Redress for Survivors (Historical Child Abuse in Care) (Scotland) Act 2021 and relevant secondary legislation: data protection impact assessment - legislative
Data Protection Impact Assessment (DPIA) for the Redress for Survivors (Historical Child Abuse in Care) (Scotland) Act 2021 and relevant secondary legislation.
Annex B: Summary of Risks and Mitigations
Risk No. 1
Risk
Applicants to the scheme may view the information required in relation to their time in care and the abuse suffered as intrusive and distressing.
Mitigation
This information is necessary to determine eligibility to the scheme and to assess payment levels. As provided in part 6 of the DPIA, a wide range of support will be available to all survivors who submit an application to support their mental and emotional wellbeing. We will continue to develop safeguards for applicants in relation to providing and reading distressing information. User-tested application forms and guidance will be provided to help applicants understand why they need to submit this information. Details of this will be included within the operational DPIA. Support will also be put in place for the staff who will need to process this sensitive information.
Risk Status
Likelihood: Medium
Impact: Medium
Overall Risk: Medium
Risk No. 2
Risk
The information that survivors will be providing to the scheme as part of their application will be highly sensitive and personal. Failure to secure the data adequately could have devastating impacts.
Mitigation
Some survivors will not have disclosed their abuse to anyone previously so this is an understandable concern. It is important that the information received is treated in a sensitive manner and that communication with the applicant is carried out in as the applicant requests. For example, under the advance payment scheme caseworkers provide options for preferred contact methods and check the ID of the caller with key questions before starting the conversation. Details of such safeguards will be included in the operational DPIA.
Details of the care setting and abuse suffered will not be shared by Scottish Ministers to any person or organisation other than Redress Scotland, which will need this information to assess the application and make a decision, and Police Scotland, if a named perpetrator is included in the statement of abuse. Details on how this information will be shared with Police Scotland will be included within the application form privacy notice.
In light of anecdotal evidence that survivors have been threatened or intimidated by families of perpetrators or former staff of care institutions, data exchange with relevant organisations (contributors and non-contributors) in relation to the waiver will be limited to applicants’ name, and address.
Guidance and training will be issued to staff about the handling and storage of all applicant information as it is important that survivors know that their information is safe. The operation of the advance payment scheme has allowed appropriate data security measures to be tested within Scottish Government estate and this experience will be transferred to the implementation phase of the scheme.
Risk Status
Likelihood: Low
Impact: High
Overall Risk: Medium
Risk No. 3
Risk
There is a risk that the sharing of information for next of kin applications could potentially result in relationship damage.
Mitigation
The next of kin application form will require all surviving children applying for redress to confirm to the best of their knowledge if there is a surviving spouse, civil partner or cohabitant of the deceased and if there are any other surviving children of the deceased. Redress Scotland will rely upon these declarations having been made in good faith to allow applications to be processed and the share of the fixed rate payment payable to each surviving child to be calculated. Where there has been an error or a fraudulent declaration in respect of the number of surviving children, which is only discovered when a subsequent application is received from another child of the deceased, that later applicant will not be prejudiced by the earlier mistake. Provided they can satisfy the evidential requirements, they will remain entitled to a share of the next of kin redress payment. Depending on the circumstances, the powers to recover payments made as a result of error or fraud may be used to recover the previous overpayment.
Guidance will be developed for the administrative staff who will have to handle these types of situations. Information sharing in this scenario will be reviewed on a case-by-case basis and further engagement will continue with the ICO on this matter.
Risk Status
Likelihood: Low
Impact: Medium
Overall risk: Medium
Risk No. 4
Risk
Scheme contributors may view the publication of their financial contributions as intrusive
Scheme contributors have raised concerns in the consultation around reputational damage and the potential for this information to reflect badly on current service provision.
Mitigation
In the pre-legislative consultation, providers raised concerns that contributing to the redress scheme could give a misleading impression of the quality of current service provision and lead to a downturn in income. The impact on the organisation could be directly proportionate to the value of their contribution as some stakeholders may believe that the greater the sum of money contributed, the greater the cause for concern regarding current services. It may also be that members of the public are less likely to donate to a charity if they believe the donation will not be used to support current service users but instead will be transferred to Scottish Government.
The Act requires that financial contribution amounts committed to and paid by each scheme contributor will be published on the scheme contributor list. It is also worth noting that the publication of financial information is necessary for the annual accounts and reports of charities. We feel it is proportionate for reasons of transparency and accountability, to survivors and the public, that these contribution amounts are published.
We have engaged with the Freedom of Information team within Scottish Government to better understand what information could be requested to be released to the public. Scheme contributors will need to make a case to the Information Commissioner as to why this information would be detrimental to the commercial interests of the organisation if it was released into the public domain.
Risk Status
Likelihood: Low
Impact: Medium
Overall Risk: Low
Risk No. 5
Risk
Members of staff of any of the bodies involved in the contributions or decision making processes could be targeted by members of the public due to the association with matters relating to child abuse.
Mitigation
Appropriate safeguarding policies and procedures will be put in place for Scottish Government and Redress Scotland staff to ensure personal details shared with applicants are kept to a minimum and staff know how to report any concerns regarding harassment. The administrative staff and those employed by Redress Scotland will not share any personal information about individual staff members who are employed by scheme contributors or any other relevant body.
This is a potential risk which will need to be mitigated further by scheme contributors and other relevant bodies themselves as staff members names may already be in the public domain due to the public nature of the organisations. Scottish Government will provide advice and guidance on this to those who may be impacted.
Risk Status
Likelihood: Low
Impact: High
Overall Risk: Medium
Risk No. 6
Risk
If personal data is not securely held it will be vulnerable to security breaches leading to loss of data and compromising individuals’ privacy.
Mitigation
Appropriate safeguards will be put in place to mitigate this risk. Access to the scheme case management system will be restricted to only those who need access to the system to ensure greater security of the data. Users will have differing levels of permissions, ensuring that the users have access appropriate to their particular duties and level of seniority. Training and guidance will be provided to staff members as part of their induction process to ensure high standards in relation to the handling and storing of data responsibly and legally. We will continue to engage with the ICO to ensure that best practice in relation to data security is embedded into the case management system and any other IT solutions.
Risk Status
Likelihood: Medium
Impact: High
Overall Risk: Medium
Contact
Email: redress@gov.scot
There is a problem
Thanks for your feedback