Marine planning zones - proposals to extend to 12 nautical miles: impact assessments

Data Protection Impact Assessment (DPIA)

Proposals to extend marine planning zones out to 12 nautical miles – Consultation only

1. Introduction

The purpose of this assessment is to consider the privacy implications associated with the public consultation on proposals to extend marine planning zones undertaken by the Marine Directorate of the Scottish Government.

2. Document metadata

Name of policy/project/initiative: Proposals to extend marine planning zones out to 12 nautical miles

Date of report: 08 July 2024

Version number: 1

Author of report: Joe Triscott

Name of information asset owner (IAO) of relevant business unit: Malcolm Pentland

Date for review of DPIA: At the end of the project or 30 June 2025, whichever is sooner

3. Description of the project and personal data

Extension to marine planning zones are being proposed in order to close a gap in current aquaculture planning regulations.

The consultation paper will ask a series of questions to seek views on the proposals to extend marine planning zones as defined in The Town and Country Planning (Marine Fish Farming) (Scotland) Order 2007, out to 12 nautical miles.

The preferred method of response will be through the online CitizenSpace system. The questionnaire will also be downloadable and hard copies may be posted / e-mailed out to meet specific respondent’s requirements if requested. Hard copies will be returned directly to Marine Directorate to ensure confidentiality. Personal data will also be requested to enable acknowledgement of receipt of response or to enable feedback to any queries received.

It is our usual practice to publish the responses as per the preferences that respondents have indicated via Citizen Space, or, where responses arrived by e-mail / post, via the Respondent Information Form (RIF), which asks about data release preferences.

Responses received via post or email will be uploaded on to Citizen Space by the Scottish Government, the original document or email will then be destroyed/deleted.

Following the closure of any consultation, we would look to publish responses where approval has been given for this by the respondent. All the responses will be moderated.

Marine Directorate will analyse the responses received and provide a clear and concise report for publication, which reflects a robust analysis of the consultation responses, in order to inform the next stages of policy / legislative development.

Consultation Process

Consultations are hosted on Citizen Space, the Scottish Government's digital platform for consultations, and published on the Scottish Government Consultations webpage, enabling people to submit their response online. Citizen Space is managed by the Scottish Government’s Digital Engagement Team.

Consultations are also published on the Scottish Government website, enabling people to email or post a response.

The consultations will run for a minimum of 12 weeks starting September 2024 to November/ December 2024.

Governance

The governance arrangements for consultations broadly involve the following:

• Consultation Manager (Scottish Government): Joe Triscott
• Digital Engagement Manager, Comms (Scottish Government): DigitalEngagement@gov.scot

Reporting

The Consultation Manager will be responsible for the analysis of the consultation responses, as well as the preparation of the final reports. The final consultation analysis report will be published on the Scottish Government’s website. It is the responsibility of the Consultation Manager to ensure that their methods do not contravene the provisions of current Data Protection Laws.

Data Protection Laws means any law, statute, subordinate legislation, regulation, order, mandatory guidance or code of practice, judgement of a relevant court of law, or directives or requirements of any regulatory body which relates to the protection of individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act 2018 and any statutory modification of re-enactment thereof, and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data, and repealing Directive 95/46/EC.

4. Data controllers and data processors/sub processors

Data controllers

Organisation: Scottish Ministers

Information Asset Owner: Malcolm Pentland

Activities: Devolved Government

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?: Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing:

Public Task - Consultation is statutory requirement under Town and Country Planning (Scotland) Act 1997, Section 26, (6H):

Before making an order under subsection (6C), the Scottish Ministers—

(a)must consult—

(i)every planning authority, and

(ii)the Scottish Environment Protection Agency, and

(b)may consult such other persons as they think fit

Data to be processed

E-mail address

Citizen Space (online responses).

Respondent Information Form (e mailed or postal responses).

Name

Citizen Space (online responses).

Respondent Information Form (e mailed or postal responses).

Whether a person is responding on behalf of an organisation, or issuing a response as an individual. (If respondent is from an organisation, they are asked the type of organisation – developer, public sector, community council etc.).

Citizen Space (online responses).

Respondent Information Form (e mailed or postal responses).

Postal address

Respondent Information Form (postal responses).

Contact telephone number

Respondent Information Form (e mailed or postal responses).

Data Subjects

The data subjects are the self-selecting respondents to the consultation. Responses may be submitted by both individual members of the public and by organisations. During the data collection process, all respondents are asked to provide information about themselves, either via the Citizen Space online platform or by completing a Respondent Information Form. This form asks respondents to state their publication preference as follows.

The Scottish Government would like your permission to publish your consultation response. Please indicate your publishing preference:

Publish response with name

Publish response only (without name)

Do not publish response

If individual respondents do not answer this question, the default position is not to publish their response.

If organisation respondents select ‘do not publish’ or do not answer this question, the organisation name may still be listed as having responded to the consultation.

Respondents are also asked to indicate whether they are content to be contacted again in the future by the Scottish Government in relation to this specific consultation exercise.

The Respondent Information Form will direct respondents to the Scottish Government privacy note, which outlines respondents data protection rights and rights to complain.

Data Collection, Storage and Transfer

Data will predominately be collected from data subjects electronically via the Citizen Space online platform. Some respondents may also submit their response via post or email and these are uploaded on to Citizen Space by the Scottish Government. Responses on Citizen Space can either be downloaded individually or automatically entered into a database (downloadable onto Excel).

Marine Directorate will be the owner of the data and will be responsible for ensuring the data is managed in line with the retention schedule as described under the Data Purging and Archival section of this document .

Data Access

Citizen Space will securely hold the consultation responses submitted online or uploaded as attachments, and it will be possible to download the database of online responses onto Microsoft Excel.

The database will include all or some of the following information about each respondent who replied using the online data form or by email or post and either completed a Respondent Information Form or provided the information within their response:

• Name
• Email address
• Responding as an individual or an organisation (If responding on behalf of an organisation) Organisation’s name and sector (from list of options -e.g. public, private, third).
• Permission to publish consultation response (publish response with name, publish response only, do not publish response).
• Content to be contacted by the Scottish Government in the future in relation to this consultation exercise
• All inputted responses to the consultation questions.

Data Cleaning

Before beginning the analysis, the Consultation Manger will identify any blank or duplicate responses. Blank responses will be removed before analysis. Multiple different responses submitted by the same individual or organisation will be combined into a single composite response.

For audit and quality control purposes, a record will be kept of any exclusions or changes made to responses included in the final database (i.e. any responses that are excluded from the analysis and the reason for exclusion; any identified as campaign responses; and any reclassification of organisation type). This information will be provided in a separate worksheet within the master database and referred to in the final report.

Data Publication

Responses will be published in accordance with respondents’ expressed publication preferences. Where respondents have given permission for their response to be published, with or without their name, and after the Scottish Government has redacted any personal data or defamatory content, consultation responses will be published at http://consult.gov.scot.

All staff involved in processing and publishing data will have undergone data protection training and be aware of procedures for data security and privacy, to comply with GDPR and ensure data is nt published in error. All project staff will know how to recognise a personal data breach (PDB) and how to report suspected breaches in line with GDPR requirements

Data Purging and Archival

The consultation datasets will be held on a secure, password protected server in the Scottish Government, in a sub-folder which is restricted to a limited number of staff working on this project. It is expected that the data will only be held for as long as the data is required. As soon as possible after the project is completed, a review will take place to determine whether the data needs to be retained or destroyed.

If it is decided that there is

• no rationale to justify continuing to hold the data, then it will be destroyed,
• justification to continue to hold the data then it can be held until a further review 12 months later. This would most likely arise if the consultation period has been extended beyond the review date

Explain the legal basis for the sharing with internal or external partners:

The legal basis for processing personal data will be public task. Consultation is statutory requirement under Town and Country Planning (Scotland) Act 1997, Section 26, (6H):

Before making an order under subsection (6C), the Scottish Ministers—

(a)must consult—

(i)every planning authority, and

(ii)the Scottish Environment Protection Agency, and

(b)may consult such other persons as they think fit

The analysis of the data arising from the consultations provides information that will assist the Scottish Ministers in fulfilling their duties to engage under a range of legislation, including those requiring the preparation of impact assessments under environmental, equalities and islands legislation. The information may form the basis of future discussion with key stakeholders.

5. Stakeholder analysis and consultation

Planning authorities

Statutory role as decision-makers in the planning system

Other public bodies

May have a role as a key agency / statutory consultee, or use planning to deliver development.

Key Agencies in Development Planning are specified in regulation 25 of The Town and Country Planning (Development Planning) (Scotland) Regulations 2023

Respondents (members of public)

Opportunities proposed to consult the public as part of the process of extending marine planning zones out to 12 nautical miles

Community Councils

Statutory role in the planning system

Equality, Amenity and Environmental Interests / Groups

Provide representations reflecting their particular cultural, environmental, societal interest

Business and developer interests

Private sector organisations, individual businesses and enterprises use the planning system to deliver investment and development

Marine Directorate Team

Develop and produce the consultation paper for consultation, and analyse responses

Data Protection and Information Asset Team

Advise on completing the DPIA

Digital Engagement Unit

Create the consultation in Citizen Space

Method used to consult with these groups when making the DPIA

Respondents will be invited, through the consultation, to comment on the DPIA.

Data protection issues identified by these groups during consultation

To be updated following consultation

Method used to communicate the outcomes of the DPIA

We will publish the finalised DPIA on the Scottish Government official platform.

6. Questions to identify data protection issues

All staff involved in processing data will be aware of procedures for data security and privacy, to comply with GDPR. All project staff will know how to recognise a personal data breach (PDB) and how to report suspected breaches in line with GDPR requirements.

Anonymity and pseudonymity

Scottish Government will be responsible for ensuring that responses are published in accordance with respondents’ expressed publication preferences.

Individual respondents’ names will be published with their responses only if they have given explicit permission for this. Where an individual respondent selects ‘publish response only’, SG will redact their name and any other potentially identifiable information from their response. Any direct quotations from responses included in the report will not be attributed to identifiable individuals, regardless of their expressed publication preference. There will be no quotations from responses where permission to publish has not been given.

Organisation respondents which select the option 'publish response only (without name)' may still have the organisation name published, but the name of the specific person submitting the response will not be published. Organisations which have given permission for their response to be published could be mentioned by name in the final report, though it is also possible that, rather than being explicitly named, they might be referred to as ‘an organisation from the private/public/third sector’ etc.

We will keep under review whether anything else needs to be redacted from responses should it risk revealing a respondent’s identity.

Technology

Citizen Space is a secure online platform which will hold consultation responses. Where responses are not received via Citizen Space, such as by post / email, these are uploaded on to Citizen Space by the Scottish Government and original returns will be destroyed/deleted.

Identification methods

Identifiable respondent information is accessible in the dataset created through Citizen Space.

Sensitive/Special Category personal data

It is not anticipated that many of the consultation responses would contain ‘special category data,’ as defined by GDPR. The legal basis for processing this data, under Article 9 of GDPR, will be ‘substantial public interest.’

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’.

However, there is a risk that such data is submitted in free text boxes. Data on text boxes will be reviewed and irrelevant ‘special category’ data removed.

Changes to data handling procedures

There will be no changes to general data handling procedures for consultations.

Statutory exemptions/protection

We don’t believe that there any exemptions from the Data Protection Act will apply to this project.

Justification

Marine Directorate will analyse the responses received and provide a clear and concise report for publication, which reflects a robust analysis of the consultation responses, in order to inform the next stages of policy / legislative development.

Other risks

None identified

7. UK General Data Protection Regulation (UK GDPR) principles

Principle

7.1 Principle 1 – fair and lawful (see 4.1), and transparent

Compliant – Yes/No

Yes

Description of how you have complied

The legal basis for processing personal data will be ‘public task’. Scottish government has prepared a privacy statement which is available on the Scottish Government website. Privacy - gov.scot (www.gov.scot)

The Scottish Government would communicate this to consultees before they make their comments in any consultation.

Principle

7.2 Principle 2 – purpose limitation

Compliant – Yes/No

Yes

Description of how you have complied

The data will be collected for specific purposes and will not be processed in a manner incompatible with those purposes. The purpose will be clearly explained to respondents prior to responding.

Principle

7.3 Principle 3 – adequacy, relevance and data minimisation

Compliant – Yes/No

Yes

Description of how you have complied

The consultation will only gather necessary information to achieve the project’s objectives.

Participants are able to input as much information as they would like to open questions, and are able to skip open questions.

Principle

7.4 Principle 4 – accurate, kept up to date, deletion

Compliant – Yes/No

Yes

Description of how you have complied

The data from the consultation and analysis does not need to be kept up to date as it represents the participants’ views and circumstances at the point of collection. It will be deleted in accordance with SG retention and disposal strategy (See Principle 5 for deletion).

Principle

7.5 Principle 5 – kept for no longer than necessary, anonymization

Compliant – Yes/No

Yes

Description of how you have complied

The data processor will be processing data which is directly identifiable in the dataset. Anonymisation measures are set out in section 5.

Review measures will be in place to ensure that the data will be kept for no longer than is necessary for its lawful purpose by the Scottish Government.

Principle

7.6 UK GDPR Articles 12-22 – data subject rights

Compliant – Yes/No

Yes

Description of how you have complied

Data subjects rights are set in the SG privacy policy which is to be found in the RIF linked to the consultation process.

The data controller will process and manage any requests to exercise the rights of the data subject.

Principle

7.7 Principle 6 - security

Compliant – Yes/No

Yes

Description of how you have complied

Data will be protected from loss or unlawful processing using appropriate methods, including storing electronic data on password protected secure severs.

Principle

7.8 UK GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.

Compliant – Yes/No

Yes

Description of how you have complied

The project is not expected to involve the transfer of data outside the EEA.

For customers in the EU, Rackspace is its Infrastructure as a Service hosting provider. Rackspace provides and manages the UK data centers in which the Citizen Space site is hosted.

8. Data Protection Officer (DPO) advice

Advice from DPO

Can you confirm that no special category data is being processed as part of this consultation

Action

Yes, that is correct - no special category data is being processed. This is referenced under the Identification Methods section on page 8 of the DPIA

Reason advice not actioned

N/A

Advice from DPO

Please confirm the review date of the DPIA

Action

Review date included

Reason advice not actioned

N/A

Advice from DPO

The DPIA needs to capture how all information is to be processed as part of this consultation so the further details need to be included on the processing of the manual forms etc and emails received both in terms of Storage/access and deletion as DPIA only covers Citizen Space for the full processing journey

Action

Updated to note that responses received via post or email will be uploaded on to Citizen Space by the Scottish Government, the original document or email when then be destroyed/deleted.

Reason advice not actioned

N/A

Advice from DPO

You have identified you will be relying on public task as your lawful basis – can I ask if this is statutory or non-statutory consultation?

Action

Consultation is statutory requirement under Town and Country Planning (Scotland) Act 1997, Section 26, (6H):

Before making an order under subsection (6C), the Scottish Ministers—

(a)must consult—

(i)every planning authority, and

(ii)the Scottish Environment Protection Agency, and

(b)may consult such other persons as they think fit

The DPIA has been updated to reflect this

Reason advice not actioned

N/A

Advice from DPO

You reference the public at large – I would consider using the term Respondents or Consultation Participants so their stakeholder role is clear

Action

Updated to ‘Respondents (members of public)’ as we want to make clear that one of the respondent group is likely to be individuals rather than specified groups or organisations

Reason advice not actioned

N/A

Advice from DPO

In terms of data retention, the personal data can only be retained for as long as it is necessary. My understanding from the current description is that although it will be reviewed at the 12 month stage you are potentially keeping the information indefinitely. You will need a strong justification for retaining the data indefinitely. I would recommend providing a clear retention point for transparency for the participants.

Action

The Data Purging and Archival section (page 5) has been updated to provide information on instances where data retention may be required (extension of consultation period beyond DPIA review date)

Reason advice not actioned

N/A

Advice from DPO

Please note that Citizen Space is used as the tool to facilitate the consultation, however your business area is the owner of the data and will be responsible for ensuring the data within is managed in line with your retention schedule.

Action

Data Collection, Storage and Transfer section has been updated to reflect this advice

Reason advice not actioned

N/A

Advice from DPO

Other Risk – you may want to consider including impacts such as publication in error, data subjects not being able to exercise rights, retaining information for longer than is necessary etc

Action

The following sections of the DPIA have been updated to outline these risks and how they will be mitigated against, rather than including in the Other Risks section

Data Subjects (Page 4)

Data Publication (Page 5)

Data Purging and Archival (Page 5)

Reason advice not actioned

N/A

9. Authorisation and publication

The DPIA report should be signed by your information asset owner (IAO). The IAO will be the Deputy Director or Head of Division.

I confirm that the impact of undertaking the project has been sufficiently assessed against the rights of the data subjects (people):

Malcolm Pentland - Deputy Director and Head of the Marine Economy and Communities Portfolio, Marine Directorate

29 August 2024

10. Annex A – privacy information

Privacy - gov.scot (www.gov.scot)