Disability Assistance for Older People (Scotland) Regulations 2024: Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) considering the potential impacts of the Disability Assistance for Older People (Scotland) Regulations 2024.
6. Risk Assessment
Detailed discussion of risks and mitigations will be set out in the Operational DPIA.
Risk |
Solution or mitigation |
Likelihood (Low/Med/High) |
Severity (Red/AmberGreen) |
Result |
---|---|---|---|---|
6.1.1 Risk to individual rights
Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed |
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. The personal information to be processed is required to enable Social Security Scotland to meet its statutory requirement in providing Social Security Assistance, the data being processed under public task with the legal basis being GDPR Article 6(1)(e). There is no profiling and the appropriate safeguards for processing using automated decision making will be in place and documented on the Operational DPIA. Work has been undertaken to ensure only the minimum amount of personal information is gathered and stored only for the appropriate time. There is a process in place for managing all subject rights requests. |
Low |
Green |
Mitigated |
6.2.1 Privacy risks Purpose limitation |
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. Social Security Scotland has a Privacy Notice that is accessible on the mygov.scot website[13]. Outward letters and telephony messaging also advise individuals where to find information regarding the processing of their information. Data Sharing Agreements will be in place with stakeholders following the ICO Data Sharing code of practice, where clear purpose is document and adhered to. |
Low |
Green |
Mitigated |
6.2.2 Privacy risks Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights |
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. Social Security Scotland has a Privacy Notice that is accessible on mygov.scot website. Outward letters and telephony messaging also advise individuals where to find information regarding processing of their information. |
Low |
Green |
Mitigated |
6.2.3 Privacy risks Minimisation and necessity |
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. Necessity of the data to be processed has been determined based on the minimum amount of personal information required for assessing entitlement. |
Low |
Green |
Mitigated |
6.2.4 Privacy risks Accuracy of personal data |
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. The personal data gathered is from the individual, their representative or an Other Government Department where the individual has an established relationship. |
Low |
Green |
Mitigated |
6.3.1 Security risks Keeping data securely Retention |
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. A Digital security risk assessment is completed for all new processes and one will be completed for PADP. A copy will be retained in the Operational DPIA. The IT Health Check includes penetration testing and the health check takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go live decision, all digital security risks are registered and treatment plan put in place, these plans are reviewed regularly |
Low |
Green |
Mitigated |
6.3.2 Security risks Transfer – data may be lost in transit |
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. Established secure transfer routes will be re-used for previous transitions. Data is encrypted at rest and in transit. Data Sharing Agreements will be in place detailing both parties’ roles and responsibilities in relation to safeguarding individual personal information. |
Low |
Green |
Mitigated |
6.3.3 Security risks |
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. A security risk assessment is completed for all new processes and one will be completed for PADP. This will be contained in the Operational DPIA. The IT Health Check includes penetration testing and the health check takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go live decision , all digital security risks are registered and treatment plan put in place, these plans are reviewed regularly |
Low |
Green |
Mitigated |
6.4.1 Other risks will this impact on children? |
PADP will not impact on children. An individual is only entitled to PADP when they are of State Pension age and over, as set out in Regulations. Other impact assessments have been drafted, including an Equalities Impact Assessment, Island Communities Impact Assessment, Fairer Scotland Duty Assessment and a Business and Regulatory Impact Assessment to assess and mitigate other potential impacts or risks. |
Low |
Green |
Eliminated |
Data Protection Officer (DPO)
The DPO may give additional advice, please indicate how this has been actioned.
Advice from DPO
The DPO has been consulted in the development of the Article 36(4) form.
The DPO was provided an opportunity to comment on this DPIA. The DPO suggested continued engagement with Information Governance officials during drafting of the impact assessment.
Action
Policy officials continued engagement with Information Governance officials during the drafting of this impact assessment.
I confirm that the Disability Assistance for Older People (Scotland) Regulations 2024 have been sufficiently assessed in compliance with the requirements of the UKGDPR and Data Protection Act 2018
Name and job title of an IAO or equivalent
Ian Davidson, Deputy Director
Social Security Policy Division
Date each version authorised
17 April 2024
Contact
Email: Joseph.Scullion@gov.scot
There is a problem
Thanks for your feedback