
OFFICIAL: NONE

Data Protection Impact Assessment (DPIA) – template for report

This template was developed by the SG Data Protection and Information Assets team.

This template was last updated in June 2019.

Before conducting the Data Protection Impact Assessment, please refer to the guidance that accompanies this template.

1. Introduction

The purpose of this document is to report on and assess any potential Privacy Impacts as a result of the implementation of section 38 of the Human Trafficking and Exploitation (Scotland) Act 2015.

2. Document metadata

3.1 Name of Project: Section 38 of the Human Trafficking and Exploitation (Scotland) Act 2015

3.2 Author of report: Susan Young

3.3 Date of report: 16 June 2019

3.4 Name of Information Asset Owner (IAO) of relevant business unit: Willie Cowan

3.5 Date for review of DPIA: (tbc following the consultation period)

Review date | Details of update | Completion date | Approval Date

(tbc)

4. Description of the project

4.1 Description of the work:

Background – Hidden Crime

It is widely recognised that human trafficking is a hidden and often complex crime and therefore the true scale of the problem is unknown.

Victims can be reluctant to acknowledge the situation they are in and accept that they may be the victim of an offence. There are many reasons for this including fear and a lack of trust of authorities, fear of reprisals from their traffickers and a lack of awareness that there are agencies who can support them to safety and recovery.

The only available data on the numbers of trafficking victims in Scotland is taken from the UK National Referral Mechanism (NRM). The NRM is a framework for identifying potential victims of trafficking and ensuring they receive appropriate support and assistance. It was introduced in 2009 to meet the UK’s obligations under the Council of Europe Convention on Action against Trafficking in Human Beings. If a victim consents to entering into the NRM they will receive a minimum of 90 days support, provided currently by the Trafficking Awareness Raising Alliance (TARA) or Migrant Help.

Since the NRM’s introduction, recorded numbers of victims have increased across the UK. In Scotland there has been a 130% increase in referrals to the NRM in the last 6 reported years (see table below). Although not its primary purpose, the NRM is the only significant mechanism for accruing and processing data about trafficking and exploitation in the UK. For those victims that do not consent to enter the NRM, no data is recorded.

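| Year | Female Adult | Female Minor | Male Adult | Male Minor | Total |
|------|--------------|--------------|------------|------------|-------|
| 2018 | 67 | 22 | 108 | 31 | 228 |
| 2017 | 63 | 24 | 81 | 39 | 207 |
| 2016 | 54 | 21 | 49 | 26 | 150 |
| 2015 | 52 | 19 | 51 | 23 | 145 |
| 2014 | 48 | 14 | 38 | 11 | 111 |
| 2013 | 52 | 13 | 25 | 9 | 99 |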

The purpose of duty to notify can be broken down into 3 main categories. Ultimately the collation and processing of data contained in notifications will help to achieve the original policy intention behind section 38 of the Act:

• To provide a more accurate picture of the scale and extent of trafficking in Scotland, to enable more effective targeting of enforcement activity and provision of support services.

However as time has moved on since the Human Trafficking and Exploitation (Scotland) Bill 2014 passed through Parliament, section 38 of the Act will now also feed into and meet the key outcomes of the Trafficking and Exploitation Strategy:

• Identify and support victims to safety and recovery,
• Identify perpetrators and disrupt their activity, and
• Address the conditions that foster trafficking

Further, Part 4 of the Act introduced Trafficking and Exploitation Prevention Orders (TEPO) and Trafficking and Exploitation Risk Orders (TEROs). These are orders that can be imposed on people who have committed, or might commit, a trafficking or exploitation offence prohibiting or requiring them to do certain things.

Although a person must have committed a trafficking or exploitation offence before a TEPO can be made, Police Scotland are able to apply to the Courts for a TERO if there is a risk that an adult may commit a trafficking or exploitation offence and there is a need to protect a particular person, or persons generally, from the physical or psychological harm which would be likely to occur if the adult was to commit a trafficking or exploitation offence.

The collation of the information below may assist Police Scotland in applying for TEROs that will safeguard victims whilst further investigations are ongoing into any alleged criminal activity and subsequent prosecutions.

Section 38 of the Human Trafficking and Exploitation (Scotland) Act 2015 (“the Act”) places a duty on specified Scottish public authorities to notify the Chief Constable of the Police Service of Scotland (PSoS) about a person who is, or appears to be, a victim of an offence of human trafficking (section 1 of the Act) or an offence of slavery, servitude and forced or compulsory labour (section 4 of the Act).

A notification under section 38(1) of the Act must not include information about an adult that (a) identifies the adult or (b) enables the adult to be identified, unless the adult provides consent to the inclusion of that information.

Once PSoS have this information they must pass it on to a third party in terms of section 38(4) of the Act. In a similar way to notifications under section 38(1), notifications under section 38(4) of the Act must not include information about an adult that (a) identifies the adult or (b) enables the adult to be identified, unless the adult provides consent to the inclusion of that information.

The Scottish Government will require to work closely with the PSoS during implementation of this section of the Act amongst other key stakeholders such as local authorities, the NHS and others that may be named in Regulations.

Scottish Ministers have regulatory making powers to list the Scottish public authorities who must comply with this duty, to list the third parties that PSoS can pass information onto and what information should be included in such notifications. A consultation period on these regulations will be carried out.

It is important to remember there are a number of bodies who operate within Scotland but are governed by UK legislation. In terms of the Act the Scottish Government cannot impose the duty on UK bodies and they do not need to comply with section 38. However, the Scottish Government would like to introduce a voluntary scheme where bodies such as Border Force, the British Transport Police (BTP) and the Gangmasters and Labour Abuse Authority (GLAA) will be able to submit information in a similar manner to those specified in Regulations. Further, grant terms and conditions for third sector organisations who support victims of human trafficking and exploitation will have this duty included.

4.2 Personal data to be processed.

| Variable | Data Source |
|----------|-------------|
| Gender | Data will be submitted to the PSoS online portal. Each agency that is involved in the Duty to Notify (DTN) process will be issued with a secure login and password to access the encrypted online police portal, which is hosted on the Police Scotland internet page (and is hidden from the public). The referring agency then completes an encrypted form which is then sent to Police Scotland via secure email network. When the form is received it is decrypted and the data is assessed, placed on the established Scottish Intelligence Database (SID) and NHTU files, thereafter messaged via SID to the relevant area where any action is required. |
| Nationality | As above |
| Country of Origin | As above |
| Was the victim under 18 at the time the alleged exploitation occurred | As above |
| Location victim was recovered | As above |
| Location alleged activity took place | As above |
| Victim of a section 1 offence | As above |
| Victim of a section 4 offence | As above |
| Consent for additional information | As above |

If consent is given then the following information will be collected:

| Variable | Data Source |
|----------|-------------|
| Is the victim willing to be contacted by the Police | As above |
| First name | As above |
| Family name | As above |
| Alias name(s) | As above |
| Date of Birth | As above |
| Alias Date(s) of Birth | As above |
| Is the victim a mother or father | As above |
| Other victims whereabouts | As above |
| Safe Phone Number | As above |
| Safe Address | As above |
| Safe Post Code | As above |
| Details of persons responsible/perpetrators | As above |

4.3 Describe how this data will be processed:

As mentioned previously the data is sent via encrypted email, assessed and recorded within the National Human Trafficking Unit's files, thereafter transferred into the Scottish Intelligence Database (SID) and sent out via SID to the area where the exploitation is occurring. A data flow diagram is available at the Annex that shows how Police Scotland will receive and process the data. The National Human Trafficking Unit sits within Public Protection. Public Protection sits within the Crime and Protection portfolio that ACC Gillian MacDonald has responsibility for.

4.4 Explain the legal basis for the sharing with internal or external partners:

• GDPR Article 6(1)(c) – Legal obligation
• GDPR Article 9(2)(g) – Processing of special categories of personal data
• Data Protection Act 2018, section 35 – The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair
• Data Protection Act 2018, schedule 8 – Conditions for sensitive processing under Part 3

Section 38 of the Act provides for the sharing of information between specified Scottish public authorities and Police Scotland and also provides for the sharing of information between Police Scotland and third parties.

5. Stakeholder analysis and consultation

5.1 List all the groups involved in the project, and state their interest.

| Group | Interest |
|-------|----------|
| Police Scotland | Will be subject to the legal duty |
| NHS Health Scotland | NHS Health Scotland were the main point of contact between Scottish Government and NHS until early 2018 |
| NHS Chief Execs | Proposed body that will be subject to the legal duty |
| Scottish Ambulance Service | Proposed body that will be subject to the legal duty |
| Scottish Fire and Rescue Service | Proposed body that will be subject to the legal duty |
| Scottish Prison Service | Proposed body that will be subject to the legal duty |
| SEPA | Proposed body that will be subject to the legal duty |
| Marine Scotland | Proposed body that will be subject to the legal duty |
| Royal College of Midwives | Proposed body that will be subject to the legal duty |
| COSLA | Represent local authorities’ interests who are a proposed body that will be subject to the legal duty. Involved in the trial implementation of the legal duty. |
| NHS Chief Execs of Regulatory Bodies | Proposed body that will be subject to the legal duty |
| Information Commissioner Office | To ensure that Scottish Government plans are compliant with data protection regimes. |
| City of Edinburgh Council | Involved in a trial implementation of the legal duty |
| Border Force | Involved in a trial implementation of the legal duty. The Scottish Government would like to work with Border Force to encourage voluntary notifications as if it were a statutory body. |
| Gangmasters and Labour Abuse Authority | Involved in a trial implementation of the legal duty. The Scottish Government would like to work with GLAA to encourage voluntary notifications as if it were a statutory body. |
| British Transport Police | The Scottish Government would like to work with BTP to encourage voluntary notifications as if it were a statutory body |
| Action Area 2 Strategy Implementation Group | Duty to Notify forms a large part of Action Area 2 as well as being one of the last provisions in the Act to be implemented. |
| Strategy Implementation Group | This group has oversight of the delivery of the Strategy. |

5.2 Method used to consult with these groups when making the DPIA.

Interested stakeholders were consulted through direct discussions, email, groups, workshops and presentations.

5.3 Method used to communicate the outcomes of the DPIA.

The DPIA will be published on the Scottish Government webpages for human trafficking.

6. Questions to identify privacy issues

6.1 Involvement of multiple organisations

The duty will result in increased information sharing between specified Scottish public authorities and PSoS. The duty will also result in increased information sharing between PSoS and, to be identified, third parties.

All bodies subject to the duty will need to ensure that they are compliant with data protection regimes and any issues arising are addressed.

6.2 Anonymity and pseudonymity

Section 38(1) and (4) provide that information must not be shared that identifies an adult either on its own or in combination with other information, unless the adult consents.

6.3 Technology

PSoS have created an online portal where the information will be uploaded by bodies and then processed by the National Human Trafficking Unit.

A new digital system is also being created by the Home Office in respect of the National Referral Mechanism and section 52 of the Modern Slavery Act 2015. The Scottish Government is engaging with the Home Office on its development and it is hoped that this will incorporate referrals under section 38 of the Act. This activity is currently on-going and is likely to be in force in summer 2019.

Initial legal advice is that the system used by Home Office may not be able to be used for the purposes of section 38 of the Act. However this is something that the Scottish Government will explore further to determine if there is a technological solution to allow information received by the UK wide system to be immediately sent to Police Scotland and diverted away from the Home Office.

6.4 Identification methods

Once Police Scotland receive the notification it is allocated a reference number for internal use only.

6.5 Sensitive/Special Category personal data

• Country of origin
• Safe address details

6.6 Changes to data handling procedures

N/A

6.7 Statutory exemptions/protection

The following exemptions apply to processing personal and special category data.

• GDPR Article 6(1)(c) – Legal obligation
• GDPR Article 9(2)(g) – Processing of special categories of personal data
• Data Protection Act 2018, section 35 – The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair
• Data Protection Act 2018, schedule 8 – Conditions for sensitive processing under Part 3

6.8 Justification

Section 38 of the Human Trafficking and Exploitation (Scotland) Act 2015 (“the Act”) places a duty on specified Scottish public authorities to notify the Chief Constable of the Police Service of Scotland (PSoS) about a person who is, or appears to be, a victim of an offence of human trafficking (section 1 of the Act) or an offence of slavery, servitude and forced or compulsory labour (section 4 of the Act).

A notification under section 38(1) of the Act must not include information about an adult that (a) identifies the adult or (b) enables the adult to be identified, unless the adult provides consent to the inclusion of that information.

Once PSoS have this information they must pass it on to a third party in terms of section 38(4) of the Act. In a similar way to notifications under section 38(1), notifications under section 38(4) of the Act must not include information about an adult that (a) identifies the adult or (b) enables the adult to be identified, unless the adult provides consent to the inclusion of that information.

Action Area 2 of the Trafficking and Exploitation Strategy has a large focus on duty to notify and a specific outcome that public bodies and others carry out their duty to notify obligations. This goes further as can be seen in the diagram below.

As noted in box 4.1 above it is widely recognised that human trafficking is a hidden and often complex crime and therefore the true scale of the problem is unknown.

Victims can be reluctant to acknowledge the situation they are in and accept that they may be the victim of an offence. There are many reasons for this including fear and a lack of trust of authorities, fear of reprisals from their traffickers and a lack of awareness that there are agencies who can support them to safety and recovery.

The only available data on the numbers of trafficking victims in Scotland is taken from the UK National Referral Mechanism (NRM). The NRM is a framework for identifying potential victims of trafficking and ensuring they receive appropriate support and assistance. It was introduced in 2009 to meet the UK’s obligations under the Council of Europe Convention on Action against Trafficking in Human Beings. If a victim consents to entering into the NRM they will receive a minimum of 90 days support, provided currently by the Trafficking Awareness Raising Alliance (TARA) or Migrant Help.

Since the NRM’s introduction, recorded numbers of victims have increased across the UK. In Scotland there has been a 130% increase in referrals to the NRM in the last 6 reported years (see table below). Although not its primary purpose, the NRM is the only significant mechanism for accruing and processing data about trafficking and exploitation in the UK. For those victims that do not consent to enter the NRM, no data is recorded.

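| Year | Female Adult | Female Minor | Male Adult | Male Minor | Total |
|------|--------------|--------------|------------|------------|-------|
| 2018 | 67 | 22 | 108 | 31 | 228 |
| 2017 | 63 | 24 | 81 | 39 | 207 |
| 2016 | 54 | 21 | 49 | 26 | 150 |
| 2015 | 52 | 19 | 51 | 23 | 145 |
| 2014 | 48 | 14 | 38 | 11 | 111 |
| 2013 | 52 | 13 | 25 | 9 | 99 |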

The purpose of duty to notify can be broken down into 3 main categories. Ultimately the collation and processing of data contained in notifications will help to achieve the original policy intention behind section 38 of the Act:

• To provide a more accurate picture of the scale and extent of trafficking in Scotland, to enable more effective targeting of enforcement activity and provision of support services.

However as time has moved on since the Human Trafficking and Exploitation (Scotland) Bill 2014 passed through Parliament, section 38 of the Act will now also feed into and meet the key outcomes of the Trafficking and Exploitation Strategy:

• Identify and support victims to safety and recovery,
• Identify perpetrators and disrupt their activity, and
• Address the conditions that foster trafficking

Further, Part 4 of the Act introduced Trafficking and Exploitation Prevention Orders (TEPO) and Trafficking and Exploitation Risk Orders (TEROs). These are orders that can be imposed on people who have committed, or might commit, a trafficking or exploitation offence prohibiting or requiring them to do certain things.

Although a person must have committed a trafficking or exploitation offence before a TEPO can be made, Police Scotland are able to apply to the Courts for a TERO if there is a risk that an adult may commit a trafficking or exploitation offence and there is a need to protect a particular person, or persons generally, from the physical or psychological harm which would be likely to occur if the adult was to commit a trafficking or exploitation offence.

The collation of the information below may assist Police Scotland in applying for TEROs that will safeguard victims whilst further investigations are ongoing into any alleged criminal activity and subsequent prosecutions.

6.9 Other risks

7. General Data Protection Regulation (GDPR) Principles

Principle: 6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

Compliant – Yes/No: Yes

Description of how you have complied:

The processing of personal data is necessary for compliance with section 38 of the Act.

Exemptions for processing personal and special category data are under:

• GDPR Article 6(1)(c) – Legal obligation
• GDPR Article 9(2)(g) – Processing of special categories of personal data
• Data Protection Act 2018, section 35 – The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair
• Data Protection Act 2018, schedule 8 – Conditions for sensitive processing under Part 3

Any adverse impact of processing personal data can be justified as it is necessary for the safeguarding of victims of human trafficking or of slavery, servitude and forced or compulsory labour.

Principle: 6.2 Principle 2 – purpose limitation

Compliant – Yes/No: Yes

Description of how you have complied:

The processing of personal data is necessary for compliance with section 38 of the Act.

The data will only be collected and used for this purpose.

Principle: 6.3 Principle 3 – adequacy, relevance and data minimisation

Compliant – Yes/No: Yes

Description of how you have complied:

The only information that will be collected is for the purposes of section 38 of the Act.

The collection of personal data is relevant to safeguard victims of human trafficking or of slavery, servitude and forced or compulsory labour and to help inform law enforcement activity and the provision of support services.

No information will be held that is not necessary for compliance with section 38.

Principle: 6.4 Principle 4 – accurate, kept up to date, deletion

Compliant – Yes/No: Yes

Description of how you have complied:

It will be down to the submitting person to ensure that the data submitted to Police Scotland (PS) is accurate, as PS will only receive the completed form. Where any inaccuracies are noted, PS will liaise with the submitting officer to have this updated and rectified. The actual police system will not delete any data unless there is manual intervention (i.e. one of the NHTU staff physically deletes the data).

There would be no other legal reason for Police to keep the data, other than to provide statistical information. To fulfil obligations under DTN

Principle: 6.5 Principle 5 – kept for no longer than necessary, anonymization

Compliant – Yes/No: Yes

Description of how you have complied:

Personal data will be held for the purposes of section 38 of the Act.

Police Scotland will ensure that it complies with GDPR and Data Protection requirements, and have an internal weeding policy to ensure information when no longer required or appropriate to retain is deleted.

Principle: 6.6 GDPR Articles 12-22 – data subject rights

Compliant – Yes/No: Yes

Description of how you have complied:

Police Scotland will comply with subject access requests in line with current policy and practice and adhere to GDPR and data protection requirements.

Data subject requests should be referred to:

[email protected] or

Data Protection
Information Management
Police Scotland
2 French Street
GLASGOW
G40 4EH

As each Police Scotland data system has its own retention and weeding policy, DTN may fall under a few of the different sections of the Record Retention Standard Operating Procedure, depending on what information Police Scotland receive and where it needs to be recorded. For example, intelligence would be recorded on the Scottish Intelligence Database, which will determine what the retention policy is.

Principle: 6.7 Principle 6 – security

Compliant – Yes/No: Yes

Description of how you have complied:

Police Scotland will ensure that personal data is securely held and compliant with data security measures and already has policy and procedures in place with regards to processing and retaining data.

Principle: 6.8 GDPR Article 24 – Personal data shall not be transferred to a country or territory outside the European Economic Area.

Compliant – Yes/No:

Description of how you have complied:

Police Scotland will only share personal data outside the EEA where there is a legal requirement to do so, or there is an immediate threat to life, that by not sharing the information may impact on the safety of an individual or organisation. Any requests to share information will be considered in terms of the latest GDPR and Data protection legislation.

8. Risks identified and appropriate solutions or mitigation actions proposed

| Risk | Ref | Solution or mitigation | Result (is the risk eliminated, reduced or accepted?) |
|------|-----|------------------------|-------------------------------------------------------|
| System going down | 1 | If the system the form sits on goes down then no form submissions can be made via the Police Scotland website. | accept |
| System being hacked | 2 | The form sits on a platform within a hosted environment at external webhost Pulsant. They have different forms of security in place to mitigate hacking attempts to their infrastructure. 3rd party company DosArrest are also used to mitigate against DDoS attacks on website traffic. The public facing form doesn’t use a database so no data is stored on the public facing server. An attack on the public infrastructure wouldn’t result in a data breach. | accept |
| If the process has not been thought about properly | 3 | The business have defined a process for receiving their content which they feel is suitable for their needs. This process has been in place for over a year now. If it’s felt that the form isn’t fit for purpose then this can be handled through the standard ICT service request route. | accept |
| System being accessed by someone who shouldn’t | 4 | The form is protected by a username/password combination. The password is randomly generated 16 digit alphanumeric (number and upper & lowercase letters). The partner agencies involved are issued with their login details and are trusted to store them in a safe manner. The form data is received by the business and it’s up to them to check the validity of the content contained within the form. ICT provide the mechanism of getting the content of the form into the organisation. The business department need to validate the form’s content. | accept |
| Physical security – door locked for the server | 5 | The server is part of a virtualised environment within Pulsant’s co-located infrastructure. Only Pulsant engineers and other approved and authorised people can gain access to the data center. | accept |

9. Incorporating Privacy Risks into planning

Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.

| Risk | Ref | How risk will be incorporated into planning | Owner |
|------|-----|---------------------------------------------|-------|
| System going down | 1 | Following the consultation on section 38 of the Act, if Regulations are laid in Parliament and the process is rolled out nationally, Police Scotland advise that they would complete their own DPIA to assess and manage any identified risk associated with data breaches etc. This would be completed in preparation for Regulations coming into force and the process going live nationally. Please refer to the Data Protection Principles at Section 6 for further information on Police Scotland’s policies on data protection, weeding and retention of information. | Data Protection, Information Management, Police Scotland, 2 French Street, GLASGOW, G40 4EH |
| System being hacked | 2 | As above | |
| If the process has not been thought about properly | 3 | As above | |
| System being accessed by someone who shouldn’t | 4 | As above | |
| Physical security – door locked for the server | 5 | As above | |

10. Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

| Advice from DPO | Action |
|-----------------|--------|
| DPO consulted during development of this draft | |

11. Authorisation and publication

The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division.

Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust, has addressed all the relevant issues and that appropriate actions have been taken.

By signing the DPIA report, the IAO is confirming that the impact of applying the policy has been sufficiently assessed against the individuals’ right to privacy.

The results of the impact assessment must be published in the eRDM with the phrase “DPIA report” and the name of the project or initiative in the title.

Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.

I confirm that the impact of (undertaking the project/applying the policy – add appropriate wording) has been sufficiently assessed against the needs of the privacy duty:

Name and job title of an IAO or equivalent

Willie Cowan, Deputy Director

Criminal Justice Division

Scottish Government

Date each version authorised

Annex

POLICE SCOTLAND

NATIONAL HUMAN TRAFFICKING UNIT (NHTU)

DUTY TO NOTIFY RECEIVING PROCESS

Duty to Notify (data flow diagram; text of the diagram boxes as recovered):

• Specified Public Authority access secure DTN form hosted on PSOS Website. Completed form automatically encrypts and is sent to NHTU DTN Email address.
• Information decrypted and assessed by NHTU Staff
• Actionable intelligence?
• Log information on Scottish Intelligence Database
• Allocated to Division for further investigation
• Statistical return, with no further action that can be taken?
• Recorded in NHTU files for SG Stats