Work Able Scotland: privacy impact assessment
Privacy impact assessment for our Work Able Scotland programme, which will provide employability support for people at risk of long term unemployment as a result of a health condition.
6. The Data Protection Act Principles
Principle 1
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
6.1.1 The purpose of the project has been identified and set out in March 2016 in Creating a Fairer Scotland: A New Future for Employability Support in Scotland ( http://www.gov.scot/Resource/0049/00498123.pdf)
6.1.2 Individuals will be told about how WAS contracted providers will use their data at their initial interview, where they will be provided with WAS referral form and Training Agreement.
6.1.3 The conditions for processing which apply are:
- Condition 5(c) of schedule 2 (that the processing is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department); and
- condition 7(1) (c) of schedule 3 (that the processing is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department, for the processing of any sensitive data).
6.1.4 We are relying on the customer's consent to share information in order to:
- Allow data to be shared with employers
- Allow data to be shared with other training providers, although this is expected to happen rarely.
- Allow the use of case studies and good news stories for marketing purposes
- Allow a Leavers Plan to be shared with DWP
- Enable customers to be invited to take part in evaluation activities (see paragraph 6.1.7.)
6.1.5 Consent will be collected by DWP work coaches when making a referral to the WAS contracted providers and by WAS contracted providers at a later stage if additional consent is required for the purposes set out at paragraph 6.1.4.
6.1.6 The evaluation of transitional services forms an integral part of the service delivery offer for WAS and so all data processing in relation to evaluation activity is covered at sign up to the service. We are commissioning external research consultants to evaluate both service delivery processes and customer outcomes for WFS and WAS. In line with SG Social Research Guidance, this will involve completing a separate Privacy Impact Assessment and Ethics review of the commissioned evaluation activity. We will also seek informed consent from WAS customers to contact them directly (or through contracted researchers acting on our behalf) to participate in specific evaluation activities (e.g. a telephone interview or discussion group).
6.1.7 Participation on the programme is not dependent on giving consent to additional processing, where processing which is not a requirement for delivering the programme. Where the customer withholds or withdraws consent to share information as noted at paragraph 6.1.5, this will not affect their entitlement to access the services provided through Work Able Scotland.
6.1.8 With reference to the Human Rights Act,
- The actions will not interfere with the right to privacy under Article 8.
- The social need and aims of the project have been identified.
- The actions are a proportionate response to the social need.
Principle 2
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
6.2.1 The Employability Programme Plan for 2017 transitional services covers all of the purposes for processing personal data.
6.2.3 No potential new purposes have been identified as the scope of the project expands. Going forward any potential new purposes would be fully considered in line with our Data Protection obligations.
Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
6.3.1 The information we are using of good enough quality for the purposes it is used for and is subject to internal DWP and SDS quality control.
6.3.2 All personal data is required to deliver the project.
Principle 4
Personal data shall be accurate and, where necessary, kept up to date.
6.4.1 We are not procuring new software. The software we are using allows data to be amended when necessary.
6.4.2 Personal data is gathered by DWP under their existing processes and subject to DWP internal quality control. Personal data gathered by WAS contracted providers in order to deliver the service and in order to carry out the activities listed at paragraph 6.1.4 will be gathered directly from the customer.
Principle 5
Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.
6.5.1 The personal data will be retained in line with current DWP practice. WAS contracted providers will be required to retain personal data for three years following the end of contract period.
6.5.2 Existing software allows deletion of information in line with retention periods.
Principle 6
Personal data shall be processed in accordance with the rights of data subjects under this Act.
6.6.1 Existing systems will allow us to respond to Subject Access Requests, which will be dealt with in line with the arrangements set out in the Service Level Agreement between DWP and SG in respect Of Work Able Scotland.
6.6.2 Participation on the programme is not dependent on the customer giving consent to their personal information being used for marketing purposes – see paragraph 6.1.4.
Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
6.7.1 The transfer of personal data between DWP, SDS and WAS contracted providers will be managed via an agreed clerical process. The detail of this process is set out at Annex A.
6.7.2 All SG staff, SDS staff are appropriately vetted and are required to complete annual Data Protection Training. WAS contracted providers are required to follow data protection policy as set out in WAS rules.
Principle 8
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country of territory ensures and adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
6.8.1 It is not expected that the project will require us to transfer data outside of the EEA.
6.8.2 If DWP identifies any offshoring requests that will affect data that are being processed on behalf of SG, SG will be consulted as a stakeholder in DWP's offshoring approvals process.
Contact
There is a problem
Thanks for your feedback