Tied Pubs (Scotland) Act 2021 implementation: data protection impact assessment
Data protection impact assessment which considers the potential impacts of the implementation of the Tied Pubs (Scotland) Act 2021.
5. Further assessment and risk identification
5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?
Use existing ones.
5.2 Will the proposal require regulation of:
- technology relating to processing
- behaviour of individuals using technology
- technology suppliers
- technology infrastructure
- information security
No
5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?
No
5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g.in relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)
Potentially – the Tied Pubs (Scotland) Act 2021 provides for the Adjudicator to possibly investigate a pub-owning business’s compliance with the code if the Adjudicator has reasonable grounds to suspect that the business has failed to comply with the code. Any investigation could include a request for personal information.
The Adjudicator can also require a person to provide information for certain purposes:
(a)investigating a pub-owning business’s compliance with the code,
(b)monitoring whether the requirement to comply with a direction given under section 9(2)(a) has been fulfilled,
(c)exercising functions in relation to the offer of a market rent only lease.
5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?
No.
5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?
Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling.
Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.
No. There are similar processes in place in England and Wales – there is a pubs code and a Pubs Code Adjudicator.
No. There are no potential unintended consequences with regards to the provisions. These would not result in unintended surveillance or profiling.
The Data Protection Act 2018 and UK General Data Protection Regulation apply to the processing of all personal data. Additionally, public authorities must always ensure that data sharing is compliant with the Human Rights Act 1998, and they must not act in a way that would be incompatible with a person’s rights under the European Convention on Human Rights.
5.7 Are there consequential changes in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?
No.
5.8 Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
No.
5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so, briefly explain the nature of those safeguards.
Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.
Yes – as part of the creation of the Scottish Pubs Code Adjudicator office. This will involve developing procedures for recording information, retention policies and anonymisation in order to secure compliance with GDPR and Public Record requirements.
5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.
Not directly. The processing of personal data will be required to meet certain aims such as:
- the Adjudicator can arbitrate in disputes,
- the Adjudicator can provide guidance on the code,
- the Adjudicator can identify how many tenants a pub-owning business has,
- the Adjudicator can directly communicate and engage with relevant parties.
Arbitration could result in fees and expenses needing to be paid. It could also result in determining how much levy a pub-owning business should pay.
5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?
No.
5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as country outside the UK.)
No.
Contact
Email: tiedpubs@gov.scot
There is a problem
Thanks for your feedback