The Police Act 1997 (Criminal Records) (Homes for Ukraine Sponsorship Scheme) (Scotland) Amendment Regulations 2022

6. Risk Assessment

Risk

6.1.1 Risk to individual rights

• right to be informed
• right of access
• right to rectification
• right to erasure
• right to restrict processing
• right to data portability
• right to object
• rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed

Solution or mitigation

The Homes for Ukraine scheme (including the 'Warm Scots Welcome' programme which enables displaced Ukrainian persons, when applying for a visa under the scheme, to select the Scottish Government as their super sponsor) is a voluntary scheme whereby members of the public throughout a UK Government portal can note their interest to become sponsor and provide accommodation. The guidance that is currently available on the UK Government website clearly states that disclosure checks will be undertaken in relation to those volunteering to be sponsors; where those volunteering are offering to provide accommodation within the same premises that they also reside in, other adult members of their household will also be subject to disclosure checks.

Disclosure Scotland collects, holds and processes personal information because the processing is necessary for the exercise of our functions as an Executive Agency as outlined in legislation that governs criminal records checks. This is a legitimate condition of processing as outlined under the DPA. Individuals are made aware on the "declaration" section of the application of how their personal data will be used.

When Disclosure Scotland has completed its checks, it will issue an enhanced disclosure certificate to both the countersignatory and the individual applicant.

Disclosure Scotland will uphold individual rights as stated in Disclosure Scotland's Privacy Statement.

6.2.1 Privacy risks

Purpose limitation

Solution or mitigation

Data will only be gathered for the purposes covered under the Police Act 1997 and secondary legislation made under it.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber/Green)

Green

Result

Accepted

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or Mitigation

As stated within the Disclosure Scotland Privacy Statement, individuals have the right to access the information held about them by Disclosure Scotland and can ask for any data to be amended if it is incorrect. Individuals can ask Disclosure Scotland not to process information used for the disclosure certificate if it would cause substantial unwarranted damage or distress. Individuals can request that non-automated decisions are made regarding their data.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber/Green)

Green

Result

Accepted

6.2.3 Privacy risks

Minimisation and necessity

Solution and Mitigation

Disclosure Scotland gathers and processes data under the Police Act 1997, in line with the DPA. Disclosure Scotland ensures all information gathered is adequate, relevant and not excessive. Information is processed in accordance with the individual's rights and is not kept for longer than is necessary.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber/Green)

Green

Result

Accepted

6.2.4 Privacy risks

Accuracy of personal data

Solution and Mitigation

Disclosure Scotland processes, gathers, retains and securely destroys data under the Police Act 1997, and in compliance with DPA. Information is processed in accordance with the individual's rights and is not kept for longer than is necessary.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber/Green)

Green

Result

Accepted

6.3.1 Security risks

Keeping data securely

Retention

Solution and Mitigation

Disclosure Scotland processes, gathers, retains and securely destroys data under the Police Act 1997, and in compliance with DPA.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber/Green)

Green

Result

Accepted

6.3.2 Security risks

Transfer – data may be lost in transit

Solution and Mitigation

All data is stored on secure servers which have extensive IT security measures in place in line with Scottish Government IT standards.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber/Green)

Green

Result

Accepted

6.3.3 Security risks

Processing activities

Solution and Mitigation

No new processing activities need developed to conduct these checks as the processes and procedures required are already embedded in business as usual.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber/Green)

Green

Result

Accepted

6.4.1 Other risks

16 and 17 year old children living in the sponsoring household will also be eligible for checks.

Solution and Mitigation

The Scottish Government has carried out the CWRIA in relation to this policy and it will be published on the gov.scot website.

Checks on 16 and 17 year olds living in the sponsoring household balanced against the risk to individuals and families being placed in a sponsor home where they would be at risk. 16 and 17 year old children will need to agree to have the criminal record check carried out.

Disclosure Scotland Privacy Statements are written in plain language and direct to further information sources.

Likelihood (Low/Med/High)

Medium

Severity (Red/Amber/Green)

Orange

Result

Reduced