Visitor Levy Bill: data protection impact assessment

4. Consultation

4.1 Have you consulted with the ICO using the Article 36(4) form?

(please provide a link to it)

If the ICO has provided feedback, please include this.

Yes. Policy officials met with the ICO on 16 December 2022. The following feedback was provided:

“Controllership

We discussed controllership and the importance of ensuring from an early stage who is intended to be the data controller for the register of accommodation providers. The discussion indicated that current thinking is to ensure that LAs would be the intended data controllers.

Any new powers / obligations / duties drafted within the legislation may engage section 6(2) Data Protection 2018 and create new controllers.

We discussed recent legislation which has been passed relating to short term lets. Between this and the information held by LAs on non-domestic rates, it is likely that LAs are already holding much of the information that will be required in a visitor levy scheme. The short terms lets requirement has allowed LAs to gather the information on short term lets already. Therefore, it is possible many LAs probably will not need to hold additional registers to collect the information. It will be important to ensure that data can flow as intended and can be assisted by looking at how data is already flowing via existing pieces of legislation.

We have produced some detailed guidance on controllership which you may find useful to look at when determining the role each organisation should play.

Exemptions - Special Category Data

We mentioned the national exemptions and the data protection considerations that should be taken into account when thinking about the sharing of this data. We discussed that there is a strong possibility of information being collected for the exemptions to be considered special category data under data protection laws.

Where there is a requirement for accommodation providers to share information with LAs of any exemptions, it will be important to consider how data will flow as intended. There will need to be a lawful basis under Article 6 of the UK GDPR and an Article 9 additional condition for processing for any special category data or an article 10 condition if there is sharing of criminal offence data with LAs.

The bill team may wish to consider including a specific mechanism to share the information within the bill. Our discussion mentioned that the draft bill is not likely to specify how LAs are going to prove individuals residing in the accommodation fall under an exemption. There was a suggestion that payment should be made initially by individuals and then payment recovered from LAs, as this would provide a more privacy friendly proposal. LAs may wish to consider how much personal data they will need to retain once an exemption has been demonstrated. LAs will want to consider what is necessary and proportionate for retention, and consider the data minimisation principle.

DPIA and Risk Management

We discussed the importance of drafting a DPIA to ensure that any risks to the rights and freedoms of individuals have been considered and mitigated.

Drafting a DPIA at an early stage will help you understand what needs to be incorporated into the legislation to manage any risks that have been identified.

Consultation

We discussed consultation with relevant bodies and we understand that this is taking place with LAs and other bodies. It will be important to ensure that any bodies that may have controllership obligations are consulted from an early stage to help identify any risks which may be posed that would need to be looked at as part of the DPIA process.

The DPIA should also contain details of the consultation process, such as who was consulted and how, and whether the stakeholder has amended any potential processing activities as a result of concerns.

Organisations you consult with will also be able to advise whether they have an existing lawful basis to process the data. Where they do not have a lawful basis, this can help inform any mechanisms that should be included in the draft bill.

Guidance for LAs

The bill team may also wish to consider whether there will be any need to produce guidance (statutory or otherwise) in order to encourage consistency with the way personal data is processed under the legislation. It will be worth considering whether any guidance should be consulted / co-authored with any other bodies (eg through COSLA or a local gov working group).

No further Actions at this stage for the 36(4) consultation.”

4.2 Do you need to hold a public consultation and if so has this taken place? What was the result?

Yes, a formal public consultation was undertaken in 2019. Responses to the consultation were published in March 2020.

The consultation asked 33 questions on the design of a visitor levy. 42% of respondents supported visitor levy set out mostly at the local level. 36% supported a wholly national framework. On exemptions, 78% of respondents thought that these should be set nationally.

Respondents were evenly divided as to whether accommodation providers should be ultimately responsible for collection and remittance of a levy.

4.3 Were there any Comments/feedback from the public consultation about privacy, information or data protection?

Yes, issues were raised with respect to General Data Protection Regulation (GDPR) compliance in handling of customer data.

To address these concerns, the Bill has been designed in a way to ensure that no additional personal data will be required for processing for the administration of a VL.

Following the 2019 consultation, the Scottish Government introduced legislation for the registration of short-term lets. The Civic Government (Scotland) Act 1982 (Licensing of Short-term Lets) Order 2022 allows for a local authority to create a public register of short-term lets in their area. This means a local authority will already possess the personal data required to populate the entry for a short-term let provider on a VL register. The remaining accommodation providers will be liable for Non-Domestic Rates, with a local authority already holding personal information via the existing valuation roll. While the VL Bill will provide local authorities with a power to create a new register of accommodation providers, they will not be required to process any new personal data.

In relation to the administration of exemptions, the VL Bill does not create any national-level exemptions and so does not introduce any associated data protection burdens. The Bill provides powers to local authorities to designate local exemptions and provides Scottish Ministers with powers to create national exemptions through subordinate legislation.