Redress for Survivors (Historical Child Abuse in Care) (Scotland) Bill: data protection impact assessment
Impact assessment for the Redress for Survivors (Historical Child Abuse in Care) (Scotland) Bill in relation to the use of personal data.
Annex B: Risks and Mitigations
1 Applicants to the scheme may view the information required in relation to their time in care and the abuse suffered as intrusive and distressing.
This information is necessary to determine eligibility to the scheme and to assess payment levels. As provided in part 6 of the DPIA, a wide range of support will be available to all survivors who submit an application to support their mental and emotional wellbeing. We will continue to develop safeguards for applicants in relation to providing and reading distressing information. User-tested application forms and guidance will be provided to help applicants understand why they need to submit this information. Details of this will be included within the operational DPIA. Support will also be put in place for the staff who will need to process this sensitive information.
Likelihood: Medium
Impact: Medium
Overall Risk: Medium
2 The information that survivors will be providing to the scheme as part of their application will be highly sensitive and personal. Failure to secure the data adequately could have devastating impacts.
Some survivors will not have disclosed their abuse to anyone previously, so this is an understandable concern. It is important that the information received is treated in a sensitive manner and that communication with the applicant is carried out as the applicant requests. For example, under the advance payment scheme, caseworkers provide options for preferred contact methods and check the ID of the caller with key questions before starting the conversation. Details of such safeguards will be included in the operational DPIA.
Details of the care setting and abuse suffered will not be shared by Scottish Ministers with any person or organisation other than Redress Scotland, which will need this information to assess the application and make a decision, and Police Scotland, if a named perpetrator is included in the statement of abuse. Details on how this information will be shared with Police Scotland will be included within the application form privacy notice.
In light of anecdotal evidence that survivors have been threatened or intimidated by families of perpetrators or former staff of care institutions, data exchange with relevant organisations (contributors and non-contributors) in relation to the waiver will be limited to applicants’ name and date of birth – no contact details will be disclosed.
Guidance and training will be issued to staff about the handling and storage of all applicant information as it is important that survivors know that their information is safe. The operation of the advance payment scheme has allowed appropriate data security measures to be tested within Scottish Government estate and this experience will be transferred to the implementation phase of the scheme.
Likelihood: Low
Impact: High
Overall Risk: Medium
3 There is a risk that the sharing of information for next of kin applications could potentially result in relationship damage.
The next of kin application form will require all surviving children applying for redress to confirm to the best of their knowledge if there is a surviving spouse, civil partner or cohabitant of the deceased and if there are any other surviving children of the deceased. Redress Scotland will rely upon these declarations having been made in good faith to allow applications to be processed and the share of the fixed rate payment payable to each surviving child to be calculated. Where there has been an error or a fraudulent declaration in respect of the number of surviving children, which is only discovered when a subsequent application is received from another child of the deceased, that later applicant will not be prejudiced by the earlier mistake. Provided they can satisfy the evidential requirements, they will remain entitled to a share of the next of kin redress payment. Depending on the circumstances, the powers to recover payments made as a result of error or fraud may be used to recover the previous overpayment.
Guidance will be developed for the administrative staff who will have to handle these types of situations. Information sharing in this scenario will be reviewed on a case-by-case basis and further engagement will continue with the ICO on this matter.
Likelihood: Low
Impact: Medium
Overall Risk: Medium
4 Scheme contributors may view the publication of their financial contributions as intrusive.
Scheme contributors have raised concerns in the consultation around reputational damage and the potential for this information to reflect badly on current service provision.
In the consultation, providers raised concerns that contributing to the redress scheme could give a misleading impression of the quality of current service provision and lead to a downturn in income. The impact on the organisation could be directly proportionate to the value of their contribution as some stakeholders may believe that the greater the sum of money contributed, the greater the cause for concern regarding current services. It may also be that members of the public are less likely to donate to a charity if they believe the donation will not be used to support current service users but instead will be transferred to Scottish Government. Publication of financial information is necessary for the annual accounts and reports of charities. We have engaged with the Freedom of Information team within Scottish Government to better understand what information could be requested to be released to the public. Scheme contributors will need to make a case to the Information Commissioner as to why this information would be detrimental to the commercial interests of the organisation if it was released into the public domain.
Likelihood: Low
Impact: Medium
Overall Risk: Low
5 Members of staff of any of the bodies involved in the contributions or decision-making processes could be targeted by members of the public due to the association with matters relating to child abuse.
Appropriate safeguarding policies and procedures will be put in place for Scottish Government and Redress Scotland staff to ensure personal details shared with applicants are kept to a minimum and staff know how to report any concerns regarding harassment. The administrative staff and those employed by Redress Scotland will not share any personal information about individual staff members who are employed by scheme contributors or any other relevant body.
This is a potential risk which will need to be mitigated further by scheme contributors and other relevant bodies themselves, as staff members' names may already be in the public domain due to the public nature of the organisations. Scottish Government will provide advice and guidance on this to those who may be impacted.
Likelihood: Low
Impact: High
Overall Risk: Medium
6 If personal data is not securely held it will be vulnerable to security breaches leading to loss of data and compromising individuals’ privacy.
Appropriate safeguards will be put in place to mitigate this risk. Access to the scheme case management system will be restricted to only those who need access to the system to ensure greater security of the data. Users will have differing levels of permissions, ensuring that the users have access appropriate to their particular duties and level of seniority. Training and guidance will be provided to staff members as part of their induction process to ensure high standards in relation to the handling and storing of data responsibly and legally. We will continue to engage with the ICO to ensure that best practice in relation to data security is embedded into the case management system and any other IT solutions.
Likelihood: Medium
Impact: High
Overall Risk: Medium
Contact
Email: redress@gov.scot