Disability Assistance for Older People (Scotland) Regulations 2024: Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) considering the potential impacts of the Disability Assistance for Older People (Scotland) Regulations 2024.


6. Risk Assessment

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Risk

Solution or mitigation

Likelihood

(Low/Med/High)

Severity

(Red/AmberGreen)

Result

6.1.1 Risk to individual rights

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

The personal information to be processed is required to enable Social Security Scotland to meet its statutory requirement in providing Social Security Assistance, the data being processed under public task with the legal basis being GDPR Article 6(1)(e). There is no profiling and the appropriate safeguards for processing using automated decision making will be in place and documented on the Operational DPIA.

Work has been undertaken to ensure only the minimum amount of personal information is gathered and stored only for the appropriate time.

There is a process in place for managing all subject rights requests.

Low

Green

Mitigated

6.2.1 Privacy risks

Purpose limitation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Social Security Scotland has a Privacy Notice that is accessible on the mygov.scot website[13].

Outward letters and telephony messaging also advise individuals where to find information regarding the processing of their information.

Data Sharing Agreements will be in place with stakeholders following the ICO Data Sharing code of practice, where clear purpose is document and adhered to.

Low

Green

Mitigated

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Social Security Scotland has a Privacy Notice that is accessible on mygov.scot website.

Outward letters and telephony messaging also advise individuals where to find information regarding processing of their information.

Low

Green

Mitigated

6.2.3 Privacy risks

Minimisation and necessity

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Necessity of the data to be processed has been determined based on the minimum amount of personal information required for assessing entitlement.

Low

Green

Mitigated

6.2.4 Privacy risks

Accuracy of personal data

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

The personal data gathered is from the individual, their representative or an Other Government Department where the individual has an established relationship.

Low

Green

Mitigated

6.3.1 Security risks

Keeping data securely

Retention

Detailed discussion of risks and mitigations will be set out in the Operational DPIA. A Digital security risk assessment is completed for all new processes and one will be completed for PADP. A copy will be retained in the Operational DPIA.

The IT Health Check includes penetration testing and the health check takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go live decision, all digital security risks are registered and treatment plan put in place, these plans are reviewed regularly

Low

Green

Mitigated

6.3.2 Security risks

Transfer – data may be lost in transit

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Established secure transfer routes will be re-used for previous transitions. Data is encrypted at rest and in transit.

Data Sharing Agreements will be in place detailing both parties’ roles and responsibilities in relation to safeguarding individual personal information.

Low

Green

Mitigated

6.3.3 Security risks

Detailed discussion of risks and mitigations will be set out in the Operational DPIA. A security risk assessment is completed for all new processes and one will be completed for PADP. This will be contained in the Operational DPIA.

The IT Health Check includes penetration testing and the health check takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go live decision , all digital security risks are registered and treatment plan put in place, these plans are reviewed regularly

Low

Green

Mitigated

6.4.1 Other risks

will this impact on children?

PADP will not impact on children. An individual is only entitled to PADP when they are of State Pension age and over, as set out in Regulations. Other impact assessments have been drafted, including an Equalities Impact Assessment, Island Communities Impact Assessment, Fairer Scotland Duty Assessment and a Business and Regulatory Impact Assessment to assess and mitigate other potential impacts or risks.

Low

Green

Eliminated

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO

The DPO has been consulted in the development of the Article 36(4) form.

The DPO was provided an opportunity to comment on this DPIA. The DPO suggested continued engagement with Information Governance officials during drafting of the impact assessment.

Action

Policy officials continued engagement with Information Governance officials during the drafting of this impact assessment.

I confirm that the Disability Assistance for Older People (Scotland) Regulations 2024 have been sufficiently assessed in compliance with the requirements of the UKGDPR and Data Protection Act 2018

Name and job title of an IAO or equivalent

Ian Davidson, Deputy Director

Social Security Policy Division

Date each version authorised

17 April 2024

Contact

Email: Joseph.Scullion@gov.scot

Back to top