Police (Ethics, Conduct and Scrutiny) (Scotland) Bill: data protection impact assessment
This impact assessment records how data will be used in relation to the Police (Ethics, Conduct and Scrutiny) (Scotland) Bill and how that use is compliant with data protection legislation.
5. Further assessment and risk identification
Question | Comments | |
---|---|---|
5.1 | Will the proposal require the creation of new identifiers, or require the use of existing ones? | No new identifiers are being introduced. |
5.2 | Will the proposal require regulation of:
|
This proposal will not require additional regulation of technology or information security, as PIRC are currently able to access Police Scotland's Complaints Database – Centurion – and rather the bill provides regulation making powers to allow the Scottish Ministers to set out how the PIRC will access this database. The subsequent regulations will potentially have some detail as to behaviour of individuals, etc, but this will be set out in the DPIA for those regulations. |
5.3 | Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s? | No change to established public registers required. |
5.4 | Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g.in relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour) | Police Barred and Advisory Lists: Personal data which is included in the proposed barred list will be publicly available information and therefore could be used as evidence of previous wrongful behaviour in relation to any separate investigation. Cross Jurisdictional Issues and clarification of person serving with the police for criminal investigations: As set out above, this will involve the sharing of information about criminal investigations, in respect of wider classes of constable. The PIRC will need to be able to store information whilst they are carrying out an investigation. PIRC Access to Police Scotland's Complaints Handling Database: The information about complaints is already being collected and shared. This only changes the method by which it will be shared. To note, complaints about an act or omission of a police constable, Police Scotland or the SPA could not be investigated under the complaints investigation or complaints handling review provisions of the 2006 Act if they relate to criminal conduct. PIRC Power to Audit Whistleblowing Complaints: This will involve the sharing of information in respect of audit of whistleblowing complaints. The PIRC will need to be able to store information whilst they are carrying out an investigation. PIRC to Call in a Complaint: The information about complaints is already being collected and shared, but this will involve it being used for a different function in relation to complaints investigation, as set out above. |
5.5 | Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way? | A full equality impact assessment has been undertaken with no identifiable direct impacts on specific groups. For more information see the full EQIA. |
5.6 | Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to views the measures as intrusive or onerous? Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling. Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing. | There is a high level of public interest in the conduct of police officers across the UK. Police Barred and Advisory Lists: The Barred and Advisory Lists is already an established mechanism used by the College of Policing in England and Wales to increase the accountability of those who are dismissed from policing. The lists are expected to further the transparency of the Scottish policing discipline system by publishing details of these individuals, where appropriate, in order to raise public confidence in the police. SPA will have responsibility for managing the list that will mirror the safeguards provided in England and Wales to those on the list by allowing certain exemptions, and reviews after agreed periods of time. |
5.7 | Are there consequential changes to in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim? | The Bill will enable regulation making powers. Regulations made under those powers will be subject to compliance with UK GDPR when made and appropriate impacts assessments completed. Amendments to regulations will be coordinated and considered alongside implementation of the Bill provisions after parliamentary passing of the Bill. As described above, it is also envisaged that there will be an order under s104 of the Scotland Act 1998 to ensure that police forces in England and Wales and the Police Service of Northern Ireland will be sharing information with the PIRC to allow them to fulfil their functions around investigations of constables. |
5.8 | Will this proposal necessitate an associated code of conduct? If so, what will be the status of the code of conduct (statutory, voluntary etc.)? | There is no necessity for an associated code of conduct to be produced by the Scottish Government in reference to provisions for this Bill that relate to the safe management of data. The data controllers operate independently of the Scottish Government, and therefore are best placed to create appropriate guidance to ensure compliance with their data protection obligations under the UK GDPR. Separately there is an existing code of ethics for policing managed by Police Scotland. Provisions within this Bill will create a statutory obligation to prepare and maintain that code and will include additional requirements for consultation and regular consideration involving relevant stakeholders. |
5.9 | Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing. | The data controllers already have policies and procedures in place for the handling of data, and are well versed in the sensitivities and legal requirements for processing personal data. They will continue to ensure they comply with their statutory duties and have appropriate safeguards in place. This includes drafting of operational DPIAs, Data Sharing Agreements and updating Privacy Notices as appropriate. Safeguards for the Centurion system proposals will be shared in the DPIA for the regulations. |
5.10 | Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making. | See Section 2.3 |
5.11 | Will the proposal include automated decision making/profiling of individuals using their personal data? | No |
5.12 | Will the proposal require the transfer of personal data to a 'third country'? (Under UK GDPR this is defined as country outside the UK.) | No |
Contact
Email: policeethicsbill@gov.scot
There is a problem
Thanks for your feedback