4. Data Protection Impact Assessment
4.1 This assessment considers the data protection implications of undertaking the consultation.
4.2 The consultation asks 25 policy questions, with a mixture of closed and open questions. There is no text limit for the free text responses.
4.3 The Scottish Government will commission an external researcher to undertake independent analysis of the consultation responses. A report of this analysis will be published and used to inform the next stages of policy development.
4.4 The consultation commenced on 18 April 2023 and runs for 12 weeks until 11 July 2023.
4.5 The consultation is being hosted on Citizen Space, the Scottish Government's digital platform for consultations. This enables people to submit their responses securely online. Citizen Space is managed by the Scottish Government's Digital Engagement Team. Consultations are also published on the Scottish Government website, enabling people to email or post a response too.
4.6 Measures are in place to ensure that data is collected, stored or transferred to and from the external researcher using secure technologies.
4.7 Where responses are not received via Citizen Space, these will be transferred directly to the researcher using secure means.
4.8 The consultation is overseen by the Scottish Government policy lead, who is supported by: a Delegated Purchasing Officer to oversee the procurement of a researcher, an Assessment Panel to evaluate bids from researchers to analyse the consultation responses and a Contract Manager to manage the consultation analysis.
4.9 In addition, the Data Protection and Information Assets Team will provide expertise, as required, to ensure sufficient data protection measures are established and carried out.
4.10 The Data Controller is the Scottish Government and the Data Processor is the researcher contracted to undertake the consultation analysis.
4.11 The researcher is responsible for analysing the consultation responses and preparing a consultation report by 28 August 2023, which will be published on the Scottish Government's website later in 2023.
4.12 When the researcher is given access to the dataset of responses, they will have access to the full respondent information provided by each respondent – e.g. name, contact details – as well as to their response.
4.13 The researcher must ensure their methods do not contravene Data Protection law. Data Protection law means any law, statute, subordinate legislation, regulation, order, mandatory guidance or code of practice, judgement of a relevant court of law, or directives/requirements of any regulatory body, which relates to the protection of individuals with regard to the processing of personal data. This includes the Data Protection Act 2018, as well as the European Parliament General Data Protection Regulation (GDPR) (EU) 2016/679 and repealing Directive 95/46/EC.
4.14 All staff involved in processing data will be aware of procedures for data security and privacy, to comply with UK GDPR. All project staff will know how to recognise a personal data breach and how to report suspected breaches in line with UK GDPR requirements. All third parties are asked to sign appropriate agreements to ensure that they comply with data protection legislation and information security.
Publication of responses
4.15 The Scottish Government is responsible for ensuring that responses are published in accordance with respondents' expressed publication preferences.
4.16 Individual respondents' names will be published with their responses only if they have given explicit permission for this. Where an individual respondent selects 'publish response only', we will redact their name and any other potentially identifiable information from their response. Any direct quotations from responses included in the report will not be attributed to identifiable individuals, regardless of their expressed publication preference. There will be no quotations from responses where permission to publish has not been given.
4.17 Organisation respondents that select the option 'publish response only (without name)' will still have the organisation name published, but the name of the specific person submitting the response will not be published. Organisations that give permission for their response to be published could be mentioned by name in the final report, though it is also possible that, rather than being explicitly named, they might be referred to as 'an organisation from the private/public/third sector' etc.
4.18 The Scottish Government will provide quality assurance to ensure personal information is not identifiable. We will also review whether anything else needs to be redacted from responses if it risks revealing a respondent's identity.
4.19 Risk management, data protection, and research ethics are key considerations in planning and procuring consultation analysis. This includes ensuring the disclosure of personal data or the possibility of an individual being identified in data outputs is avoided. Measures will be continually reviewed to ensure that personal data is handled in accordance with data protection legislation. An ethical checklist will be completed and signed off prior to data analysis to ensure it is conducted to high standards.
Data archiving and purging
4.20 At the end of the contract, the researcher will transfer clean datasets to the Data Controller (Scottish Government). The datasets will be held on a secure, password protected server in the Scottish Government, in a sub-folder which is restricted to a limited number of staff working on the consultation. It is expected that the data will only be held for as long as the data is required after the contract is completed. After 12 months, a review will take place to determine whether the data needs to be retained or destroyed. If it is decided that there is no rationale to justify continuing to hold the data, then it will be destroyed. If it is decided that there is justification to continue to hold the data then it can be held until a further review 12 months later.