Senedd Cymru (Electoral Candidate Lists) Bill: data protection impact assessment
Data protection impact assessment of the impact of the bill for reform of Senedd electoral candidate lists.
This file may not be fully accessible.
In this page
Introduction
The Welsh Government’s Senedd Cymru (Electoral Candidate Lists) Bill (“the Bill”) will introduce candidate quotas for women into the proportional representation closed list electoral system used at elections to Senedd Cymru (“the Senedd”) (as provided for in the Senedd Cymru (Electoral Candidate Lists) Bill), with a view to implementation in time for the 2026 Senedd election. The Bill sets out the quota rules (i.e. the requirements regarding the proportion and placement of women on party candidate lists) and provides the powers for the operational detail, which will follow in subordinate legislation and may be explained in guidance.
The aim of the quota is to make the Senedd more representative of the gender makeup of the population of Wales. The purpose of this (which is also the purpose of the wider Welsh Government Senedd reform programme), is to make the Senedd a more effective legislature for, and on behalf of, the people of Wales. There is evidence that a gender balanced legislature can be a more effective one.
Specifically, the quota is seeking to ensure that the proportion of women in the Senedd broadly reflects that of the general population (which is over 50%), as women have consistently been an under-represented majority amongst Members of the Senedd and there is evidence as to the benefits to be derived from their representation in political institutions.
Election candidates who are to stand for a party will be required to state whether or not they are a woman as part of the nomination process in order to be a party list candidate for election to the Senedd. It is fundamental to the policy that party list candidates state whether they are a woman (or not) because the quota rules centre around women’s representation on political party candidate lists. The Bill contains rules relating to the proportion of candidates on a party list that are women and also about where women appear on any list (i.e. rules that apply at local level). In addition, there is a rule around the proportion of a political party’s lists across Wales which have a woman in the first or only (where it is a list of one) position (i.e. the rule that applies at national level).
All party list candidates for Senedd elections will be required, as part of the nominations process, to state whether or not they are a woman. This requirement and matters related to it, will be provided for in subordinate legislation.
The processing
The Welsh Ministers will have no direct involvement in the actual collection and processing of the data. Political parties, CROs and the NNCO will be data controllers. This DPIA has been completed to describe what we consider the data protection and privacy implications of the legislative provisions to be. Many of the details will be provided for in subordinate legislation yet to be prepared (and which will be dependent upon the Bill receiving Royal Assent). This DPIA sets out in broad terms what is likely to be provided for in the subordinate legislation.
Candidates standing for registered political parties will be required to state whether or not they are a woman as part of the nominations forms which they are required to complete in order to become a party list candidate. Registered political parties (as defined in the legislation) will need to collect the information from their candidates and will use this to ensure that their party lists comply with the requirements of the gender quota rules. Political parties (through their nominating officer or persons they have delegated to) will submit the nomination forms, including party lists to the CRO who will use the information to check compliance with the quota rules that apply at local level (as well as other requirements regarding nomination). In turn, the CRO will share only relevant information with the NNCO – this is to be limited to the minimum necessary to enforce compliance, and is expected to include information on whether or not the candidate in the first or only position on a party list submitted for the constituency is a woman. It is not expected to include the names of those candidates, but in due course, that information would become publicly available when the statements of persons nominated are subsequently published. Sharing information about whether or not candidates are women will enable the NNCO to determine whether each party standing candidates in the election is compliant with the rule that applies at a national level.
Existing Returning Officers are subject to performance standards, as set by the Electoral Commission (“the EC”), which lists “Assessment of GDPR requirements and records of management of personal data received as part of the nominations process” as information they need. This sets the expectation that Returning Officers should understand the impact of their activities in order to meet the outcome that “Everyone who is eligible and wants to stand for election is able to do so and has confidence in the process” (Performance standards for Returning Officers). They are also advised to maintain a document retention policy relating to the use, storage and deletion of data held for the purposes of administering the election (Data protection resource for EROs and ROs). This would all be relevant to the CROs’ administration of Senedd elections including once the quotas are implemented. As part of the ongoing policy development process, consideration will be given to a potential role for the EC in setting standards and providing advice in relation to the NNCO.
As controllers, CROs will provide a privacy notice (PN) to candidates explaining the purposes of the data collection and that the provision of the information by the candidates is required by law as part of the process to become a candidate in a Senedd election and how that information will be processed. This will also set out how that data will be shared once it has been submitted, and the purpose for it being shared. Consideration will need to be given as to whether the NNCO should also provide a PN as part of their role. The Bill gives power to make provision in subordinate legislation in respect of the inspection of gender statements (i.e. candidates’ statements on whether or not they are a woman).
Political parties also provide a PN separately to candidates as part of their role in managing membership of their parties, selecting candidates etc. They will need to expand these notices to refer to the use of this additional data for compiling compliant candidate lists.
The CRO will share personal data with the NNCO in a limited form. The detail of all the information which may need to be shared with the NNCO will be provided for in subsequent subordinate legislation. Similarly, the extent to which other persons may have rights to inspect gender statements and any related safeguards, will be provided for in subordinate legislation.
The CRO will be required to publish the list of validly nominated candidates in the Statement of Persons nominated. While the information provided in the gender statement will not be published, the order of the party list (which will be informed by these statements and the quota rules) will be made publicly available and so it may be possible to ascertain, or at least confidently predict, how some candidates have stated their gender (though not necessarily all candidates).
The data may subsequently be required for the purpose of legal proceedings, in particular, if an election petition is brought and the gender statement is relevant to it.
The legislation will require that candidates must state whether they are a woman or not a woman. For many people, the information they give about whether or not they are a woman will not be a sensitive matter. However, on occasion, it may be sensitive to the person concerned. This information is not special category data. Data concerning health is special category data, and whilst having to state one’s gender may very occasionally involve a connection to health (for example if the person has a diagnosis of gender dysphoria), the statement itself would not involve revealing any information about a candidate’s health.
Welsh Government has undertaken a full Equality and Human Rights impact assessment in relation to this Bill, which is published separately. The assessment has considered the impacts of these proposals in a range of circumstances, including the requirement to make a statement and its connection to a candidate’s right to stand for election. Candidates will only be asked to state whether or not they are a woman for the purposes of the quota. The quotas are for women, so the only information required is whether a party candidate is a woman or not. This is the wording in the Bill and in the statement that candidates will be required to make. It is not considered necessary to ask for any more information regarding gender.
It will cover all candidates standing for a party at a Senedd general election (covering the whole of Wales). Candidates will need to provide this information once for every Senedd election at which they wish to stand for a party. A Senedd election takes place once every 5 years, though the Senedd Cymru (Members and Elections) Bill is proposing to reduce this to 4 years. It is difficult to predict how many people will be put forward as party list candidates for future Senedd elections, especially given that there are also plans as part of the Senedd Cymru (Members and Elections) Bill to change the electoral system for the Senedd to a closed list system. Using the number of candidates in the 2021 Senedd election (470 candidates across 60 seats - Senedd election 2021: research briefing) as a baseline, we estimate that there could be around 700-800 candidates per Senedd general election cycle once the Senedd has expanded to include 96 Members under a closed list system.
The rules only apply in respect of the compilation of political parties’ candidate lists. They do not affect later matters such as the filling of vacancies occurring during a Senedd term. Accordingly, the information about whether a potential candidate is a woman or not will only be needed at or around the time of the general election and not after the period for any challenge has expired, or in the event of a challenge (an election petition) being brought after the election, once those proceedings (and any appeal on them) have been completed. While political parties may need the information ahead of the pre-election period in order to select candidates, the CROs and NNCO will only need the information during the nominations period and until the deadline for challenge has expired, or in the event of challenge, the proceedings have concluded.
The EC produces guidance for current Returning Officers, which includes advice on handling data in compliance with both electoral law and UK GDPR requirements. It is likely that the EC will update this guidance if necessary to reflect changes as a result of this Bill.
Political parties already collect and process information about candidates, e.g. home addresses via the nominations process. CROs are already required to receive and process personal data about candidates during and after the nominations process. Therefore, although the information to be provided is novel, in respect of political parties and CROs, it will be provided within an existing regime which already involves the provision and processing of personal data.
Candidates standing for parties will need to state whether they are a woman or not as part of the nominations forms which are mandatory in order to become a party list candidate. The submission of personal information is a well-established part of the electoral process and candidates are well-accustomed to providing their data in this way. Political parties and CROs already explain to candidates via a PN the purpose for which the data is being collected and processed and this legislation will add an additional piece of data to those requirements.
There has been some targeted engagement with relevant stakeholders around the new requirement for a gender statement as part of the broader package of information provided by candidates during the nominations process. It was generally felt that it would be appropriate to integrate this new element into existing systems and processes where best practice on data handling is already established. This engagement will continue as the primary legislation progresses and in the development of the subordinate legislation which will follow.
Further, the law on the quotas and the electoral process will be clear. So, it will be clear to potential candidates that they will need to state their gender (specifically, whether they are a woman or not) and that party lists will need to comply with those rules and that as the lists are published and visible to voters, it may be possible on occasion for people to work out how some candidates have completed their statement.
Vulnerable groups
No, The Government of Wales Act 2006 provides that candidates for election to the Senedd must be over the age of 18.
Although the type of data being collected is new and sharing some of the data with the NNCO is new, the collection of data by Returning Officers via nomination forms is standard practice at every election. As such, there are existing processes and rules in place to protect the data (and the rules may be extended, or new specific rules adopted, to cover the new information to be given) and provisions in respect of the NNCO handling the information will also be considered as part of plans for implementation of the legislation.
The purpose of the processing
The policy objectives are outlined in Section 1 – The aim of the quotas is to seek to make the Senedd more reflective of the gender makeup of the population of Wales. This is for the purpose (which is also the purpose of the wider Welsh Government Senedd reform programme) of making the Senedd a more effective legislature for, and on behalf of, the people of Wales.
Specifically, the quota is seeking to maximise the likelihood that the proportion of women in the Senedd broadly reflects that of the general population (which is over 50%) as women have consistently been an under-represented majority amongst Members of the Senedd and there is evidence of the benefits to be derived from women’s representation in political institutions.
Effect on individuals
The Bill requires that subordinate legislation makes provision for all party list candidates to state whether or not they are a woman as part of the nominations process. This is vitally important if the CRO and NNCO are to be able to effectively judge whether a party has complied with the legislation or not. The detail of the enforcement arrangements will be set out in subordinate legislation, but are likely to be along the following lines. In summary, if the gender statement is not completed by a party list candidate, the consequence will be that they will not be validly nominated and they will not be nominated as a candidate at the election for the party. If the party fails to ensure that their list complies with the local level rule, the list will be rejected. If the party fails to ensure that their list complies with the national level rule, the party will have the opportunity to select a list or lists to be changed, with the consequence that candidates on the selected list or lists will be moved up or down the list in order to achieve compliance. There will also be steps which the CRO may take to resolve issues of non-compliance in the event that a party does not take action itself. The outcome of this process is that there could be an impact on the likelihood of a candidate gaining a seat or that a candidate ceases to stand nominated.
As mentioned previously in this DPIA, some other people may see candidates‘ gender statements. This may not be sensitive for many, but could on occasion be so for some people. It may also be possible on occasion for people to work out how some candidates on a list have completed their statement. Although this may result in more personal information about a candidate being ascertainable by the public (that for some candidates may be sensitive), it could be argued that by standing for election a person is placing themselves in the public eye in a way that they may expect additional personal scrutiny.
The benefits of the processing
More specifically, the quotas are aimed at maximising the likelihood that the proportion of women in the Senedd broadly reflects that of the general population (which is over 50%). Addressing the underrepresentation of a majority group (i.e. women) is key to achieving a more representative and therefore effective Senedd.
International research has found that there are certain benefits to be derived from women’s representation in political institutions. Women in politics have been found to:
- Prioritise specific policy and legislative matters
- Prioritise particular types of work
- Champion particular ways of working
- Drive a higher calibre of candidates overall
- Create role models in positions of political leadership
- Increase minority representation
- Decrease corruption and unethical activity.
Collecting this data in the manner outlined will allow CROs and the NNCO to enforce the rules effectively. For political parties, this information will enable them to compile their candidate lists correctly, reducing the risk of their lists being non-compliant.
Consultation process
The Welsh Government will not be responsible for processing personal data. Processor and controller responsibilities have already been placed upon CROs and the political parties under the existing nominations process, who will need to expand the data they collect as a result of this policy. Those organisations are required to ensure their own compliance in this area, and current Returning Officers are subject to performance standards set by the EC. The NNCO is a new role and consideration will be given to whether they could also be subject to similar performance standards or best practice guidance, which may include data protection matters. The NNCO will need to comply with UK GDPR.
There has been early engagement with an Elections Practitioners Stakeholder Group, political parties and the EC on their respective roles and responsibilities, as well as Article 36(4) engagement with the ICO and liaison with internal GDPR/information rights officials. Feedback from these stakeholders has helped inform the Bill. There will be continued, more detailed, engagement with stakeholders as the primary legislative provisions are finalised and in developing any subordinate legislation which flows from the primary legislation.
Necessity and proportionality
The policy requires political parties to submit lists that comply with the quota rules, which will in turn require them to collect data on whether or not their candidates are women. CROs will also need to see this information to check that lists comply with the rules within the existing process of considering nomination papers and the validity of nominations. The NNCO will also need to know about some of this data to check for compliance, but it will be confined to sharing only the minimum necessary information with the NNCO.
Previous sections of this DPIA explain that the legislation is being introduced to require this processing because it is in the public interest for the Senedd to be more representative of society in relation to gender. It is in everyone’s interest to improve the effectiveness of the legislature in this way, bringing a greater range of perspectives into the Senedd to make decisions on policies and funding decisions that affect people’s lives. The information which will be required to be collected by virtue of the legislation will be proportionate to achieving this aim. This is because:
- the law will only require the collection, provision and processing of information necessary to effectively deliver the policy (both in terms of that which needs to be shared with the political party and what must be provided to the CRO and the NNCO)
- information about gender will not be published as part of the Statement of Persons Nominated.
Existing guidance issued to Returning Officers on the subject of data protection advises that "the processing of personal data by EROs/ROs is likely to fall under the ‘lawful basis that it is ‘necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller’” (Data protection resource for EROs and ROs). It is for Returning Officers to determine the lawful basis for themselves and how to document in their PN the lawful basis for processing the data.
While it would be for CROs, the NNCO and political parties to determine the lawful basis for the processing of personal data that is necessary to comply with or administer the quota system and to be clear about this in their PN, we have completed our own assessment of the likely lawful basis below.
We consider that the lawful basis for them processing the information to comply with the rules and as envisaged in this DPIA would be compliance with a legal obligation, as the Bill requires political parties to comply with requirements regarding their candidate lists and the subordinate legislation will require CROs and the NNCO to enforce the quota rules as part of their official duties. This lawful basis is provided for under Article 6(1)(c) of UK GDPR:
Article 6(1)(c) UK GDPR: processing is necessary for compliance with a legal obligation to which the controller is subject.
The lawful basis that processing is ‘necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller’ (Article 6(1)(e)) may be relevant for some processing that the CROs and the NNCO will do to administer the quotas. The details of what they may or will be required to do and any limits to or safeguards regarding that processing, will be set out in the subordinate legislation.
Although whether or not a person is a woman is not likely to be special category data for the reasons given above, it could be sensitive on occasion for some people. In particular, there could be circumstances where the information, combined with other publicly known information, could reveal information or imply something about a candidate which is sensitive. As such, this assessment has considered the requirements for special category data and the following condition under Article 9 would be capable of being met:
Article 9(2)(g) UKGDPR: processing is necessary for reasons of substantial public interest, on the basis of domestic Law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Additionally, Article 9(2)(g) is supplemented by Section 10 of the DPA 2018.
Section 10 says that if relying on ‘substantial public interest’ for the lawful basis, an extra condition also needs to be met. A list of acceptable conditions for this purpose are detailed in Part 2 of Schedule 1 to the DPA 2018. It is the “Statutory etc and government purposes” defined in paragraph 6 of Schedule 1 to the DPA 2018 that would be relied on here. To rely on the legal basis in article 9(2)(g) and the condition in paragraph 6, the controller must also have an appropriate policy document in place (see paragraph 5 of Schedule 1 to the DPA 2018) and Part 4 of the Schedule contains further conditions regarding that policy document.
It is anticipated that existing EC guidance for the CRO would be updated, and that similar guidance would be made available for the NNCO.
With a view to making the Senedd more effective, the policy is aimed at maximising the chances that the proportion of women in the Senedd broadly reflects that of the general population (over 50%) by requiring political parties to submit candidate lists that comply with the rules about the proportion and placement of women. CROs will check these lists for compliance with the local level rule and the NNCO will check for compliance with the national level rule. In order to achieve this, political parties, CROs and the NNCO will need to have information on whether or not candidates are women in order to comply and therefore to stand candidates at an election (in the case of parties) or assess for compliance (in the case of CROs and the NNCO). Processing data in the way described in this assessment achieves these purposes.
Consideration was given to a voluntary quota scheme, but this option was rejected. It was considered less likely to achieve the policy aim.
Consideration was also given to the necessity of a mandatory statement as to whether a candidate is a woman or not (i.e. whether they could be voluntary instead). It was determined that without information about whether each candidate was a woman or not, parties could face difficulties in showing that their lists complied and there could be risks of the system not working properly or effectively, in each case with adverse consequences for parties as to who they may stand and on some candidates’ ability to stand. The availability of this information, against which compliance is judged, gives the best chance of realising the aim of the quotas in a way which does not unfairly interfere with a party’s and its candidates’ rights to stand.
Consideration was also given to whether a separate group (such as the Electoral Management Board) should be responsible for checking lists for compliance with the gender quota criteria, but this option would have increased disproportionately the number of persons accessing candidate data. Such a group would have either required a direct submission of lists and gender statements from parties or candidates, or sharing of such data by CROs. It is considered more appropriate for the CRO to undertake these checks directly as part of their existing role in checking candidate nomination papers. This is considered a more streamlined process and maximises the benefits to be gained from the experience and existing duties of CROs in relation to handling sensitive data contained within nomination papers. It is intended that the NNCO will be appointed from within the existing pool of Local Authority Returning Officers, which means they will potentially bring to the role previous experience of electoral law and practices in fulfilling what will inevitably be a short-term role.
Necessity of political parties sharing personal data with the Constituency Returning Officer
To make the Senedd more effective, the policy aims to maximise the chances that the proportion of women in the Senedd broadly reflects that of the general population (over 50%) by requiring political parties to submit candidate lists that comply with the rules as to the proportion and placement of women. In order to carry out their duty to check that party lists have complied with the local rules, the CRO will need to know which candidates are women and which are not. This information will need to be stated by the candidate, and submitted to the CRO by the parties’ Nominating Officer as part of the nomination papers that are required as part of the existing nominations process. The nomination papers are used to confirm that a candidate is validly nominated and are a mandatory element of the nominations process.
Without this information, the CRO would not be able to check that party lists comply with the rules. As noted above, CROs are subject to existing performance standards which touch upon data protection and these are likely to cover the CRO’s activities in administering the quota rules.
Further operational details will be set out in subordinate legislation. Current Returning Officers publish a PN in relation to the information they collect through the nominations and wider electoral process. The information provided in the gender statement should be covered by these notices in the future, as well as how and why that information will be shared and with whom.
Necessity of Constituency Returning Officers sharing personal data with the National Nominations Compliance Officer
The Bill provides a power for Ministers to make provision regarding the role of the NNCO, therefore the detail of the NNCO’s role will be provided for in subordinate legislation. The quota involves a rule that applies at a national level and therefore compliance with that needs to be considered by a person at national level – this is to be the role of the NNCO. In order to do so, each of the CROs will need to provide the NNCO with information relating to the candidate in the first or only position on each party’s list in their constituency. As the NNCO will not need to identify these candidates, they will only need to know whether they have stated that they are women or not and how many candidates are on each party list, and so it is not expected that they will be provided with other personal data (although the lists of persons nominated will subsequently be published). Without this information, the NNCO will not be able to check for a party’s compliance with the national rule.
The NNCO is a new role and consideration will be given to relevant guidance and performance standards relating to their role, including whether there should be any specific retention rules to be applied to information shared with them at the time of preparing the subordinate legislation.
Achieving the same outcome without the collection of data which may be sensitive
The policy requires parties to compile lists that comply with the rules as to the proportion and placement of women on party lists and for CROs and the NNCO to check that these lists are compliant. It is not possible to compile and check candidate lists without collecting data on whether or not the candidates are women.
The legislation clearly defines the quota rules and provides powers for the subordinate legislation to deal with the operational requirements. The functions of CROs and the NNCO will be set out in and limited by that subordinate legislation. They and political parties will also be bound by data protection law. The Bill also includes a mechanism for the Senedd to consider reviewing the operation and effect of the new system following the first election at which it applies, and for the Welsh Government to respond to any report laid before the Senedd as a result.
Data quality and data minimisation
The information will be provided directly by the candidates. Although there will be no criminal sanction for providing false information in a statement, case law indicates that Returning Officers are entitled to reject nominations that are a manifest sham.
The EC currently publishes guidance to support Returning Officers in complying with electoral law. It is expected that this guidance will be updated to reflect the changes to electoral law following the passage of the Bill.
Measures to ensure compliance
Section 6(2) of the Data Protection Act 2018 provides that where a person on whom an obligation to process personal data is imposed by an enactment and it is processed only for the purposes for which it is required by the enactment to be processed and only by means by which it is required to be processed, the person is the controller.
Political parties, CROs and the NNCO, as controllers, will make decisions about processing activities. They will exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing. Accordingly, they will be responsible for complying with data protection legislation. As the information will be gathered as an extension of an existing process, that process together with the existing rules and performance standards that apply in relation to it, will be familiar to key players. The EC currently has a role in assisting them to comply with the legislation through guidance.
International transfers
n/a
Identify and assess risks
Describes the source of risk and nature of potential impact on individuals.
Likelihood of harm:
- Remote
- possible
- probable
Severity of harm:
- Minimal
- significant
- severe
Overall risk:
- Low
- medium
- high
Risk 1
Persons generally may be put off from standing for election as the legislation may be perceived to be too intrusive, including the potential effect that on occasion it may be possible from the published list of candidates to predict what a particular candidate has said in their statement.
It is possible that there could be a negative impact on some individuals who, because of their particular circumstances, may feel uncertain or anxious about stating whether or not they are a woman and consider this a barrier to their participation as a candidate for election.
Likelihood of harm
Remote (on basis that numbers impacted in this way are likely to be very low - for majority of candidates information about whether they are a woman or not will not be sensitive).
Severity of harm
Minimal or significant, depending on individual circumstances.
It could be argued that someone standing for election to the Senedd would be putting themselves into the public eye and that a degree of scrutiny is inevitable.
Overall risk: Low
Risk 2
Leak of sensitive data about a person’s gender statement into the public domain, as a result of data breach by controllers/processors. However, it could be that this information could be inferred in some instances from the list of candidates which is published and available to the general public.
Likelihood of harm
Remote (on basis there will be control measures in place and that for the majority of people this will not be sensitive information).
Severity of harm
Minimal or significant - depending on nature of the leak and circumstances of the individual.
Overall risk: Low
Risk 3
Leak of data about a person’s gender statement into the public domain, as a result of a person who has accessed a candidate’s statement via the inspection process leaking this information into the public domain.
As above, it could be that the same information could be inferred in some instances from the publicly available list of candidates.
Likelihood of harm
Possible (on basis there is slightly less control over who sees the information and what they do with the information. However, for the majority of candidates this will not be sensitive information.)
Severity of harm
Minimal or significant - depending on nature of the leak and circumstances of the individual.
Overall risk: Medium
Risk 4
Release of personal information relating to a candidate’s gender into the public domain as a result of legal challenge e.g. through the election petition process. Should a candidate be subject to a challenge, personal information related to their gender may be revealed during the legal proceedings, potentially leading to significant consequences for the individual.
Likelihood of harm
Remote (on the basis that legal challenges are rare.
Also, in the majority of cases, a candidate’s gender is unlikely to be called into question and the information will not be sensitive for the candidate.)
Severity of harm
Minimal or significant - depending on circumstances of the individual.
It could be argued that someone standing for election to the Senedd would be putting themselves into the public eye and that a degree of scrutiny is inevitable.
Overall risk: Medium
Measures to reduce risk
Options to reduce or eliminate risk.
Effect on risk:
- eliminated
- reduced
- accepted
Residual risk:
- low
- medium
- high
Measure approved:
- Yes
- No
Risk 1
Guidance to candidates and PNs (amended to reflect the change in the law) could reassure individuals about why the information is required and how their information will be used, stored and shared (including period for retention and arrangements for disposal).
Candidates will only be asked to state whether or not they are a woman for the purposes of the quota, as any additional information is not necessary for the purpose of effectively implementing and enforcing the quota.
Effect on risk
Reduced in part by seeking only the information that is necessary to implement the legislation (i.e. whether a candidate is a woman, or not).
Residual risk
Minimal
Measure approved
Guidance and PNs provided by data controllers may provide further mitigations.
Ultimately, candidates will decide whether to share personal information relating to their gender for the stated purposes.
Risk 2
As data controllers, the political parties, the CROs and the NNCO will be bound by UK data protection legislation.
Consideration will be given to the appropriateness of further safeguards in subordinate legislation.
Effect on risk
Reduced – given current GDPR law will apply and the risk may be further reduced through subordinate legislation.
Residual risk
Minimal
Measure approved
For further consideration at subordinate legislation stage.
Risk 3
Consideration will be given to placing restrictions on who may inspect nomination papers and conditions for doing so.
Effect on risk
Reduced
Residual risk
Low/Medium
Measure approved
For further consideration at subordinate legislation stage.
Risk 4
While it will not be an offence to provide an incorrect gender statement, there may be circumstances in which the information given by a candidate could be relevant to a legal challenge.
Effect on risk
Accepted
Residual risk
Medium
Measure approved
N/A