The Disability Assistance (Scottish Adult Disability Living Allowance) Regulations 2025: data protection impact assessment

This impact assessment records how data will be used in relation to the Disability Assistance (Scottish Adult Disability Living Allowance) Regulations 2025 and how that use is compliant with data protection legislation.


5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

Delivery of the benefit will reuse existing mechanisms introduced for other Scottish social security benefits that will retrieve identifiers for individuals when sharing data with the DWP.

The DWP hold Global Unique Identifiers (GUIDs) for each individual who receives benefits that they administer. If necessary, to obtain a GUID from DWP, SPM will share the individual’s name, date of birth and postcode. If there is a match with information held by DWP, a GUID will be shared and stored within SPM. If there is no match this information will be sought manually from DWP. The GUID is then used to share other data necessary to make determinations of entitlement and to maintain entitlement for individuals who receive Scottish Adult DLA.

Delivery of this benefit will reuse existing mechanisms introduced for other Scottish social security benefits that will retrieve Community Health Index (CHI) numbers for individuals when sharing information with health boards and GPs. The re-use of CHI numbers has previously been agreed via the CHI Advisory Board.

5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

In practice, as part of the case transfer process, DWP will encrypt data and the Scottish Government will decrypt on arrival. All data will be accessed – identity and access mapping will be completed.

The existing infrastructure and security used by Social Security Scotland to transfer data from DWP will be utilised. There are no legislative measures relating to technology.

Technology already used to provide other Social Security Scotland payments and to manage Social Security Scotland benefits will be used for Scottish Adult DLA. Social Security Scotland have technical and operational controls in place to safeguard individuals.

An IT Health Check that includes penetration testing takes place prior to any system release. Digital Security officials undertake an operational readiness statement prior to any go live decision. All digital security risks are registered and a treatment plan put in place. These plans are reviewed regularly.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

No.

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

The proposal does not introduce any new requirements regarding investigatory powers; these are already included in the Social Security (Scotland) Act 2018 and regulations to be made under it.

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

This proposal relates to the collection of data and information on adults with an award of DLA in Scotland, whose award will transfer to Scottish Adult DLA. This will have a direct impact on the individual and, where an appointee is in place, on the individual’s appointee.

The main data subject should in the vast majority of cases be a disabled person, many of whom are over pension age. Impact assessments have been drafted, including an Equalities Impact Assessment, with the intention that these are to be published alongside the Regulations in the Scottish Parliament.

Drafts of impact assessments were prepared in relation to the draft Scottish Adult DLA Regulations and shared with SCoSS on 11 March 2024 alongside the draft Regulations. They will be published when the draft Regulations are laid in Scottish Parliament.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling?

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

There is nothing potentially controversial or of significant public interest in relation to the processing of data for Scottish Adult DLA.

For case transfer, research has confirmed that the majority of people are supportive of award information being transferred to allow for a safe and secure transfer rather than being required to complete a new application for a replacement Scottish Government benefit. Case transfer utilises automated decision making to enable the automatic creation of an award on a like-for-like basis as the previous award that was administered by the DWP. The use of automated decision making will be highlighted in the privacy notice and an Operational DPIA will risk assess this use of automated decision making.

Social Security Scotland will process Scottish Adult DLA data for the same purpose and in a similar manner to how DLA data is currently processed by DWP. There are no identified potential unintended consequences.

The processing of data will follow the same high security standards already in place within Social Security Scotland for the processing of new applications and case transfers.

A security risk assessment is completed for all new processes via IT to ensure sufficient security controls are in place.

An operational DPIA is already being completed and updated as the new system develops to ensure privacy risks are identified and assessed.

The Operational DPIA will consider the data subject rights of individuals associated with the processing and payment of Scottish Adult DLA. Any risks will be mitigated to ensure the rights of data subjects are not impacted.

5.7 Are there consequential changes to other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

Provisions consequential to the principal Scottish Adult DLA regulations are being made under:

  • consequential amendment regulations to amend devolved secondary legislation
  • section 104 orders to amend reserved legislation.

These regulations will not relate to information sharing and/or information processing.

5.8 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

The implementation of the proposals is principally guided by the Social Security Charter[7] and the Civil Service Code[8].

All Social Security Scotland staff are bound by the Civil Service Code, to ensure individual confidentiality, integrity and accuracy of personal data.

Implementation will also be supported by operational and decision-making guidance with input from colleagues with relevant interests across the Social Security Directorate, including policy and legal officials and will be tested before Scottish Adult DLA launches.

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

The processing of data will follow the same high security standards already in place within Social Security Scotland for the processing of new applications and case transfer, including:

  • pseudonymisation of equalities data
  • redaction of personal data received on documents during the application process
  • retention schedules to minimise personal data where there is no longer purpose for retention
  • Social Security Scotland will adhere to a policy of data minimisation in the transfer of information from the DWP.
  • Where an individual is terminally ill, relevant ‘harmful information’ indicators will ensure that where harmful information is held, Social Security Scotland will not disclose this to an individual who is unaware of their terminal diagnosis.

An IT Health Check that includes penetration testing takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go live decision. All digital security risks are registered and a treatment plan put in place. These plans are reviewed regularly.

The Operational DPIA will consider the data subject rights of individuals associated with the processing and payment of Scottish Adult DLA. Any risks will be mitigated to ensure the rights of data subjects are not impacted.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

Personal data will be used to inform decisions on an individual’s entitlement to disability benefits and make payments to them. All determinations of entitlement will be subject to full re-determination and appeal rights.

For case transfer, where ADM processing has taken place, the individual will also have the right of review, including by a person. The individual will be advised of their rights.

There is a risk that individuals will not be fully aware of their right to full re-determination and appeal. This will be mitigated through a communications framework for all individuals whose case is transferred with letters detailing this process. For ADM, details are added to the outcome notice and the Privacy Notice.

We intend to ask individuals to complete a voluntary Equality Monitoring and Feedback form after they transfer, when undergoing a review of their Scottish Adult DLA award, or where they are applying for ADP. The data collected is used to identify who is using the service, to investigate how Social Security Scotland processes work for different groups of people and to understand whether groups with protected characteristics are able to adequately access social security payments. The equalities data is also analysed by outcome of application to assess if there is any variation.

The Scottish Government is also seeking to receive any relevant equalities data DWP collected for individuals in order to meet the statutory duty to report on outcomes for those with protected characteristics.

For additional protection all equalities data is retained in a separate location to the individual’s record in a pseudonymised state.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?

No profiling takes place.

ADM will be used when transferring DLA award data from DWP. Where all the information from DWP passes validation and a like for like award can be made this action will be undertaken without any intervention from an individual.

This relates to a positive award only, where the individual is awarded the same rate of payment as they were previously in receipt of by DWP. If validation fails or the rate differs then the case will be handed to a member of staff to undertake a manual determination.

These decisions have a legal and significant effect on the individual and are deemed as ADM processing.

Article 22(1) does not apply as processing is under Article 22(2)(b) authorised by law. The Data Protection Act 2018 (Chapter 2, Part 2, Section 14(3)(b)) refers only to a decision which is required or authorised by law and that law doesn’t have to explicitly state that solely automated decision making is authorised for a particular purpose.

The use of ADM is justified as there is a statutory power to award social security benefit and Scottish Adult DLA and the use of automated decision-making is the most appropriate way to achieve this purpose.

There will be safeguards in place to ensure the individual is aware that they have been subject to ADM; details will be provided in their outcome notice and on Social Security Scotland’s Privacy Notice[9].

Additional safeguards, for example, ensuring that the individual is aware and how to have their decision reviewed by a person, checks on the ADM solution to ensure accurate application and staff training to allow an explanation of how the ADM decision was made, will all be in place prior to the use of ADM for case transfer.

Scottish Ministers consider the use of ADM to be lawful and it will not disadvantage individuals. This will be further demonstrated in the Operational DPIA. There is no machine learning therefore no bias will be introduced.

The ADM is based on set factors: the data matches set parameters and formatting, and the rate paid and personal details match DWP.

ADM is only used where it creates the positive award. Not all cases will be subject to ADM; cases where data doesn’t match will “fall out” to a member of staff. The use of ADM allows the processing of high volumes accurately, allowing time for staff members to deal with the more complex cases, ensuring a seamless transfer for the individual. ADM allows for all cases selected for transfer to be completed within an agreed window. During this time DWP will continue to pay the individual, ensuring no break in payment.

The processing of data resulting from these regulations will follow the same high security standards already in place within Social Security Scotland.

5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as country outside the UK.)

No – there will be no transfer of personal data to organisations in a third country outside of the United Kingdom.

In limited circumstances, there may be a small number of individuals residing outwith the United Kingdom who will be entitled to Scottish Adult DLA. In these cases, interaction will be with the data subject directly and not with any data controllers or processors within those countries.

Contact

Email: beth.stanners@gov.scot
