Bail and Release from Custody (Scotland) Bill: data protection impact assessment
This data protection impact assessment (DPIA) is undertaken in compliance with UK General Data Protection Regulation (UK GDPR) Article 35(10). This is an iterative impact assessment, which we expect to amend as the Bill makes its way through Parliament.
6. Risk Assessment
6.1.1 Risk to individual rights
Risk: There is a risk that members of the public attempting to assert their data subject rights may not know which controller organisation to contact, leading to a breach of the transparency principle and an inability to assert their rights.
Solution or mitigation: Clear and consistent Privacy Notices across the relevant organisations.
Likelihood (Low/Med/High): Low
Severity if unmitigated (Red/Amber/Green): Amber
Mitigated result (Accepted/Reduced/Mitigated/Eliminated): Mitigated
6.1.2 Risk to individual rights
Risk: Risks might arise as a result of the use of personal information (recording of reasons for bail decisions) to undertake analysis to provide a statistical understanding of the reasons for refusal of bail.
Solution or mitigation: No personal data would be released during any statistical analysis. Data controllers will ensure, as they do at the moment, that personal data is processed in a manner that is compliant with DPA and GDPR obligations.
Likelihood (Low/Med/High): Low
Severity if unmitigated (Red/Amber/Green): Amber
Mitigated result (Accepted/Reduced/Mitigated/Eliminated): Mitigated
6.2.1 Privacy risks
Risk: Purpose limitation – information provided to victim support organisations (VSOs).
Solution or mitigation: The type of information which can be provided is limited to the information currently shared with victims, and the legislation will set out the limited purposes for which it can be used.
Likelihood (Low/Med/High): Low
Severity if unmitigated (Red/Amber/Green): Amber
Mitigated result (Accepted/Reduced/Mitigated/Eliminated): Mitigated
6.2.2 Privacy risks
Risk: Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and about their rights.
Solution or mitigation: Clear and consistent Privacy Notices across the relevant organisations.
Likelihood (Low/Med/High): Low
Severity if unmitigated (Red/Amber/Green): Green
Mitigated result (Accepted/Reduced/Mitigated/Eliminated): Mitigated
6.2.3 Privacy risks
Risk: Minimisation and necessity.
Solution or mitigation: N/A
6.2.4 Privacy risks
Risk: There is a risk that the personal information which is shared for the purposes of pre-release planning may not be accurate, because that information is disclosed by the data subjects themselves.
Solution or mitigation: Data subjects will be encouraged to provide accurate information, supported by clear and consistent Privacy Notices across the relevant organisations.
Likelihood (Low/Med/High): Med
Severity if unmitigated (Red/Amber/Green): Green
Mitigated result (Accepted/Reduced/Mitigated/Eliminated): Accepted
6.3.1 Security risks
Risk: There is a risk that a lack of maturity of some DP controls in VSOs may lead to personal information being mishandled.
Solution or mitigation: Early engagement with VSOs will ensure appropriate documentation and processes are in place. If necessary, guidance will be developed, supported by links to ICO guidance. VSOs will be encouraged to undertake an audit of their current technical and organisational measures to ensure they remain sufficient.
Likelihood (Low/Med/High): Low
Severity if unmitigated (Red/Amber/Green): Red
Mitigated result (Accepted/Reduced/Mitigated/Eliminated): Reduced
6.3.2 Security risks
Risk: There is a risk that a lack of maturity of some DP controls in VSOs may lead to personal information being mishandled.
Solution or mitigation: Early engagement with VSOs will ensure appropriate documentation and processes are in place. If necessary, guidance will be developed, supported by links to ICO guidance.
Likelihood (Low/Med/High): Low
Severity if unmitigated (Red/Amber/Green): Red
Mitigated result (Accepted/Reduced/Mitigated/Eliminated): Reduced
VSO risks
Risk: There may be a perceived risk that a VSO may access information about a prisoner where it is not appropriate for them to do so.
Solution or mitigation: The Bill makes provision so that a VSO is only entitled to information where it is providing support to a victim. That requirement for an existing relationship between the VSO and the victim means that it is unlikely that a VSO will be provided with information other than where it is required to support a victim. Furthermore, the Bill makes provision requiring a VSO to be specified in secondary legislation in order to be capable of receiving information. In order to be so prescribed, a VSO will need to demonstrate that it fits the criteria in the Bill, providing a further safeguard against the passing of information to an organisation which should not rightly have it.
Likelihood (Low/Med/High): Low
Severity if unmitigated (Red/Amber/Green): Red
Mitigated result (Accepted/Reduced/Mitigated/Eliminated): Reduced
Data Protection Officer (DPO)
The DPO may give additional advice; please indicate how this has been actioned.
Advice from DPO: Advice has been sought from the DPO throughout the drafting of this assessment.
Action: All advice and comments have been incorporated where possible.
I confirm that the Bail and Release from Custody (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UK GDPR and the Data Protection Act 2018.
Name and job title of an IAO or equivalent: Cat Dalrymple
Date each version authorised: 31/05/22
Contact
Email: futureofcustody@gov.scot