Visitor Levy Bill: data protection impact assessment

Data protection impact assessment(DPIA) for the Visitor Levy (Scotland) Bill.

5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?


5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security


5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?


5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers ( relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)


5.5 Would the proposal have an impact on a specific group of persons e.g.children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?


5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to views the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.


5.7 Are there consequential changes to in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

The Bill will provide Scottish Ministers with a power to make regulations on national exemptions. In light of the VL being a discretionary local power any national exemptions will be limited. However, any such exemptions established through subordinate legislation may impact data protection arrangements of local authorities as the relevant data controllers.

5.8 Will this proposal necessitate an associated code of conduct? If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

To support local authorities in using their discretionary power, we are committed to develop national guidance in collaboration with local government and the tourist industry. This guidance will aim to provide best practice on the processing of data by local authorities for the purposes of administering the levy.

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Yes – the Bill will not introduce any further data protection requirements that local authorities do not already utilise.

As this is a local power, local authorities will also be subject to data protection legislation and engagement with the ICO prior to the introduction of a visitor levy. We expect this process to address any data protection concerns relating to administration of the register of accommodation providers, and for any exemptions.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

No – the data controllers identified in this assessment will not be required to hold any additional personal data than they currently hold for the purposes of their existing duties and functions.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?


5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as country outside the UK.)




Back to top