How they are sharing your sacrosanct medical data contrary to your freely given inalienable rights: Refer ICCPR International Law.
Per FOISA please supply the following information contained in your records:
1. The information sharing agreement, appropriate policy document including any data protection impact assessment for multi agency working which includes high risk personnel data with Police Scotland.
2. Please advise if this data sharing is by consent or public task.
The ICO have provided specialised and strict legal measures to ensure the sharing of high risk medical data and information to assist data controllers to ensure they adhere to the lawful basis for sharing of Special Category (SC) and Criminal Offence (CO) data (high risk data) between various non-statutory third sector organisations using the Police Scotland interim Vulnerable Persons Database (iVPD) to share this SC and CO data with other agencies, organisations that would include local authorities, NHS boards and public health agencies with whom data would be shared with makes such data high risk personal data.
The sharing of such high risk data without an up to date information sharing agreement and/or appropriate policy document including a data protection impact assessment will most definitely effect the rights and freedoms of a natural person including the Human Rights Act which supersedes all domestic legislation, which means any data sharing out-with DPA 2018 and GDPR has a high risk of breaching the data subjects human rights and would be a very serious matter in law indeed.
I trust this is helpful for you, however please do not hesitate to contact the ICO as they being the regular are remunerated to actually provide you with the correct lawful basis and procedures when sharing personal data in a multi agency capacity or indeed any capacity.
This is a very serious role undertaken by the regulator and for Public Health Scotland to be asking a member of the public a lay person, concerning high risk data, appears to be rather disturbing that it may be the case you are not familiar with the seriousness of the lawful basis of sharing such personal high risk data.
To further assist you in clarifying what is termed as High Risk data processing, I respectfully refer you to the following link: https://www.whatdotheyknow.com/request/735000/response/1756758/attach/5/21%200555%20Attachment%202.pdf
Note 6 – High Risk (Question 13 of DPIA template) What is high risk?
The following types of processing will always be high risk:
a) systematic and extensive processing activities, including profiling, and where decisions have legal effects, of similarly significant effects on individuals. This would include profiling and predicting from aspects concerning the data subject’s performance at work.
b) processing on a *large scale of special categories of data referred to in GDPR Article 9(1), or of personal data relating to criminal convictions and offences referred to in GDPR Article 10; In addition, beyond the provisions of the GDPR, some categories of data can be considered as increasing the possible risks to the rights and freedoms of individuals. These personal data are considered as sensitive because they are linked to household and private activities or because they impact the exercise of a fundamental right such as location data whose collection questions the freedom of movement.
c) a systematic monitoring of a publicly accessible area on a *large scale. This is because the personal data may be collected in circumstances where the data subjects may not be aware of who is collecting their data and how they will be used. Additionally it may be impossible for individuals to avoid being subject to such processing in public, (or publicly accessible) space(s).
*When deciding where the proposed processing is carried out on a large scale the following factors in particular should be considered:
a) the number of data subjects concerned, either as a specific number or as a proportion of the relevant population
b) the volume of data, and/or the range of different data items being processed
c) the duration, or permanence of the data processing activity
d) the geographical extent of the processing activity.
In addition, the following must be considered when deciding whether the proposed processing is high risk:
a) matching or combining data sets – e.g. originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way which would exceed the reasonable expectations of the data subject
b) data concerning vulnerable data subjects – the processing of this type of data is a criterion because of the increased power imbalance between data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose the processing of their data or exercise their rights
Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees,