Wild Animals in Travelling Circuses (Scotland) Bill: privacy impact assessment

Privacy Impact Assessment ( PIA)

1. Introduction

The purpose of this document is to report on and assess against any potential Privacy Impacts as a result of the implementation/use of - name of project/Bill/initiative

2. Document metadata

2.1 Name of Project: The Wild Animals in Travelling Circuses Bill.

2.2 Date of report: 06/12/16.

2.3 Author of report: Grant Campbell, Animal Health and Welfare Division.

2.4 Information Asset Owner ( IAO) of relevant business unit: Sheila Voas, Chief Veterinary Officer, Scotland.

2.5 Date for review of Privacy Impact Assessment ( PIA) - Review of the PIA and related privacy issues will be on-going.

3. Description of the project

3.1 Detailed description of the project work you are about to undertake. Include information on ownership and governance, the benefits of the project, and the planning and reporting mechanisms, with particular attention to risk management and reporting.

The Bill as proposed will ban the use of wild animals in travelling circuses. It does not ban the ownership of such animals, only the use. In terms of territorial extent, the Bill will apply to Scotland only. The Bill is being introduced on ethical grounds and has overwhelming public support as evidenced by the 2014 consultation. The meaning of "wild animal" is intended to mean an animal not commonly domesticated in Great Britain and "use" would mean the performance or exhibition of the animal as part of a travelling circus.

The Bill is strictly limited in its scope insofar as it will only ban the use (performance and exhibition) of wild animals in travelling circuses. Its real benefit will be measured in terms of the ethical contribution to advancing the welfare of wild animals and driving attitudinal change in the wider public.

3.2 Describe the personal data to be processed.

No personal data will be routinely gathered or recorded. Personal data would only ever be gathered by the authorities (appointed inspectors or police) for enforcement purposes. Given that there are currently no travelling circuses in Scotland that use wild animals, and nor is there likely to be in the future enforcement action now or in the future is extremely unlikely.

Furthermore, if the proposals in the Bill come into effect, given the need to register with the local authority under the 1925 Performing Animals Act and the inherent public display involved, it would be extremely difficult for any operator of a travelling circus to use wild animals without it coming to the attention of local authority inspectors. We do not therefore anticipate any operator risking prosecution by contravening the ban.

Clearly, the information gathered by appointed inspectors or the police would very much depend on the nature of the offence committed or suspected of being committed. It is not appropriate to speculate what evidence may or may not need to be gathered for criminal investigation purposes, the circumstances would dictate that. The information sharing pathways and safeguards between the key enforcement agencies, namely Police Scotland, appointed Animal Welfare Inspectors and the Crown Office and Procurator Fiscal Service are robust and long established. The proposed enforcement provisions in the Bill, including those on information gathering, are intended to mirror provisions currently in force under the Animal Health and Welfare (Scotland) Act 2006.

3.3 Describe how this data will be processed:

How will it be gathered?

The Bill does not set out how appointed inspectors or the police should gather evidence as part of criminal investigations. Well established protocols and procedures already exist.

Who will have access?

Access to information gathered as evidence (if that need ever arises) will be restricted to appointed inspectors, police and when necessary the Procurator Fiscal.

How will it be transmitted?

It is not intended that information be transmitted beyond established systems utilised by enforcement / prosecution agencies.

How will it be stored, and disposed of when no longer needed?

As has already been stated, the Bill does not require any routine gathering or storage of information. The storage of evidence gathered as part of investigating a contravention of the ban is a matter for the enforcement and prosecution agencies. There are already well established protocols in place covering data storage and disposal and accordingly these matters are not addressed by the Bill.

Given that any agencies that may be involved in gathering evidence will regularly be handling much more sensitive information, we are confident that existing systems will be more than adequate for the requirements of this Bill.

Who will own and manage the data?

The data will be owned and managed by the relevant authorities as part of enforcement of the prohibition. It is expected that, depending on the individual circumstances of an investigation or prosecution, the data will be owned and managed by Animal Welfare Inspectors, Police Scotland and/or the Crown Office and Procurator Fiscal Service in the same way as data is currently owned and managed under the Animal Health and Welfare (Scotland) Act 2006.

How will the data be checked for accuracy and kept up to date?

Not applicable. No routine data to be gathered.

3.4 If this data is to be shared with internal or external partners, explain the legal basis for the sharing.

The legal basis for the sharing of this information will be contained within the Bill. Any data shared would only be processed by relevant authorities as part of enforcement of the prohibition.

Any data gathered under this Bill will be utilised solely to determine whether the ban on the use of wild animals has been contravened. There will be no sharing of date beyond appropriate enforcement / prosecution bodies.

4. Stakeholder analysis and consultation

4.1 List all the groups involved in the project, and state their interest.

The Scottish Government conducted a 12 week public consultation on the use of wild animals in travelling circuses in Scotland from January 2014 and April 2014. The purpose of this consultation was to determine whether there was public support for a ban on the use of wild animals in travelling circuses on ethical grounds. The report on the consultation findings was published in May 2015: http://www.gov.scot/Publications/2015/06/1512

4.2 Detail the method used to consult with these groups when making the PIA.

Not relevant, as there is no proposal under the Bill to routinely gather personal or corporate information.

4.3 Discuss the means used to communicate the outcomes of the PIA with the stakeholder groups.

If deemed necessary, a copy will be emailed to key stakeholders when completed, and the document will be filed on eRDM.

5. Questions to identify privacy issues

5.1 Involvement of multiple organisations

• Will the initiative involve multiple organisations, whether they are public service partners, voluntary sector organisations or private sector companies?

Enforcement bodies only, and only in the very unlikely event that criminal evidence needs to be gathered.

5.2 Anonymity and pseudonymity

• If the project requires the matching of data sources together, would it become possible to identify an individual?

No such requirement under the Bill. Data may be brought together as part of a criminal investigation to identify an individual suspected of contravening the ban on the use of wild animals, or, for example, with the express purpose of confirming the identity of an animal.

5.3 Technology

• Will there be new or additional information technologies that have substantial potential for privacy intrusion?

No.

5.4 Identification methods

• Will there be the creation of new identifiers or re-using of existing identifiers?

No.

• Will there be new or substantially changed identity authentication requirements that may be intrusive or onerous?

No.

• What type of unique identifiers will be used in the project? These might have the effect of enabling identification of persons who were previously anonymous.

None.

5.5 Personal data

• Will there be new or significant changes to the handling of types of personal data that may be of particular concern to individuals? This could include information about racial and ethnic origin, political opinions, health, sexual life, offences and court proceedings, finances and information that could enable identity theft.

No.

• Will the personal details about each individual in an existing database be subject to new or changed handling?

No.

• Will there be new or significant changes to the handling of personal data about a large number of individuals?

No.

• Will there be new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?

No.

• Will the project involve the linkage of personal data with data in other collections, or any significant change to existing data links or holdings?

No.

5.6 Changes to data handling procedures

• Will there be new or changed data collection policies or practices that may be unclear or intrusive?

No.

• Will there be changes to data quality assurance or processes and standards that may be unclear or unsatisfactory?

No.

• Will there be new or changed data security access or disclosure arrangements that may be unclear or extensive?

No.

• Will there be new or changed data retention arrangements that may be unclear or extensive?

No.

• Will there be changes to the medium of disclosure for publicly available information in such a way that the data becomes more readily accessible than before?

No.

5.7 Statutory exemptions/protection

• Will the data processing be exempt in any way from the Data Protection Act or other legislative privacy protections? This might apply in areas such as law enforcement or public security.

The Data Protection Act 1998 ( DPA) contains an exemption, so that in certain circumstances it is not necessary to comply with all data protection principles, where personal data is processed for the prevention or detection of crime or prosecutions of offenders. It is expected that, under the provisions of the Bill, personal data would only be gathered for enforcement purposes. Data gathered as evidence in a criminal investigation would therefore likely fall within the exemption in the DPA.

• Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?

No.

5.8 Justification

• Does the project's justification include significant contributions to public security measures?

No.

Is there to be public consultation?

A public consultation on the use of wild animals in travelling circuses in Scotland was issued on 22 January 2014, ran for 12 weeks, and closed on 16 April 2014.

http://www.gov.scot/Resource/0044/00442211.pdf

http://www.gov.scot/Publications/2015/06/1512

• Is the justification for the new data handling unclear or unpublished?

No new data handling proposed.

5.9 Other risks

• Are there any risks to privacy not covered by the above questions?

No.

6. The Data Protection Act Principles

Principle 1

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

a) at least one of the conditions in Schedule 2 is met, and

b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

6.1.1 Have you identified the purpose of the project?

Yes. The Bill bans the use of wild animals in travelling circuses.

6.1.2 How will individuals be told about the use of their personal data?

They would be notified as part of the criminal investigation.

6.1.3 Do you need to amend your privacy notices?

No.

6.1.4 Have you established which conditions for processing apply?

Not relevant.

6.1.5 If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?

Not applicable.

6.1.6 If your organisation is subject to the Human Rights Act, you also need to consider:

• Will your actions interfere with the right to privacy under Article 8?
• Have you identified the social need and aims of the project?
• Are your actions a proportionate response to the social need?

We are content that there are no implications under the Human Rights Act.

Principle 2

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

6.2.1 Does your project plan cover all of the purposes for processing personal data?

Not applicable.

6.2.3 Have potential new purposes been identified as the scope of the project expands?

Not applicable.

Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

6.3.1 Is the information you are using of good enough quality for the purposes it is used for?

Not applicable.

6.3.2 Which personal data could you not use, without compromising the needs of the project?

Not applicable.

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

6.4.1 If you are procuring new software does it allow you to amend data when necessary?

No.

6.4.2 How are you ensuring that personal data obtained from individuals or other organisations is accurate?

Investigating authorities will determine if the personal data obtained as part of any investigation is accurate.

Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.

6.5.1 What retention periods are suitable for the personal data you will be processing?

The Bill does not require the processing of personal data.

6.5.2 Are you procuring software which will allow you to delete information in line with your retention periods?

No.

Principle 6

Personal data shall be processed in accordance with the rights of data subjects under this Act.

6.6.1 Will the systems you are putting in place allow you to respond to subject access requests more easily?

Not applicable.

6.6.2 If the project involves marketing, do you have a procedure for individuals to opt out of their information being used for that purpose?

Not applicable.

Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

6.7.1 Do any new systems provide protection against the security risks you have identified?

Not applicable.

6.7.2 What training and instructions are necessary to ensure that staff know how to operate a new system securely?

Not applicable.

Principle 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country of territory ensures and adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6.8.1 Will the project require you to transfer data outside of the EEA?

Not applicable.

6.8.2 If you will be making transfers, how will you ensure that the data is adequately protected?

Not applicable.

7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk	Ref	Solution or mitigation	Result
Data may be released inappropriately.	1.	Data will only be processed as part of a secure enforcement process.	Eliminate.
Data may be stolen.	2	Enforcement partners will have robust and secure data management processes in place.	Eliminate.
Data may be lost due to systems failure.	3.	Enforcement agencies will have strict contingency measures given that the same channels will be handling more sensitive information.	Reduce.

8. Incorporating Privacy Risks into planning

Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.

Risk	Ref	How risk will be incorporated into planning	Owner
Data may be released inappropriately.	1	Matter for enforcement partners - systems already in place.	Enforcement partner.
Data may be stolen.	2	Matter for enforcement partners - systems already in place.	Enforcement partner.
Data may be lost due to systems failure.	3	Matter for enforcement partners - systems already in place.	Enforcement partner.

9. Authorisation and publication

The PIA report should be signed by your Information Asset Owner ( IAO). The IAO will be the Deputy Director or Head of Division.

Before signing the PIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust, has addressed all the relevant issues and that appropriate actions have been taken.

By signing the PIA report, the IAO is confirming that the impact of applying the policy has been sufficiently assessed against the individuals' right to privacy.

The results of the impact assessment must be published in the eRDM with the phrase "Privacy Impact Assessment ( PIA) report" and the name of the project or initiative in the title.

Details of any relevant information asset must be added to the Information Asset Register, with a note that a PIA has been conducted.

I confirm that the impact of The Wild Animals in Travelling Circuses Bill has been sufficiently assessed against the needs of the privacy duty:

Name and job title of a Deputy Director or equivalent Sheila Voas Chief Veterinary Officer (Scotland) Animal Health and Welfare Division

Date each version authorised 14.12.2016