The Disability Assistance (Scottish Adult Disability Living Allowance) Regulations 2025: data protection impact assessment

This impact assessment records how data will be used in relation to the Disability Assistance (Scottish Adult Disability Living Allowance) Regulations 2025 and how that use is compliant with data protection legislation.


6. Risk Assessment

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

6.1.1 Risk to individual rights

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.

Solution or Mitigation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

The personal information to be processed is required to enable Social Security Scotland to meet its statutory requirement to provide Social Security Assistance. The data is processed under public task, with the legal basis being GDPR Article 6(1)(e). There is no profiling, and the appropriate safeguards for processing using automated decision making will be in place and documented in the Operational DPIA.

Work has been undertaken to ensure that only the minimum amount of personal information is gathered and that it is stored only for the appropriate time.

There is a process in place for managing all subject rights requests.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.2.1 Privacy risks

Purpose limitation

Solution or Mitigation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Social Security Scotland has a Privacy Notice that is accessible on the mygov.scot website[10].

Outward letters and telephony messaging also advise individuals where to find information regarding the processing of their information.

Data Sharing Agreements will be in place with stakeholders following the ICO Data Sharing code of practice, where a clear purpose is documented and adhered to.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or Mitigation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Social Security Scotland has a Privacy Notice that is accessible on the mygov.scot website.

Outward letters and telephony messaging also advise individuals where to find information regarding the processing of their information.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.2.3 Privacy risks

Minimisation and necessity

Solution or Mitigation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Necessity of the data to be processed has been determined based on the minimum amount of personal information required for assessing entitlement and ongoing case management.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.2.4 Privacy risks

Accuracy of personal data

Solution or Mitigation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

The personal data gathered is from the individual, their representative or an Other Government Department with which the individual has an established relationship.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.3.1 Security risks

Keeping data securely

Retention

Solution or Mitigation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA. A Digital security risk assessment is completed for all new processes and one will be completed for Scottish Adult DLA. A copy will be retained in the Operational DPIA.

The IT Health Check includes penetration testing, and the health check takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go-live decision. All digital security risks are registered and a treatment plan is put in place; these plans are reviewed regularly.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.3.2 Security risks

Transfer – data may be lost in transit

Solution or Mitigation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA.

Established secure transfer routes from previous transitions will be re-used. Data is encrypted at rest and in transit.

Data Sharing Agreements will be in place detailing both parties’ roles and responsibilities in relation to safeguarding individual personal information.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.3.3 Security risks

Solution or Mitigation

Detailed discussion of risks and mitigations will be set out in the Operational DPIA. A security risk assessment is completed for all new processes and one will be completed for Scottish Adult DLA. This will be contained in the Operational DPIA.

The IT Health Check includes penetration testing, and the health check takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go-live decision. All digital security risks are registered and a treatment plan is put in place; these plans are reviewed regularly.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Mitigated

6.4.1 Other risks

Will this impact on children?

Solution or Mitigation

Scottish Adult DLA will not directly impact on children. An individual is only entitled to Scottish Adult DLA if they are 18 or over and receiving an award of DLA, as set out in Regulations. Other impact assessments have been drafted, including an Equalities Impact Assessment, Island Communities Impact Assessment, Fairer Scotland Duty Assessment and a Business and Regulatory Impact Assessment to assess and mitigate other potential impacts or risks.

Likelihood: Low

Severity (Red/Amber/Green): Green

Result: Eliminate

Contact

Email: beth.stanners@gov.scot
