Local government candidate diversity survey 2022: data protection impact assessment

This data protection impact assessment (DPIA) reports on and assesses against any potential data protection or privacy impacts as a result of the running of the 2022 local government candidate diversity survey, and the data processing undertaken as part of the project.


6. UK General Data Protection Regulation (UKGDPR) Principles

Principle Compliant – Yes/No Description of how you have complied
6.1 Principle 1 – fair and lawful, and meeting the conditions for processing Yes The Information to be gathered is a proportionate response to the need to improve the evidence base on the diversity of political representation in Scotland. The data will be processed on the basis that it is necessary for the performance of a public task carried out in the public interest (Article 6(1)(e) of UKGDPR. The relevant public tasks are section 149 (public sector equality duty) and section 1 (the fairer Scotland duty) of the Equality Act 2010. In addition, the it is necessary and proportionate for reasons of substantial public interest, on the basis of domestic law, to process special Category data (Article 9(2)(g)) and of the Data Protection Act 2018 section (Section 10(3) and paragraph 8 of schedule 1) and the data will be processed in accordance with relevant data protection laws. Data subjects will be provided with an information leaflet alongside the questionnaire to provide information on how their data will be used. A privacy notice will also be published on the Scottish Government website Respondents are asked for explicit consent for their email addresses to be held for the purposes of sending the report once published and/or follow-up research. Information for how candidates are able to later opt-out is provided in the privacy notice.
Principle Compliant – Yes/No Description of how you have complied
6.2 Principle 2 – purpose limitation Yes This survey data is only collected and processed for the specified, explicit and legitimate purposes communicated to candidates. The data could also be shared with academics and researchers on application to the Statistics Public Benefit and Privacy Panel (SPBPP), which are then carefully assessed (special data requests). All applications follow a rigid approval process against a set of criteria, including researcher's accreditation and security of the research environment. Data would only be shared once appropriate disclosure control measures have been applied. The disclosure control methods pseudonymise the data so that candidates are not identifiable from the 2022 LGCDS data itself.
Principle Compliant – Yes/No Description of how you have complied
6.3 Principle 3 – adequacy, relevance and data minimisation Yes In terms of personal data (such as gender, age etc.) – collection and processing of this data will be done using established questions which produce meaningful data for the purposes of research and statistics. Personal information collected is essential for understanding of who stands, and who is elected in councils in Scotland. This is important so that we can understand how representative our candidates and elected members are of the communities they serve. To avoid the need to collect the diversity again in a second process after the election, we need to ask for candidate names. Once initial processing has been completed, data will be analysed using a unique identifier for each candidate. While this unique identifier can be (and needs to be) linked back to the name, party and constituency of the candidate following the results of the election, the linking information will be held separately and only used for that purpose before the dataset is pseudonymised. Access to candidate names and response data will be restricted to a small number of individuals involved in this project. Candidates are asked if they would like to be sent a copy of the report and/or if they would be willing to participate in possible follow up research. Email address are then collected only once the consent is given and are stored only so that candidates can be re-contacted in the future for these reasons. Candidates can withdraw their consent at any time.
Principle Compliant – Yes/No Description of how you have complied
6.4 Principle 4 – accurate, kept up to date, deletion Accurate: The information is obtained directly from data subjects. The more candidates who agree to take part, the more reliable the results of the survey will be of all candidates standing at the 2022 local government election in Scotland. However, taking part in the survey is voluntary. Quality assurance checks will be performed by the Scottish Government. There is no requirement for the data to be later updated, although analysis and results when published are clear about the time frame which results relate to. Up-to-date: The data will be accurate at the time of collection for the sample that respond to the survey. As further processing will use the data and tie it to the point of collection (i.e. candidates at the 2022 local government election that respond to this survey), the data will be accurate to and representative of that point in time. Deletion: As the data is processed in accordance with the public task clause, the right to erasure does not apply. Names of the candidates, will however, be deleted within 30 days of the Scottish Government receiving the full dataset. Recontact data (email addresses), where supplied with consent to be sent a copy of the survey report, will be deleted once the survey report has been sent. Email addresses, where supplied with consent to be contacted about potential future research, will be deleted after 6 years. Data subjects will be provided with contact details to enable them to withdraw their consent and remove themselves from the recontact database.
Principle Compliant – Yes/No Description of how you have complied
6.5 Principle 5 – kept for no longer than necessary, anonymization Yes The main survey data will be held indefinitely by the Scottish Government for the purposes of research and statistics. This data will be pseudonymised as it will not include direct personal identifiers, thus reducing the risk of individuals being identified. Names of the candidates will be deleted within 30 days of the Scottish Government receiving the full dataset. Email address will only be collected once consent is given and will be stored only so that candidates can be re-contacted in the future for these reasons. Each candidate will have a unique identifier in each dataset which allows them to be linked back following the results of the 2022 local government election. This processing only takes place to facilitate legitimate further research, and following ethical considerations and necessary approval processes being completed.
Principle Compliant – Yes/No Description of how you have complied
6.6 UKGDPR Articles 12-22 – data subject rights Yes Data subjects have rights defined under UKGDPR. The survey's information leaflet and pages on gov.scot explain how the data will be handled, rights of data subjects and where more information can be found. Whilst most subject rights under UKGDPR apply, as this data is being processed under the public task clause Individuals' rights to erasure and data portability do not apply. As the survey is carried out for reasons of public interest (rather than a legal obligation) and appropriate safeguards are in place to minimize the risk to privacy, the right to object is more limited as the processing is necessary for the performance of a task carried out in the public interest – as per Article 21(4). However, participation in the survey is voluntary, so data is only collected from willing participants. The data will not be used for direct marketing, and will only be processed for legitimate statistical and research purposes as specified in the privacy notice. Email address details are processed for the purposes of sending the published report or follow-up research, never market research. If applicants are not content for their data to be used for follow-up analysis they are free to withdraw consent. It is voluntary and this is made known to candidates.
Principle Compliant – Yes/No Description of how you have complied
6.7 Principle 6 - security Yes Paper questionnaires will be returned in sealed envelopes to APS. APS will maintain a clear desk policy and all paper forms will be locked away when not in use and destroyed as soon as possible. Access to personal data and the survey data will be restricted to only individuals who require access at different stages of the process The online version of the survey will be run using the Scottish Government's in-house survey tool Questback, a password protected secure online survey tool. All data is hosted in an all-certified data center in Germany which meets very high data protection and security requirements according to ISO 27001, SOC, PCI, SSAE16 and others. Data will be exported from questback in a timely manner following the close of the survey, deleted from the questback, and stored in a private secure Scottish Government folder only accessible by the analysts in CIMA. Once the data from the questionnaires has been processed the Scottish Government will store the data on a section of the government's secure server with access restricted to a small number of analysts working on the project. Only aggregated information will be published in reports and tables and disclosure control processes will be applied. All Scottish Government staff complete necessary Data Protection training at least once per year to ensure staff are aware of regulations.
Principle Compliant – Yes/No Description of how you have complied
6.8 UKGDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area. The survey data will be pseudonymised and retained indefinitely by the Scottish Government for statistical and research purposes. An international research institution may make a request for a special dataset. Should a data sharing request be received which would involve transferring data outside of the EEA, this would be considered by the Scottish Government's Data Access Panel.

Contact

Email: diverserepresentationdata@gov.scot

Back to top