The Police Act 1997 remedial order 2018: privacy impact assessment
Privacy Impact Assessment for the Police Act 1997 and Protection of Vulnerable Groups (Scotland) Act 2007 Remedial Order 2018
Annex B - Data Protection Act 1998 Compliance Check
1. What type of personal data is going to be processed?
Names, addresses, NI Numbers and conviction information.
2. Which of the grounds in schedule 2 of the DPA will provide a
legitimate basis for the processing?
We consider that Schedule 2 Condition 5 (d) is appropriate.
Schedule 2 Condition 5 (d) states that "The processing is
necessary for the functions of a public nature exercised in the
public interest by any person."
3. If sensitive personal data is going to be processed,
which of the grounds in schedule 3 (in addition to the schedule 2
grounds) will provide a legitimate basis for that
processing?
Sensitive personal data is personal data consisting of
information as to (a) the racial or ethnic origin of the data
subject, (b) their political opinions, (c) their religious beliefs,
(d) whether they are a member of a Trade Union, (e) their physical
or mental health, (f) their sexual life, (g) the commission or
alleged commission by them of any offence and (h) any proceedings
for any offence committed or alleged to have been committed by
them.
In accordance with the Act, information to be received, stored,
and processed will be classified as "sensitive personal data".
To meet the second requirement we consider that Schedule 3
Condition 1 is appropriate. It states that "The data subject has
given his explicit consent to the processing of the personal
data."
In completing the application form the applicant will have signed to declare that they understand "… Disclosure Scotland may pass the information it holds about me to other Government departments or organisations, the police and other law enforcement agencies for the purposes of the prevention and detection of crime, of the apprehension and prosecution of offenders and for other related purposes..." and this declaration is the consent provided by the data subject.
Condition 7(c) will also apply: "the exercise of any function of the Crown, Minister of the Crown or government department."
4. Are there any special considerations relating to Article
8 of the Human Rights Act that will not be covered by the
PIA?
This Article provides that everyone has the right to respect
for his private and family life, his home and his
correspondence.
There are no special considerations not covered by this PIA.
5. Will any of the personal data be processed under a duty
of confidentiality? If yes, how is that confidentiality being
maintained?
No
6. How are individuals being made aware of how their
personal data will be used?
Individuals are informed on the "declaration" section of the
application. There is extensive information and guidance on
Disclosure Scotland's website. Information on the appeals process
will be provided to the applicant, as is already the case.
7. Does the project involve the use of existing personal
data for new purposes?
No
8. What procedures will be in place for checking that the
data collection procedures are adequate, relevant and not excessive
in relation to the purpose for which the data will be
processed?
The process for collecting data is stated above in the
section headed "How is information passed to Disclosure
Scotland?"
9. How will the personal data be checked for
accuracy?
Validation checks are in place as stated in the section on
"How is information passed to Disclosure Scotland?"
10. Has the personal data been evaluated to determine
whether its processing could cause damage or distress to data
subjects?
Yes – It has been determined that as the applicant has
requested the disclosure certificate, they are aware of what
information may be processed and shared with CSGs, therefore it is
unlikely to cause damage or distress. The decision to appeal is
made by the individual and they will be fully informed of its
implications.
11. Will there be set retention periods in place in
relation to the storage of the personal data?
Disclosure Scotland hold this information indefinitely. The PVG
Scheme is one of continuous monitoring. Disclosure Scotland are in
the process of reviewing their retention periods.
12. What technical and organisational security measures
will be in place to prevent any unauthorised or unlawful processing
of the personal data?
The section "How is information passed to Disclosure
Scotland?" details the technical and organisational security
arrangements for the security of the information.
13. Will you be transferring personal data to a country outside
of the European Economic Area? If so where, and what arrangements
will be in place to ensure that there are adequate safeguards over
the data?
No.