Disability Assistance for Working Age People (Transitional Provisions and Miscellaneous Amendment) (Scotland) Regulations 2022: data protection impact assessment
Data protection impact assessment to consider the impacts of the Disability Assistance for Working Age People (Transitional Provisions and Miscellaneous Amendment) (Scotland) Regulations 2022.
Data Protection Impact Assessment of The Disability Assistance for Working Age People (Transitional Provisions and Miscellaneous Amendment) (Scotland) Regulations 2022
Introductory information
DPIA for legislation for the Disability Assistance for Working Age People (Transitional Provisions and Miscellaneous Amendment) (Scotland) Regulations 2022
Summary of proposal:
Regulations to make provision to:
- enable the transfer of entitlement for individuals currently in receipt of Working Age Disability Living Allowance, which is currently delivered by the Department for Work and Pensions (DWP) on to Adult Disability Payment to be delivered by Social Security Scotland on behalf of Scottish Ministers.
Your department: Social Security Policy Division, Scottish Government
Contact email: Mhairi.Wilson@gov.scot
Data protection support email: dataprotectionofficer@gov.scot
Data protection officer: Stuart Gardner
Is your proposal primary legislation, secondary legislation or other form of statutory measure?
The provisions are being made through secondary legislation. Draft Regulations will be laid before the Scottish Parliament under sections 31, 36, 43(5), 52 and 95 of the Social Security (Scotland) Act 2018. The instrument will be subject to the affirmative procedure.
What stage is the legislative process at? Please indicate any relevant timescales and deadlines.
Assuming coming in to force on 29 August 2022, then making and laying dates would need to be 54 days prior (not including periods of recess), as it has been agreed by convention with Parliament that instruments subject to the affirmative procedure should be laid for 54 sitting days. We envisage laying the regulations in Parliament on 6 May 2022
Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)? For this secondary legislation there has been no consultation with the ICO.
This decision is based on the fact that as part of the previous consultation for Disability Assistance for Working Age People (Scotland) Regulations 2022 undertaken on 22 October 2021, it had been assumed that the transfer of Working Age Disability Living Allowance from Department for Work and Pension to Social Security Scotland would have been included in that instrument. It was not considered that a separate consultation was required due to the decision to take forward these provisions in a separate instrument given it does not introduce new processing of personal information not already considered as part of the previous consultation. Article 36(4)
If the ICO has provided feedback, please include this.
No specific consultation undertaken for this secondary legislation.
Consultation was completed on 22 October 2021 for Disability Assistance for Working Age People (Scotland) Regulations 2022 and this included consideration of the transfer of individuals on Working Age Disability Living Allowance. ICO Feedback
Do you need to hold a public consultation and if so has this taken place?
There was no public consultation for this secondary legislation, however, previous consultation was undertaken in relation to the development of policy on case transfer and on Adult Disability Payment.
A public consultation on the draft Disability Assistance for Working Age People (Scotland) Regulations 2022 was held between 20 December 2020 and 15 March 2021. A total of 127 consultation responses were received overall - 78 from individuals and 49 from organisations (including Disabled People's Organisations, Deaf People's Organisations, local authorities, third sector charities/groups and others). To support the online consultation, the Scottish Government also ran a series of stakeholder engagement events attended by a broad range of organisations and individuals with lived experience of disability. Full analysis of the consultation was published in June 2021: Adult Disability Payment: consultation analysis - gov.scot (www.gov.scot)
The consultation on the Adult Disability Payment Regulations was preceded by a broader consultation on Disability Assistance. The Consultation on Disability Assistance built on work with people with lived experience of benefits ('the Experience Panels') and was published on 5 March 2019. In line with the principles of dignity, fairness and respect, the Scottish Government sought the views of the people of Scotland on the proposed disability assistance benefits, including Disability Assistance for Working Age People (now known as Adult Disability Payment). The consultation closed on 28 May 2019, having received 263 replies, of which 74 were from stakeholder organisations and 189 were from individuals. Full analysis report of the Consultation on Disability Assistance in Scotland was published in October 2019: Disability Assistance in Scotland: analysis of consultation responses
Two surveys of experience panel members[1] and a series of individual and group interviews focused on the case transfer process itself, including when clients should be notified, what information they should be given, what order clients should be transferred in, and what information should be transferred, These were carried out in Spring 2019 and the results published:
- DWP benefits case transfers: survey findings - gov.scot (www.gov.scot)
- Social Security Experience Panels: designing the benefits case transfer process - gov.scot (www.gov.scot)
Due to the technical nature of the provisions and the engagement on the process to date, it was not considered necessary to undertake a formal consultation on the draft regulatory provisions for case transfer. We continue to engage with stakeholders and learn from previous case transfer whilst we design the processes for Working Age Disability Living Allowance case transfer.
Were there any comments/feedback from the public consultation about privacy, information or data protection?
During the ADP consultation, respondents and those attending stakeholder events welcomed the use of existing data, and information which already exists in the public sector, to inform decisions.
Respondents welcomed the change to gather information from a broad range of sources, as well as accepting input from informal sources. It was suggested that this would help to shift the burden from the individual and allow those who knew them best to provide information on the real impact that their condition has on their abilities. It was felt that this would make the process less stressful for the applicant.
Some organisations did, however, seek clarity on how any data-sharing process would work and the point at which the applicant would give request for help to seek supporting information. Another organisation cautioned that it would be important for Social Security Scotland to consider health inequalities in access to primary care which may affect the quality and availability of information about the person.
Both case transfer surveys sought feedback from experience panel members on the processes for transfer. Responses to the first survey showed a strong preference that no client should have to reapply for their benefit as part of the case transfer process. In the second set of interviews with experience panel members participants were presented with the different types of information that Social Security Scotland may take over as part of a client's case transfer. Participants were asked how they felt about Social Security Scotland taking over the different information types. It was explained that some information is essential for Social Security Scotland to take over as part of a client's case, including payment information, personal information (such as a client's address and contact information) and award information. All participants asked agreed that this information should be transferred as part of a client's case. Nearly all those asked were happy with Social Security Scotland taking over application information. Again, the majority of participants were happy for information submitted for evidence to be taken over. Views were mixed on taking over assessment information and case management information.
Some participants saw no problems with Social Security Scotland taking over assessment information and thought it would be better for Social Security Scotland to have all the information that DWP currently hold as part of a client's case. Some participants requested that Social Security Scotland staff view the contents of previous assessments with a critical eye if the information is to be transferred. However, some participants thought that assessment information should not be taken over. The most common reason for this was that participants did not feel the information from their assessment was accurate or correct. Participants spoke of their previous experience of assessments with DWP and some said they would like a fresh start with Social Security Scotland.
Some participants wanted case management information to be transferred so that there was a fully comprehensive record of a client's circumstances. However, many participants saw this information as irrelevant and questioned whether it would be needed. Similarly, to assessment information, some participants also spoke of wanting a fresh start with Social Security Scotland and therefore didn't want this information transferred.
The Working Age Disability Living Allowance cohort are clients that have not had a change in circumstance that has instigated the transfer to Personal Independent Payment by DWP. None of these clients will have engaged with DWP for a considerable time.
Article 35(7)(a) - "purposes of the processing, including, where applicable, the legitimate interest pursued by the controller"
Question 1: What issue/public need is the proposal seeking to address? What policy objective is the legislation trying to meet?
Comments
The Scotland Act 2016 made provision to devolve limited aspects of social security powers to Scottish Ministers, including 11 social security benefits:
- Benefits for carers, disabled people and those who are ill: Attendance Allowance, Carer's Allowance, DLA, PIP, Industrial Injuries Scheme Benefits and Severe Disablement Allowance.
- Benefits which currently comprise the Regulated Social Fund: Cold Weather Payment, Funeral Payment, Sure Start Maternity Grant and Winter Fuel Payment.
- Discretionary Housing Payments.
The Social Security (Scotland) Act 2018 received Royal Assent on 1 June 2018 and sets out the overarching legislative framework for the delivery of devolved forms of social security assistance.
Scottish Ministers through a series of regulations, make provision for new benefits to replace some current UK benefits for clients in Scotland.
In addition, Scottish Ministers can use transitional powers under the 2018 Act to make provision for the transfer of clients resident in Scotland currently in receipt of the UK disability and carer benefits, that are currently being administered and paid by the DWP for clients in Scotland under agency agreements, onto these new Scottish benefits.
Over 700,000 people are currently in receipt of UK disability and carer benefits that will be replaced by Scottish forms of assistance and responsibility for delivering benefits for these people will require to be transferred from the DWP to Social Security Scotland as the new forms of Scottish disability and carers assistance 'go live'.
These regulations will make provision for the transfer of entitlement for working age adults in Scotland currently in receipt of Working Age Disability Living Allowance, where these individuals would otherwise be required to apply for Personal Independence Payment. Based on DWP data, in Scotland in there are approximately 37,000 people receiving Working Age Disability Living Allowance and around 100 of these individuals are likely to transfer every month from the national launch of Adult Disability Payment.
Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects" and Article 35(7)(b) "...necessity and proportionality of the processing operations"
Question 2: Does your proposal relate to the processing of personal data? If so, please provide a brief explanation of the intended processing and what kind of personal data it might involve. Who might be affected by the proposed processing?
Is the processing considered necessary to meet a policy aim? Is there a less invasive way to meet the objective (for example, anonymising data, processing less data).
Please also specify if this personal data will be sensitive or special category data or relate to criminal convictions or offences.
(Note: 'special categories' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person's sex life or sexual orientation and sensitive personal data means criminal information or history).
Comments
Intended processing and how it meets the policy aim
For the transfer of entitlement for adults currently in receipt of Working Age Disability Living Allowance from the DWP to Social Security Scotland, both organisations will work together to securely transfer data and information held by DWP that is necessary to: create a client file within Social Security Scotland's case management system; to make a determination of entitlement to Adult Disability Payment; to support the future management of the award and to put the award into payment. This is to ensure that adults in receipt of Working Age Disability Living Allowance are not required to re-apply for the replacement benefit and to ensure they are not disadvantaged or face any interruption to receipt of their benefits.
Information transfer will also ensure that Social Security Scotland does not have to duplicate requests for relevant information that has already been supplied. Otherwise there would be additional and unnecessary burdens on the individual, other government departments, or other third parties, such as health care providers, who would be required to re-provide supporting information.
The data and information transferred will, therefore, include much of the same data and information on the individual or appointee that receives payment on the persons behalf, as is required for a new application and for managing the award for the individual once a determination of entitlement has been made.
This will include information on the individual's disability and data necessary to effect payment of the benefit such as address and bank details. To have information to communicate effectively with clients, information such as accessibility requirements and language preferences will be also being transferred.
The volume of data transferred will vary on a benefit by benefit basis, and also by client e.g. not all clients will have an appointee. The data being transferred will be defined and agreed with DWP, and included within the relevant benefit appendix in the Case Transfer Data Sharing Agreement.
The volume of supporting information transferred will also vary by client. Based on a response from DWP we estimate that the volumes of forms and supporting information received will be 20-30 pages per client, with an average size of 50kb per page.
Given the age of these awards and the fact that the forms and evidence held are paper based, then we are for this cohort offering clients the choice in the first instance as to whether forms and evidence are transferred. If a client does not wish the forms and evidence to be transferred then this will not affect a client's initial transfer determination award which will be based on client data, but will mean the client will be asked and supported to source relevant supporting information as part of the review of the clients Adult Disability Payment award post review.
In any circumstance where a client seeks a re-determination or appeals the transfer or review determination, then Social Security Scotland will request the client's Disability Living Allowance forms and evidence are transferred from DWP to ensure we are taking all relevant information into account and to ensure this information can be available to the Tribunal and Courts in considering any appeal.
Where the documentation is requested from DWP the documents although currently held in paper format will be reviewed and scanned by DWP. This will allow the sharing of the relevant documents to be completed electronically using an established sharing mechanism utilised for transfer of electronic format documentation from DWP to Scottish Government for Personal Independent Payment to Adult Disability Payment.
Special category, sensitive information and data relating to criminal convictions or offences
For both new applications and case transfer, data and information regarding the impact of a client's disability will be processed, and this may include details of their health and social care requirements, and also whether they have a terminal illness. For case transfer, data on the clients' care and mobility award components for their award will be transferred, together with any supporting records supplied in connection with the original application to the DWP, where the client request this or subsequently requests a re-determination or appeal of the transfer or review determination following transfer.
In some cases, this data may also be sensitive, for example DWP will transfer details of clients with a terminal illness and from the records supplied Social Security Scotland will determine and record if the client is aware or not of their terminal illness.
No data on the criminal convictions or offences will be transferred. However, if the client is in legal detention this data will be transferred as this impacts on the client's benefit entitlements. An appropriate Policy document is in place.
There is a risk (Transparency) that clients who have their records transferred from the DWP will not understand the changes to how they can exercise their data subject rights. This has been mitigated by a number of communications including:
Letter from DWP notifying the client of the transfer
Letter and leaflet from Social Security Scotland welcoming the client, detailing their rights for re-determination and appeal and providing information on the privacy notice and how to exercise their data subject rights. This letter will also highlight that the client has the choice on whether supporting information is transferred, in the first instance, in addition to the necessary data transfer.
Equalities Data
All new clients are asked to complete an Equality Monitoring and Feedback form along with the application form for each benefit delivered by Social Security Scotland. The data collected is used to identify who is using the service, to investigate how Social Security Scotland processes work for different groups of people and to understand whether groups with protected characteristics are able to adequately access social security payments. The equalities data is also analysed by outcome of application to assess if there is any variation.
Any data related to protected characteristics and held on existing client's files by the DWP will also be transferred and be used for similar purposes and in line with how it was originally collected.
For additional protection all equalities data is retained in a separate location to the client record in a pseudonymised state.
Processing of such data already occurs as part of Social Security Scotland administering devolved benefits but this will increase the volume of special category information being processed as it relates to a new form of disability assistance being administered by Social Security Scotland.
Health Data
In some cases, a consultation will be part of the decision making process for the review, or any re-determination of the transfer determination, that will be carried out once the client's award has transferred. As part of this process a Health or Social Care Practitioner will gather more information on the impact of a client's disability or illness. Information collected during this process will be shared with the individual in a detailed document for them to check accuracy.
Part of your consideration in relation to Article 35(7)(a) and (b) should be in respect of ECHR.
Question 3: Will your proposal engage any rights under ECHR, in particular Article 8 ECHR? How will the proposal ensure a balance with Article 8 rights? If the proposal interferes with Article 8 rights, what is your justification for doing so - why is it necessary?
Article 8 ECHR:
Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
You may also wish to consider
Article 6 right to a fair trial (and rights of the accused)
Article 10 right to freedom of expression
Article 14 rights prohibiting discrimination
Or any other convention or treaty rights?
Comments
Yes.
We anticipate in some cases that case transferees will have an existing appointee for their Disability Living Allowance award. Under the 2018 Act, Social Security Scotland can appoint a person, or organisation, to act on behalf of a client under section 85B(1)&(7) of the Social Security (Scotland) Act 2018(the 2018 Act). This is where on the balance of probabilities the client meets the definition of 'incapable' set out in section 1(6) of the Adults with Incapacity (Scotland) Act 2000 (the 2000 Act) and there is no-one else with legal authority to manage their benefits for them.
In such cases, we have made provision to ensure the client's current appointee can continue to act as their appointee throughout the transfer and review process until such times as Social Security Scotland can review the appointee. This will be done as soon as reasonably practicable after the client has been selected to transfer. As with the process for new applications, Social Security Scotland will seek the views of the client (where possible), anyone with legal rights on behalf of the client, and others with an interest in their welfare or financial affairs before appointing a third party to act on the individual's behalf.
There will also be a legal right to dispute a decision to appoint someone without legal rights to the First-Tier Tribunal for Scotland, to ensure that there is a sufficiently fair and robust process to resolve any disputes.
Article 35(7)(b) "...necessity and proportionality of the processing operations"
Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"
Article 35(7)(d) "measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [UK GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned"
Note Article 32 UK GDPR for s.4 also
Question 4: Will the proposal require regulation of:
- technology relating to processing
- behaviour of individuals using technology
- technology suppliers
- technology infrastructure
- information security
(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)
Comments
In practice, DWP will encrypt the data and the Scottish Government will decrypt on arrival. All data will be accessed - identity and access mapping will be completed.
The existing infrastructure and security used by Social Security Scotland to transfer data from DWP will be utilised. There are no legislative measures relating to technology.
Technology already used to provide other Social Security Scotland payments will be used to support the payment of ADP.
Question 4a: Please explain if the proposal will have an impact on the use of technology and what that impact will be.
Please consider/address any issues involving:
- Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals, such as email addresses or postcodes);
- Surveillance (necessary or unintended);
- Tracking of individuals online, including tracking behaviour online;
- Profiling;
- Collection of 'online' or other technology-based evidence
- Artificial intelligence (AI);
- Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals
(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people's information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)
Comments
No.
Question 4b: Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?
Comments
No.
Article 35(7)(b) "...necessity and proportionality of the processing operations"
Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"
*Note exemptions from UK GDPR principles where applicable
Question 5: Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g.in relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)
Comments
The proposal does not introduce any new requirements regarding investigatory powers; these are already included in the Social Security (Scotland) Act 2018 and regulations made under it.
Article 35(7)(b) "...necessity and proportionality of the processing operations"
Article 35(7)(c) "assessment of the risks to the rights and freedoms of data subjects"
Article 35(7)(d) "measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [UK GDPR] taking into account the rights and legitimate interests of data subjects and other persons concerned"
Question 6: Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?
Comments
This proposal relates to the collection of data and information in relation to the transfer of data and information on adults in Scotland in receipt of Working Age Disability Living Allowance so will have a direct impact on the client and the individual to whom the benefit is paid (in the case of an appointee). The main data subject should in the vast majority of cases be a disabled adult and may also have other protected characteristics. The individual to whom the benefit is paid may also in some cases be a member of a specific group, for example they may be disabled or be elderly.
Impact assessments have been drafted, including an Equalities Impact Assessment and Children's Rights and Wellbeing Impact Assessment, with the intention that these are laid alongside the draft regulations in the Scottish Parliament in May 2022.
Question 7: Will the Bill necessitate the sharing of personal data to meet the policy objectives? For example
- From one public sector organisation to another public sector organisation;
- From a public sector organisation to a private sector organisation, charity, etc.;
- Between public sector organisations;
- Between individuals (e.g. practitioners/ service users/sole traders etc.);
- Upon request from a nominated (or specified) organisation?
If so, does the Bill make appropriate provision to establish a legal gateway to allow for sharing personal data Please briefly explain what the gateway will be and how this then helps meet one of the legal basis under Article 6 of the UK GDPR.
(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s. State what is the purpose of the sharing and why it is considered to be necessary to achieve the policy aims. )
Comments
Yes.
Personal data will be transferred from the DWP to Social Security Scotland in order for clients to be moved on to a devolved Scottish benefit without completing a new Adult Disability Payment application. In order to make a determination on a client's entitlement to Adult Disability Payment, and to carry out the subsequent review and any re-determinations, appeals and further subsequent reviews of entitlement, personal data will also be sought from and shared with other public sector organisations and third parties.
There are already legal gateways in place to enable the sharing of data with the DWP.
Sharing of personal data with a number of other government departments and third parties already occurs as part of Social Security Scotland administering devolved forms of assistance and benefits, but there will be some l increase to the volume of data being shared as individuals in receipt of Working Age Disability Living Allowance begin to transfer from the DWP to Social Security Scotland.
Provision has already been made under section 85 of the Social Security (Scotland) Act 2018 for the sharing of information between certain public bodies to Scottish Ministers for the purpose of a social security functions, or other functions prescribed in legislation. Data sharing already exists for Adult Disability Payment including the following organisations:
The Ministry of Defence for Armed Forces Independence Payment checks, Scottish Local Authorities for blue badges, and providers of Assisted Vehicles (for Assisted Vehicle Entitlement, 'AVE').
As recommended work is planned to undertake data flow mapping for the 2 pathways, the first being the transfer from DWP and the second being the new applicants to Social Security Scotland to allow the Scottish Government to identify any legal gateways that maybe missing and to determine whether further regulations are needed to include new powers or obligations. This work will also provide visibility of the controllership though the process.
Question 8: Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?
Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling.
Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.
Comments
There is nothing potentially controversial or of significant public interest. For case transfer, client research has confirmed that the majority of clients are supportive of transfer of information to allow the new benefit to be set up rather than being required to complete a new application for a benefit they consider they are already entitled to. There are no identified potential unintended consequences.
The processing of data will follow the same high security standards already in place within Social Security Scotland for the processing of new applications.
A security risk assessment is completed for all new processes and one will be completed for transfer of Working Age Disability Living Allowance to Adult Disability Payment. This will be contained in the Operational Data Protection Impact Assessment.
The operational Data Protection Impact Assessment will consider the data subject rights of individuals associated with the transfer from DWP, processing and payment of Adult Disability Payment and ensure that any risks are mitigated to ensure the rights of data subjects are not impacted.
Question 9: Are there consequential changes in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?
(This might include, for example, regulation or order making powers; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).
Comments
Provisions consequential to the regulations establishing Child Disability Payment and Adult Disability Payment and for Working Age Disability Living Allowance case transfer for Scottish cases are being made within these regulations, and it is not considered that any further consequential changes will be required.
Question 10: Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
Comments
No
Summary - Data Protection Impact Assessment
Question 11: Do you need to specify a Data Controller/s?
Comments
Joint Data Controller for client data held by Department for Work and Pensions (DWP) from the first file transfer up to the agreed end date on the DWP award: the period of joint controllership relates to the period where DWP continue to administer the payment.
Social Security Scotland will be Data Controller for all electronic client data once the case transfer process is complete with the exception of paper based forms and evidence.
DWP will continue to hold and be joint data controller for paper based forms and evidence that the client does not request transferred up until the point these are subsequently requested and transferred to Social Security Scotland or for the duration of the agreed retention period. The retention period will be 24 months from the data of transfer.
Question 12: Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards
Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.
Comments
Social Security Scotland are not proposing to use anything over and above the existing safeguarding measures which are in place for new cases which include:
- Pseudonymisation of equalities data
- Data will be encrypted in transit
- Redaction of personal data received on documents during the application process
- Retention schedule to minimise personal data where there is no longer purpose to retain.
- Appropriate Policy is in place
Question 13: Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making.
Comments
Personal data will be used to inform decisions on a client's entitlement to disability benefits and make payments to them. For the case transfers, decisions on entitlement will be subject to full re-determination and appeal rights.
There is a risk that clients will not be fully aware of their right to full re-determination and appeal.
This will be mitigated through a communications framework for all clients whose case is transferred with letters detailing this process.
Any equalities data held on existing client's Disability Assistance files will also be transferred and used for similar purposes and in line with how it was originally collected.
For additional protection all equalities data is retained in a separate location to the client record in a pseudonymised state.
Question 14: If the proposal involves processing, do you or stakeholders have any relevant comments about mitigating any risks identified in the DPIA including any costs or options, such as alternative measures.
Comments
No.
Authorisation
The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division or the relevant person in the business area sponsoring the Bill/proposals.
Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust and has addressed all the relevant issues.
By signing the DPIA report, the IAO is confirming that the impact of the policy has been sufficiently assessed against individuals' right to privacy.
The results of the impact assessment must be published in the eRDM with the phrase "Legislative DPIA" and the name of the project or initiative in the title.
Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.
I confirm that the impact of Disability Assistance for Working Age People (Transitional Provisions and Miscellaneous Amendment) (Scotland) Regulations 2022 has been sufficiently assessed in compliance with the requirements of the UK GDPR
Name and job title of a IAO or equivalent:
Ian Davidson, Deputy Director of Social Security Policy Division
Date each version authorised
Final version: 06 May 2022
Contact
Email: Mhairi.Wilson@gov.scot
There is a problem
Thanks for your feedback