Cost of Living (Tenant Protection) (Scotland) Bill: data protection impact assessment
Data protection impact assessment for the Cost of Living (Tenant Protection) (Scotland) Bill and considers any potential privacy impacts arising from this legislation.
Cost of Living (Protection of Tenants) (Scotland) Bill Data Impact Assessment (DPIA)
Title of proposal: The purpose of this document is to report on and assess against any potential privacy impacts as a result of the Cost of Living (Tenant Protection) (Scotland) Bill
Your department: Local Government and Housing Directorate
Contact email:
Data protection support email
Data protection officer
dataprotectionofficer@gov.scot
Is your proposal primary legislation, secondary legislation or a statutory measure?
Primary Legislation
Name of primary legislation your measure is based on (if applicable)
Cost of Living (Tenant Protection) (Scotland) Bill
What stage is your legislation or statutory measure at and what are your timelines?
The Bill was introduced to Parliament on 4 October 2022.
Have you consulted with the ICO using the Article 36(4) form?
Yes
If the ICO has provided feedback, please include this.
They commented there was only a limited opportunity to engage on the proposal, given that this emergency legislation is being treated as urgently as it can be with expedited processes. They had no major concerns based on the information provided.
Have you held a public consultation yet?
Given how urgently the measures in this Bill are required as a result of the unprecedented challenges faced by renters during the cost of living crisis, no formal public consultation has taken place. However, the measures in the Bill reflect concerns highlighted by members of the public, stakeholders and Members of the Scottish Parliament. In addition, the ‘New Deal for Tenants – Draft Strategy Consultation’ undertaken earlier in the year has provided some insight into people’s general views around the principle of rent controls (albeit in a different context) and the concerns of tenants. Furthermore, consideration has been taken of the consultation on the Coronavirus Recovery and Reform (Scotland) Bill.
Were there any comments/feedback from the public consultation about privacy, information or data protection?
N/A
Introductory information
Version | Details of update | Version complete by | Completion Date |
---|---|---|---|
1 | Michael Boal | 14/09/2022 | |
2 | Steven Paxton | 15/09/2022 | |
3 | Michael Boal | 21/09/2022 | |
Catriona MacKean | 25/9/2022 |
Article 35(7)(a) – “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller”
Question 1
What issue/ public need is the proposal seeking to address? What objective is the legislation trying to meet?
Comments
The purpose of the Cost of Living (Tenant Protection) Bill (“the Bill”) is to respond to the emergency situation caused by the impact of the cost crisis on those living in the rented sector in Scotland by introducing a temporary rent freeze, temporary moratorium on evictions, and increased damages for unlawful evictions until at least 31 March 2023 with additional powers to temporarily reform rent adjudication. The intended effect of the Bill is to:
1. protect tenants by stabilising their housing costs;
2. where possible, during the cost crisis, reduce impacts on the health and wellbeing of tenants caused by being evicted and/or being made homeless by giving them more time to find alternative accommodation; and
3. seek to avoid tenants being evicted from the rented sector by a landlord wanting to raise rents between tenancies during the temporary measures and reduce unlawful evictions, through the complementary measures of a moratorium on evictions and raising the level of damages that may be awarded;
As this is emergency legislation, it is intended that a three-monthly reporting requirement will be included in the legislation, to demonstrate the need for provisions to either continue or expire, where appropriate, and based on evidence at the relevant time.
Although the Bill aims primarily to support tenants, it is recognised that the impacts of the cost crisis may also be felt by some landlords so appropriate safeguards have been considered as part of the Bill development process and provided for within the Bill.
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects” and Article 35(7)(b) “…necessity and proportionality of the processing operations”
Question 2
Does your proposal relate to the collection of personal data? If so, please explain how and what kind of personal data it might involve.
Comments
Please also specify if this personal data will be sensitive or special category data or criminal convictions or offences?
(Note: ‘special categories’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation and sensitive personal data means criminal information or history)
The temporary provisions relating to protecting private and social rented sector tenants and students in college and university halls of residence and Purpose Built Student Accommodation (PBSA) do not give rise to substantial new arrangements concerning the processing of personal data.
However, through Rent Service Scotland landlords will have a means to apply to increase rent for specific prescribed costs related to offering the property for rent. The processes and data required have not yet been finalised.
No measures in the Bill require the processing of sensitive or special category data or criminal convictions or offences.
Article 35(7)(a) “purposes of the processing, including, where applicable, the legitimate interest pursued by the controller” and Article 35(7)(b) “…necessity and proportionality of the processing operations”
Question 3
How will your proposal engage with Article 8 ECHR? How will your proposal balance rights and requirements with Article 8 rights? If impinging on Article 8 rights, what is your justification for doing so – why is it necessary?
Article 8 ECHR:
Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Comments
N/A
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned”
Note Article 32 GDPR for s.4 also
Question 4
Will your proposal require you to regulate:
- technology
- behaviour of individuals using technology
- technology suppliers
- technology infrastructure
- information security
(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)
Comments
No.
No measures in the Bill require the supply or creation of technology solutions. It is intended that existing systems will be utilised.
Question 4a
Please explain how your proposal will regulate behaviour using technology or the use of technology.
Please consider/address any issues involving:
- Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals);
- Surveillance (necessary or unintended);
- Tracking of individuals online, including tracking behaviour online;
- Profiling;
- Collection of ‘online’ or other technology-based evidence
- Artificial intelligence (AI);
- Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals
(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people’s information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)
Comments
N/A
Question 4b
Will your proposal require establishing or change to an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?
Comments
Private Rented Sector
Under the Private Housing (Tenancies) (Scotland) Act 2016, tenants can make a referral to a Rent Officer in relation to a rent increase notice issued by their landlord through an online process. As part of the Bill we will be introducing temporary changes to the basis on which referrals can be made, including introducing a process to allow landlords to request an increase to the rent (providing some conditions are met). We do not anticipate significant changes to the existing online process in order to deliver these and any new processes will be delivered in line with the existing approaches. The collection process is not prescribed in the legislation and will be developed in due course in accordance with data protection requirements. We will re-assess the Data Protection Impact Assessment as necessary.
Similarly, as part of existing processes, landlords and tenants are able to make an appeal to the First-Tier Tribunal (Housing and Property Chamber), again through an online process. Again, the Bill will introduce temporary changes to the basis on which appeals can be made but there will not be significant changes to the existing processes in order to deliver these and any new processes will be delivered in line with the existing approaches.
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
*Note exemptions from GDPR principles where applicable
Question 5
Please provide details of whether your proposal will involve the collection or storage of evidence or investigatory powers (e.g. fraud, identify theft, misuse of public funds, criminal activity, witness information, online behaviour, victim information or other monitoring of online behaviour)
Comments
N/A
Article 35(7)(b) “…necessity and proportionality of the processing operations”
Article 35(7)(c) “assessment of the risks to the rights and freedoms of data subjects”
Article 35(7)(d) “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned”
Question 6
Would your proposal affect a specific group e.g. children, vulnerable individuals, elderly people? (Please specify)
Comments
Social Rented Sector
Social landlords gather and hold information about and from their tenants on a contractual basis under the Scottish Secure Tenancy or Short Scottish Secure Tenancy Agreement.
All Social landlords are regulated by the Independent Scottish Housing Regulator (SHR) who collect governance and financial information from Registered Social Landlords (RSLs) and annual performance information against the Scottish Social Housing Charter from both RSLs and Local Authority landlords.
All social landlord contact details and their performance information are held by the SHR and are publicly available on their website. This information is available to social housing tenants, landlords and anyone else. Both tenants and landlords in the social rented sector can apply to the Sheriff Courts which are independent of both the Scottish Government and Scottish Ministers and therefore will have their own data protection compliance measures in place, when processing, handling and storing personal information relating to tenants and landlords who are making use of their service.
College and university halls of residence and Purpose Built Student Accommodation (PBSA)
It should be noted that 61% of students who live in PBSA are under 21 and 74% of students who live in college and university halls of residence are under the age of 21.
As a large number of students living in college and university halls of residence and PBSA are first year undergraduate students, vulnerable young adults and children, namely 17 year olds, will be affected.
Question 7
Will your Bill necessitate the sharing of information to meet the objectives of your proposal?
If so, are the appropriate legal gateways for sharing personal data included?
Would your proposal benefit from appointing or specifying Data Controllers/creating obligations in law for responsibility for managing personal data?
(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s.)
Comments
N/A
Question 8
Is there anything potentially controversial or of significant public interest in your policy proposal?
Are there any potential unintended consequences with regards to the provisions e.g. would unintended surveillance or profiling be an outcome of information collection provisions; will the public’s personal information have appropriate safeguards – could those safeguards interfere with the ability to investigate crime or protect the public etc. Please provide details about how you are balancing competing interests where they relate to personal data.
Comments
No
Question 9
Will any of the provisions affect/engage ECHR rights in addition to Article 8 e.g.:
- Article 6 right to a fair trial (and rights of the accused)
- Article 10 right to freedom of expression
- Article 14 rights prohibiting discrimination
Comments
Or any other convention or treaty rights?
The provisions raise issues in terms of:
- A1P1 ECHR: Protection of property
- Article 6 ECHR: Determination of a civil right
The Scottish Government is, however, satisfied that the provisions are compatible with the European Convention on Human Rights, in particular, with Article 1 of Protocol 1 which gives protection for property rights.
Question 10
Are there legacy provisions in other legislation that need to be addressed/repealed etc. in your current proposal?
(This might include, for example, the creation of statutory regulations (which would need enabling powers in Bills; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).
Comments
The measures in the Bill will automatically expire six months after they come into force. The Scottish Parliament may extend these measures for two further periods of six months, giving the measures in the Bill a maximum duration of 18 months.
Where a measure is no longer considered necessary, Scottish Ministers can bring it to an end earlier than on this six-monthly schedule.
Scottish Ministers are required by the Bill to report on the continued need for the measures, and on the use of powers in the Bill.
Question 11
Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
Comments
No. The measures in the Bill are a temporary urgent response to the current cost of living crisis.
Summary – Data Protection Impact Assessment
Question 12
Do you need to specify a Data Controller/s?
Comments
These are temporary measures, but are likely to lead to the requirement to collect, store or process some new data from landlords. Given the emergency nature of this legislation, the process itself remains in development and we will reassess any Data Protection Impacts as necessary.
Question 13
Do you need to include information collection duties or powers (legal basis for processing)?
Comments
At this time, we do not envisage the need to include new or additional information processing duties or powers. Existing routes will provide the legal basis for the collection of any new information.
Question 14
Do you need to include explicit information sharing provisions (as related to duties, legal gateways, express powers):
- From one public sector organisation to another public sector organisation;
- From a public sector organisation to a private sector organisation, charity, etc.;
- Between public sector organisations;
- Between individuals (e.g. practitioners/ service users/sole traders etc.);
- Upon request from a nominated (or specified) organisation?
Comments
No. The process as currently envisaged will not require new data sharing provisions.
Question 15
Have you included any safeguards for personal data/interference with Article 8 rights?
Comments
Data collection and handling processes are already established within SG and Rent Services Scotland. Whilst these temporary measures may require the collection, storage and processing of new data, there is no need to include new or additional safeguards. We will reassess any Data Protection Impacts as necessary.
Question 16
Have you included any safeguards for personal data/interference with other rights?
Comments
Data collection and handling processes are already established within SG and Rent Services Scotland. Whilst these temporary measures may require the collection, storage and processing of new data, there is no need to include new or additional safeguards. We will reassess any Data Protection Impacts as necessary.
Question 17
Will the collection of personal data affect decisions made about individuals, groups or categories of persons, or might provisions result in the denial of a right or rights?
Comments
Data collection requirements specifically resulting from this legislation will not create any new risks to the denial of any pre-existing right or rights.
Question 18
Please summarise the key elements to be included for Bill drafters; please highlight risks to personal data, any comments about mitigating those risks, including any costs or options for addressing those risks through legislation.
This should be included in the Bill Instruction.
No measures in the Bill are expected to constitute any risks to personal data.
The temporary measures in the Bill do not include any new requirements to store or process new data.
All data will therefore be processed in accordance with current rules and systems.
Authorisation
The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division or the relevant person in the business area sponsoring the Bill/proposals.
Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust and has addressed all the relevant issues.
By signing the DPIA report, the IAO is confirming that the impact of the policy has been sufficiently assessed against individuals’ right to privacy.
The results of the impact assessment must be published in the eRDM with the phrase “Legislation DPIA” and the name of the project or initiative in the title.
Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.
I confirm that the impact of the Cost of Living (Protection of Tenants) (Scotland) Bill has been sufficiently assessed against the needs of the privacy duty:
Name and job title of a IAO or equivalent:
Catriona MacKean, Deputy Director Better Homes
Date each version authorised:
27 September 2022
Contact
Email: housing.legislation@gov.scot
There is a problem
Thanks for your feedback