Education (Scotland) Bill: data protection impact assessment

Data protection impact assessment (DPIA) for the Education (Reform) Bill.


6. Risk Assessment

6.1.1 Risk to individual rights

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.

Solution or mitigation

The Bill does not create new impacts on individuals’ rights. The current data controllers make reference to rights within their privacy policies, and this is expected to continue for the new qualifications body and through the delivery of the independent inspectorate by the non-Ministerial office holder (HM Chief Inspector of Education).

Likelihood (Low/Med/High): Low

Result: No new impact

6.2.1 Privacy risks

Purpose limitation

Solution or mitigation

It is not intended that the purposes of the data processing will be changed by the Bill.

Data will continue to be collected and processed by the controllers for the same purposes as currently.

Likelihood (Low/Med/High): Low

Result: No new impact

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or mitigation

The Bill does not impact on the way data subjects are informed.

Likelihood (Low/Med/High): Low

Result: No new impact

6.2.3 Privacy risks

Minimisation and necessity

Solution or mitigation

The Bill will not impose any requirements to collect new or additional data. The data will continue to be collected as necessary for the purposes/functions undertaken by the controller.

Education Scotland will work closely with the new controller, HM Chief Inspector, in the handover period.

Likelihood (Low/Med/High): Low

Result: No new impact

6.2.4 Privacy risks

Accuracy of personal data

Solution or mitigation

Data controllers will continue to be responsible for ensuring that the information they hold about subjects is accurate and up to date. This is not affected by the Bill.

Likelihood (Low/Med/High): Low

Result: No new impact

6.3.1 Security risks

Keeping data securely

Retention

Solution or mitigation

The Bill and Scottish Ministers do not have any impact on the way in which data controllers store or retain data.

Likelihood (Low/Med/High): Low

Result: No new impact

6.3.2 Security risks

Transfer – data may be lost in transit

Solution or mitigation

Risks surrounding loss of data and information transfers occur at an operational level and therefore are not subject to this risk assessment.

In respect of the new qualifications body, whilst there will be a legal transfer of data controller and of data ‘ownership’, there will not be any transfer at a practical level. No data will be merged or transferred to a new system, and systems will not be integrated. The data will remain where it is, in the same systems and, other than where SQA appropriately/necessarily disposes of data, it will all transfer as it will be needed to carry on providing all of the functions of the organisation. The purposes and lawful basis for processing will all remain the same.

In respect of the creation of the office of HM Chief Inspector of Education in Scotland, the data to be transferred is currently held in the Scottish Government electronic filing system and will be transferred to the new Information Asset Owner, who will have access to and be using the same system as at present through shared service arrangements.

Likelihood (Low/Med/High): Low

Result: No new impact

6.3.3 Security risks

Solution or mitigation

Data controllers are responsible for data security and their own risk assessments. The Bill does not directly impact data security or introduce any new security risks.

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO

The DPO assisted through the provision of advice during the development of the DPIA.

Action

Advice was addressed through adjustments to the contents.

I confirm that the Education (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.

Name and job title of an IAO or equivalent: Lisa Bird, Deputy Director, Education Reform Division

Date each version authorised: 17/4/2024

Contact

Email: EducationReform@gov.scot
