Publication - Impact assessment

Register of Persons Holding a Controlled Interest in Land: DPIA

Published: 17 Dec 2020

Data Protection Impact Assessment (DPIA) which evaluates the impacts of the Land Reform (Scotland) Act 2016 (Register of Persons Holding a Controlled Interest in Land) (Scotland) Regulations 2021 in terms of data and privacy.

21 page PDF

268.9 kB

21 page PDF

268.9 kB

Contents
Register of Persons Holding a Controlled Interest in Land: DPIA
Data Protection Impact Assessment for Legislation

21 page PDF

268.9 kB

Data Protection Impact Assessment for Legislation

This form is for Bill teams that are developing a legislative proposal or statutory guidance that will involve (explicitly or inherently) impacts on personal data.

The form works in conjunction with the Article 36(4) ICO consultation form, in the event your draft legislation meets the requirements for consultation with the ICO.

Your proposal may engage with Article 8 rights to privacy – this could come about in a variety of ways, for example, establishing a new organisation which will require information to be collected or shared, it may involve data sharing provisions explicitly, it may include requirements for an individual or organisation to be present in certain circumstances (e.g. for children or vulnerable people being interviewed) or it may involve powers to deliver services which will inherently require the processing of personal data in order to deliver those services. In such instances, an assessment of proposed provisions and the impact on data subjects must be undertaken.

Please note that the below questions seek to articulate how your proposals will meet the requirements of Article 35 of GDPR, Article 32 GDPR and other elements of both GDPR and Data Protection Act 2018, and seeks to assess the impact to individuals' personal data.

Article 35(1)

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out and assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Article 35(7)

The assessment shall contain at least:

a) systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned.

Article 32 (Security of processing)

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Title of proposal:

Register of Persons Holding a Controlled Interest in Land) (Scotland) regulations 2021.

Your department:

Land Reform Policy and Legislation team.

Contact email:

robin.cornwall@gov.scot

Data protection support email

Data protection officer

dpa@gov.scot

dataprotectionofficer@gov.scot

Is your proposal primary legislation, secondary legislation or a statutory measure?

Secondary legislation – Scottish Statutory Instrument.

Name of primary legislation your measure is based on (if applicable)

Section 39 of the Land Reform (Scotland) Act 2016.

What stage is your legislation or statutory measure at and what are your timelines?

A copy of the proposed draft regulations were laid before Parliament on 20 June 2018, in accordance with the consultation requirements set out in sections 40 and 41 of the Land Reform (Scotland) Act 2016. In accordance with section 40(b)(i) of that Act, the proposed draft regulations were laid before Parliament alongside a revised proposed explanatory document for a second time on 23 January 2020 – incorporating amendments made as a result of representations received during consultation. The final step in the process will be for the draft regulations to be laid before Parliament for scrutiny under the enhanced affirmative procedure in December 2020.

Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?

Yes - stored internally on electronic records and document management system.

If the ICO has provided feedback, please include this.

Yes - stored internally on electronic records and document management system.

Have you held a public consultation yet?

Yes. A formal consultation (Improving transparency in land ownership in Scotland: a consultation on controlling interest in land) was carried out between 11 Sep – 5 Dec 2016.

A further formal consultation (Delivering Improved transparency in land ownership in Scotland: a consultation on draft regulations) was carried out between 20 June – 5 Nov 2018.

Were there any comments/feedback from the public consultation about privacy, information or data protection?

Some about collecting the month and year of birth and personal address. Some respondents suggest this may be in breach of GDPR.


Contact

Email: LandReform@gov.scot