Early learning and childcare - 2 year old project: data protection impact assessment

The Data Protection Impact Assessment (DPIA) for the regulations which will allow for a data sharing agreement in regard to funded ELC provision for 2 year-olds, between the UK Government, Scottish Government, and Scottish local authorities.


Data Protection Impact Assessment

Early Learning and Childcare 2 Year Old Project

UK Legislation - The Digital Government (Disclosure of Information) (Amendment) Regulations 2022

Version date: 19 July 2022

UK Digital Economy Act 2017

The data sharing provisions in Chapter 1 of Part 5 of the UK Digital Economy Act 2017 (the Act) provide a legal gateway for specified public authorities to share data in relation to specified objectives to support the more effective delivery of public services. These information sharing powers are permissive, and are subject to additional safeguards. It is for the public authorities specified in relation to an objective to choose whether to make use of the powers and to enter into information sharing agreements with other such bodies prior to sharing data. Any proposed data sharing must also comply with the requirements of the data protection legislation. Those sharing information must also have regard to the principles and good practice to follow set out in the Code of Practice when doing so.

No data may be processed or shared automatically as a result of the Regulations being made. The Regulations allow the powers in the Act to be used as the necessary legal gateway, for data sharing between the public bodies specified in relation to the Scottish early learning and childcare objective, provided that the data is shared for the purposes of that objective. However, additional procedural steps are required, and other safeguards and controls apply before data can be shared.

The UK Government, in partnership with the Scottish Government, is proposing to create a new public service delivery objective to enable data sharing between HMRC, DWP, the Scottish Government and Scottish local authorities to help identify and contact households that are eligible for funded early learning and childcare (ELC) for 2 year olds in Scotland. This is referred to as "the Scottish early learning and childcare objective".

The UK Digital Government (Disclosure of Information) (Amendment) Regulations 2022 amend the Digital Government (Disclosure of Information) Regulations 2018 to add this new Scottish early learning and childcare objective to the Digital Economy Act 2017. They also set out who can share information for the purposes of the Scottish early learning and childcare objective, namely the public bodies mentioned above.

The Regulations are affirmative and require parliamentary approval. They are being taken through the UK Parliament by the UK Government. The Regulations are made by the UK Government using powers in the Digital Economy Act 2017 because the information sharing intended to help deliver funded early learning and childcare involves disclosure and processing of data held by UK Government departments - HMRC and DWP.

We all want to be confident that our rights to privacy are protected, that there are adequate protections against exploitation of our personal information, and that it is held securely and used effectively for public benefit. Robust safeguards and controls on the sharing and use of data by public authorities using the public service delivery powers are in place, to prevent unlawful disclosure of information:

  • The Data Protection Act 2018 and UK General Data Protection Regulation apply to the processing of all personal data, and public authorities will need to demonstrate that they are complying with the requirements of that legislation.
  • Public authorities must ensure that data sharing is compliant with the Human Rights Act 1998 and they must not act in a way that would be incompatible with rights under the European Convention on Human Rights.
  • Public authorities must have regard to a Code of Practice when sharing data, which provides details on how the powers should operate.
  • Data sharing between public bodies using the new early learning and childcare objective will need to be agreed in an information sharing agreement.
  • The Digital Economy Act creates criminal offences for unauthorised disclosure of personal information received under the public service delivery powers.

Legal gateways already exist in England and Wales to enable data sharing to support delivery of ELC, which are not available in Scotland. The Regulations create equivalent gateways to bring parity of service provision that families in England and Wales already enjoy.

The text of the Regulations can be found on the UK Government website: Digital Economy Act 2017: Scottish Early Learning and Childcare - GOV.UK (www.gov.uk)

Benefits of the new objective

We know that high quality ELC enriches children with skills and confidence to carry throughout their lives, and is a cornerstone for closing the poverty-related attainment gap between the most and least advantaged children. Evidence from both UK and international evaluations and studies of ELC programmes shows that all children, especially those from disadvantaged backgrounds, can benefit in terms of social, emotional and educational outcomes from attending high quality ELC.

To support this vision, in 2014 the Scottish Government committed to almost doubling the funded entitlement to early learning and childcare from 600 to 1140 hours for all 3- and 4-year-olds and eligible 2-year-olds. Our transformative ELC expansion programme was realised in August 2021, with all eligible children and families across Scotland now being able to access up to 1,140 hours funded ELC – underpinned by ensuring that provision is of high quality, flexible, accessible and affordable.

There is a joint commitment between the Scottish Government and Scottish local authorities to maximise uptake of funded ELC to ensure we realise the benefits of the investment. Uptake of the targeted offer to some 2-year olds has consistently remained low and we must do all we can to remove barriers for families. This proposed objective will ensure Scottish local authorities are able to target the entitlement to funded ELC for certain 2 year olds more effectively, ensuring that those children and families facing the most socio-economic disadvantage are made aware and are able to access their full entitlement.

The expansion of funded ELC will deliver three main benefits for children and families:

  • Children's development improves and the attainment gap narrows
  • Parents' opportunities to be in work, training or study increase
  • Family well-being improves through enhanced nurture and support

This project is dedicated to pulling the minimum amount of data required from both HMRC and DWP to enable the Scottish Local Authorities to write to the parents of the eligible children to encourage them to take up the childcare offer.

This Data Protection Impact Assessment (DPIA) works in conjunction with the Article 36(4) ICO consultation form submitted in advance of this, as the proposal requires consultation with the Information Commissioner's Office (ICO). The UK Government undertook the consultation with the ICO about the Regulations.

This DPIA is undertaken on behalf of the Scottish Government, who are listed in Schedule 4 of the Digital Economy Act 2017, and are a specified body in relation to the new early learning and childcare objective. This allows the Scottish Government to share data with the other public bodies listed on schedule 4 who are also specified bodies for the purposes of the new early learning and childcare objective (Scottish Local Authorities, HMRC and DWP) – subject to the safeguards and protections noted above. Accordingly, the Scottish Government are prospective data controllers under the intended data sharing that will be facilitated by the Regulations to improve uptake of funded ELC.

1. Contact and schedule information

1.1 SG department: Targeted Childcare, Family & Wellbeing: Education & Justice

1.2 Contact email: joanna.mackenzie2@gov.scot

1.3 Data protection support email: dpa@gov.scot

Data protection officer: dataprotectionofficer@gov.scot

1.4 Is your proposal primary legislation, secondary legislation or other form of statutory measure?: UK Government secondary legislation

1.5 What stage is the legislative process at? Please indicate any relevant timescales and deadlines: UK Government published the consultation response on 7 June 2022. The UK statutory instrument was laid at Westminster on 15 July 2022.

2. Introductory information

Questions/Comments

2.1 Summary of proposal

Comments:

The UK Digital Government (Disclosure of Information) (Amendment) Regulations 2022 amend the Digital Government (Disclosure of Information) Regulations 2018 to add a new public service delivery objective to the Digital Economy Act 2017 and set out which public authorities have the power to disclose information for the objective.

The UK Government, in partnership with the Scottish Government, is proposing to create a new public service delivery objective to enable data sharing between HMRC, DWP, the Scottish Government and Scottish local authorities to help identify and contact households that are eligible for funded early learning and childcare (ELC) for 2 year olds in Scotland.

As noted above, no data may be processed or shared automatically as a result of the Regulations being made.

2.2 Description of the personal data involved

Please also specify if this personal data will be special category data, or relate to criminal convictions or offences

Comments:

The relevant data required by Scottish local authorities to enable them to write to the parents of eligible children (to encourage them to take up the childcare offer) sits with DWP and HMRC.

We have agreed a robust set of business requirements to ensure they need only share the minimum amount of data required.

This does not include any special category of data.

The data are:

  • The customer name and address; a benefit flag; and child(ren) indicator.
  • The National Insurance number will be shared with the Scottish Government only for unique identification to de-duplicate records. It will not be shared with local authorities.

The majority of respondents to the consultation on the Regulations agreed or strongly agreed that the personal data items to be shared to confirm the existence of a child, or children, is consistent with the delivery of the objective (87%).

The outcomes of the consultation can be found at:
Digital Economy Act 2017: Scottish Early Learning and Childcare

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons?

If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights, or use of social profiling to inform policy making.

Comments:

The proposed objective will ensure Scottish local authorities are able to target information on the entitlement to funded ELC for certain 2 year olds more effectively, ensuring that those children and families facing the most socio-economic disadvantage are made aware and are able to access their full entitlement.

There will not be specific groups of people that are adversely affected more than others.

In accordance with the criteria in section 35(9) – (11) of the Digital Economy Act 2017, public service delivery objectives must be aimed at supporting the provision of a benefit, or improvement or targeting of public services to individuals or households to improve their wellbeing. Public service delivery objectives which do not meet these criteria cannot be specified.

2.4 Necessity, proportionality and justification

What issue/public need is the proposal seeking to address?

What policy objective is the legislation trying to meet?

Were less invasive or more privacy-friendly options considered, and if so why were these options rejected?

Are there any potential unintended consequences with regards to the provisions e.g., would the provisions result in unintended surveillance or profiling?

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments:

Legislating is a well-considered, necessary and proportionate measure supported by evidence. The Scottish Government, HMRC and DWP agree that no other legal gateway exists to enable data sharing between HMRC, DWP, the Scottish Government and Scottish local authorities to help identify and contact households that are eligible for funded early learning and childcare (ELC) for 2 year olds in Scotland.

High quality ELC enriches children with skills and confidence to carry throughout their lives, and is a cornerstone for closing the poverty-related attainment gap between the most and least advantaged children. Evidence from both UK and international evaluations and studies of ELC programmes shows that all children, especially those from disadvantaged backgrounds, can benefit in terms of social, emotional and educational outcomes from attending high quality ELC.

To support this vision, in 2014 the Scottish Government committed to almost doubling the funded entitlement to early learning and childcare from 600 to 1140 hours for all 3- and 4-year-olds and eligible 2-year-olds. Our transformative ELC expansion programme was realised in August 2021, with all eligible children and families across Scotland now being able to access up to 1,140 hours funded ELC – underpinned by ensuring that provision is of high quality, flexible, accessible and affordable.

Uptake of the targeted offer to some 2-year olds has consistently remained low and we must do all we can to remove barriers for families. Research commissioned by the Scottish Government in 2017, "Drivers and barriers to uptake of early learning and childcare among 2-year-olds" published March 2017, indicated that many eligible families are likely to take up the 2-year-old offer if they are aware of it, although we know that not all families will take up their entitlement even when they are aware. The research identified that one of the key barriers to raising awareness amongst eligible families is that the Scottish Government and Scottish Local Authorities do not have access to household level information about those families who are likely to be eligible. That report included a recommendation that "as a priority, the Scottish Government should work with DWP (and HMRC if required) to allow data on eligibility to be shared with local authorities".

There are safeguards in place for the sharing of information under the public service delivery powers as noted above.

The Data Protection Act 2018 and UK General Data Protection Regulation apply to the processing of all personal data using the debt and fraud powers. The Digital Economy Act creates criminal offences for unauthorised disclosure of personal information received under the public service delivery powers. Additionally, public authorities must always ensure that data sharing is compliant with the Human Rights Act 1998 and they must not act in a way that would be incompatible with rights under the European Convention on Human Rights.

Public authorities must have regard to the Code of Practice for public authorities disclosing information under Chapters 1, 3 and 4 (Public Service Delivery, Debt and Fraud) of Part 5 of the Digital Economy Act 2017 (the Code). The Code is required to be consistent with the Information Commissioner's data sharing code of practice. The Digital Economy Act requires all persons who are involved in disclosing information under the public service delivery powers to have regard to codes issued by the Information Commissioner, in so far as they are relevant, when they disclose information under the Act.

The process for using the public service delivery powers is outlined in the Code. It provides that prior to sharing any data, all parties to the data share complete an agreed business case, information sharing agreement, data protection impact assessment and security plan in line with the Code.

The Code provides that all bodies are required to apply a set of data sharing principles when they do so. These include that data protection impact assessments are carried out before any data sharing takes place, reviewed at critical milestones and made available to the public in line with the Information Commissioner's guidance. They must also ensure that suitably worded privacy notices are published and made available to the public in line with the fairness and transparency principles in the Information Commissioner's Privacy notices, transparency and control code of practice and the Information Commissioner's data sharing code.

Before the public bodies in question were added to Schedule 4 of the Digital Economy Act 2017, the person making the Regulations which added the bodies was required to take into account the systems and procedures for the secure handling of information each of those public authorities had in place. This provides an assurance that all parties who might use the Scottish early learning and childcare objective will ensure that data is held securely, to the appropriate security and information management standards, maintained to the appropriate quality, used only for the specified purpose of ELC, kept only as long as necessary and then securely deleted.

Any and all data shares under the proposed objective will be included in the Register of information sharing agreements established under chapters 1, 2, 3 and 4 of part 5 of the Digital Economy Act 2017.

The UK Government has established a review board to oversee reserved and England-only data sharing under the public service delivery powers. The board reviews proposed data sharing objectives and makes recommendations to the relevant Cabinet Office Minister. The Scottish Government and Information Commissioner's Office are represented on the Board.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

If the latter, what will be the status of the Code of Conduct? (statutory or voluntary?)

Comments:

A Code of Practice (as referred to in 2.4) was issued by the Secretary of State under section 43 of the Digital Economy Act 2017 and by the Minister for the Cabinet Office under sections 52 and 60 of that Act. It was developed in consultation with the Information Commissioner's Office, the Commissioners for Her Majesty's Revenue and Customs, the devolved administrations, and other interested persons. It has been laid before the UK Parliament and the devolved legislatures in Scotland and Wales, in accordance with the Digital Economy Act 2017.

This Code will be reviewed periodically. Any changes resulting from the review are to be made in consultation with the parties named above, and revised copies laid before Parliament and the devolved legislatures in Scotland, Wales and Northern Ireland in accordance with sections 43, 52 and 60 of the Digital Economy Act 2016.

The Code does not itself impose additional legal obligations on parties seeking to make use of the powers, nor is it an authoritative statement of the law. It sets out principles and good practice to follow when exercising the powers set out in the Digital Economy Act 2017. Anyone sharing information under the relevant parts of the Digital Economy Act 2017 is required to have regard to the Code when doing so.

The Code notes that Government departments will expect public authorities and other participants in an information sharing arrangement to agree to have regard to the Code before any information is shared and that failure to have regard to the Code may result in a public authority losing the ability to disclose, receive and use information under the powers.

Implementation will be accompanied by guidance for Scottish local authorities.

3. Data Controllers

Organisation

For the data share which the Regulations are intended to facilitate, HMRC, DWP, Scottish Government and Scottish Local Authorities will be data controllers as defined by UK GDPR whilst data is processed on their own IT estates. There will be no joint controller relationship.

Activities

Data controllers may engage data processors or sub processors in the delivery of their obligations and in doing so, are responsible for ensuring that all legal and regulatory compliance steps are taken. This detail will be agreed and included in the business case, information sharing agreement, data protection impact assessment and security plan.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

The lawful basis for processing is Article 6(e) public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

Include condition from Schedule 1 or 2 of the Data Protection Act 2018

N/A

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018

N/A

Legal gateway for any sharing of personal data between organisations

The Digital Economy Act 2017, Part 5, Chapter 1, Section 35.

4. Consultation

Questions/Comments

4.1 Have you consulted with the ICO using the Article 36(4) form?

If the ICO has provided feedback, please include this.

Comments:

The UK Government consulted with the ICO.

ICO comments and advice to Scottish Government:

  • If the Scottish Government prepares more than one DPIA, they should cross refer to ensure the DPIAs are coordinated.
  • There is a need for all parties, including Scottish Government, DWP and HMRC, to be mindful of the need for transparency and to make sure that the information they provide to individuals (including privacy notices) about how they process their data is updated to take account of this data sharing. This will also apply to HMRC as the existing data set is to be used for a new purpose.
  • Scottish Government and local authorities will need to work through issues about retention of personal data and address them potentially in policies and guidance to accompany the new objective.
  • Importance of entering into and/or reviewing data sharing agreements or MoUs to take account of this data sharing – the ICO's data sharing code has useful guidance about what they should contain.
  • Importance of entering into/reviewing contracts with processors in compliance with article 28 UK GDPR.
  • The marketing rules in the Privacy and Electronic Communications Regulations (PECR) do not apply to letters sent by post. Electronic communications sent by public authorities to individuals are also unlikely to constitute direct marketing under PECR. If SG or LAs consider the possibility of electronic communication, it will be useful to consider our guidance on direct marketing and the public sector.

The Scottish Government agreed to the following actions:

  • The Scottish Government to follow up on security arrangements with relevant stakeholders.
  • The Scottish Government to develop thinking on the need for follow up with certain families and the impact on retention schedules.
  • The Scottish Government to consider development of DPIAs for these proposals.

4.2 Do you need to hold a public consultation and if so has this taken place? What was the result?

Comments:

The consultation on the Regulations and UK Government response can be found at Digital Economy Act 2017: Scottish Early Learning and Childcare

69 responses to the consultation paper were received. A clear majority of respondents agreed that the proposed data share would improve and target a service to eligible households (94%) and thereby improve their wellbeing (88%). Respondents also agreed (86%) that the data sharing would deliver tangible benefits to households, including early stage support to promote education, health and social equalities.

4.3 Were there any Comments/feedback from the public consultation about privacy, information or data protection?

Comments:

A small number of respondents raised potential privacy and confidentiality issues which may arise as a result of the data sharing activity, for example, ensuring that the data to be collected is used for the purposes of targeting the ELC offer only. As noted above, section 40(1) of the Digital Economy Act 2017 provides that personal information disclosed using the public service delivery powers may only be used by the person to whom it is disclosed for the purposes for which it was disclosed, subject to the limited exceptions that are detailed in section 40(2) of the Act.

Data sharing under the Digital Economy Act 2017 must comply with the accompanying Code of Practice, data protection legislation, the Commissioners for Revenue and Customs Act 2005 and the Information Commissioner's Office Data Sharing Code of Practice. All parties to the data share will ensure that data is held securely, to the appropriate security and information management standards, maintained to the appropriate quality, used only for the specified purpose of ELC, kept only as long as necessary and then securely deleted. Any and all data shares under the proposed objective will be included in the Register of information sharing agreements.

5. Further assessment and risk identification

Question/Comments

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

Comments:

Existing identifiers will be used – National Insurance numbers – for de-duplication purposes only. Their use for this purpose was cleared by the DWP/HMRC National Insurance Number board.

5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

Comments:

The Digital Economy Act 2017 section 35(6) requires the appropriate national authority (for example, UK Government or the Scottish Ministers) to have had regard to the systems and procedures for the secure handling of information by persons whom they add to schedule 4.

Public authorities must ensure information is retained securely and deleted once it has been used for the purpose for which it was provided. The Code of Practice provides that bodies have regard to specific security standards outlined in the Code. The Code provides that bodies must have a security plan for the data share.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

Comments:

The Code of Practice sets out that, unless there are particular national security or other sensitivities which would outweigh the public interest in disclosure, "information about information sharing agreements should be published in a searchable electronic public register".

Data shares under the proposed objective will be included in the Register of information sharing agreements established under chapters 1, 2, 3 and 4 of part 5 of the Digital Economy Act 2017.

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour).

Comments:

For information to be disclosed lawfully under the public service delivery powers, public authorities must operate according to the Digital Economy Act 2017 and comply with relevant legal requirements including Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016 (and, until that Act comes fully into force, Part 1 of the Regulation of Investigatory Powers Act 2000).

Unlawful disclosure of personal information by HMRC is subject to criminal sanctions set out in section 19 of the Commissioners for Revenue and Customs Act 2005. The Digital Economy Act 2017 extends that sanctions regime to offences under the Digital Economy Act 2017 which involve the unlawful disclosure of information received contrary to section 41 of the Digital Economy Act 2017 or received from HM Revenue and Customs (see section 42).

See para 1.3 of the Code of Practice

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

Comments:

The proposed objective will ensure Scottish local authorities are able to target the entitlement to funded ELC for certain 2 year olds more effectively, ensuring that those children and families facing the most socio-economic disadvantage are made aware and are able to access their full entitlement.

The Scottish Government published an Equality Impact Assessment in January 2021 on the policy framework for ELC in Scotland. It did not identify any direct or indirect unlawful discrimination.

In accordance with the criteria in section 35 of the Digital Economy Act 2017, public service delivery objectives must be aimed at supporting the improvement or targeting of public services to individuals or households to improve their wellbeing.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling?

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments:

A clear majority of the 69 respondents to the consultation agreed that the proposed data share would improve and target a service to eligible households (94%) and thereby improve their wellbeing (88%). Respondents also agreed (86%) that the data sharing would deliver tangible benefits to households, including early stage support to promote education, health and social equalities.

There are safeguards in place for the sharing of information under the public service delivery powers.

The Data Protection Act 2018 and UK General Data Protection Regulation apply to the processing of all personal data using the debt and fraud powers. The Digital Economy Act creates criminal offences for unauthorised disclosure of personal information received under the debt and fraud powers. Additionally, public authorities must always ensure that data sharing is compliant with the Human Rights Act 1998 and they must not act in a way that would be incompatible with rights under the European Convention on Human Rights.

Public authorities must have regard to the Code of Practice for public authorities disclosing information under Chapters 1, 3 and 4 (Public Service Delivery, Debt and Fraud) of Part 5 of the Digital Economy Act 2017 (the Code). The Code is required to be consistent with the Information Commissioner's data sharing code of practice. The Act requires all persons who are involved in disclosing information under the public service delivery powers to have regard to codes issued by the Information Commissioner, in so far as they are relevant, when they disclose information under the Digital Economy Act 2017. Data sharing takes place in accordance with the Commissioners for Revenue and Customs Act 2005.

The process for using the public service delivery powers is outlined in the Code. It provides that prior to sharing any data, all parties to the data share complete an agreed business case, information sharing agreement, data protection impact assessment and security plan in line with the Code.

The Code provides that all bodies are required to apply a set of data sharing principles when they do so. These include that data protection impact assessments are carried out before any data sharing takes place, reviewed at critical milestones and made available to the public in line with the Information Commissioner's guidance. They must also ensure that suitably worded privacy notices are published and made available to the public in line with the fairness and transparency principles in the Information Commissioner's Privacy notices, transparency and control code of practice and the Information Commissioner's data sharing code.

All parties to the data share will ensure that data is held securely, to the appropriate security and information management standards, maintained to the appropriate quality, used only for the specified purpose of ELC, kept only as long as necessary and then securely deleted.

Any and all data shares under the proposed objective will be included in the Register of information sharing agreements established under chapters 1, 2, 3 and 4 of part 5 of the Digital Economy Act 2017.

The UK Government has established a review board to oversee reserved and England-only data sharing under the public service delivery powers. The board reviews proposed data sharing objectives and makes recommendations to the relevant Cabinet Office Minister. The Scottish Government and Information Commissioner's Office are represented on the Board.

5.7 Are there consequential changes to other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

Comments:

The UK Digital Government (Disclosure of Information) (Amendment) Regulations 2022 amend the Digital Government (Disclosure of Information) Regulations 2018 to add a new public service delivery objective to the Digital Economy Act 2017 and set out which public bodies have the power to disclose information for the objective.

5.8 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

Comments:

A Code of Practice (as referred to in 2.4) was issued by the Secretary of State under section 43 of the Digital Economy Act 2017 and by the Minister for the Cabinet Office under sections 52 and 60 of that Act. It was developed in consultation with the Information Commissioner's Office, the Commissioners for Her Majesty's Revenue and Customs, the devolved administrations, and other interested persons. It has been laid before the UK Parliament and the devolved legislatures in Scotland and Wales, in accordance with the Digital Economy Act 2017.

This Code will be reviewed periodically. Any changes resulting from the review are to be made in consultation with the parties named above, and revised copies laid before Parliament and the devolved legislatures in Scotland, Wales and Northern Ireland in accordance with sections 43, 52 and 60 of the Digital Economy Act 2016.

The Code does not itself impose additional legal obligations on parties seeking to make use of the powers, nor is it an authoritative statement of the law. It sets out principles and good practice to follow when exercising the powers set out in the Digital Economy Act 2017. Anyone sharing information under the relevant parts of the Digital Economy Act 2017 is required to have regard to the Code when doing so.

The Code notes that Government departments will expect public authorities and other participants in an information sharing arrangement to agree to have regard to the Code before any information is shared and that failure to have regard to the Code may result in a public authority losing the ability to disclose, receive and use information under the powers.

Implementation will be accompanied by guidance for Scottish local authorities.

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards.

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments:

The Digital Economy Act 2017 section 35(6) requires the appropriate national authority (for example, UK Government or the Scottish Ministers) to have had regard to the systems and procedures for the secure handling of information by persons whom they add to schedule 4.

Public authorities must ensure information is retained securely and deleted once it has been used for the purpose for which it was provided. The Code of Practice provides that bodies have regard to specific security standards outlined in the Code.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making.

Comments:

The proposed objective will ensure Scottish local authorities are able to target the entitlement to funded ELC for certain 2 year olds more effectively, ensuring that those children and families facing the most socio-economic disadvantage are made aware and are able to access their full entitlement.

The Scottish Government published an Equality Impact Assessment in January 2021 on the policy framework for ELC in Scotland. It did not identify any direct or indirect unlawful discrimination.

In accordance with the criteria in section 35 of the Digital Economy Act 2017, public service delivery objectives must be aimed at supporting the improvement or targeting of public services to individuals or households to improve their well-being. The power cannot be used for purposes which are detrimental to individuals or households (such as the withdrawal of a service or support).

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?

Comments:

The proposed objective will ensure Scottish local authorities are able to target the entitlement to funded ELC for certain 2 year olds more effectively, ensuring that those children and families facing the most socio-economic disadvantage are made aware and are able to access their full entitlement.

5.12 Will the proposal require the transfer of personal data to a 'third country'? (Under UK GDPR this is defined as a country outside the UK.)

Comments:

No

6. Risk Assessment

Risk | Solution or mitigation | Likelihood (Low/Med/High) | Severity (Red/Amber/Green) | Result

6.1.1 Risk to individual rights

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.

The Data Protection Act 2018 and UK General Data Protection Regulation apply to the processing of all personal data using the public service delivery powers. They provide a framework of rules to ensure fair and lawful processing of data, of which consent is one that can be applied but is not always required.

There are safeguards attached to data protection law. For example, data protection law requires data subjects to be provided with privacy notices which, among other things, explain individuals' rights.

The Code of Practice includes data sharing principles which all bodies using the public service delivery powers are required to apply.

Where the public service delivery power is used, a data protection impact assessment will be required, which will involve a consideration of the privacy risks.

In accordance with the criteria in section 35 of the Digital Economy Act 2017, public service delivery objectives must be aimed at supporting the improvement or targeting of public services to individuals or households to improve their well-being. The power cannot be used for purposes which are detrimental to individuals or households (such as the withdrawal of a service or support).

Likelihood: Low

Severity: Green

Result: Accepted

6.2.1 Privacy risks

Purpose limitation

The Digital Economy Act 2017 regulates what data can be shared and for what purposes. Data can be shared only for the specific ELC purpose described in the new objective and not to achieve other aims.

This is in line with the principles in the Code of Practice which all bodies using the public service delivery powers are required to apply.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

The Data Protection Act 2018 and UK General Data Protection Regulation apply to the processing of all personal data using the public service delivery powers.

There are safeguards attached to data protection law. For example, data protection law requires data subjects to be provided with privacy notices which, among other things, set out why the information is needed and how it will be used, the lawful basis for processing and individual rights.

Data shares under the proposed objective will be included in the Register of information sharing agreements.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.3 Privacy risks

Minimisation and necessity

HMRC and DWP will share only the minimum amount of data required to enable the Scottish Local Authorities to write to the parents of the eligible children to encourage them to take up the childcare offer.

This is in line with the principles in the Code of Practice which all bodies using the public service delivery powers are required to apply.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.4 Privacy risks

Accuracy of personal data

The Code of Practice includes data sharing principles which all bodies using the public service delivery powers are required to apply.

These include that data held is maintained to the appropriate quality and that, where appropriate, citizens can view, correct and delete data held about them.

Likelihood: Low

Severity: Green

Result: Accepted

6.3.1 Security risks

Keeping data securely

Retention

Public authorities must ensure information is retained securely and deleted once it has been used for the purpose for which it was provided. The Code of Practice provides that bodies have regard to specific security standards outlined in the Code. The Code provides that bodies must have a security plan for the data share.

Likelihood: Low

Severity: Green

Result: Accepted

6.3.2 Security risks

Transfer – data may be lost in transit

The Digital Economy Act 2017 section 35(6) requires the appropriate national authority (for example, UK Government or the Scottish Ministers) to have had regard to the systems and procedures for the secure handling of information by persons whom they add to schedule 4.

Likelihood: Low

Severity: Green

Result: Accepted

6.3.3 Security risks

Everyone who is involved in information sharing arrangements under powers in the Digital Economy Act 2017 is required to have regard to specific security standards. The Code sets out three specific requirements:

1. Public authorities and receiving parties should consider the standards and protocols that apply to their organisation when providing or receiving information before agreeing appropriate standards and protocols; all parties should be satisfied that they provide a level of security that is both appropriate and meets or exceeds their own standards and protocols.

2. Each party involved in the data share must make sure effective measures are in place to manage potential or actual incidents relating to the potential loss of information; and

3. Public authorities and data processors, together with any third parties, must be fully engaged in the resolution of a potential or actual data incident.

As part of any formal data sharing agreement, security plans will need to be evidenced and documented to include: secure storage arrangements; protective marking; assurance around the process for restricted access by individuals; a notification protocol in the event of a breach; and procedures to investigate the cause of any breach.

Likelihood: Low

Severity: Green

Result: Accepted

6.4.1 Other risks

Impact on children and families

The proposed objective will ensure Scottish local authorities are able to target the entitlement to funded ELC for certain 2 year olds more effectively, ensuring that those children and families facing the most socio-economic disadvantage are made aware and are able to access their full entitlement.

The Scottish Government published an Equality Impact Assessment in January 2021 on the policy framework for ELC in Scotland. It did not identify any direct or indirect unlawful discrimination.

Likelihood: Low

Severity: Green

Result: Accepted

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO

Action

No comment

I confirm that The Digital Government (Disclosure of Information) (Amendment) Regulations 2022 have been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.

Name and job title of an IAO or equivalent: Eleanor Passmore, Deputy Director, Early Learning and Childcare Division

Date each version authorised: 12 July 2022

Contact

Email: David.Taggart@gov.scot
