Redress for Survivors (Historical Child Abuse in Care) (Scotland) Bill: data protection impact assessment
Impact assessment for the Redress for Survivors (Historical Child Abuse in Care) (Scotland) Bill in relation to the use of personal data.
Annex A: General Data Protection Regulation (GDPR) Principles
Principle
6.1 Principle 1 – fair and lawful, and meeting the conditions for processing
Compliant – Yes/No
Yes
Description of how you have complied
There will be full transparency with applicants as to how their data will be processed via a Privacy Notice. Processing the data provided by the data subject and contained in the application form is compliant with Article 6 1 - necessary to undertake a public task. In respect of information relating to the data subjects health this is compliant with Article 9 2 (g).
6.2 Principle 2 – purpose limitation
Compliant – Yes/No
Yes
Description of how you have complied
The data will mainly be used for the purpose of assessing and processing redress applications and payments. Where there is the potential for significant risk of harm to the public from a named perpetrator, information will be disclosed to Police Scotland. Applicants will be informed of this information sharing in the privacy notice of the application form.
Data from scheme contributors will only be used to process payments to Scottish Ministers.
6.3 Principle 3 – adequacy, relevance and data minimisation
Compliant – Yes/No
Yes
Description of how you have complied
As set out in the legislative DPIA, the information required from applicants will be the information that is necessary to allow the redress scheme to function and operate effectively. The information requested will be kept to a minimum and will only be requested if it is relevant to the application process and determination.
6.4 Principle 4 – accurate, kept up to date, deletion
Compliant – Yes/No
Yes
Description of how you have complied
Any information held will be kept up to date and deleted when no longer required. Guidance will be developed to advise staff on appropriate protocols. Further details on this will be included within the operational DPIA.
6.5 Principle 5 – kept for no longer than necessary, anonymization
Compliant – Yes/No
Yes
Description of how you have complied
Data will be retained in line with audit/finance requirements and disposed of in line with SG guidance. Details on how data will be anonymized and minimized will be developed further and reflected in the operational DPIA. Learning from the advance payment scheme will be greatly beneficial in developing our approach to securing and holding data appropriately.
6.6 GDPR Articles 12-22 – data subject rights
Compliant – Yes/No
Yes
All of the processes and systems put in place to store the data will comply with Articles 12 to 22. Full information on how we will process, store and use the applicants data will be outlined in the scheme Privacy Notice. Further details on this will be included within the operational DPIA.
6.7 Principle 6 - security
Compliant – Yes/No
Yes
Description of how you have complied
It is intended that we will hold data securely within a case management system. Further details on this system will be subject to the operational DPIA which will follow in due course. We will explore how data can be securely shared with other organisations and put information sharing agreements in place. Learning from the advance payment scheme will be integral to the development of the statutory scheme’s information management and security.
6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.
Compliant – Yes/No
Yes
Description of how you have complied
There will be no requirement to transfer any of the data collected to a country or territory outside the European Economic Area. Some applicants to the scheme may live outwith the European Economic Area. Guidance will be developed for staff and applicants to ensure data is transmitted securely.
Contact
Email: redress@gov.scot
There is a problem
Thanks for your feedback