Tertiary Education and Training (Funding and Governance) (Scotland) Bill - Data Protection Impact Assessment (DPIA)
Data Protection Impact Assessment (DPIA) for the Tertiary Education and Training (Funding and Governance) Bill
6. Risk Assessment
The Bill is expected to enable significant positive changes to the efficiency and effectiveness of the delivery of NTPs, apprenticeships and work-based learning. Work-based learning, as defined in the Bill, is capable of including school pupils attending college and workplaces in order to gain experience and qualifications. There is no requirement that the individual is paid, unlike an apprentice.
The Bill, of itself, does not have an impact on those who engage with and form part of the post-school education and skills system such as learners, employers, institutions, and other training providers. It will be how the functions are exercised (which will be the subject of future impact assessments) which will be significant.
It has not been possible to carry out a comprehensive risk assessment on the relevant information sharing provision of the Bill. This DPIA will be reviewed and updated as the Bill is implemented.
Once the Bill has completed its Parliamentary passage and the provision is implemented, it will be for the SFC to review the impact of their new or revised policies and approaches to ensure they meet the legislative requirements on privacy and information and data protection. It will be for Scottish Ministers to scrutinise the performance of the SFC in relation to how they have delivered their expanded functions, and therefore how the delivery of the these functions is in compliance with the requirements of the UK GDPR and Data Protection Act 2018.
Risk |
Solution or mitigation |
Likelihood (Low/Med/High) |
Severity (Red/Amber/Green) |
Result |
|---|---|---|---|---|
6.1.1 Risk to individual rights
Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed |
The Bill does not impact on individual rights. The SFC as the data controllers will need to consider these rights in their privacy policies and process data transparently in accordance with the law. The SFC will be able to draw on systems and processes developed by SDS (who currently carry out similar functions to those the Bill will give to the SFC) to protect these individual rights. |
Low |
No new impact |
|
6.2.1 Privacy risks Purpose limitation |
The data will only be processed for the purposes of the SFC carrying out its statutory functions around securing the provision of, and funding, tertiary education and training (including new functions in respect of NTPs, apprenticeships and work-based learning). |
Low |
No new impact |
|
6.2.2 Privacy risks Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights |
The SFC will need to handle personal data in ways which are compliant with data protection laws. It is anticipated that some staff with knowledge and experience of apprenticeship programme delivery are likely to transfer from SDS to the SFC and this will help with establishing proper processes. |
Low |
No new impact |
|
6.2.3 Privacy risks Minimisation and necessity |
The Bill makes provision that will require persons receiving SFC funding, under the new functions of NTPs, apprenticeships and work-based learning, to provide the SFC with such information as they may reasonably require for the purposes of, or in connection with, the exercise of any of the SFC’s functions. This is considered adequate and relevant to the new functions of the SFC. |
Medium |
Accepted |
|
6.2.4 Privacy risks Accuracy of personal data |
The SFC, as the data controller, will be responsible for ensuring that the information they hold about subjects is accurate and up to date. |
Low |
No new impact |
|
6.3.1 Security risks Keeping data securely Retention |
The Bill does not have any impact on the way in which the SFC as data controller stores or retains data. |
Low |
No new impact |
|
6.3.2 Security risks Transfer – data may be lost in transit |
The SFC has powers in the Bill to require data from the persons it funds. The SFC will be expected to advise any persons asked to provide personal data on how that data is to be transmitted to them securely, whether physically or electronically. The Bill gives the SFC the power to issue guidance and this could be used to set out more information on how information is to be provided to them securely. |
Low |
No new impact |
|
6.3.3 Security risks |
The SFC, as the data controller, is responsible for data security and their own risk assessments. The Bill does not directly impact data security or introduce any new security risks. |
Low |
No new impact |
|
6.4.1 Other risks Will this impact on children? |
The Bill is not expected to have any adverse impact on children. Some of the data that the SFC will collect under its new functions in respect of apprenticeships and work-based learning will include data concerning 16 and 17 year olds, and possibly younger children in some circumstances. That depends on the detail of what constitutes work-based learning and what year groups in secondary school are offered it. SDS has experience in securing the delivery of foundation apprenticeships for senior phase (S4 to S6) school pupils. This will form a part of work-based learning. SDS’s experience will help to inform the development of appropriate safeguards. |
Low |
No new impact |
Contact
Email: TETBill@gov.scot
There is a problem
Thanks for your feedback