Appendix: Letting and Registration and the Data Protection Act Principles
As part of undertaking this PIA we have considered the registration of letting agents against the 8 Data Protection Act principles. This is summarised below.
Principle 1: "Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."
Scottish Ministers are required by section 29 of the Housing (Scotland) Act 2014 to establish and maintain a register of letting agents. Section 30 of the 2014 Act also sets out information that must be provided within an application for registration and provides powers to prescribe, by regulations, additional information that must be provided.
Section 34 of the 2014 Act sets out that Scottish Ministers must have regard to certain information in deciding whether an applicant is a fit and proper person to be admitted. Doing this will therefore require Scottish Ministers to collect and process both personal and sensitive personal information, for example date of birth, home address and unspent convictions for certain types of offences.
We therefore consider that the requirement to process personal data for administering letting agent regulation is covered by the following conditions in schedule 2 of the 1998 Act:
- condition 3 - the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
- condition 5(b) - the processing is necessary for the exercise of any functions conferred on any person by or under an enactment; and
- condition 5(c) - the processing is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a governmental department.
In terms of Scottish Ministers collecting and processing sensitive personal data we consider this is covered by the following conditions in schedule 3 of the 1998 Act:
- condition 7(b) - the processing is necessary for the exercise of any functions conferred on any person by or under an enactment;
- condition 7(c) - the processing is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
Principle 2: "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."
The personal data collected as part of an application for letting agent registration will be processed specifically for the purposes of administering the register including:
- establishing whether an applicant is a fit and proper person to be admitted to the register;
- establishing whether the applicant has met the prescribed training requirements for admittance; and
- the applicant/registered letting agent's compliance with the requirements of the 2014 Act and the Letting Agent Code of Practice (Scotland) Regulations 2016.
Personal data shall not be used for any other purpose.
Principle 3: "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."
We consider that the information we propose collecting will ensure the effective administration of the register of letting agents and that it is relevant and proportionate to the purpose for which it is being collected, e.g. to allow us to determine whether an applicant is a fit and proper person and that they are complying with the legislative requirements placed on them.
Principle 4: "Personal data shall be accurate and, where necessary, kept up to date."
The publishing of personal information in the entry to the register (e.g. name and address) is exempt, by virtue of section 34 of the Data Protection Act 1998, from the subject information provisions, the fourth data protection principle and section 14(1) to (3), and the non-disclosure provisions of that Act.
Applicants and those admitted to the register of letting agents are responsible for providing personal data and for informing Scottish Ministers of any changes. Section 31 of the 2014 Act makes it an offence for a person in an application for registration to knowingly provide false information or fail to provide information.
Section 37 of the 2014 Act also places a duty on a registered letting agent to inform Scottish Ministers of a change of circumstances and makes it an offence for a registered agent to fail to do so without reasonable excuse.
As part of implementing the register and related processes and procedures, Scottish Ministers will put in place suitable procedures to enable registered agents to update their information where necessary.
Principle 5: "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."
Personal information will only be held as long as necessary for the effective administration of the regulatory system.
We intend to use the following retention timescales:
- Retain all personal details relating to an applicant's registration for 4 years - this will allow those administering the system to check the accuracy of the information provided should evidence to the contrary be found either during registration or re-registration (registration is for a 3 year period).
- Personal information will also be retained where a registered letting agent's registration is being reviewed/investigated until the end of that process.
- Retain personal details of applicants who have been refused registration and registered agents who have had their registration revoked for 10 years.
Where a person is refused registration or they have it removed, this will be noted on the public register for 12 months from the date of final refusal/removal.
Principle 6: "Personal data shall be processed in accordance with the rights of data subjects under this Act (Data Protection Act 1998)"
In processing personal data as part of administering the register of letting agents we will ensure that we do so in accordance with the rights of data subjects and put in place any necessary policies and procedures to enable this to happen, for example in relation to data retention policies and automated decision taking.
Principle 7: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
We are still in the process of developing our IT system and formal data handling procedures; however, in doing so we will take privacy issues into account to ensure personal data is handled appropriately and securely, for example through the use of information sharing protocols and agreements, penetration testing and other IT cyber security measures.
To ensure that the Scottish Government handles personal data appropriately and complies with its legal obligations under the Data Protection Act, it has developed a number of policies and procedures that will assist in meeting its legal obligations in relation to the holding and processing of data including:
- Data Protection Policy;
- Data Handling Policy;
- Information Security Policy; and
- Information Asset Owners handbook.
Where there is an unauthorised release of personal data, we will act in accordance with the Scottish Government procedures on handling a data breach.
In preparation for the register opening, registration staff training will include specific training on data handling and the procedures that should be followed should a data breach occur.
This impact assessment will be updated with further details as this aspect of implementation is progressed.
Principle 8: "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
We do not foresee that there will be a need to transfer personal data to a country or territory outside the European Economic Area. However, should this situation arise we will assess whether an adequate level of protection for the rights and freedoms of data subjects in the processing of personal data exists before deciding whether data should be transferred.
Email: PRS Regulation Team