Education (Scotland) Bill: data protection impact assessment
Data protection impact assessment (DPIA) for the Education (Reform) Bill.
6. Risk Assessment
6.1.1 Risk to individual rights
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.
Solution or mitigation
The Bill does not create new impacts on individuals' rights. The current data controllers make reference to rights within their privacy policies and this is expected to continue for the new qualifications body and through the delivery of the independent inspectorate by the non-Ministerial office holder (HM Chief Inspector of Education).
Likelihood (Low/Med/High): Low
Result: No new impact
6.2.1 Privacy risks
Purpose limitation
Solution or mitigation
It is not intended that the purposes of the data processing will be changed by the Bill.
Data will continue to be collected and processed by the controllers for the same purposes as currently.
Likelihood (Low/Med/High): Low
Result: No new impact
6.2.2 Privacy risks
Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights
Solution or mitigation
The Bill does not impact on the way data subjects are informed.
Likelihood (Low/Med/High): Low
Result: No new impact
6.2.3 Privacy risks
Minimisation and necessity
Solution or mitigation
The Bill will not impose any requirements to collect new or additional data. The data will continue to be collected as necessary for the purposes/functions undertaken by the controller.
Education Scotland will work closely with the new controller, HM Chief Inspector, in the handover period.
Likelihood (Low/Med/High): Low
Result: No new impact
6.2.4 Privacy risks
Accuracy of personal data
Solution or mitigation
Data controllers will continue to be responsible for ensuring that the information they hold about subjects is accurate and up to date. This is not affected by the Bill.
Likelihood (Low/Med/High): Low
Result: No new impact
6.3.1 Security risks
Keeping data securely
Retention
Solution or mitigation
The Bill and Scottish Ministers do not have any impact on the way in which data controllers store or retain data.
Likelihood (Low/Med/High): Low
Result: No new impact
6.3.2 Security risks
Transfer – data may be lost in transit
Solution or mitigation
Risks surrounding loss of data and information transfers occur at an operational level and therefore are not subject to this risk assessment.
In respect of the new qualifications body, whilst there will be a legal transfer of data controller and of data ‘ownership’, there will not be any transfer at a practical level. No data will be merged; it will not be transferred to a new system, and systems will not be integrated. The data will remain where it is, in the same systems and, other than where SQA appropriately/necessarily disposes of data, it will all transfer as it will be needed to carry on providing all of the functions of the organisation. The purposes and lawful basis for processing will all remain the same.
In respect of the creation of the office of HM Chief Inspector of Education in Scotland, the data to be transferred is currently held in the Scottish Government electronic filing system and will be transferred to the new Information Asset Owner, who will have access to and be using the same system as at present through shared service arrangements.
Likelihood (Low/Med/High): Low
Result: No new impact
6.3.3 Security risks
Solution or mitigation
Data controllers are responsible for data security and their own risk assessments. The Bill does not directly impact data security or introduce any new security risks.
Data Protection Officer (DPO)
The DPO may give additional advice; please indicate how this has been actioned.
Advice from DPO
The DPO assisted through the provision of advice during the development of the DPIA.
Action
Advice was addressed through adjustments to the contents.
I confirm that the Education (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.
Name and job title of an IAO or equivalent: Lisa Bird, Deputy Director, Education Reform Division
Date each version authorised: 17/4/2024
Contact
Email: EducationReform@gov.scot