Age of Criminal Responsibility (Scotland) Bill: privacy impact assessment
A privacy impact assessment for the Age of Criminal Responsibility (Scotland) Bill.
4. PIA screening process
The main aim of the Bill (raising the age of criminal responsibility) will not involve the handling of personal data. The provisions in the Bill relating to disclosure of ORI and the delivery of SCRA's Victim Information Service will involve handling and sharing personal data under restricted circumstances.
This PIA aims to assess and manage the risks associated with data protection and information privacy under those restricted circumstances. The first stage in the PIA is the screening process. A screening process was conducted to evaluate whether a full-scale PIA should be conducted. The screening questions and answers are detailed below.
Technology
Does the project apply new or additional information technologies that have substantial potential for privacy intrusion?
Sections 4 – 21 Disclosure:
No.
Section 22 Victim Information:
No.
Part 4 Chapter 4: Taking of prints and samples:
No.
Identity
Does the project involve new identifiers, re-use of existing identifiers or intrusive identification, identity authentication or identity management processes?
Sections 4 – 21 Disclosure:
No, the same identifiers are used as those under the current system. Names, National Insurance (NI) numbers, dates of birth and address/address history are all collected as part of the official collection and recording of information. These are subject to all appropriate safeguards. None of this information could ever be published or released to the general public.
Section 22 Victim Information:
No, the same identifiers will be used as those under the current process for the Victim Information Service. There will be no new or changed identity authentication requirements. The Principal Reporter will consider the same identifiers (including information from the Concern Report and Standard Prosecution Report) to determine if information may be disclosed to a victim of harmful behaviour of a child under 12 or a victim of an offence committed by a child/young person.
Part 4 Chapter 4: Taking of prints and samples:
It is expected that the same identifiers will be used as are
currently used.
Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions?
Sections 4 – 21 Disclosure:
No.
Section 22 Victim Information:
Yes. The Principal Reporter will not disclose the name of
the child referred to the children's hearings system. However, the
Principal Reporter may disclose limited information about the
disposal of a case following a report of certain offending or
harmful behaviour on the part of a child. This data may be used
where the child's identity is already known.
Part 4 Chapter 4: Taking of prints and samples:
No.
Multiple organisations
Does the project involve multiple organisations, whether they are government agencies (e.g. in 'joined up government' initiatives) or private sector organisations (e.g. as out-sourced service providers or as 'business partners')?
Sections 4 – 21 Disclosure:
Yes. As part of their review, the new IR will contact various public bodies (e.g. SCRA, local authorities, etc.) in order to obtain additional information regarding the individual and the behaviour that is proposed to be disclosed. However, all appropriate measures will be taken to ensure data sharing with the various organisations is secure and compliant with the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). This will follow the same processes and procedures as those under the current system.
Information to support an appeal will need to be provided to a Sheriff and to the Scottish Government's Legal Directorate as part of the appeals process.
Section 22 Victim Information:
Yes. However, implementation of the VIS under the new legislation will include the same organisations already involved in the processing of the data under the existing VIS process including SCRA, Police Scotland, Local Authorities, particularly Social Work, Victim Support Scotland and potentially other organisations such as the Criminal Injuries Compensation Authority and insurance bodies. All appropriate measures will be taken to ensure data sharing with the various organisations is secure and compliant with the DPA and the GDPR.
Part 4 Chapter 4: Taking of prints and samples:
Yes. Prints and samples will be taken by Police Scotland, and passed to the Scottish Police Authority Forensic Services for processing and analysis. This will be done in accordance with well-established secure processes and procedures. Samples taken under the Bill (and records derived from them) will not be sent to UK-wide databases, and so will not be accessible by other police forces in the UK.
Data
Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals?
Sections 4 – 21 Disclosure:
No. The process for handling data for appeals to a Sheriff in other circumstances already exists; there is no change caused by this new legislation other than the addition of the IR role, which will be subject to the same strict privacy rules. Disclosure Scotland and Police Scotland already share ORI by secure means.
Section 22 Victim Information:
Yes. The process for handling personal data to deliver the VIS already exists. However, the process of disclosing information under the VIS in relation to the harmful behaviour of children under the ACR is new. As noted above, only basic information is to be disclosed under section 22 of the Bill, explaining what action the Reporter has taken in response to the receipt of information about a child's behaviour but not providing more intrusive information such as the underlying welfare reasons for any action taken. The information will not be disclosed if the Principal Reporter considers that disclosure would be to the detriment of any child involved in the case or that disclosure would be otherwise inappropriate. These safeguards will enable the Principal Reporter to ensure that disclosure is not excessive in relation to the purpose of protecting the interests of victims.
The data handled by SCRA is protected from public access and can only be viewed by authorised personnel. All employees and contractors are prohibited from using personal information for any purpose outwith SCRA's remit and legal responsibilities.
Part 4 Chapter 4: Taking of prints and samples:
No. Prints and samples taken will be handled in accordance
with existing processes. However, the prints, samples, and any
records derived from them must be destroyed once they are no longer
needed for the investigation for which they were taken, or once
resulting children's hearings proceedings have concluded. This is
in contrast to the current position, under which samples taken from
a child can be retained on police databases for three years if a
children's hearing rules that grounds have been established for
certain violent or sexual offences.
Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database?
Sections 4 – 21 Disclosure:
The IR will have the ability to gather additional information regarding an individual and their pre-12 behaviour. However, the processes and systems involved will be subject to the same strict privacy rules as other data held by Disclosure Scotland.
Section 22 Victim Information:
No. The process for handling considerable amounts of personal data by SCRA already exists.
Part 4 Chapter 4: Taking of prints and samples:
As explained above, the Bill creates strict destruction requirements for samples taken from children under these provisions: samples and any records derived from them must be destroyed once they are no longer needed for the investigation for which they were taken, or once resulting children's hearings proceedings have concluded. Samples and prints taken from children under the Bill will not be recorded on the Criminal History System, or passed to the National DNA Database or IDENT1. This means it will not be possible for the police (whether in Scotland or elsewhere in the UK) to check crime scene samples against samples taken from children under the Bill.
Does the project involve new or significantly changed handling of personal data about a large number of individuals?
Sections 4 – 21 Disclosure:
No. We anticipate the number of potential ORI disclosures by the police to be very small (less than 10 cases per year).
Section 22 Victim Information:
No. The process for handling personal data by SCRA about large numbers of individuals already exists. Section 22 provides new powers for disclosure of information to victims of harmful behaviour of children under the ACR, which means additional processing of the data in relation to children under eight; however, these cases are expected to be few in number. Data provided by SCRA suggests that in 2017, only 53 victims of offences by children aged 8 to 11 opted in to the Victim Information Service. The number of victims of harmful behaviour of children under eight is therefore expected to be even lower.
Part 4 Chapter 4: Taking of prints and samples:
No, it is expected that the numbers of children affected will be very small. As an illustration, it is understood that in the last three years only three children aged 8 to 11 have had biometric data captured and placed on the relevant database.
Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?
Sections 4 – 21 Disclosure:
As above, the IR will have the ability to gather additional information regarding an individual and their pre-12 behaviour from a number of public bodies. However, the processes and systems involved will be subject to the same strict privacy rules as other data held by Disclosure Scotland.
Section 22 Victim Information:
No. Implementation of the VIS under the new legislation will include the same organisations already involved in the processing of the data under the existing process including SCRA, Police Scotland, Local Authorities - Social Work, Victim Support Scotland and potentially other organisations such as the Criminal Injuries Compensation Authority and insurance bodies. All appropriate measures will be taken to ensure consolidation, inter-linking, cross-referencing or matching of personal data between multiple sources is compliant with the DPA and the GDPR.
Part 4 Chapter 4: Taking of prints and samples:
No. As explained above, the opportunities for cross-referencing or matching data will become more limited, because data derived from samples taken from children under the Bill will not be placed on the Criminal History System, IDENT1 or the National DNA Database, and it will not be possible to match that data with crime scene samples.
Exemptions and exceptions
Does the project relate to data processing which is in any way exempt from legislative privacy protections?
Sections 4 – 21 Disclosure:
No.
Section 22 Victim Information:
No.
Part 4 Chapter 4: Taking of prints and samples:
No.
Does the project's justification include significant contributions to public security measures?
Sections 4 – 21 Disclosure:
No.
Section 22 Victim Information:
No.
Part 4 Chapter 4: Taking of prints and samples:
No.
Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?
Sections 4 – 21 Disclosure:
No.
Section 22 Victim Information:
No.
Part 4 Chapter 4: Taking of prints and samples:
No.