The Disability Assistance (Scottish Adult Disability Living Allowance) Regulations 2025: data protection impact assessment

3. Data Controllers

Organisation:

Social Security Scotland

Activities:

Social Security Scotland collects and stores personal data in order to make determinations of entitlement to Scottish Government benefits and for the ongoing management of social security awards. This will include Scottish Adult DLA following the regulations coming into force.

Social Security Scotland will be the Data Controller for all client data in Scotland once the DLA case transfer process has completed.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

Article 6(1)(e) – processing is necessary for the performance of a task carried out under the Social Security (Scotland) Act 2018 in the public interest or in the exercise of official authority vested in the controller.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

Include condition from Schedule 1 or 2 of the Data Protection Act 2018

Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of law which shall be proportionate to the aim of maximising benefit take-up and reducing barriers to accessing social security benefits in Scotland. Processing will respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that processing is necessary for the exercise of a function conferred on Social Security Scotland. An appropriate policy document is held.

Processing of data relating to an individual being held in legal detention will be required for Scottish Adult DLA. To determine eligibility or to process an individual’s change of circumstances, Social Security Scotland will need to know if they have been admitted to or have left legal detention.

Processing does not pertain to the nature of the individual’s conviction and is only in regard to whether they have been legally detained for the purposes of social security. An appropriate policy document is held.

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018

Not engaged

Legal gateway for any sharing of personal data between organisations

Existing legal gateways will apply.

In line with ICO Data Sharing Code of Practice, as required by Section 121 of the Data Protection Act 2018.

Organisation:

The Department for Work and Pensions (DWP)

Activities:

DWP collects and stores personal data in order to make decisions on entitlement to DLA and for the ongoing management of DLA awards in Scotland, until Scottish awards have been transferred to Social Security Scotland under case transfer to Scottish Adult DLA.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

Include condition from Schedule 1 or 2 of the Data Protection Act 2018

Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that processing is necessary for the exercise of a function conferred on the Department for Work and Pensions.

Processing of data relating to legal detention will be transferred to Social Security Scotland for Scottish Adult DLA. To determine eligibility or to process an individual’s change of circumstances Social Security Scotland will need to know if they have been admitted to or have left legal detention during their award of DLA.

Processing does not pertain to the nature of the individual’s conviction and is only in regard to whether they have been legally detained for the purposes of social security. An appropriate policy document is held.

Social Security Scotland will be Data Controller for all client data once the case transfer process is complete.