Tied Pubs (Scotland) Act 2021 implementation: data protection impact assessment
Data protection impact assessment which considers the potential impacts of the implementation of the Tied Pubs (Scotland) Act 2021.
6. Risk Assessment
6.1.1 Risk to individual rights
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
Solution or mitigation
Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.
If individuals do not want their personal data to be processed, in the case of arbitration, this may make it impossible to carry out arbitration cases and to ensure that tenants can access their rights under the Scottish Pubs Code.
If individual pub-owning businesses do not share contact information (which could include personal data) then they could be found in breach of the code. This could result in a financial penalty, a direction to do, or stop doing, a course of action, or the requirement to publish specified information relating to an investigation.
Individuals could receive a fine if they fail to provide information to the Adjudicator, in three circumstances: investigating whether a pub-owning business has complied with the code, monitoring whether the requirement to comply with an Adjudicator’s direction has been fulfilled or exercising functions in relation to the offer of an MRO lease.
Many of the risks to individual rights are already mitigated in the Act. For example, there are only three circumstances in which parties can be fined by the Adjudicator for not providing information. The Scottish Pubs Code also specifies what information pub-owning businesses can provide and focuses this on specific purposes.
Likelihood (Low/Med/High): Low
Severity (Red/Amber/Green): Green
Result: Accepted
6.2.1 Privacy risks
Purpose limitation
Solution or mitigation
The Adjudicator should create a data protection policy and include a data protection notice when dealing with any queries.
Likelihood (Low/Med/High): Medium
Severity (Red/Amber/Green): Amber
Result: Mitigated
6.2.2 Privacy risks
Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights
Solution or mitigation
The Adjudicator should refer any contacts to their data protection policy and their data protection/GDPR notice.
Likelihood (Low/Med/High): Medium
Severity (Red/Amber/Green): Amber
Result: Mitigated
6.2.3 Privacy risks
Minimisation and necessity
Solution or mitigation
The operation of the Adjudicator and the Scottish Pubs Code will be kept under review by the Scottish Government; this includes considering the impact on affected businesses.
A retention policy for keeping personal data should also be created by the Adjudicator.
Likelihood (Low/Med/High): Medium
Severity (Red/Amber/Green): Amber
Result: Reduced
6.2.4 Privacy risks
Accuracy of personal data
Solution or mitigation
The personal data collected will be minimal; it will be the responsibility of the pub-owning business or pub tenant to provide the correct data.
Likelihood (Low/Med/High): Low
Severity (Red/Amber/Green): Green
Result: Accepted
6.3.1 Security risks
Keeping data securely
Retention
Solution or mitigation
The Adjudicator should create a data protection policy and should comply with GDPR and the policy when setting up any customer relationship management system.
Likelihood (Low/Med/High): Medium
Severity (Red/Amber/Green): Amber
Result: Mitigated
6.3.2 Security risks
Transfer – data may be lost in transit
Solution or mitigation
The Adjudicator should consider this risk as part of any contract it has with providers (if any) to deliver arbitration work and include specific clauses in a contract to ensure data is not lost. We consider this unlikely given the Adjudicator is expected to carry out arbitration in-house.
Likelihood (Low/Med/High): Medium
Severity (Red/Amber/Green): Amber
Result: Reduced
6.3.3 Security risks
6.4.1 Other risks
Solution or mitigation
There are no other risks. This will not impact on children.
Data Protection Officer (DPO)
The DPO has been consulted in the development of the Article 36(4) form.
The DPO was provided an opportunity to comment on this DPIA and their advice is below.
Advice from DPO
Clarify your intentions on how you will engage with the Adjudicator once established so that they understand how they need to comply with the various obligations on them.
Action
Officials have identified the relevant information on data protection from the public bodies team and will incorporate this into the Adjudicator’s work plan/induction.
I confirm that the Tied Pubs (Scotland) Act 2021 – implementation has been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.
Name and job title of an IAO or equivalent: Alice Biggins, Deputy Director
Date each version authorised: 18 April 2024
Contact
Email: tiedpubs@gov.scot