5. Questions to identify privacy issues
5.1 Involvement of multiple organisations
The Scottish Government commission and are responsible for the governance of the survey. SG is the data controller, holding and processing the survey data.
Ipsos MORI and ScotCen have been commissioned as a consortium to deliver the survey on behalf of the Scottish Government. In respect of personal data, they are responsible for the collection of the survey and initial processing of the survey data (cleaning, quality assuring and analysing the data). Both Ipsos MORI and ScotCen have taken steps to review and document their roles in the SCJS and their processing of the data. For example, risks to privacy are reduced by access to the data being restricted to named individuals working on the project in each organisation, whilst any data transmission between organisations and with the Scottish Government is done using secure FTP facilities.
Disclosure controlled datasets are made available to research organisations through the UK Data Service or Data Sharing Agreements between SG and relevant third parties for the purposes of further research. The disclosure control processes further reduce the risk of individuals being identified, whilst the Data Sharing Agreements ensure the data is only used for legitimate research purposes in accordance with the legal basis for processing.
5.2 Anonymity and pseudonymity
The main SCJS data are split into multiple datasets and pseudonymised. In short, the questionnaire responses are contained within datasets which do not include direct personal identifiers, but do contain anonymised personal information like gender and age. A separate dataset of recontact information (including name, address, telephone number and email address) is held for those who have consented to providing this.
A serial number is assigned to each respondent and these are consistent across all SCJS datasets relevant to each individual year, so datasets can be matched if required – following necessary scrutiny and approval processes. This represents the biggest risk of individuals being identified. For this reason, the recontact dataset is stored securely and separately from the main survey dataset, and is only accessible by the Project Director in the Scottish Government. The recontact data (matched with survey data or on its own) can be provided to research organisations for the purposes of further research, but Data Sharing Agreements would be created before such processing takes place.
Within Scottish Government, personal data is held electronically on restricted areas of the SG secure server as previously described.
Scottish Government Data Protection and Information Assets team, in iTECS, are responsible for assessing each new or additional information technology for privacy intrusion. The SCJS Survey team only uses technology cleared by Scottish Government experts.
Personal data is collected by the survey contractors using laptop/tablet computers. Ipsos MORI and ScotCen are responsible for the integrity of these devices and the technology used to process the data. Both organisations have produced and maintain a data flow document which outlines how data is processed within and between the organisations, including the range of secure software and processes used.
Ipsos MORI's interviewing platform (Dimensions), used to carry out market research fieldwork, is hosted within a data centre, RackSpace UK. All applications and data are managed by Ipsos MORI.
5.4 Identification methods
A unique serial number is assigned to each respondent within the SCJS datasets. Whilst personal information such as name and address are stored separately from the main survey response data (for respondents who have consented to being recontacted), the unique serial number is common to all datasets to enable these data to be matched if required.
Only the SCJS Project Director (and necessary IT staff) has access to the recontact database containing names and addresses and this is only used for legitimate research purposes, in line with the legal basis on which these data are held. Research organisations can make applications to use the recontact data, as detailed elsewhere in this document.
5.5 Sensitive/Special Category personal data
Special category data collected via the SCJS includes:
Physical and mental health (also collected in the COVID-19 telephone survey)
From 2021/22 onwards the SCJS will ask new questions relating to sex and gender, including asking the respondent about their transgender status. This is in line with the SG guidance "Sex, gender identity, trans status - data collection and publication: guidance" (www.gov.scot).
The SCJS also collects data on experiences of violent crime and property crime (also collected in the COVID-19 telephone survey), as well as partner abuse, sexual victimisation, stalking and self-reported illicit drug use.
The SCJS collects information on whether respondents have ever been convicted of a crime and the related sentence (if any) they received. No specific details of convictions are recorded and this is only used for research/statistical purposes. Respondents are free to refuse to answer these questions, and any others, as they see fit.
No individual respondents are identifiable in any results published by SG, and sensitive information is stored separately from direct personal identifiers (name, address etc). Furthermore, steps are taken to ensure that datasets provided to the UK Data Service or shared with reputable research organisations have disclosure control processes performed on them to further reduce the risk of individuals being identifiable through the survey responses.
5.6 Changes to data handling procedures
Datasets are stored securely with access restricted to key named individuals. No changes to data handling procedures are envisaged at this time. Data retention policies were reviewed and updated in the process of completing this DPIA in 2018. The DPIA outlines the approach to data retention which will be used going forwards.
The intention is for the DPIA to be reviewed at least annually to consider whether any updates are required. Any notable changes to data handling procedures will be assessed from a data protection/privacy perspective and will lead to the DPIA being proactively updated, with changes to the Privacy Notice as appropriate.
5.7 Statutory exemptions/protection
The processing of the data meets Article 6(1)(e) of the GDPR as it is necessary to perform a task in the public interest and the task has a clear basis in law. This means that the right for data subjects to object to processing is more restricted. The privacy notice makes this clear.
The Data Protection Act 2018 also provides some exemptions for the purposes of research and statistics. It notes that: The listed GDPR provisions do not apply to personal data processed for (a) scientific or historical research purposes, or (b) statistical purposes, to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.
The listed GDPR provisions are the following provisions of the GDPR (the rights in which may be derogated from by virtue of Article 89(2) of the GDPR)—
(a) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(b) Article 16 (right to rectification);
(c) Article 18(1) (restriction of processing);
(d) Article 21(1) (objections to processing).
The exemption is available only where
(a) the personal data is processed in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and
(b) as regards the disapplication of Article 15(1) to (3), the results of the research or any resulting statistics are not made available in a form which identifies a data subject.
The information collected in the survey provides reliable evidence to the government and others on the extent and experiences of crime in Scotland, as well as perceptions and experiences of the criminal justice system in Scotland. This information is used to inform policy, monitor performance/changes over time and assess inequalities amongst the population. This evidence is not currently available from other sources, and no viable alternative to collecting this data is currently available. The SCJS datasets are therefore collected and processed to undertake tasks in the public interest. Steps are taken to minimise the risks to privacy associated with processing.
The recontact datasets are held and processed on the basis of explicit consent. Data Subjects are made aware of their rights and this data is placed under strict restrictions and has a bespoke retention policy.
5.9 Other risks