The Disability Assistance (Scottish Adult Disability Living Allowance) Regulations 2025: data protection impact assessment
This impact assessment records how data will be used in relation to the Disability Assistance (Scottish Adult Disability Living Allowance) Regulations 2025 and how that use is compliant with data protection legislation.
6. Risk Assessment
Detailed discussion of risks and mitigations will be set out in the Operational DPIA.
6.1.1 Risk to individual rights
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed
Solution or Mitigation
Detailed discussion of risks and mitigations will be set out in the Operational DPIA.
The personal information to be processed is required to enable Social Security Scotland to meet its statutory requirement in providing Social Security Assistance, the data being processed under public task with the legal basis being GDPR Article 6(1)(e). There is no profiling and the appropriate safeguards for processing using automated decision making will be in place and documented on the Operational DPIA.
Work has been undertaken to ensure only the minimum amount of personal information is gathered and stored only for the appropriate time.
There is a process in place for managing all subject rights requests.
Likelihood: Low
Severity (Red/Amber/Green): Green
Result: Mitigated
6.2.1 Privacy risks
Purpose limitation
Solution or Mitigation
Detailed discussion of risks and mitigations will be set out in the Operational DPIA.
Social Security Scotland has a Privacy Notice that is accessible on the mygov.scot website[10].
Outward letters and telephony messaging also advise individuals where to find information regarding the processing of their information.
Data Sharing Agreements will be in place with stakeholders following the ICO Data Sharing code of practice, where clear purpose is document and adhered to.
Likelihood: Low
Severity (Red/Amber/Green): Green
Result: Mitigated
6.2.2 Privacy risks
Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights
Solution or Mitigation
Detailed discussion of risks and mitigations will be set out in the Operational DPIA.
Social Security Scotland has a Privacy Notice that is accessible on mygov.scot website.
Outward letters and telephony messaging also advise individuals where to find information regarding processing of their information.
Likelihood: Low
Severity (Red/Amber/Green): Green
Result: Mitigated
6.2.3 Privacy risks
Minimisation and necessity
Solution or Mitigation
Detailed discussion of risks and mitigations will be set out in the Operational DPIA.
Necessity of the data to be processed has been determined based on the minimum amount of personal information required for assessing entitlement and ongoing case management.
Likelihood: Low
Severity: Green
Result: Mitigated
6.2.4 Privacy risks
Accuracy of personal data
Solution or Mitigation
Detailed discussion of risks and mitigations will be set out in the Operational DPIA.
The personal data gathered is from the individual, their representative or an Other Government Department where the individual has an established relationship.
Likelihood: Low
Severity (Red/Amber/Green): Green
Result: Mitigated
6.3.1 Security risks
Keeping data securely
Retention
Solution or Mitigation
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. A Digital security risk assessment is completed for all new processes and one will be completed for Scottish Adult DLA. A copy will be retained in the Operational DPIA.
The IT Health Check includes penetration testing and the health check takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go live decision, all digital security risks are registered and treatment plan put in place, these plans are reviewed regularly
Likelihood: Low
Severity (Red/Amber/Green): Green
Result: Mitigated
6.3.2 Security risks
Transfer – data may be lost in transit
Solution or Mitigation
Detailed discussion of risks and mitigations will be set out in the Operational DPIA.
Established secure transfer routes will be re-used for previous transitions. Data is encrypted at rest and in transit.
Data Sharing Agreements will be in place detailing both parties’ roles and responsibilities in relation to safeguarding individual personal information.
Likelihood: Low
Severity (Red/Amber/Green): Green
Result: Mitigated
6.3.3 Security risks
Solution or Mitigation
Detailed discussion of risks and mitigations will be set out in the Operational DPIA. A security risk assessment is completed for all new processes and one will be completed for Scottish Adult DLA. This will be contained in the Operational DPIA.
The IT Health Check includes penetration testing and the health check takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go live decision , all digital security risks are registered and treatment plan put in place, these plans are reviewed regularly
Likelihood: Low
Severity (Red/Amber/Green): Green
Result: Mitigated
6.4.1 Other risks
Will this impact on children?
Solution or Mitigation
Scottish Adult DLA will not directly impact on children. An individual is only entitled to Scottish Adult DLA if they are 18 or over and receiving an award of DLA, as set out in Regulations. Other impact assessments have been drafted, including an Equalities Impact Assessment, Island Communities Impact Assessment, Fairer Scotland Duty Assessment and a Business and Regulatory Impact Assessment to assess and mitigate other potential impacts or risks.
Likelihood: Low
Severity (Red/Amber/Green): Green
Result: Eliminate
Contact
Email: beth.stanners@gov.scot
There is a problem
Thanks for your feedback