Redress for Survivors (Historical Child Abuse in Care) (Scotland) Act 2021 and relevant secondary legislation: data protection impact assessment - legislative

Annex A: General Data Protection Regulation (GDPR) Principles

6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

Compliant: Yes

Description of how you have complied

There will be full transparency with applicants as to how their data will be processed via a Privacy Notice. Processing the data provided by the data subject and contained in the application form is compliant with Article 6 1 - necessary to undertake a public task. In respect of information relating to the data subjects health this is compliant with Article 9 2 (g).

6.2 Principle 2 – purpose limitation

Compliant: Yes

Description of how you have complied

The data will mainly be used for the purpose of assessing and processing redress applications and payments. Where there is the potential for significant risk of harm to the public from a named perpetrator, information will be disclosed to Police Scotland. Applicants will be informed of this information sharing in the privacy notice of the application form.

Data from scheme contributors will only be used to process payments to Scottish Ministers.

6.3 Principle 3 – adequacy, relevance and data minimisation

Compliant: Yes

Description of how you have complied

As set out in the legislative DPIA, the information required from applicants will be the information that is necessary to allow the redress scheme to function and operate effectively. The information requested will be kept to a minimum and will only be requested if it is relevant to the application process and determination.

6.4 Principle 4 – accurate, kept up to date, deletion

Compliant: Yes

Description of how you have complied

Any information held will be kept up to date and deleted when no longer required. Guidance will be developed to advise staff on appropriate protocols. Further details on this will be included within the operational DPIA.

6.5 Principle 5 – kept for no longer than necessary, anonymization

Compliant: Yes

Description of how you have complied

Data will be retained in line with audit/finance requirements and disposed of in line with SG guidance. Details on how data will be anonymized and minimized will be developed further and reflected in the operational DPIA. Learning from the advance payment scheme will be greatly beneficial in developing our approach to securing and holding data appropriately.

6.6 GDPR Articles 12-22 – data subject rights

Compliant: Yes

Description of how you have complied

All of the processes and systems put in place to store the data will comply with Articles 12 to 22. Full information on how we will process, store and use the applicants data will be outlined in the scheme Privacy Notice. Further details on this will be included within the operational DPIA.

6.7 Principle 6 - security

Compliant: Yes

Description of how you have complied

It is intended that we will hold data securely within a case management system. Further details on this system will be subject to the operational DPIA which will follow in due course. We will explore how data can be securely shared with other organisations and put information sharing agreements in place. Learning from the advance payment scheme will be integral to the development of the statutory scheme’s information management and security.

6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.

Compliant: Yes

Description of how you have complied

There will be no requirement to transfer any of the data collected to a country or territory outside the European Economic Area. Some applicants to the scheme may live outwith the European Economic Area. Guidance will be developed for staff and applicants to ensure data is transmitted securely.