The Town and Country Planning (Masterplan Consent Areas) (Scotland) Regulations 2024 and The Masterplan Consent Area Scheme (Environmental Impact Assessment) (Scotland) Regulations 2024: impact assessments

Data Protection Impact Assessment (DPIA)

Masterplan Consent Area Regulations – Consultation Only

1. Introduction

The purpose of this assessment is to consider the privacy implications associated with the consultation arrangements undertaken by the Planning, Architecture and Regeneration Division (PARD) of the Scottish Government.

The Data Protection Impact Assessment (DPIA) was prompted by the development of the consultation on Masterplan Consent Area (MCA) Regulations.

2. Document meta data

Name of Project: Masterplan Consent Area Regulations Consultation

Author of report: Adam Henry

Date of report: 14 November 2023

Name of Information Asset Owner (IAO) of relevant business unit: Fiona Simpson

Date for review of DPIA: TBC

Review date

Details of update

Completion date

Approval Date

3. Description of the project

The Planning (Scotland) Act 2019 amended the Town and Country Planning (Scotland) Act 1997, and included provisions covering procedures for implementing MCAs. These provisions give Scottish Ministers powers to prepare secondary legislation and the consultation will be seeking views on the proposed approach to implementing these provisions.

Planning authorities will be able to use MCAs as part of a proactive, place-making approach to planning and consenting – enabling the type of development they wish to come forward in their places. The separate regulations on Environmental Impact Assessment (EIA) being developed and consulted upon in tandem will ensure that the preparation of MCA schemes is subject to, and meet EIA requirements, where necessary.

The consultation will ask a series of questions, with a mix of open and closed questions, although all the closed questions will allow the opportunity to provide reasons for their answer. There will be no text limit for the free text responses.

The questionnaire will be downloadable and hard copies may be posted / e-mailed out to meet specific respondent's requirements if requested. Hard copies will be returned directly to PARD to ensure confidentiality. Personal data will also be requested to enable a receipt of response or to enable feedback to any queries received.

It is our usual practice to publish the responses as per the preferences that respondents have indicated via Citizen Space, or, where responses arrived by e-mail / post, via the Respondent Information Form (RIF), which asks about data release preferences.

Following the closure of any consultation, we would look to publish responses where approval has been given for this by the respondent. All the responses will be moderated.

PARD will analyse the responses received and provide a clear and concise report for publication, which reflects a robust analysis of the consultation responses, in order to inform the next stages of policy / legislatively development.

Consultation Process

Consultations are hosted on Citizen Space, the Scottish Government's digital platform for consultations, and published on the Consultation Hub, enabling people to submit their response online. Citizen Space is managed by the Scottish Government's Digital Engagement Team.

Consultations are also published on the Scottish Government website, enabling people to email or post a response.

The consultations will run for 12 weeks starting on 28 February 2024 until 22 May 2024.

Governance

The governance arrangements for consultations broadly involve the following:

• Consultation Manager (Scottish Government): Adam Henry
• Digital Engagement Manager, Comms (Scottish Government): DigitalEngagement@gov.scot

Reporting

The Consultation Manager will be responsible for the analysis of the consultation responses, as well as the preparation of the final reports. The final consultation analysis report will be published on the Scottish Government's website. It is the responsibility of the Consultation Manager to ensure that their methods do not contravene the provisions of current Data Protection Laws.

Data Protection Laws means any law, statute, subordinate legislation, regulation, order, mandatory guidance or code of practice, judgement of a relevant court of law, or directives or requirements of any regulatory body which relates to the protection of individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act 2018 and any statutory modification of re-enactment thereof, and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data, and repealing Directive 95/46/EC.

4. Data Controller and Data Processor

Data Controller and Data Processor: The Scottish Government.

Information Asset Owner: Fiona Simpson

Data to be processed

E-mail address

Citizen Space (online responses).

Respondent Information Form (emailed or postal responses ).

Name

Citizen Space (online responses).

Respondent Information Form (emailed or postal responses).

Whether a person is responding on behalf of an organisation, or issuing a response as an individual. (If respondent is from an organisation, they are asked the type of organisation – developer, public sector, community council etc.).

Citizen Space (online responses).

Respondent Information Form (emailed or postal responses).

Postal address

Respondent Information Form (postal responses).

Contact telephone number

Respondent Information Form

(emailed or postal responses).

Data Subjects

The data subjects are the self-selecting respondents to the consultation. Responses may be submitted by both individual members of the public and by organisations. During the data collection process, all respondents are asked to provide information about themselves, either via the Citizen Space online platform or by completing a Respondent Information Form. This form asks respondents to state their publication preference as follows.

The Scottish Government would like your permission to publish your consultation response. Please indicate your publishing preference:

• Publish response with name
• Publish response only (without name)
• Do not publish response

If individual respondents do not answer this question, the default position is not to publish their response.

If an organisation respondents select 'do not publish' or do not answer this question, the organisation name may still be listed as having responded to the consultation.

Respondents are also asked to indicate whether they are content to be contacted again in the future by the Scottish Government in relation to this specific consultation exercise.

Data Collection, Storage and Transfer

Data will predominately be collected from data subjects electronically via the Citizen Space online platform. Some respondents may also submit their response via post or email and these are uploaded on to Citizen Space by the Scottish Government. Responses on Citizen Space can either be downloaded individually or automatically entered into a database (downloadable onto Excel).

Data Access

Citizen Space will securely hold the consultation responses submitted online or uploaded as attachments, and it will be possible to download the database of online responses onto Microsoft Excel.

The database will include all or some of the following information about each respondent who replied using the online data form or by email or post and either completed a Respondent Information Form or provided the information within their response:

• Name
• Email address
• Responding as an individual or an organisation (If responding on behalf of an organisation) Organisation's name and sector (from list of options -e.g. public, private, third).
• Permission to publish consultation response (public response with name, publish response only, do not publish response).
• Content to be contacted by the Scottish Government in the future in relation to this consultation exercise
• All inputted responses to the consultation questions.

Data Cleaning

Before beginning the analysis, the Consultation Manger will identify any blank or duplicate responses. Blank responses will be removed before analysis. Multiple different responses submitted by the same individual or organisation will be combined into a single composite response.

For audit and quality control purposes, a record will be kept of any exclusions or changes made to responses included in the final database (i.e. any responses that are excluded from the analysis and the reason for exclusion; any identified as campaign responses; and any reclassification of organisation type). This information will be provided in a separate worksheet within the master database and referred to in the final report.

Data Publication

Responses will be published in accordance with respondents' expressed publication preferences. Where respondents have given permission for their response to be published, with or without their name, and after the Scottish Government has redacted any personal data or defamatory content, consultation responses will be published at http://consult.gov.scot.

Data Purging and Archival

The consultation datasets will be held on a secure, password protected server in the Scottish Government, in a sub-folder which is restricted to a limited number of staff working on the Consultation. It is expected that the data will only be held for as long as the data is required. As soon as possible after the project is completed, a review will take place to determine whether the data needs to be retained or destroyed.

If it is decided that there is

• no rationale to justify continuing to hold the data, then it will be destroyed,
• justification to continue to hold the data then it can be held until a further review 12 months later.

Explain the legal basis for the sharing with internal or external partners:

The legal basis for processing personal data will be public task.

The analysis of the data arising from the consultations provides information that will assist the Scottish Ministers in fulfilling their duties to engage under a range of legislation, including those requiring the preparation of impact assessments under environmental, equalities and islands legislation. The information may form the basis of future discussion with key stakeholders.

5. Stakeholder analysis and consultation

List all the groups involved in the project, and state their interest

Local authorities

Statutory role as decision-makers in the planning system

Other public bodies

May have a role as a key agency / statutory consultee, or use planning to delivery development.

Key Agencies in Development Planning are listed here: https://www.gov.scot/groups/key-agencies-group/

Development Management statutory consultees are listed in Schedule 5 of the Town and Country Planning (Development Management Procedure) (Scotland) Regulations 2013.

Public at large

Development decisions made by elected members impact on the places they live, work or play

Community Councils

Statutory role in the planning system

Equality, Amenity and Environmental Interests / Groups

Provide representations reflecting their particular cultural, environmental, societal interest

Business and developer interests

Private sector organisations, individual businesses and enterprises which use the planning system to deliver investment and development

PARD Team

Developing and producing the consultation paper for consultation, and analysing responses

Data Protection and Information Asset Team

Advice on completing the DPIA

Digital Engagement Unit

Creating the consultation in Citizen Space

Method used to consult with these groups when making the DPIA

Respondents will be invited, through the consultation, to comment on the DPIA.

Method used to communicate th eoutcomes of the DPIA

We will publish the finalised DPIA on the Scottish Government official platform.

6. Questions to identify privacy issues

All staff involved in processing data will be aware of procedures for data security and privacy, to comply with GDPR. All project staff will know how to recognise a personal data breach (PDB) and how to report suspected breaches in line with GDPR requirements.

Anonymity and pseudonymity

Scottish Government will be responsible for ensuring that responses are published in accordance with respondents' expressed publication preferences.

Individual respondents' names will be published with their responses only if they have given explicit permission for this. Where an individual respondent selects 'publish response only', SG will redact their name and any other potentially identifiable information from their response. Any direct quotations from responses included in the report will not be attributed to identifiable individuals, regardless of their expressed publication preference. There will be no quotations from responses where permission to publish has not been given.

Organisation respondents which select the option 'publish response only (without name)' may still have the organisation name published, but the name of the specific person submitting the response will not be published. Organisations which have given permission for their response to be published could be mentioned by name in the final report, though it is also possible that, rather than being explicitly named, they might be referred to as 'an organisation from the private/ public/ third sector' etc.

We will keep under review whether anything else needs to be redacted from responses should it risk revealing a respondent's identity.

Technology

Citizen Space is a secure online platform which will hold consultation responses. Where responses are not received via Citizen Space, such as by post / email, these are uploaded on to Citizen Space by the Scottish Government.

Identification methods

Identifiable respondent information is accessible in the dataset created through Citizen Space.

Sensitive/Special Category personal data

It is not anticipated that many of the consultation responses would contain 'special category data,' as defined by GDPR. The legal basis for processing this data, under Article 9 of GDPR, will be 'substantial public interest.'

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject'.

However, there is a risk that such data is submitted in free text boxes. Data on text boxes will be reviewed and irrelevant 'special category' data removed.

Changes to data handling procedures

There will be no changes to general data handling procedures for consultations.

Statutory exemptions/protection

We don't believe that any exemptions from the Data Protection Act will apply to this project. Though exemptions for statistical and research purposes may apply.

Justification

PARD will analyse the responses received and provide a clear and concise report for publication, which reflects a robust analysis of the consultation responses, in order to inform the next stages of policy / legislatively development.

Other risks

None Identified

7. General Data Protection Regulation (GDPR) Principles

Principle	Compliant–Yes/No	Description of how you have complied
6.1 Principle 1 – fair and lawful, and meeting the conditions for processing	Yes	The legal basis for processing personal data will be public task. Planning, Architecture and Regeneration Division has prepared a privacy statement which is available on the Scottish Government website. https://www.transformingplanning.scot/privacy/ The Scottish Government would communicate this toconsultees before they make their comments in any consultation.
6.2 Principle 2 – purpose limitation	Yes	The data will be collected for specific purposes and will not be processed in a manner incompatible with those purposes. The purpose will be clearly explained to respondents prior to responding.
6.3 Principle 3 – adequacy, relevance and data minimisation	Yes	The consultation will only gather necessary information to achieve the project's objectives. Participants are able to input as much information as they would like to open questions, and are able to skip open questions.
6.4 Principle 4 – accurate, kept up to date, deletion	Yes	The data from the consultation and analysis does not need to be kept up to date as it represents the participants' views and circumstances at the point of collection. It will be deleted in accordance with SG retention and disposal strategy (See Principle 5 for deletion).
6.5 Principle 5 – kept for no longer than necessary, anonymization	Yes	The data processor will be processing data which is directly identifiable in the dataset. Anonymisation measures are set out in section 5. Review measures will be in place to ensure that the data will be kept for no longer than is necessary for its lawful purpose by the Scottish Government.
6.6 GDPR Articles 12-22 – data subject rights	Yes	Data subjects rights are set in the SG privacy policy which is to be found in the RIF linked to the consultation process. The data controller will process and manage any requests to exercise the rights of the data subject.
6.7 Principle 6 - security	Yes	Data will be protected from loss or unlawful processing using appropriate methods, including storing electronic data on password protected secure severs.
6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.	Yes	The project is not expected to involve the transfer of data outside the EEA. For customers in the EU, Rackspace is its Infrastructure as a Service hosting provider. Rackspace provides and manages the UK datacentres in which the Citizen Space site is hosted.

8. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk	Solutionor mitigation	Result
We may not have a lawful basis to process the personal data	We have identified an appropriate lawful basis under Article 6(1)(e) 'necessary in the performance of a task carried out in the public interest' to meet our duties under the Planning (Scotland) Act 2019.	Eliminated
We may fail to keep personal data protected against loss, unauthorised access and accidental damage	Electronic data is securely transferred to the data processor and must be password protected or encrypted. Any paper copies of documents holding personal information (i.e. posted responses) are kept in locked cabinets when possible. Data processing staff are required to comply with SG terms and conditions around data security.	Reduced
We may publish data that may enable the identification of individuals	The data will be reviewed and prepared for redaction to ensure that where an individual has not provided permission for their name to be published it is removed. This responsibility sits with the policy lead.	Reduced
We may fail to properly inform individuals of the data processing activity	A privacy notice will be in place to fully inform individuals about the processing and will be made available to view in Citizen Space before any data is request. The privacy notice will also be available in hard copy.	Reduced
We may process special category data without lawful basis	Free text box content will be reviewed and any irrelevant data will be deleted as soon as possible.	Reduced
We may keep personal data for longer than necessary	There is a process to ensure that personal data is deleted at the end of consultations timeously. (see above under Data Purging and Archival section for timescales)	Reduced

9. Incorporating Privacy Risks into planning

Risk	How risk will be incorporated intoplanning	Owner
We may publish data that may enable the identification of individuals We may fail to properly inform individuals of the data processing activity We may process special category data without lawful basis	The data will be reviewed and prepared for redaction to ensure that the appropriate permissions are in place and that information in free text boxes is reviewed. This responsibility sits with the policy lead.	Information Asset Owner
We may keep personal data for longer than necessary	It will be the responsibility to comply with the requirements of removing personal data within the required time limit.	Information Asset Owner

10. Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO

Confirm the legislative basis for the regulations and associated consultation

Action

Confirmed

11. Authorisation and publication

I confirm that the impact of undertaking the MCA Regulations Consultation has been sufficiently assessed against the needs of the privacy duty:

Name and job title of a IAO or equivalent Fiona Simpson, Chief Planner

Date each version authorised

15 November 2023