Annex B - Data Protection Act 1998 Compliance Check
1. What type of personal data is going to be processed?
Names, addresses, NI Numbers and conviction information.
2. Which of the grounds in schedule 2 of the
DPA will provide a
legitimate basis for the processing?
We consider that Schedule 2 Condition 5 (d) is appropriate. Schedule 2 Condition 5 (d), states that "The processing is necessary for the functions of a public nature exercised in the public interest by any person"
3. If sensitive personal data is going to be processed,
which of the grounds in schedule 3 (in addition to the schedule 2
grounds) will provide a legitimate basis for that
Sensitive personal data is personal data consisting of information as to (a) the racial or ethnic origin of the data subject, (b) their political opinions, (c) their religious beliefs, (d) whether they are a member of a Trade Union, (e) their physical or mental health, (f) their sexual life, (g) the commission or alleged commission by them of any offence and (h) any proceedings for any offence committed or alleged to have been committed by them.
In accordance with the Act, information to be received, stored,
and processed will be classified as "sensitive personal data".
To meet the second requirement we consider that Schedule 3 Condition 1 is appropriate. It states that "The data subject has given his explicit consent to the processing of the personal data."
In completing the application form the applicant will have signed to declare that they understand "… Disclosure Scotland may pass the information it holds about me to other Government departments or organisations, the police and other law enforcement agencies for the purposes of the prevention and detection of crime, of the apprehension and prosecution of offenders and for other related purposes..." and this declaration is the consent provided by the data subject.
Condition 7(c) will also apply, -"the exercise of any function of the Crown, Minister of the Crown or government department."
4. Are there any special considerations relating to Article
8 of the Human Rights Act that will not be covered by the
This Article provides that everyone has the right to respect for his private and family life, his home and his correspondence.
There are no special considerations not covered by this PIA
5. Will any of the personal data be processed under a duty
of confidentiality? If yes, how is that confidentiality being
6. How are individuals being made aware of how their
personal data will be used?
Individuals are informed on the "declaration" section of the application. There is extensive information and guidance on Disclosure Scotland's website. Information on the appeals process will be provided to the applicant, as is already the case.
7. Does the project involve the use of existing personal
data for new purposes?
8. What procedures will be in place for checking that the
data collection procedures are adequate, relevant and not excessive
in relation to the purpose for which the data will be
The process for collecting data is stated above in the section headed "How is information passed to Disclosure Scotland?"
9. How will the personal data be checked for
Validation checks are in place as stated in the section on "How is information passed to Disclosure Scotland?
10. Has the personal data been evaluated to determine
whether its processing could cause damage or distress to data
Yes – It has been determined that as the applicant has requested the disclosure certificate, they are aware of what information may be processed and shared with CSGs, therefore it is unlikely to cause damage or distress. The decision to appeal is made by the individual and they will be fully informed of its implications.
11. Will there be set retention periods in place in
relation to the storage of the personal data?
Disclosure Scotland hold this information indefinitely. The PVG Scheme is one of continuous monitoring. Disclosure Scotland are in the process of reviewing their retention periods.
12. What technical and organisational security measures
will be in place to prevent any unauthorised or unlawful processing
of the personal data?
The section "How is information passed to Disclosure Scotland?" details the technical and organisational security arrangements for the security of the information.
Will you be transferring personal data to a country outside
of the European Economic Area? If so where, and what arrangements
will be in place to ensure that there are adequate safeguards over