Children's advocacy in children's hearings: DPIA
Data Protection Impact Assessment (DPIA) in relation to the provision of an advocacy service for children and young people going to children’s hearings.
7. Risks identified and appropriate solutions or mitigation actions proposed
Is the risk eliminated, reduced or accepted?
Risk Scottish Government may not obtain appropriate assurance from service providers that they are aware of and comply with their data protection responsibilities
Ref ADV1
Solution or mitigation Assurances from advocacy organisations that their internal training processes include data protection and GDPR rights and responsibilities, as outlined in their Expressions of Interest application.
Result Reduce
Risk Scottish Government, as a joint controller of the data, may not be made aware if a service provider is the subject of a significant data breach within 72 hours
Ref ADV2
Solution or mitigation Grant conditions specify: “The Grantee shall ensure that all requirements of the Data Protection Laws are fulfilled in relation to the Project.” This includes reporting any potential data breach.
Result Reduce
Risk Lack of transparency around the processing of data
Ref ADV3
Solution or mitigation Service providers will provide clients with a privacy notice in hard copy or direct them to the published version on their website. Client consent will be sought for sharing special category data with partner organisations.
Result Reduce
Risk Data subjects may not be able to exercise their rights under the GDPR.
Ref ADV5
Solution or mitigation Responsibility for facilitating data subject rights will sit with the service providers. Scottish Government will obtain assurances from the providers that proper procedures and processes are in place to meet these obligations, including that all staff receive appropriate training.
Result Reduce
Risk Scottish Government may receive personal data without legal basis from service providers in their quarterly/annual returns
Ref ADV8
Solution or mitigation As reports from service providers use quantitative information, any numbers of less than 5 will not be reported, to ensure identification cannot take place. Organisations will illustrate themes by use of anonymised case studies. The potential to receive personal data is minimal but mitigation is in place in the unlikely event of error.
Result Reduce
Contact
Email: CYPAdvocacy@gov.scot