Social Security (Amendment) (Scotland) Bill: data protection impact assessment

This data protection impact assessment (DPIA) considers the potential impacts of the Social Security (Amendment) (Scotland) Bill on the use of personal data.


Recovering Scottish social security assistance from awards of compensation

2.2 Description of the personal data involved

In relation to compensation recovery, the Bill specifies that the full name and address of the parties who will receive a certificate of recoverable assistance are provided.

Secondary legislation will be required to detail how the compensation recovery scheme will operate. This will include the types of personal data that may be required to generate a certificate of recoverable assistance such as:

  • Full name, address, date of birth and national insurance number of the injured party.
  • Full name and address of liable third party.
  • Rates, types, amounts and dates of benefits paid.
  • Previous health conditions that gave rise to benefit eligibility (special category data).
  • Medical information regarding the illness or injury (special category data).
  • Any changes in the medical diagnosis relating to the condition arising from the accident, injury or disease (special category data).

At the time of drafting of the necessary secondary legislation, a further legislative DPIA will be carried out to consider these types of personal data.

There will be no requirement to collect data in relation to criminal convictions or offences.

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons?

If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights, or use of social profiling to inform policy making.

In Scotland, to begin the process of claiming compensation, the data subject or their legal representative must contact the compensator and provide the required personal data; otherwise the claim cannot proceed. Personal injury lawyers inform data subjects that there is a mandatory duty to provide their personal data to the Department for Work and Pensions as part of the claims process for the generation of a certificate. This duty would be extended to include the administrator of the Scottish compensation recovery scheme once the Bill provisions come into force.

All injured parties must provide permission for their personal data to be used in the process of claiming compensation, including both the sharing and receiving of data with and from the administrators of the UK and Scottish compensation recovery schemes. This permission is obtained by either the compensator or the data subject's legal representative. If the data subject refuses to agree to the data being shared, this will prevent the case from being settled, so no compensation can be awarded. Under the UK legislation, compensators have a legal obligation to seek out the amounts owed to the DWP and are liable to pay these amounts back to the DWP before any compensation is paid to the data subject. The Bill provisions will replicate this for the recovery of Scottish assistance.

Once the compensator has provided the personal data to Scottish Ministers and it has been processed, the data subject will be provided with a copy of the certificate of recoverable assistance being provided to the compensator. If the data subject believes that any information on the certificate is incorrect, then they can request a review. Following on from the review, if they are still dissatisfied with the contents of the certificate, they can request a reconsideration of the certificate and then finally they can appeal if appropriate.

Immediately prior to settlement, the compensator will have a legal duty to inform the data subject of the deduction of the amount owed to Scottish Ministers and confirm the date that the compensation payment will be made.

The processing of this personal data will result in decisions made on the sum of money that compensators will be liable to pay back to Scottish Ministers. This may result in the injured party’s compensation payment being reduced.

A similar process using the same information is already in place; this is detailed in the Personal Injuries (NHS Charges) (Amounts) (Scotland) Regulations 2006. NHS Scotland, through Scottish Ministers and Scottish Government Health Directorates, has a power to recover the cost of ambulance and hospital treatment required by injured parties from payments of compensation when a third party is liable for the accident, injury or disease. A compensation recovery process is also currently in place to recover equivalent amounts of benefits paid by the DWP, and the Bill provisions aim to provide a consistent approach to compensation recovery across the whole of the UK.

2.4 Necessity, proportionality and justification

What issue/public need is the proposal seeking to address?

Scottish Ministers do not currently have powers to recover newly created social security assistance from compensation paid to individuals by liable third parties as a result of accidents, injuries or diseases. The introduction of Adult Disability Payment (ADP) and Child Disability Payment (CDP) has resulted in a discrepancy in that equivalent amounts received in relation to accidents, injuries or disease are not recoverable from the compensator. While provisions were not made within the 2018 Act, it has always been the intention of the Scottish Government that, if possible, a process should be put in place within a reasonable timeframe that allows the recovery of social security assistance as appropriate, preventing public funds from being used as additional compensation.

What policy objective is the legislation trying to meet?

The objective of the policy is to address this discrepancy as well as provide a consistent approach to the recovery of compensation UK wide.

Were less invasive or more privacy-friendly options considered, and if so why were these options rejected?

Due to the nature of the proposal, the objective of the policy could not be achieved without additional data processing. The special category data relates to health conditions and without this key information, the administrators of a Scottish compensation recovery scheme would not be able to calculate the amounts that were received by the data subject in relation to the accident, injury or disease.

Scottish benefits remaining unrecoverable was a less invasive option considered. In this option, equivalent amounts to Scottish benefits such as Adult Disability Payment (ADP), Child Disability Payment (CDP), Pension Age Disability Payment (PADP) and Scottish Child Payment (SCP) received by injured parties would not be recovered from compensation payments. However, the Department for Work and Pensions would continue to recover UK benefits paid to Scottish recipients.

This was rejected as injured parties would receive payments from Scottish Ministers as well as compensation from liable third parties for the same accident, injury or disease, resulting in double compensation. One of the principles laid out in the 2018 Act was that a Scottish social security system should ‘be efficient and deliver value for money’ and this option would not help the Scottish Government to achieve this.

Are there any potential unintended consequences with regards to the provisions e.g., would the provisions result in unintended surveillance or profiling?

We are committed to adhering to the data protection principles and will take a privacy by design approach. No unintended consequences have been identified, and a further DPIA will be carried out when secondary legislation specifies the collection of any additional personal data. If additional data sharing is required regarding the passporting of related benefits, this will also be explored in more detail within a further legislative DPIA.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

The intended processing will have technical, administrative and physical safeguards in place. This will be fully explored during the design phase. Technical safeguards will be in place through existing system controls and controls that will be developed to ensure the secure transfer and sharing of personal data. For example, Social Security Scotland already has robust safeguarding measures in place.

These include:

  • Retention schedule to delete or anonymise personal data where there is no longer purpose to retain.
  • Data minimisation of the information retained.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

All data sharing will adhere to the ICO Data Sharing code of practice.

All Social Security Scotland staff are bound by the Civil Service Code of Conduct, to ensure individual confidentiality, integrity and accuracy of personal data.

If the latter, what will be the status of the Code of Conduct? (statutory or voluntary?)

Voluntary for ICO

Mandatory for Civil Service Code of Conduct

3. Data Controllers

Organisation: Social Security Scotland

Activities: Social Security Scotland acts on behalf of the Scottish Ministers as controller for the personal data processed. Social Security Scotland is an Executive Agency of the Scottish Government. It has the responsibility for managing and administering the benefits that are devolved to Scotland.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, section 7 of the Data Protection Act 2018? : Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing: Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data (Include condition from Schedule 1 or 2 of the Data Protection Act 2018): The Article 9 condition that applies for processing the special category data is (b) Employment, social security and social protection (if authorised by law).

The condition from Schedule 1 of the Data Protection Act 2018 is met if:

(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b) when the processing is carried out, the controller has an appropriate policy document in place.

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018: Not applicable

Legal gateway for any sharing of personal data between organisations, e.g. as part of existing common interest investigation processes with DWP: There will be a requirement to share data between Social Security Scotland and the DWP.

Section 34 of the Scotland Act 2016 allows data sharing between the delivery agency and other external partners.

4. Consultation

4.1 Have you consulted with the ICO using the Article 36(4) form?

An Article 36(4) form was sent to the ICO prior to publication of the consultation in 2022 and an updated form was sent in August 2023. The Scottish Government has engaged with the ICO and addressed their feedback.

4.2 Do you need to hold a public consultation and if so has this taken place? What was the result?

The public consultation “Scotland’s social security system: enhanced administration and compensation recovery” was published in August 2022. The question related to compensation recovery proposed the taking of a power to recover Scottish assistance from awards of compensation. The consultation closed in October 2022 and the responses were mixed: 27% of those who responded to the overall consultation agreed with the proposal, 10% disagreed, 27% did not know and 36% did not answer the question. Of those that agreed, the main view was that liable third parties should not be subsidised by Social Security Scotland in their obligation to fully compensate a person for the injury or disease they have contracted.

Among those respondents who disagreed with the proposal, the main point raised was that they considered it important that the proposal did not result in any undue hardship or stress on those who have been harmed by a third party. Some respondents were unsure about the proposal as the subject matter was out with their area of expertise. Furthermore, a large proportion of those who participated in the consultation did not answer the question.

As compensation recovery could be considered a niche subject matter, it was the view of the Scottish Government that further exploration with potentially impacted stakeholders, who may have experience of the UK scheme, would provide feedback that would prove useful in the design of the new scheme. To this end, a targeted engagement event aimed at the insurance and personal injury industry was held in March 2023. The purpose of this event was to communicate the proposal and reassure participants that our aim is to limit the impact on their business and on clients by ensuring a consistent approach to the recovery of social security assistance across both UK and Scottish Governments.

4.3 Were there any comments/feedback from the public consultation about privacy, information or data protection?

There were no issues or comments raised regarding privacy, information or data protection in the proposed approach to compensation recovery within the public consultation or the targeted engagement event. When representatives of the insurance and personal injury industries were asked about their thoughts on the initial proposal, there was a strong preference expressed for having one unit or platform handling the generation of certificates of recoverable assistance for the whole of the UK. This is because a separate system will require more guidance, training, resources and system log ins for claims handlers.

5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

There are no legislative measures relating to technology. It is expected that there will be a requirement to further develop data processing technology, however this is still to be explored, and any impacts on data will be considered during design.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

There will be no requirement to establish or make a change to the operation of an established public register.

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour).

Initially, the proposal did not introduce any new requirements regarding investigatory powers; these were already included in the 2018 Act. However, as part of the Business Regulatory Impact Assessment (BRIA), it was identified that further investigatory powers may be required to ensure that compensators are complying with the provisions within the Bill. Within the Bill, a provision has been included to make regulations to detail further investigatory powers. Any further data collection or storage in relation to this will be explored in the DPIA for those regulations.

Social Security Scotland is a competent authority in paragraph 2 of Schedule 7 of the Data Protection Act 2018 (Scottish Ministers devolved through the 2018 Act). Any processing will satisfy the conditions as per The Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, and the Data Protection Act 2018 Part 3 which sets out a separate regime for law enforcement authorities in the UK.

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

This proposal relates to the processing of data and information in relation to clients receiving benefits administered by Social Security Scotland. As such, the group may contain children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties and elderly people, and the appropriate impact assessments have therefore been carried out.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

It is not anticipated the provisions will be controversial, intrusive or onerous, or will be of significant public interest as it relates to data processing and administrative process.

A security risk assessment is completed for all new processes and one will be completed for compensation recovery. This will be contained in the Operational Data Protection Impact Assessment.

The operational DPIA will consider the data subject rights of individuals associated with the processing and payment of Compensation Recovery and ensure that any risks are mitigated to ensure the rights of data subjects are not impacted.

Are there any potential unintended consequences with regards to the provisions, e.g. would the provisions result in unintended surveillance or profiling?

No unintended consequences have been identified in relation to the provisions.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Social Security Scotland already has robust policies and procedures in place for the handling of data, and is well versed in the sensitivities and legal requirements for processing any of the personal data engaged by the measures in the Bill. As now, it will continue to ensure it complies with its statutory duties and has appropriate safeguards in place.

5.7 Are there consequential changes to other legislation that need to be considered as a result of the proposal, or a need to make further subordinate legislation to achieve the aim?

The provisions in the Bill relating to compensation recovery provide Scottish Ministers with the power to recover social security assistance from compensation as well as laying out the parameters of a Scottish compensation recovery scheme. There are also regulation making powers taken within the Bill which will detail how the scheme will operate. A number of further amendments have been identified to be necessary by way of a section 104 Order.

An amendment will however be required to the Sheriff Courts (Scotland) Act 1907 c. 51 (“the 1907 Act”) at appendix 4 (the personal injury pre-action protocol), paragraph 33, so that any deduction from damages in accordance with paragraphs 3.51-3.57 of these instructions will be disregarded, in the same way as deductions under section 7 of the 1997 Act, for the purposes of calculating the payment in respect of liability for the solicitors’ fees under paragraph 31 of schedule 1 to the 1907 Act.

5.8 Will this proposal necessitate an associated code of conduct? If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

There will be no requirement for an associated code of conduct.

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards.

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Social Security Scotland has in place the appropriate safeguards in relation to data security, limitation of storage time and anonymisation.

These include:

  • Staff who access personal data must:
    • have appropriate security clearance;
    • only access personal data if there is a business need to do so;
    • complete mandatory data protection training.
  • Social Security Scotland has in place a Data Protection Team which is responsible for providing advice and monitoring compliance, and is the first point of contact for data protection matters.
  • Retention schedule to minimise personal data where there is no longer a purpose to retain it.
  • Pseudonymisation of any equalities data.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

There will be no impact on decisions made about individuals as a whole, groups or categories of people as a result of the processing of the personal data.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?

In cases where an individual is not in receipt of any recoverable social security assistance, the data provided will be used to generate a nil certificate. This is an automated decision making process.

5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as country outside the UK.)

Data will not be processed or sent outside the UK or EEA without suitable safeguards being in place.

6. Risk Assessment

6.1.1 Risk to individual rights

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.

Yes

Solution or Mitigation: If individuals do not want their personal data processed, this may impede the compensator's ability to settle the compensation claim with the injured party.

Likelihood: Low

Severity: Amber

Result: Accepted

6.2.1 Privacy risks

Purpose limitation

Solution or Mitigation: The data captured will only be used to identify the injured party and any benefits received within a defined period that was received as a result of an accident, injury or disease caused by a liable third party. This data processing is involved in the generation of the certificate of recoverable assistance which is usually requested by the compensator prior to settlement.

Likelihood: Low

Severity: Amber

Result: Reduced

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or Mitigation: Social Security Scotland provides full details in its privacy notice, and the client’s outcome notice includes information directing clients to the privacy notice. The telephony system also provides clients with details of how their data is processed.

Likelihood: Low

Severity: Red

Result: Eliminated

6.2.3 Privacy risks

Minimisation and necessity

Solution or Mitigation: The gathering of information from the data subject and other sources is justified on the basis that the subject is required to provide their permission for this information to be gathered.

Likelihood: Low

Severity: Amber

Result: Accepted

6.2.4 Privacy risks

Accuracy of personal data

Solution or Mitigation: The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 provide individuals with rights around the use of their personal data. These rights include:

  • the right to request that Social Security Scotland confirm what personal data is held about the individual and provide the subject with a copy.
  • the right to request that any inaccuracies in the data are corrected.
  • The client is the data source for the personal application information.
  • The client is responsible for ensuring their personal details are updated when they have a live application.
  • Data is also sourced from other UK Government departments to determine entitlement; these include HMRC and DWP. All organisations have a vested interest in ensuring personal data is up to date.

The client is responsible for ensuring that their personal details are updated when they have an active application for social security assistance. Guidance and advice is provided to clients on what information or changes need to be reported to Social Security Scotland. Data is also sourced from other government departments to determine entitlement, such as the DWP and His Majesty’s Revenue and Customs (HMRC), with all organisations having a vested interest in ensuring personal data remains accurate and up to date.

Likelihood: Medium

Severity: Amber

Result: Mitigated

6.3.1 Security risks

Keeping data securely

Retention

Solution or Mitigation: The Social Security Scotland Information Handling, Storage and Disposal Policy is in place to mitigate risks to data security and retention. The data will be retained for no longer than is required to meet the purpose for which it was originally obtained.

Likelihood: Low

Severity: Red

Result: Reduced

6.3.2 Security risks

Transfer – data may be lost in transit.

Solution or Mitigation: There are already highly secure and safe data transfer arrangements between Social Security Scotland and the DWP. Data files are encrypted.

At this current time, the process and mechanism for sharing data with the DWP has not been explored; however, a data sharing agreement with the DWP will be required. Further impact assessment of this will be carried out within the design phase.

Likelihood: Low

Severity: Amber

Result: Reduced

6.4.1 Other risks

Solution or Mitigation: Impact assessments have been drafted, including an Equalities Impact Assessment and Children's Rights and Wellbeing Impact Assessment to take into consideration other impacts or risks.

Likelihood: Low

Severity: Amber

Result: Reduced

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO

Advice was sought from DPO in Scottish Government and Social Security Scotland’s information governance team. Advice received was around terminology, roles and responsibilities and engaging with ICO.

Action

Comments from DPO and information governance team were taken on board.

I confirm that the Social Security (Amendment) (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.

Name and job title of an IAO or equivalent

Ian Davidson, Deputy Director, Social Security Directorate, Scottish Government

Date each version authorised

October 2023

Contact

Email: socialsecurityCI@gov.scot
