Regulation of Legal Services (Scotland) Bill: data protection impact assessment

Data protection impact assessment (DPIA) for the Regulation of Legal Services (Scotland) Bill.

Data Protection Impact Assessment: Regulation of Legal Services (Scotland) Bill

This Bill delivers the Programme for Government commitment:

"The Bill will provide for a modern regulatory framework designed to promote competition and innovation while also improving the transparency and accountability of legal services regulation and the legal complaints system in Scotland."

Firstly, the Bill will implement a modern, forward-looking model for legal services regulation which will build on the existing regulatory framework. This will provide for a proportionate approach that seeks to balance and deliver the key priorities of all stakeholders. The existing regulators will retain their regulatory functions with a greater statutory requirement to incorporate independence, transparency and accountability within their regulatory approaches.

Secondly, the Bill will reform legal services regulation in key areas:

  • Introducing greater protections to consumers through regulation of legal businesses, to run in parallel with the current regime of regulating individual legal professionals.
  • Bringing in controls over the use of the title 'lawyer', protecting the professional title for the use of regulated individuals.
  • Reducing restrictions in respect of alternative business structures to encourage competition and innovation in the legal sector and place Scottish legal firms on an equal footing with counterparts within the UK and other jurisdictions.
  • Changing the way complaints about legal services are handled which will benefit both consumers and legal practitioners alike.

These measures are intended to modernise the existing regulatory framework and provide a proportionate approach which supports growth and competitive provision in the legal services sector while improving the consumer journey and consumer choice for legal service users, by placing consumer interests at the heart of regulation. In addition, the Bill will incorporate appropriate safeguards that deliver a balance between the independence of the legal profession and its duty to work in the public interest.

1. Contact and schedule information

1.1 SG department: Justice Directorate

1.2 Contact email: LegalServicesRegulationReform@gov.scot

1.3 Data protection support email: dpa@gov.scot

Data protection officer: dataprotectionofficer@gov.scot

1.4 Is your proposal primary legislation, secondary legislation or other form of statutory measure?:

Primary legislation

1.5 What stage is the legislative process at? Please indicate any relevant timescales and deadlines.:

The Bill was introduced to the Scottish Parliament on 20 April 2023.

This DPIA is designed to analyse, identify and minimise the data protection risks of the Bill.

The DPIA, and other impact assessments, will be reviewed and revised in line with each stage of the passage of the Bill to reflect any amendments as well as stakeholder feedback.

2. Introductory information

Question 2.1

Summary of proposal

Comments:

The Bill makes provision in relation to the regulation of legal services. It has five Parts.

  • Part 1 introduces the objectives of legal services regulation and the professional principles which apply to those who provide and those who regulate legal services provision in Scotland. Part 1 also introduces a two-category regulatory framework which imposes requirements on all legal services regulators and provides for Ministers to review regulatory performance in certain circumstances.
  • Part 2 creates a requirement for legal businesses to be authorised by a category 1 regulator to provide legal services and for category 1 regulators to produce a regulatory scheme for the authorisation and regulation of legal businesses.
  • Part 3 makes provision for how complaints in connection with legal services are to be investigated and determined.
  • Part 4 makes miscellaneous provision including changes to ownership restrictions to alternative business structures, removing practising restrictions on third sector organisations and the creation of offences around the use of professional legal titles.
  • Part 5 makes general provision.

The overarching policy objective of this Bill is to provide a modern, forward-looking regulatory framework for Scotland that will best promote competition, innovation, and the public and consumer interest in an efficient and effective legal sector. The Bill will implement a number of key recommendations from the 'Independent Review of Legal Services Regulation in Scotland' by Esther Roberton (the Roberton report)[1].

Key measures in the Bill include:

  • Implementing a modern, forward-looking model for legal services regulation which will build on the existing regulatory framework. This will provide for a proportionate approach that seeks to balance and deliver the key priorities of all stakeholders. The existing regulators will retain their regulatory functions with a greater statutory requirement to incorporate independence, transparency and accountability within their regulatory approaches.
  • The Bill makes provision for legal services regulators to be assigned as either a category 1 or category 2 regulator and places certain duties on each. The three existing regulators of legal services in Scotland are assigned by the Bill as follows:
    • the Law Society of Scotland ("Law Society") is assigned to category 1,
    • the Faculty of Advocates ("Faculty") is assigned to category 2,
    • the Association of Commercial Attorneys ("ACA") is assigned to category 2.
  • Introducing a modern set of regulatory objectives and professional principles, to incorporate the Better Regulation, Consumer and Human Rights (PANEL) principles. These can be found in the Bill at section 2(1)(b) to (d) (as read with section 3(2) to (4)). The Better Regulation principles aim to ensure that regulation is effective, proportionate, transparent, and based on evidence. The purpose of these principles is to improve regulatory outcomes by reducing unnecessary burdens and costs associated with regulation while maintaining necessary safeguards. The purpose of the Consumer Principles is to protect and advocate for the rights of consumers. These principles aim to ensure that consumers have access to accurate information, are treated fairly and transparently, that they understand their rights and can access effective redress where appropriate, placing consumer interests at the heart of regulation.
  • Allowing Scottish Ministers to investigate and, if necessary, take certain measures in the event of the failure by legal services regulators to regulate in the public interest or meet the regulatory objectives.
  • Allowing for greater flexibility in the ownership of licensed legal services providers (also known as 'alternative business structures') by removing restrictions which currently require such legal businesses to operate for 'fee, gain or reward', and which require a minimum ownership of 51% by regulated professionals. Instead, regulated professionals would require to have at least a 10% stake in the total ownership or control of the entity.
  • Introducing regulation of a legal firm as a whole, to operate in conjunction with the current system of regulating at individual professional level.
  • Allowing for protection of the use of the title 'lawyer', to address concerns that unqualified persons, or persons who have been struck off, can currently use the term to describe themselves when providing legal services to the public.
  • Allowing regulators to grant waivers of targeted rules, in order to facilitate the use of regulatory sandboxes to promote innovation under regulatory scrutiny.
  • Reforming the legal complaints system, by reconstituting the Scottish Legal Complaints Commission as the Scottish Legal Services Commission ("the Commission") and providing it with an expanded independent oversight role of complaint handling by the regulated sector, in addition to a new role in overseeing complaints about unregulated legal services.

Key areas relating to information:

Register of regulated members

The Solicitors (Scotland) Act 1980 ("the 1980 Act") sets out that the Law Society has a duty to keep a roll (register) of all solicitors.[2] The legislation does not state that the roll should be accessible online; rather, it must be available to be accessed physically.

Section 17 of the Bill requires each category 1 and category 2 regulator to establish a register of the legal services providers that it regulates which are authorised to provide legal services (i.e. those who are currently practising).

Freedom of Information

Currently legal services regulators in Scotland are not subject to the provisions of the Freedom of Information (Scotland) Act 2002 ("FOISA").

Part 4 of the Bill makes category 1 regulators subject to the terms of FOISA in relation to the exercise of their regulatory functions. Although personal information is generally exempt from FOI requests, this is highlighted for completeness.

Legal Complaints

The Bill maintains the Commission's role as the single gateway for complaints against legal practitioners in Scotland and expands its role in overseeing how regulators and practitioners deal with complaints. These roles are set out in the Legal Profession and Legal Aid (Scotland) Act 2007 ("the 2007 Act").

After assessing the eligibility of a complaint by way of a number of tests, the SLCC categorises complaints as relating to either inadequate services or poor conduct. Services complaints are then investigated and determined by the SLCC. Conduct complaints are sent to the respective professional organisations for investigation and determination. Data sharing exists between the Commission and the relevant professional organisations[3] for the purposes of investigation and determination.

The data involved includes the personal information of those who have raised a legal complaint, and the details of legal professionals to whom a complaint relates[4]. It may also involve the data of other parties, particularly where a third-party complaint is made. However, the Bill seeks to provide clarity in respect of legal privilege at section 60, and sets out that the investigation of legal complaints may not override legal privilege.

The Bill provides a framework for legal complaint handling, allowing the Commission and regulators more discretion in how complaints are handled.

Provisions in the 2007 Act allow the SLCC to publish reports on individual complaints which have been upheld or a settlement reached[5]. The Bill expands this power to allow reports to be published relating to numerous complaints against a particular practitioner.

Complaints about unregulated legal services providers

Currently redress is available in respect of complaints about regulated legal service providers, i.e. solicitors, advocates, etc. However, a range of unregulated or 'unreserved' legal services are provided by individuals who are not regulated and not subject to professional indemnity or complaints rules.

Section 62 of the Bill introduces provision for complaints to be raised against unregulated legal services providers. The Commission would be able to set up a voluntary register of such unregulated providers, membership of which would have a bearing on the levy a practitioner is due to pay where a complaint is upheld against them. However, the Commission would also be able to pursue complaints about those who did not register.

Publication of discipline matters

Schedule 4 of the 1980 Act sets out that every decision of the Scottish Solicitors Discipline Tribunal ("SSDT") shall be published in full. The SSDT may redact certain information.

Sections 26(7) and 73 of the Bill require the publication of decisions relating to conduct complaints involving professional misconduct, in similar terms to those that apply to the SSDT.

Question 2.2

Description of the personal data involved.

Please also specify if this personal data will be special category data, or relate to criminal convictions or offences

Comments:

The legislation strengthens the ability of some bodies to access and process some personal data. The bodies who will be data controllers already process information of a similar nature and have suitable controls and information sharing agreements already in place. They are each required to comply with General Data Protection Regulation[6] ("GDPR") requirements as operationally independent bodies.

The bodies which will be involved in data processing are the category 1 and 2 regulators. They currently hold, and will continue to hold, personal information in respect of their members and in respect of complaint handling (which may contain personal information relating to their members' clients).

Changes introduced by the Bill will require the regulators to publish information about their members on a publicly-available register. Information will only require to be published about members who are currently practising legal services. Where an individual is a member of a legal services regulator but is not currently practising, they may be included in the register if they so wish. An individual who has been struck off must be removed from the register.

The information on the register, i.e. the name of individuals, their place of business and how long they have been a member of the regulator, is already held by the regulators.

A new power introduced by the Bill will allow the Commission to request from legal services regulators the contact details of legal practitioners, for the purpose of investigating a complaint. This will involve regulators passing to the Commission information they already hold in relation to their members – e.g. phone numbers and/or email addresses. Postal addresses will already be available on the register.

The Bill introduces a requirement on the Faculty as well as new regulators to publish disciplinary decisions relating to allegations of professional misconduct by one of their members. Such information will include the practitioner's name, the facts of the case as established and the decision (e.g. whether the practitioner has been suspended or struck off). The provisions allow for information to be omitted where its publication would damage the interests of persons other than the practitioner, their partner or family.

The Commission currently holds, and will continue to hold, personal information in respect of complaint handling, which may contain personal information relating to legal services providers and their members' clients.

The Commission will also have a new power to establish a register of unregulated legal services providers. The information to be included in such a register, which will be signed up to voluntarily, is to be determined by the Commission.

Question 2.3

Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons?

If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights, or use of social profiling to inform policy making.

Comments:

It is not considered that the processing of personal data will have an impact on decisions made about individuals, groups or categories of persons. Changes to the way information is processed as a result of the Bill will take effect after decisions are made. For example, members of category 1 or 2 regulators will be included on the register after the decision is made as to whether to admit them as a member. Similarly, decisions about conduct complaints will be published after the relevant decision has been made (it will not be a requirement to publish the fact that a complaint investigation is ongoing).

Question 2.4

Necessity, proportionality and justification

What issue/public need is the proposal seeking to address?

What policy objective is the legislation trying to meet?

Were less invasive or more privacy-friendly options considered, and if so why were these options rejected?

Are there any potential unintended consequences with regards to the provisions e.g., would the provisions result in unintended surveillance or profiling?

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments:

One of the Bill's intended aims is to address the public perception that regulation of legal services is not sufficiently transparent or accountable. The policy intention is to modernise legal services regulation in Scotland, improving the experience for consumers and introducing greater competition and innovation into the sector.

The provisions of the Bill which relate to how data is processed are part of the range of measures introduced to increase the transparency and accountability of existing legal services providers and set up a functional regulatory framework for any future regulators which enter the legal sector.

The Bill also focuses on improving the way that complaints about legal services are investigated and determined. The policy intention is to establish a new legislative framework which will allow the Commission to design its own flexible and responsive complaints system. It is intended to create a system which is proportionate in terms of how complaints are processed. Its core functions will be retained and developed. It will have oversight of complaint handling by the regulators, as it does now. It will continue to have a role in monitoring trends in legal complaints. In addition, the Bill seeks to promote collaboration between the Commission and the legal services regulators in respect of improving the complaints system based on trends in complaints. The Bill places a greater duty on consultation between the Commission and regulators in relation to the complaints system. The appeal process for complaints about poor service will be simplified in line with an ombudsman approach, helping to make the system more accessible and affordable. The Bill will also introduce the ability for complaints to be made against those who provide legal services to the public but who are not regulated, providing greater protections to consumers.

It is considered that the provisions already described are the least invasive and most privacy-friendly options which achieve the policy objective. The information involved is largely already collected by the data controllers. The relevant provisions in the Bill bring more information into the public domain, for the purpose of public awareness and protection.

It is not anticipated that there will be unintended consequences as a result of the proposals; this will be kept under review as evidence is provided to Parliament on the Bill. The Bill seeks to provide a balance between the handling of personal information with regard to legal services regulation and legal complaints, and the public interest.

In terms of safeguards, the Bill protects the position of legal professional privilege by ensuring that such information cannot be required by the Commission or the regulators as part of an investigation into a legal services complaint.

Where the Bill makes changes to the publication of data about the outcome of conduct complaints, there are provisions which allow for certain information to be omitted where necessary.

The information to be provided on registers created by the Bill is, in some instances, voluntary. Where it is not voluntary, it is the minimum information necessary to provide appropriate public protection in respect of consumers' ability to check who they are accessing legal services from.

Question 2.5

Will the implementation be accompanied by guidance or by an associated Code of Conduct?

If the latter, what will be the status of the Code of Conduct? (statutory or voluntary?)

Comments:

It is not considered that the proposals necessitate an associated code of conduct to be produced by the Scottish Government, as the data controllers in this instance are the Law Society, the Faculty, the ACA and the Commission.

It is considered these bodies, which operate independently of the Scottish Government, are best placed to create any further guidance if needed, to ensure their staff comply with their obligations under the DPA e.g. principles of necessity and proportionality of the processing operations, storage limitation and the undertaking of regular reviews to ensure compliance with the statutory duties of the data controller.

It would not be appropriate for the Scottish Government to determine how these independent bodies approach their data protection requirements. The Scottish Government will continue to have ongoing engagement with these bodies as operational implementation planning takes place.

3. Data Controllers

3.1 Organisation

The data controllers are:

  • Law Society of Scotland,
  • Faculty of Advocates,
  • Association of Commercial Attorneys,
  • Scottish Legal Services Commission

3.2 Activities

The data controllers already require to hold a wide variety of personal data in relation to regulatory functions and complaints handling. The Bill makes changes as to how some of that data is used.

3.3 Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

Yes – the Commission.

3.4 Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Processing is necessary for compliance with a legal obligation to which the controller is subject;

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

The Bill does not make provision for the processing of special category data and criminal convictions data in respect of the bodies set out in the Bill.

Include condition from Schedule 1 or 2 of the Data Protection Act 2018

Data Protection Act 2018:

Schedule 1

Part 2:

14. Preventing fraud

(1) This condition is met if the processing—

(a) is necessary for the purposes of preventing fraud or a particular kind of fraud, and

(b) consists of—

(i) the disclosure of personal data by a person as a member of an anti-fraud organisation,

(ii) the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or

(iii) the processing of personal data disclosed as described in sub-paragraph (i) or (ii).

(2) In this paragraph, "anti-fraud organisation" has the same meaning as in section 68 of the Serious Crime Act 2007.

Schedule 2

Part 2:

10. Regulatory functions relating to legal services, the health service and children's services

(1) The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

3.5 Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018

N/A

Legal gateway for any sharing of personal data between organisations.

The 2007 Act makes provision for the data controllers to share information, i.e. the Commission must refer complaints about conduct to the relevant regulatory body.

4. Consultation

Question 4.1

Have you consulted with the ICO using the Article 36(4) form?

If the ICO has provided feedback, please include this.

Comments:

The Scottish Government consulted the ICO in respect of the Bill, and that engagement will continue throughout the parliamentary passage of the Bill and in respect of implementation.

Question 4.2

Do you need to hold a public consultation and if so has this taken place? What was the result?

Comments:

A public consultation ran from 1 October 2021 – 24 December 2021.

Analysis Report - Legal services regulation reform: consultation analysis - gov.scot (www.gov.scot)

Responses Published - Legal services regulation reform in Scotland - Scottish Government - Citizen Space (consult.gov.scot)

Question 4.3

Were there any Comments/feedback from the public consultation about privacy, information or data protection?

Comments:

A total of 158 substantive responses were included in the data analysis.

The analysis highlighted that all respondents, regardless of affiliation, shared as a common aspiration, the need for any future model to be transparent, open to public scrutiny and efficient to ensure that justice remains accessible to all.

In respect of the question around the regulatory framework being transparent, and placing an emphasis on publishing a range of information, including decision criteria, complaints data and outcomes of cases (to be able to advise on trends and issues emerging from first tier complaints) - 96% felt this was important.

The main concerns raised were around the need to balance transparency with ensuring that suitable safeguards (and opportunities for redaction) are in place to protect any individuals, and particularly any sensitive information, so as to provide protection for vulnerable persons involved in the system.

5. Further assessment and risk identification

Question 5.1

Will the proposal require the creation of new identifiers, or require the use of existing ones?

Comments:

The provisions will use existing identifiers.

Question 5.2

Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

Comments:

No.

Legal regulators and legal professionals are already under a duty to use encrypted technology or ensure information security, under their confidentiality requirements and GDPR duties.

Question 5.3

Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

Comments:

Section 17 of the Bill provides that each category 1 and category 2 regulator must establish and maintain a register of its members who are authorised to provide legal services (for example, in terms of solicitors this means practising solicitors). The register may also contain the details of a regulator's members who are not currently authorised (e.g. non-practising members). The register is to be accessible to the public, free of charge.

The Bill will also allow the Commission to establish a publicly-available register which can be joined voluntarily by unregulated legal services providers. It will be for the Commission to determine what information is collected and made available on the register.

Question 5.4

Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour).

Comments:

Section 61 relates to the ability of the Commission to request practitioners' details in connection with a complaint. It enables the Commission to obtain a practitioner's contact details from the relevant professional organisation for certain purposes where it considers this necessary in relation to a complaint.

Section 69 amends the 2007 Act. The changes require the Commission to reach agreement with relevant professional organisations on how it will share information with them in relation to its functions relating to services complaints. The changes ensure that the Commission monitors practice by practitioners, and trends in the way in which practitioners deal with matters, in relation to regulatory complaints as well as conduct complaints.

Section 47 sets out how a category 1 regulator is to monitor and investigate the performance of authorised legal businesses. A category 1 regulator must review the performance of each of its authorised legal businesses as it considers appropriate, or when requested to do so by the Lord President.

Question 5.5

Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

Comments:

The provisions are not anticipated to have any negative impacts on a specific group as they apply equally to all groups of persons providing legal services or engaging legal services.

The Bill removes restrictions preventing charities, law centres and citizens' advice bodies from directly employing solicitors to provide certain legal services to some of the most vulnerable citizens.

Specific impacts on e.g. children and those with protected characteristics, e.g. disabled persons, are considered in the associated Children's Rights and Wellbeing Impact Assessment and Equality Impact Assessment for the Bill.

Question 5.6

Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions, e.g. would the provisions result in unintended surveillance or profiling?

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments:

It is not anticipated the provisions will be controversial, intrusive or onerous, or will be of significant public interest as it relates to data processing.

No unintended consequences have been identified in relation to the provisions.

In terms of safeguards, section 60 of the Bill clarifies the position in respect of legal professional privilege, protecting communications between legal professionals and their clients. The Bill amends sections 17, 37 and 48 of the 2007 Act which confer various powers to obtain documents and information. It ensures that these powers do not require the provision of documents or information that are subject to legal professional privilege and would, in legal proceedings, be protected from disclosure. But they do not prevent the powers from being used to obtain a document or information that is subject to any other right of confidentiality.

Question 5.7

Are there consequential changes in other legislation that need to be considered as a result of the proposal, or a need to make further subordinate legislation to achieve the aim?

Comments:

The Bill significantly amends the 1980 Act and the 2007 Act. It also makes changes to the Legal Services (Scotland) Act 2010. Some of these amendments relate to the data processing provisions described above, e.g. the requirement for the Faculty to publish the outcome of professional misconduct complaints investigations.

The Bill also amends the Freedom of Information (Scotland) Act 2002 for the purpose of adding the regulatory committees of category 1 regulators to those bodies which are subject to the requirements of the Act.

Question 5.8

Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

Comments:

It is not considered appropriate for the proposals to necessitate an associated code of conduct to be produced by the Scottish Government.

The data controllers, who operate independently of the Scottish Government, are best placed to create any further guidance if needed, to ensure their staff comply with their data protection obligations, e.g. the principles of necessity and proportionality of the processing operations, storage limitation and the undertaking of regular reviews to ensure compliance with the statutory duties of the data controller.

It would not be appropriate for the Scottish Government to determine how these operationally independent bodies approach their data protection requirements. The Scottish Government will continue to have ongoing engagement with the data controllers as implementation planning takes place.

Question 5.9

Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so, briefly explain the nature of those safeguards.

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments:

The data controllers already have robust policies and procedures in place for the handling of data, and are well versed in the sensitivities and legal requirements for processing any of the personal data engaged by the measures in the Bill. As now, they will continue to ensure they comply with their statutory duties and have appropriate safeguards in place.

Question 5.10

Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making.

Comments:

It is not anticipated that the processing of personal data as a result of the provisions within the Bill would have an impact on decisions made about individuals, groups or categories of persons.

Question 5.11

Will the proposal include automated decision making/profiling of individuals using their personal data?

Comments:

No

Question 5.12

Will the proposal require the transfer of personal data to a 'third country'? (Under UK GDPR this is defined as country outside the UK.)

Comments: No

6. Risk Assessment

6.1.1 Risk to individual rights

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? (This is particularly relevant if special category data is being processed).

Key measures highlighted include:

  • Section 17 Register of regulated legal services providers
  • Section 24 Register of directions
  • Section 59 Services complaints: reports
  • Section 65 Unregulated providers of legal services: voluntary register, annual contributions and complaints contributions
  • Section 73 Faculty of Advocates: complaint of professional misconduct and publication of decision / Section 26(7) Regulatory scheme (publication of a decision relating to a conduct complaint suggesting professional misconduct)

Solution or mitigation:

It is not anticipated that the provisions in the Bill will result in any risk to individual rights.

Where the Bill makes mandatory provisions about the creation of a register, the Bill requires the minimum information necessary to balance against the aim of introducing greater consumer protections.

The unregulated complaints register is voluntary, and those who raise complaints must agree to share the relevant information for a complaint to be investigated.

In respect of the register of directions, the Bill at section 24 sets out that a regulator must redact information in a document mentioned in subsection (2) if satisfied that its disclosure would or would be likely to breach the data protection legislation.

The publication of conduct findings will allow the regulators to omit any information from the published decision which they consider would be likely to damage the interests of persons other than the legal professional against whom the complaint is made, or (by association) their partner or family.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.2.1 Privacy risks

Purpose limitation

Solution or mitigation:

The Commission and regulators will continue to have a statutory duty to share information relating to the investigation of complaints. The Bill also places a duty on regulators to publish registers of their members and of any regulatory waivers. As data controllers, the Commission and regulators are already subject to GDPR, and that will continue to be the case.

The Bill requires the minimum information necessary to balance against the aim of introducing greater consumer protections.

Legal professional privilege is enshrined in the common law of Scotland. There is (in broad terms) a right of absolute privilege in respect of communications emanating between a solicitor, notary or advocate, and a client relating to advice and also in respect of any documents. The Bill sets out a clear position in respect of legal privilege in relation to the investigation of legal complaints.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or mitigation:

Legal professionals use a range of channels to verify and engage with clients.

Those seeking such legal services should be informed as to the lawful basis for the processing of their information, and their rights.

Legal services providers are also data subjects. They should be informed of the lawful basis for the processing of their information, and their rights, in connection with their regulation.

The provisions do not create an obligation on controllers to undertake a processing activity that is unlawful.

The requirements in the Bill can be justified and are proportionate on the basis of the public interest in the proper regulation and accountability of legal services and protection of the rights of those accessing legal services.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.2.3 Privacy risks

Minimisation and necessity

Solution or mitigation:

The Bill requires the minimum information necessary to balance against the aim of introducing greater consumer protections.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.2.4 Privacy risks

Accuracy of personal data

Solution or mitigation:

Those seeking legal services will require to satisfy the relevant legal professional of their identity.

Legal professionals, as the data controllers and data processors, will require to assess and satisfy themselves that they are taking adequate protection and safeguards in respect of their clients' data, and the accuracy of that information.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.3.1 Security risks

Keeping data securely

Retention

Solution or mitigation:

The Data Protection Act 2018 requires the Commission, as a public body, to ensure information is retained securely and deleted once it has been used for the purpose for which it was provided[7].

The ICO's Code of Practice[8] provides that bodies have regard to specific security standards outlined in the Code. The Code provides that bodies must have a security plan for sharing data. OSCR has processes in place to ensure they are compliant with these legal requirements.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.3.2 Security risks

Transfer – data may be lost in transit

Solution or mitigation:

The Legal Profession and Legal Aid (Scotland) Act 2007 requires the Commission to keep information about complaints (including personal information) confidential, unless the law requires it to share that data with certain people and organisations to carry out its role.

There are provisions within the Bill about the regulators sharing contact details with the Commission in respect of undertaking its functions and which place requirements on regulators and the Commission to share complaints data in undertaking their functions. Some of the changes to the 2007 Act make changes to data sharing provisions.

There are established procedures in place between the Commission and legal services regulators as data controllers for the purposes of sharing information relating to legal complaints.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.3.3 Security risks

Solution or mitigation:

The Commission[9], Law Society[10] and Faculty[11] have taken measures to protect against security risks.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.4.1 Other risks

<will this impact on children?>

Solution or mitigation:

It is not anticipated the provisions would have any specific (specifically negative) impact on children or vulnerable persons.

Likelihood (Low/Med/High): Low

Severity (Red/Amber/Green): Green

Result: Mitigated

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO:

Advice has been sought from DPO throughout the drafting of this assessment.

Action:

All advice and comments have been incorporated where possible.

I confirm that the <what you are doing> has been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.

Name and job title of an IAO or equivalent:

Denise Swanson

Deputy Director

Civil Law and Legal System Division

Date each version authorised:

Contact

Email: LegalServicesRegulationReform@gov.scot