Short-term lets – licensing scheme and planning control areas: consultation analysis

11. Data Protection Impact Assessment

11.1. The purpose of this impact assessment is to report on and assess against any potential data protection impacts as a result of the Licensing Order and Control Area Regulations. This legislation may have an impact on the protection of personal data within the meaning of the General Data Protection Regulation (GDPR).

11.2. Implementation of the legislation will involve processing of personal data. For the purposes of the GDPR, the key term is “processing”, which is very broad in scope and includes (but is not limited) to collecting, storing, recording, altering, using, consulting, transmitting or erasing data- in short, just about any possible use. “Personal” is also very broad in scope and means any information relating to a living person, where that person can be directly or indirectly identified.

A. Introductory information

11.3. Author of report: Short Term Lets Policy Team, More Homes Division, Directorate for Housing and Social Justice.

11.4. The Licensing Order and Control Area Regulations are secondary legislation. They will be laid in December 2020 and, subject to the approval of the Scottish Parliament, come into force on 1 April 2021. Local authorities must have licensing schemes open to receive applications on 1 April 2022 and the processing of personal data under the licensing scheme will begin at that point.

11.5. Local authorities may choose to designate control areas under the Control Area Regulations at any time, subject to the procedures set out in the Regulations. The Regulations do not introduce any new processes; they may require more planning applications but the process for making planning applications is well established. For this reason, we do not consider the Regulations further in this assessment.

11.6. We are engaging with the Information Commissioner’s Office and will continue to do so as we develop and issue guidance to local authorities on the operation of the licensing scheme and work with them as they prepare for implementation.

11.7. We have held two public consultations in 2019 and 2020 on the regulation of short-term lets; we consulted on a broad framework for regulatory proposals in 2019, and consulted again on detailed proposals in autumn 2020.

11.8. A small number of respondents raised privacy concerns about the sharing of personal data:

• within local authorities (between departments);
• between local authorities; and
• through the public register of short-term lets.

11.9. One local authority suggested that they had no concerns about sharing personal data relating to secondary letting, but had some concerns regarding home sharing or home letting.

11.10. Date of report: 8 December 2020.

11.11. Name of Information Asset Owner for relevant business unit: Brad Gilbert, Deputy Director, More Homes.

11.12. Dates of review for DPIA:

Review date	Details of update	Completion Date	Approval Date
8 December 2020	Version 1.0 published with 2020 consultation report.	8 December 2020	8 December 2020
March 2021	Review with guidance for local authorities and hosts and platforms
March 2022	Review before licensing schemes open
March 2023	Review after one year of live operation

B. Policy objectives of the legislation

11.13. The wider background to this work and policy objectives are set out in chapters 3 and 8 of this report.

11.14. The Licensing Order introduces a requirement on local authorities to establish a licensing scheme for short-term lets which prioritises safety. The safety component of the licensing scheme will be mandatory for all short-term lets in Scotland. Local authorities will also have powers to introduce additional conditions to respond to issues such as anti-social behaviour and noise, in order to address local issues of concern.

11.15. In addition to raising safety standards, the licensing scheme will help local authorities to understand what is happening in their area, improving the effective handling of complaints. At present the data available on short-term lets are limited to Airbnb’s activity and self-catering properties registered on the Non-Domestic Valuation Roll. Information on Airbnb’s activity includes data published by Airbnb (in the form of reports, and not datasets) and those published by Inside Airbnb (free of charge) and Air DNA (with fee), which are scraped from the Airbnb website.

11.16. As all short-term lets will require a licence, the licensing scheme will provide accurate up-to-date data on the number of short-term lets operating in Scotland, and their exact location (as well as other relevant data). The licensing scheme will be delivered by local authorities; therefore we require local authorities to share data with Scottish Government on an ongoing regular basis (quarterly). Scottish Government will use the data to monitor trends in the number of short-term lets, applications granted or refused etc. This data will form an evidence base for any future interventions by Government, if additional measures are needed.

11.17. The overall objectives, with regard to the collecting and processing of data, are to:

a) Require local authorities to collect sufficient data for monitoring and enforcement purposes, including setting out requirements for the sharing of relevant information between local authorities for hosts operating in more than one area (operational data). This operational data will need to be specified precisely so it is consistent across local authorities and can be shared effectively, if not done through the public register.

b) Require local authorities to share data, including the number, type and location of short-term lets, with Scottish Government on an ongoing regular basis (analytical data). The exact data to be shared shall be specified by Scottish Government to ensure consistent data is received from all local authorities which can be combined into a national database for subsequent analysis. Every data field will need to be defined precisely and have an associated quality assurance check specified for it.

c) Require local authorities to publish a register of short-term let licences and their status (granted, refused, being determined, revoked, lapsed etc.) which can be accessed by members of the public (public register). Local authorities will be required to publish the register on a quarterly basis. The public register will contain a limited amount of personal information (e.g. to allow people to check whether their neighbour had a licence to operate a short-term let) but we might want local authorities to share further data with Scottish Government. The public register would be similar to the landlord register, and any local authority public HMO registers (e.g. Fife).

C. The processing of personal data

11.18. The table below sets out personal data to be processed by each licensing authority in administering the licensing scheme. Some of the data below will be publically available (bold) and the rest will be restricted to those administering the licensing scheme.

11.19. Applicant(s) and any named agent(s) on the licensing application may be affected by the proposed processing.

• Applicant(s) / Licence holder(s) name (title, first name, surname)
  Licence application

• Agents (day-to-day manager) name (if applicable)
  Licence application

• Property (premises) address (including postcode and URN)
  Licence application

• Contact details – address, address history, email, telephone (applicant, agent, day-to-day manager)
  Licence application

• Date and place of birth (for all applicants, and any agent(s))
  Licence application

• Unspent convictions involving: i. fraud and dishonesty; ii. violence; iii. drugs; iv. firearms; v. sexual offences
  Licence application and Police Scotland background checks^[16]

11.20. The processing of the above data is required for the operation of the licensing scheme. Personal data, such as name, date and place of birth, address are required in order for local authorities and Police Scotland to carry out background checks to determine whether or not the applicant(s) and any agent(s) are fit and proper.

11.21. We are not proposing to collect any special category data.

Data minimisation

11.22. The personal data we are requiring local authorities to process is necessary in order to comply with their requirements to establish whether or not an applicant (or their agent) are fit and proper.

D. Engagement of rights under ECHR

11.23. Article 8 of ECHR concerns a person’s right to respect for their private and family life, home and correspondence and prohibits interference “… except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

11.24. The Licensing Order protects these rights as follows:

a) Introducing mandatory licence conditions for safety for all short-term lets will give neighbours of short-term lets peace of mind that they are operating safely, particularly those living next to short-term lets in flatted or tenement buildings.

b) Other licence conditions, imposed by local authorities as needed, will help manage noise, nuisance and antisocial behaviour, which has stopped some neighbours enjoying their home.

c) In some areas, high concentrations of short-term lets have affected the availability and affordability of homes. The licensing scheme and control areas give local authorities an effective means of managing high concentrations of short-term lets in order to balance the needs and concerns of local communities with the wider tourism and economic benefits of short-term lets.

11.25. In consultation, some hosts suggested that the legislation would negatively impact their Article 8 rights by restricting their ability to use their home for the purposes of short-term let. We consider this will only happen where it is the policy intention of the local authority and this will only be the case in circumstances where it protects the rights and freedoms of others or is for the greater economic well-being of their local community.

E. Regulation of technology

11.26. Each local authority must publish a register of short-term lets in their area, likely to be on their website. The public register will include the following personal data:

• Applicants’ / licence holders’ names (title, first name, surname)
• Names of agents (day-to-day manager) (if applicable)
• Property (premises) address (including postcode and licence URN).

11.27. Additional personal data will be processed by local authorities in order to determine whether or not persons named on the application form are fit and proper. This additional data may be shared internally between local authorities, and statutory consultees, such as Police Scotland, but will not be published.

Impact on the use of technology

11.28. Neighbours of short-term lets will be able to establish if a neighbouring property has a licence to operate as a short-term let via the public register, allowing them to raise any concerns with the relevant local authority (for example if they suspected a property was operating without a licence).

11.29. The licensing scheme will not require change the operation of an established public register or on-line services. However, platforms and holiday letting agencies (private sector organisations) will need to include licence URNs and EPC ratings on adverts and property listings.

F. Data to be used as evidence

11.30. Data will be stored in relation to applicants and their agents in relation to an active, suspended or revoked licence or a licence application. Data will also be stored in relation to the licence conditions in respect of licensed premises. This data will facilitate investigation of offences under the Licensing Order (such as operating without a licence) and potentially support the police in investigating serious and organised crime where criminals are making use of short-term lets for sex-trafficking or drug dealing.

G. Impact specific groups of persons

11.31. We have completed an EQIA, CRWIA and assessment against the Fairer Scotland Duty, all set out in this report, none of which have identified any adverse impacts on children or people with protected characteristics.

H. Data sharing between organisations

11.32. Personal data will be shared by local authorities as follows:

• with Police Scotland in order to complete background checks;
• with the Scottish Fire and Rescue Service as the licensed activity would be carried on in premises;
• internally as needed between relevant local authority departments, such as housing, licensing, planning and environmental health;
• with other local authorities (e.g. if an applicant had a licence revoked in one local authority and operated in another local authority); and
• limited personal data with Scottish Government and the public, by publishing data on a public register.

Lawful basis for sharing

11.33. Local authorities are required by the Licensing Order to establish and maintain a licensing scheme in their area for all short-term lets.

11.34. Paragraph 5(3) of Schedule 1 to the 1982 Act sets out that local authorities must refuse applications for a licence if the applicant is not a fit and proper person to be the holder of the licence. In order for local authorities to do this, they will be required to collect and process personal and sensitive information. This includes date and place of birth, home address, address history, and unspent convictions for certain types of offences.

11.35. The Licensing Order (by amending paragraph 14 of Schedule 1 to the 1982 Act) requires local authorities to publish data, and share data with the Scottish Government, on an ongoing quarterly basis. It also allows local authorities to share information as they consider appropriate about the suspension, revocation or variation of a licence with other licensing authorities.

I. Controversial or significant public interest in processing of data

11.36. During our recent consultation, neighbours were very supportive of our proposals to require local authorities to publish a public register of short-term lets. Some hosts raised concern about privacy impacts. However, the only personal data we are proposing to publish is:

• Applicants’ / licence holders’ names (title, first name, surname)
• Names of agents (day-to-day manager) (if applicable)
• Property (premises) address (including postcode and licence URN).

11.37. This is in line with the personal data published on the landlord register (for private landlords) and similar to that for HMOs. In addition, the 1982 Act requires local authorities to keep a register which shall be:

“…open to the inspection of any member of the public at such reasonable times and places as may be determined by the licensing authority and any member of the public may make a copy thereof or an extract therefrom” (1982 Act, Schedule 1, paragraph 14)

11.38. Local authorities might be expected to deal with a large volume of these requests, so publishing a register and keeping it up-to-date should reduce the administrative burden on local authorities and reduce costs (and therefore fees).

11.39. The public register will also provide benefits to both guests and neighbours:

• Guests would be able to verify that the property they have booked, or are looking to book, has a licence to operate, meaning that it should comply with mandatory safety conditions. (We would not expect guests to do this routinely but they may do so if they have doubts or concerns.)
• Neighbours will be able to check if neighbouring properties have a licence to operate, and will be able to share any concerns about properties operating without a licence with local authorities, which will assist with enforcement.

11.40. It will be for local authorities, as the data controllers to ensure that appropriate safeguards are in place in relation to the processing of personal data.

J. Changes to other legislation

11.41. No consequential amendments above and beyond those in the Licensing Order are required in relation to the processing and sharing of data related to the short-term lets licensing scheme.

K. Codes of conduct and guidance

11.42. We will be publishing non-statutory guidance for local authorities, as the data controllers responsible for operating the licensing schemes for short-term lets in their areas.

11.43. We will also be publishing non-statutory guidance for hosts and platforms. This guidance will explain to hosts how their data will be used by local authorities.

L. Summary: Data Protection Impact Assessment

Data controllers and safeguards

11.44. The licensing scheme for short-term lets will be administered by local authorities. Each local authority will be the data controller for the licence scheme they operate in their area, and therefore they will be required to carry out the operational aspects of a DPIA to assess any privacy risks associated with the actual processing of personal data, such as collecting, sharing and publishing etc. They will be responsible for developing appropriate privacy notices, data sharing agreements, ensuring secure transfers of data, deciding how the information will be collected (online or paper form), who will have access to that data, providing data protection training to their staff and dealing with personal data breaches.

Data Security

11.45. We expect local authorities to develop formal data handling procedures, taking into account privacy issues to ensure personal data is handled appropriately and securely. For example, the use of information sharing protocols and agreements, penetration testing and other IT cyber security measures. They should be doing this anyway in respect of other personal data which they already receive and process in relation to a host of functions they exercise.

11.46. To ensure that the Scottish Government handles personal data appropriately and comply with its legal obligations under the Data Protection Act, it has developed a number of policies and procedures that will assist in meeting its legal obligations in relation to the holding and processing of data including:

• Data Protection Policy;
• Data Handling Policy;
• Information Security Policy; and
• Information Asset Owners handbook.

11.47. We would expect local authorities to have similar policies and procedures in place with regard to handling personal data and complying with legal obligations. We will set out further detail on this in guidance for local authorities.

11.48. Where there is an unauthorised release of personal data, we will act in accordance with the Scottish Government procedures on handling a data breach.

Anonymity and pseudonymity

11.49. Scottish Government statisticians will only have access to personal data that is publicly available via the public register, at least initially.

11.50. If, in future, Scottish Government requires further personal data for analytical purposes, in addition to data published in the public register, this DPIA will be updated to reflect any new requirements.

11.51. Local authorities will be expected to ensure all data is periodically reviewed and erased or anonymised when it is no longer needed in line with the requirements of GDPR.

Data Handling Procedures

11.52. The application form and related processes are still to be developed by local authorities. As part of the development of these, we expect local authorities to consider how they can ensure that individuals required to provide sensitive personal data (for example in relation to unspent convictions) can do so in a confidential way without needing to disclose this information unnecessarily to other people who are part of the same application. For example, an applicant might not want to disclose this information to their agent. In order to assist local authorities to develop formal data handling procedures, we will work with them to assist them in ensuring that they take into account privacy issues to ensure personal data is handled appropriately and securely. They will need to consider, for example, the use of information sharing protocols and agreements, penetration testing and other IT cyber security measures.

Storage and disposal of data

11.53. Organisations must not keep personal data for longer than needed. Local authorities will be responsible for the storage and disposal of data when it is no longer needed. We expect that personal information will only be held as long as necessary for the effective administration of the licensing scheme.

11.54. We intend to outline the standard retention period in our guidance for local authorities. Some information will only need to be kept whilst a licence is operational but other information will be important to retain for longer for effective compliance and enforcement and assessing any future application by the same host.

11.55. Analytical data will be used to prepare an annual report summarising short-term let activity in Scotland, such as number and type of short-term lets by area. The analytical publications will not contain any personal data.

Identification Methods

11.56. Each licence holder will be given a licence number unique to the pairing of the licence holder and premises to which the licence applies. Under the Licensing Order, licence holders must include this number in all adverts and listings. This number will help to show that they are a licensed short-term let operator.

11.57. There are also a number of property URNs already in operation across Scotland, including those used by the Post Office, National Records of Scotland, the Land Registry and the valuation roll. These will assist local authorities in uniquely identifying premises, as the same premises could have several licences associated with it over time.

M. Impacts on decisions made about individuals, groups or categories of persons

11.58. Future policy interventions at a national and local level will be informed by the data provided by the licensing scheme. The key data Scottish Government are interested in are:

• Name of applicants and agents (to establish how many operate multiple properties).
• Address of property (to build a clearer picture of the location of short-term lets, and particular areas of high concentration).

11.59. We are also interested in other non-personal data, which the licence scheme will capture, such as:

• Short-term let type (home sharing or letting or secondary letting).
• Maximum occupancy.

N. Risks

11.60. We believe there are two key risks:

Risk

Mitigation

1. Release of personal data due to unauthorised access to an insecure IT system.

Local authorities to work with their IT systems provider/developer to ensure appropriate safeguards are built into the system to prevent unauthorised access to personal data. This could include consideration of similar measures already in place for existing licensing schemes under the 1982 Act, or other legislation.

2. Personal data compromised through accident or deliberate inappropriate sharing of personal data in the administration and processing of applications.

Clear and appropriate data and information sharing protocols agreed with relevant organisations. Privacy issues and data handling to form a key part of staff training. Appropriate supervision and vetting of staff.

O. Authorisation

11.61. The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division or the relevant person in the business area sponsoring the Bill/proposals.

11.62. Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust and has addressed all the relevant issues.

11.63. By signing the DPIA report, the IAO is confirming that the impact of the policy has been sufficiently assessed against individuals’ right to privacy.

11.64. The results of the impact assessment must be published in the eRDM with the phrase “Legislative DPIA” and the name of the project or initiative in the title.

11.65. Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.

I confirm that the impact of the Licensing Order and Control Area Regulations have been sufficiently assessed in compliance with the requirements of the privacy duty:

Name and job title of a IAO or equivalent:

Brad Gilbert, Deputy Director, More Homes

Date each version authorised:

8 December 2020