The Police Act 1997 remedial order 2018: privacy impact assessment

Annex B - Data Protection Act 1998 Compliance Check

1. What type of personal data is going to be processed?

Names, addresses, NI Numbers and conviction information.

2. Which of the grounds in schedule 2 of the DPA will provide a legitimate basis for the processing?
We consider that Schedule 2 Condition 5 (d) is appropriate. Schedule 2 Condition 5 (d), states that "The processing is necessary for the functions of a public nature exercised in the public interest by any person"

3. If sensitive personal data is going to be processed, which of the grounds in schedule 3 (in addition to the schedule 2 grounds) will provide a legitimate basis for that processing?
Sensitive personal data is personal data consisting of information as to (a) the racial or ethnic origin of the data subject, (b) their political opinions, (c) their religious beliefs, (d) whether they are a member of a Trade Union, (e) their physical or mental health, (f) their sexual life, (g) the commission or alleged commission by them of any offence and (h) any proceedings for any offence committed or alleged to have been committed by them.

In accordance with the Act, information to be received, stored, and processed will be classified as "sensitive personal data".
To meet the second requirement we consider that Schedule 3 Condition 1 is appropriate. It states that "The data subject has given his explicit consent to the processing of the personal data."

In completing the application form the applicant will have signed to declare that they understand "… Disclosure Scotland may pass the information it holds about me to other Government departments or organisations, the police and other law enforcement agencies for the purposes of the prevention and detection of crime, of the apprehension and prosecution of offenders and for other related purposes..." and this declaration is the consent provided by the data subject.

Condition 7(c) will also apply, -"the exercise of any function of the Crown, Minister of the Crown or government department."

4. Are there any special considerations relating to Article 8 of the Human Rights Act that will not be covered by the PIA?
This Article provides that everyone has the right to respect for his private and family life, his home and his correspondence.

There are no special considerations not covered by this PIA

5. Will any of the personal data be processed under a duty of confidentiality? If yes, how is that confidentiality being maintained?
No

6. How are individuals being made aware of how their personal data will be used?
Individuals are informed on the "declaration" section of the application. There is extensive information and guidance on Disclosure Scotland's website. Information on the appeals process will be provided to the applicant, as is already the case.

7. Does the project involve the use of existing personal data for new purposes?
No

8. What procedures will be in place for checking that the data collection procedures are adequate, relevant and not excessive in relation to the purpose for which the data will be processed?
The process for collecting data is stated above in the section headed "How is information passed to Disclosure Scotland?"

9. How will the personal data be checked for accuracy?
Validation checks are in place as stated in the section on "How is information passed to Disclosure Scotland?

10. Has the personal data been evaluated to determine whether its processing could cause damage or distress to data subjects?
Yes – It has been determined that as the applicant has requested the disclosure certificate, they are aware of what information may be processed and shared with CSGs, therefore it is unlikely to cause damage or distress. The decision to appeal is made by the individual and they will be fully informed of its implications.

11. Will there be set retention periods in place in relation to the storage of the personal data?
Disclosure Scotland hold this information indefinitely. The PVG Scheme is one of continuous monitoring. Disclosure Scotland are in the process of reviewing their retention periods.

12. What technical and organisational security measures will be in place to prevent any unauthorised or unlawful processing of the personal data?
The section "How is information passed to Disclosure Scotland?" details the technical and organisational security arrangements for the security of the information.

13. Will you be transferring personal data to a country outside of the European Economic Area? If so where, and what arrangements will be in place to ensure that there are adequate safeguards over the data?
No.