedom to religion) and 10 (freedom of expression) of the ECHR. It is considered that potential interferences with these rights in particular cases are necessary in the interests of protection of public order and for the protection of the rights and freedoms of others. Given the harms caused by prejudice based offending, it is proportionate for there to be a limited interference with Article 9 rights where that is to protect public order, however the Bill is framed to ensure only sufficiently serious conduct is caught. It is considered that the provisions of the Bill are compatible with the ECHR.
10 Are there legacy provisions in other legislation that need to be addressed/repealed etc. in your current proposal?
(This might include, for example, the creation of statutory regulations (which would need enabling powers in Bills; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).
The Bill will repeal: section 96 of the Crime and Disorder Act 1998; section 74 of the Criminal Justice (Scotland) Act 2003, the Offences (Aggravation by Prejudice) (Scotland) Act 2009, and sections 18 to 21 of the Public Order Act 1986.
11 Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
No.

Contact

Email: Connected.Communities@gov.scot