Visitor Levy Bill: data protection impact assessment

6. Risk Assessment

Risk

6.1.1 Risk to individual rights

• right to be informed
• right of access
• right to rectification
• right to erasure
• right to restrict processing
• right to data portability
• right to object
• rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed

Solution or mitigation

Local authorities will already be collecting and processing personal data of accommodation providers. The Bill has been designed as to ensure no new data protection burdens are placed on local authorities or accommodation providers.

In relation to requests for information by a local authority for enforcement purposes (such as business account or sole trader records), the Bill has been drafted to ensure that only information that is reasonably required for the purpose of checking eligibility is required. In addition, the proposed national guidance will set out best practice on information needed for enforcement purposes.

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Reduced

Risk

6.2.1 Privacy risks

Purpose limitation

Solution or mitigation

The Bill does not require accommodation providers to process personal data.

Local authorities will already be collecting and processing personal data of accommodation providers due to existing legislation (Non-domestic rates, short term lets licensing).

In relation to requests for information by a local authority for enforcement purposes (such as business account or sole trader records), the Bill has been drafted to ensure that only information that is reasonably required for the purpose of checking eligibility is required.

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Reduced

Risk

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or mitigation

The Bill does not require accommodation providers to process personal data.

Local authorities will already be collecting and processing personal data of accommodation providers due to existing legislation (Non-Domestic Rates, short term lets licensing).

In designing and implementing a VL scheme, a local authority will be required to adhere to its statutory data protection duties. The Bill also requires a local authority to consult with businesses prior to the introduction of a VL. The proposed national guidance will provide best practice on consulting.

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Reduced

Risk

6.2.3 Privacy risks

Minimisation and necessity

Solution or mitigation

The Bill does not require accommodation providers to process personal data.

Local authorities will already be collecting and processing personal data of accommodation providers due to existing legislation (Non-Domestic Rates, short term lets licensing).

In relation to requests for information by a local authority for enforcement purposes (such as business account or sole trader records), the Bill has been drafted to ensure that only information that is reasonably required for the purpose of checking eligibility is required.

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Reduced

Risk

6.2.4 Privacy risks

Accuracy of personal data

Solution or mitigation

The Bill does not require accommodation providers to process personal data.

Local authorities will already be collecting and processing personal data of accommodation providers due to existing legislation (Non-Domestic Rates, short term lets licensing).

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Mitigated

Risk

6.3.1 Security risks

Keeping data securely

Retention

Solution or mitigation

The Bill does not require accommodation providers to process personal data.

Local authorities will already be collecting and processing personal data of accommodation providers due to existing legislation (Non-domestic rates, short term lets licensing).

Where a local authority wishes to establish a separate register of accommodation providers, we would expect this need to be proportionate to the needs of administering a levy.

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Mitigated

Risk

6.3.2 Security risks

Transfer – data may be lost in transit

Solution or mitigation

The Bill does not require accommodation providers to process personal data.

Local authorities will already be collecting and processing personal data of accommodation providers due to existing legislation (Non-Domestic Rates, short term lets licensing).

Where a local authority wishes to establish a separate register of accommodation providers, we would expect this need to be proportionate to the needs of administering a levy.

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Mitigated

Risk

6.3.3 Security risks

Solution or mitigation

N/A - the Bill does not require either data controller (Local Authority or accommodation provider) to process any additional personal data.

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Mitigated

Risk

6.4.1 Other risks

Solution or mitigation

N/A - the Bill does not require either data controller (Local Authority or accommodation provider) to process any additional personal data.

Likelihood (Low/Med/High)

LOW

Severity (Red/Amber/Green)

Green

Result

Mitigated

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice has been sought from DPO throughout the drafting of this assessment

All advice and comments have been incorporated where possible.

I confirm that the Visitor Levy (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UKGDPR and Data Protection Act 2018

Name and job title of a IAO or equivalent

Ellen Leaver, Deputy Director – Local Government and Analytical Services Division

Date each version authorised

4 April 2023