Children's advocacy in children's hearings: DPIA
Data Protection Impact Assessment (DPIA) in relation to the the provision of an advocacy service for children and young people going to children’s hearings.
6. General Data Protection Regulation (GDPR) Principles
Principle: 6.1 Principle 1 – fair and lawful, and meeting the conditions for processing
Compliant – Yes/No: Yes
Description of how you have complied
Scottish Government are providing the grants to meet the duty under S.122 of the Children’s Hearing (Scotland) Act 2011, and therefore any personal data processed will fall under 6(1)(e) ‘Public Task’
Information only gathered after written consent obtained from data subject or their legal guardian if appropriate. Consent can be withdrawn at any time.
A Privacy Notice will be provided.
Principle: 6.2 Principle 2 – purpose limitation
Compliant – Yes/No: Yes
Description of how you have complied
The information collected by providers will only be that what is necessary to provide the support and advice to that individual with regards to their hearing. The advocacy providers follow the standards for advocacy as detailed in the National Practice Model.
Principle: 6.3 Principle 3 – adequacy, relevance and data minimisation
Compliant – Yes/No: Yes
Description of how you have complied
The information recorded will be obtained from interviews with the child/young person. Any inaccurate information will be corrected or removed at their request. Any electronic files will be based on these interviews.
Principle: 6.4 Principle 4 – accurate, kept up to date, deletion
Compliant – Yes/No: Yes
Description of how you have complied
The information recorded will be obtained from interviews with the child/young person. Any inaccurate information will be corrected or removed on request and will be securely destroyed at the conclusion of the children’s hearing.
Principle: 6.5 Principle 5 – kept for no longer than necessary, anonymization
Compliant – Yes/No: Yes
Description of how you have complied
The data will only be kept for as long as outlined in service providers data retention policies.
Principle: 6.6 GDPR Articles 12-22 – data subject rights
Compliant – Yes/No: Yes
Description of how you have complied
Service providers are required to have processes and procedures in place to ensure data subjects are able to exercise their rights as required under DP legislation. SG receives assurance that this is in place through the application process.
Principle: 6.7 Principle 6 - security
Compliant – Yes/No: Yes
Description of how you have complied
No personal data will be transferred to Scottish Government. Providers are required to provide assurances that they have appropriate security measures in place to protect personal data as required by the legislation. Providers will be required to give assurances to Scottish Government that their practices and processes in relation to security measures are reviewed at least annually. These assurances will be provided in the annual report requirement as part of the grant funding conditions.
Principle: 6.8 GDPR Article 24 - Personal data shall not be transferred to a country or territory outside the European Economic Area.
Compliant – Yes/No: Yes
Description of how you have complied
The information will be stored within service providers’ case management systems and are asked to provide assurances on compliance with the Data Protection legislation.
Contact
Email: CYPAdvocacy@gov.scot
There is a problem
Thanks for your feedback