Age of Criminal Responsibility (Scotland) Bill: privacy impact assessment

A privacy impact assessment for the Age of Criminal Responsibility (Scotland) Bill.


Annex A

Privacy Impact Assessment - Mitigation Summary

Questions to identify Privacy Issues | Answer and Risk rating | Mitigation

1. Does the proposal include the use of new or additional technologies with the potential for privacy intrusion?

Section 4-21 No – Low

Section 22: No – Low

2. Identity: Does the proposal include new identifiers, or substantially change or re-use existing identifiers or any intrusive or onerous identification, authentication or identity management processes?

Section 4-21 No – Low

Section 22: No – Low

3. Identity: Does the proposal affect anonymity or pseudonymity; will previously anonymous or pseudonymous transactions be identified?

Section 4-21 No – Low

Section 22: Yes – Low

The disclosure of information under section 22 is aimed at protecting the interests of those harmed or adversely affected by a child's behaviour and the restrictions on disclosure allow the Principal Reporter to ensure the child's interests are also respected.

The information that may be disclosed is limited and can be further limited, or not disclosed at all, at the discretion of the Principal Reporter. This ensures that the data disclosed is limited to what is necessary for the purposes of the disclosure. SCRA and all other organisations who will be involved in the processing of information under section 22 are subject to the DPA and GDPR.

4. Is the justification for the proposal either unpublished or unclear?

Section 4-21 No – Low

Section 22: No – Low

4. a) Does the proposal involve new or changed data collection policies or practices that may be unclear or intrusive?

Section 4-21 No – Low

Section 22: No – Low

There will be additional data/information collected by the IR, but this will not be unclear or intrusive.

4. b) Does the proposal involve new or changed quality assurance or security processes or standards that may be unclear and/or unsatisfactory?

Section 4-21 No – Low

Section 22: No – Low

4. c) Does the proposal involve new or changed data access or disclosure arrangements that may be unclear or permissive?

Section 4-21 No – Low

Section 22: No – Low

All new procedures and systems will be clear and the individual will be made aware of what their information is being used for.

Training will be carried out for staff responsible for the operation of the Victim Information Service. Information about the changes will be made available for those directly impacted and the general public for awareness.

4. d) Does the proposal involve new or changed data retention processes that may be unclear or extensive?

Section 4-21 No – Low

Section 22: No – Low

4. e) Does the proposal involve a new or changed medium or method of disclosure for publicly available information so data is more readily accessible?

Section 4-21 No – Low

Section 22: No – Low

5. Will the proposal involve multiple organisations, either government agencies (e.g. 'joined-up government' initiatives) or the private sector?

Section 4-21 Yes – Low

Section 22: Yes – Low

A number of public bodies will be involved (e.g. the police, local authorities, SCRA, Courts etc.); however, they all have strict rules for privacy and data protection.

6. Does the proposal involve personal data of particular concern to individuals?

Section 4-21 Yes – Low

Section 22: Yes – Low

The IR will have access to personal data but this will be used to determine disclosure of information about that individual – so will only be used for a positive purpose.

Only basic information is to be disclosed under section 22 of the Bill, explaining what action the reporter has taken in response to the receipt of information about a child's behaviour but not providing more intrusive information such as the reasons for the action taken. The information will not be disclosed if the Principal Reporter considers that disclosure would be to the detriment of any child involved in the case or that disclosure would be otherwise inappropriate. These safeguards will enable the Principal Reporter to ensure that disclosure is not excessive in relation to the purpose of protecting the interests of victims.

7. Does the proposal involve the linkage of personal data with data in other collections, or any significant change to existing data links or holdings?

Section 4-21 Yes – Low

Section 22: No – Low

There will be a new link needed between the Disclosure Scotland IT system used for processing ORI and the Scottish Government network to be used by the IR.

8. Will the proposal handle a significant amount of data about each person, or significantly change existing data-holdings?

Section 4-21 No – Low

Section 22: No – Low

Although the IR will have access to additional information, this will only be used for the specific purpose of assessing disclosure.

9. Will the proposal handle data about a significant number of people, or change significantly the existing population scope or coverage?

Section 4-21 No – Low

Section 22: No – Low

No, the number of individuals affected is expected to be very low.

10. Does the proposal consolidate, inter-link, cross-reference or match personal data from multiple sources?

Section 4-21 Yes – Low

Section 22: Yes – Low

Information for the IR's test will be gathered from multiple sources.

The reporter will consider existing information from multiple sources to apply the new powers provided by the Bill.

11. Is the proposal to process any data that is exempt from legislative privacy protections?

Section 4-21 No – Low

Section 22: No – Low

12. Does the proposal's justification include significant contributions to public security measures?

Section 4-21 No – Low

Section 22: No – Low

13. Does the proposal intend to disclose personal data to, or allow access by, third parties that are not subject to EU or comparable privacy regulation?

Section 4-21 No – Low

Section 22: No – Low
