Register of Persons Holding a Controlled Interest in Land: DPIA

Explanatory note re risks

The data protection impact assessment for legislation is an iterative process. There are many ways that risks to privacy and/or data protection can arise in legislative proposals and also many options for addressing those risks through legislation. As with most responses to risks, these will vary in their implications and potential impacts (e.g. cost implications, creation of other risks, consequence scanning etc.).

Some of the risks you will need to consider as work develops on Bill proposals, ancillary documents, analysis of consultations, ICO feedback and other Bill development may include (but will not be limited to):

• There is insufficient justification for interference with Article 8 ECHR rights;
• Appropriate safeguards have not been included/incorporated into provisions;
• Appropriate safeguards have not been included/incorporated into provisions regarding impact to/on children;
• The legal basis for processing is not specified or not specific enough;
• The legal basis for processing is insufficiently expressed for the purposes of Article 9 GDPR or Schedule 1 Data Protection Act 2018 (processing of special category personal data);
• Data controllers are not specified (they are not required to be but, where appropriate, they should be specified);
• Legal gateways for data sharing are not included;
• Legal gateways for data sharing are not specific enough or are too specific (for example, a named organisation is specified which consequently changes it name/structure and there is no generalised provision to allow for continued data sharing, or the provisions are drawn so specifically that an area of data sharing is excluded even though, once implemented, that information is needed etc.);
• Provisions interfere with other ECHR rights (there will be an overlap between data protection (Article 8) and some of the other ECHR rights);
• Unintended consequences of the proposals lead to undesirable outcomes (including non-compliance) e.g. surveillance, impinging other rights, collection of more personal data than originally intended, invasive monitoring of citizens without appropriate safeguards, creation of 'big data' sets that allow for identification of individuals and discovery of unintended personal data;
• Data protection principles aren't incorporated into the legislation itself and/or
• The implementation of the legislation (i.e once the Bill is enacted) is problematic because insufficient provision was included in the legislation (e.g. through express or implied powers, legal gateways, flexibility with regards to manner of implementation/powers to implement etc.);
• Controversial measures;
• Other legislation is not repealed or amended which contains provisions that make new proposed provisions unclear or uncertain;
• Statistics or other exemptions aren't incorporated/become unclear through the new legislation;
• Failing to identify all of the personal data that will be created, that will need to be shared, the organisations it will need to be shared with, or failing to include sufficiently wide provisions to allow for necessary use, sharing or access to the personal data (or other future proofing issues).