Carers (Scotland) Act 2016: privacy impact assessment

Updated privacy impact assessment (PIA) conducted for the Carers (Scotland) Act 2016.


Carers (Scotland) Act 2016 Privacy Impact Assessment

Title of Policy

Carers (Scotland) Act 2016 ("the Act")

Summary of aims and desired outcomes of Policy

It is the intention of the Scottish Government that Scotland's estimated 745,000 adult carers and 44,000 young carers [1] [2] should be better supported on a more consistent basis so that they can continue to care, if they so wish, in good health and to have a life alongside caring. In relation to young carers, the intention is similar to that for adult carers but that young carers should have a childhood similar to their non-carer peers.

The Act will realise this ambition by ensuring better and more consistent support for carers and young carers so that they can continue to care, if they so wish, in better health and to have a life alongside caring.

Directors: Division: Team

Directorate for Health and Social Care Integration: Care, Support and Rights Division: Carers Policy Branch.

Information Asset Owner

Jamie MacDougall, Deputy Director, Care, Support and Rights Division

Executive summary

1. The public sector privacy duty requires the Scottish Government to assess the impact of applying a proposed new or revised policy or practice. While this is not a legal requirement to prepare a Privacy Impact Assessment ( PIA) under the Data Protection Act 1998, it is Scottish Government policy to follow the recommendations of the Information Commissioner's Office ( ICO) as being good practice in doing so.

2. This PIA has considered the potential impacts of the Act on the use, sharing and control of personal information. More particularly, this PIA considers the impact of regulation-making powers that Scottish Ministers are using under the Carers (Scotland) Act 2016 ("the Act").

3. This impact assessment is one of a package to accompany the Act. The others are: Childrens Rights and Wellbeing Impact Assessment ( CRWIA); Business and Regulatory Impact Assessment ( BRIA); and Equality Impact Assessment ( EQIA).

4. The original PIA identified possible risks and appropriate solutions or mitigation actions as a result of provisions in the Carers (Scotland) Bill (as it was). This is set out in a table at Annex A with amendments.

5. The Scottish Government has decided to use some of the regulation-making powers in the Act. Where regulation-making powers are not being used the Government may consider these, where appropriate, in the future. Whilst the Act comes into force on 1 st April 2018, certain provisions and regulations have been commenced earlier to enable local authorities to fulfil their duties under the Act. Commencement Orders have been laid in order to enable this to happen.

6. An Implementation Steering Group ( ISG) has been established to help inform successful implementation of the Act and to provide views on draft regulations and guidance. Several other working groups have also been established to help inform implementation of the Act. Further information about membership of the ISG and working groups are described below at Who was involved in this PIA?

Background

Policy Aims

7. It is the intention of the Scottish Government that Scotland's 745,000 adult carers and 44,000 young carers should be better supported on a more consistent basis so that they can continue to care if they so wish, in good health and to have a life alongside caring. In relation to young carers, the intention is similar to that for adult carers, but that young carers should have a childhood similar to their non-carer peers. The objective of the Act is to make real this ambition by furthering the rights of both adult and young carers.

8. The Scottish Government is supporting unpaid adult and young carers through a range of policies as set out in their manifesto and Programme for Government. From 2007/08 to 2016/17 the Scottish Government has invested nearly £136 million towards a range of programmes and initiatives to support these policies.

9. The case for the Act is set out fully in the Policy Memorandum published alongside the Carers Bill [3] on its introduction to the Scottish Parliament on 9 March 2015.

10. The Act provisions closely align with the Healthier, Wealthier and Fairer Strategic Objectives, but also cut across the smarter objective.

11. The Act contributes to the following National Outcomes:

  • We live longer, healthier lives;
  • We have tackled the significant inequalities in Scottish society;
  • We live in well-designed, sustainable places where we are able to access the amenities and services we need;
  • Our children have the best start in life and are ready to succeed
  • We have strong, resilient and supportive communities where people take responsibility for their own actions; and
  • Our public services are high quality, continually improving, efficient and responsive to local people's needs.

Who was involved in this PIA?

12. The implementation of the Act has involved colleagues from within the Scottish Government and a range of external stakeholders.

13. The ISG membership includes carers, carer representatives, local authorities, health boards, COSLA, and other interests including: Care Inspectorate; Healthcare Improvement Scotland ( HIS); and Royal College of General Practitioners Scotland.

14. Stakeholders have had the opportunity to express views about the Act provisions and draft regulations. This includes via:

  • Implementation Steering Group;
  • Working Groups on specific provisions;
  • Monitoring and evaluation Group;
  • Local Carer Leads Group;
  • Stakeholder Development Day and other events;
  • Formal public consultations; and
  • Informal consultations.

15. Some stakeholders have raised concerns about the sharing of personal data across different systems, and consent being given from the care and cared-for person. This is covered at the "General Data Protection Regulation ( GDPR)" section below.

16. The Scottish Government, in partnership with COSLA, have established pilots in nine integration authority areas to test some of the Act provisions before the Act comes into force on 1 April 2018. Pilots focussed on several provisions of the Act including adult carer support plans, young carer statements, local carer strategies and local eligibility criteria. These pilots operated from April to October 2017. An evaluation report was produced which was based on the evidence and data gathered, helping to inform the implementation of the Act, and to encourage sharing of good practice between Health and Social Care Partnerships ( HSPCs).

17. The Scottish Government also invited health boards to submit proposals to test the provision on carer involvement in the hospital discharge of cared-for persons. These pilots have now concluded. Monitoring and evaluation forms to assist with evidence and data gathering have been issued, and an evaluation report will be produced with a view to informing the implementation of the Act.

18. All pilot areas were supported by the Scottish Government. The Scottish Social Services Council ( SSSC) and NHS Education for Scotland ( NES) also supported the relevant pilots.

19. Additionally, the Scottish Government has issued a readiness toolkit in June and November 2017. This is a voluntary framework for: integration authorities; local authorities where children's services aren't delegated; ADES; COSLA and Social Work Scotland to self-evaluate and self-assess local activity and progress which supports implementation of the Act. The aim of the toolkit is to:

  • stimulate strategic discussions, internal challenge and a review of existing plans;
  • map and measure progress leading to commencement;
  • identify areas where more work needs to be done;
  • identify opportunities for sharing learning with other integration authorities;
  • form the basis for further discussion with Chief officers, Directors', health and social care leads, COSLA and Scottish Government.

20. The Scottish Government also published a response to the Carers Bill consultation [4] . This set out a summary of consultation views and shows how those views have informed policy development and the Act provisions.

21. Two public consultations took place in 2017. The first on draft Regulations under sections 10 and 16 of the Act, and on draft Regulations under section 35(4) of the Act. The second consultation invited views on a draft Carers' charter, as provided for under section 36 of the Act. All of the consultation responses received have been analysed and considered to help inform the Regulations to be laid in Parliament, and also statutory guidance.

Scope of the PIA

22. The scope of this PIA is focused on the possible impact on privacy from implementing the provisions in the Act. More particularly, this PIA has been reviewed and updated in readiness of the Act commencing on 1 April 2018.

23. The previous version of the PIA describes all of the provisions which may have an impact on privacy. For the purposes of this review and updated PIA the Regulations (and associated provisions) which have already been laid, and the remaining Regulations laid in February 2018 are included.

24. It is also relevant to consider the context within which the Carers Act will operate and the other policies and strategies underway which aim to ensure safe and appropriate data management, handling and sharing in public services. Information sharing to meet the needs of people, practitioners and organisations, is essential to support Scotland's commitment to integrated, person‑centred care, across health and social care. The Scottish Government's ambition is to drive forward the safe and proportionate use of data for public benefit in which the people of Scotland have trust and confidence.

25. Most of the Act's provisions apply to the public sector. Different organisations have different views and rules to follow on confidentiality and information sharing, and there are differing expectations from the public about how their information is managed. All procedures must comply with the Data Protection Act 1998.

26. To ensure there is a consistent approach to information sharing and management across sectors, the Scottish Government has set a strategic framework, Health and Social Care Information Sharing – A Strategic Framework: 2014‑2020 [5] . Thisprovides a framework of elements and considerations that will guide partnerships in developing their programmes of work within the wider health and social care integration agenda. It sets out a delivery plan of actions and recommendations for the Scottish Government, local partnerships and organisations, as well as for the Information Sharing Board ( ISB), the Local Government ICT Board, and the e-Health Strategy Board with regard to data governance. [6]

27. This strategy sits within the wider Strategic Action Plan for effective and responsible collection, management and use of data across Scottish Public Services [7] , which is governed by the Data Management Board ( DMB). It is aligned with the Scottish Government's digital strategy for Public Services [8] and the DMB's Data Vision for 2020 [9] for Scotland.

28. These strategies and actions are underpinned by common legal, regulatory and guidance frameworks that support the sharing, management and ownership of information, and which provide a consistent level of assurance. This includes:

  • The Data Protection Act 1998 (the DPA) [10] ;
  • The Information Commissioner's Office ( ICO) Data Sharing Code of Practice [11] ;
  • The Public Records (Scotland) Act 2011 [12] – which has specific provisions around data sharing in its model records management plan, so links should be made to local work in compliance with this legislation;
  • The Children and Young People (Scotland) Act 2014 – which makes provision [13] for information sharing by services providers or relevant authorities in relation to the function of the named person and the sharing of a child or young person's information;
  • The Scottish Government's Identity Management and Privacy Principles [14] which provides guidance for all organisations delivering public services in the management of personal data and supports good practice;
  • The promotion of information sharing agreements across health and social care, such as the work undertaken by delivery partners in Fife to develop a Scottish Accord for Sharing Public Information ( SASPI) [15] ; and
  • Work undertaken by the European Union on the new General Data Protection Regulation ( GDPR) [16] , which will also need to be considered.

29. Local authorities, directing authorities, health boards, and Integration Authorities (where delegated) are the Act's primary delivery partners. They are required to have regard to these strategies, as well as to the legal provisions and guidance for data management, when implementing the Act provisions and, for the purposes of this PIA, Regulations as they are currently drafted.

General Data Protection Regulation ( GDPR)

30. The requirement to have a lawful basis in order to process personal data exists under the DPA. The GDPR places more emphasis on being accountable and transparent about an organisation's lawful basis for processing.

31. To process personal data "fairly and lawfully" an organisation needs to identify one condition under Schedule 2 [17] of the DPA, and also Schedule 3 [18] if the data is sensitive (for example health data). From 25 May 2018, Article 6 [19] and Article 9 [20] the GDPR apply accordingly.

32. Under the GDPR, it is mandatory for all public authorities and bodies to designate a Data Protection Officer ( DPO) responsible for ensuring compliance with the data protection law. Consideration should be given to the role and responsibilities of any third sector organisation commissioned to undertake duties under the Carers Act. For example, where they are the data processor acting on behalf of local authorities or the data controller. This is likely to be the case where, for example, a local carers centre completes the adult carer support plan ( ACSP) and young carer statement ( YCS).

33. Under the GDPR an organisation can process personal data without consent if it's necessary for:

  • a contract with the individual: for example, to supply goods or services they have requested, or to fulfil obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
  • compliance with a legal obligation: if the organisation is required by UK or EU law to process the data for a particular purpose, then they can.
  • vital interests: organisations can process personal data if it's necessary to protect someone's life. This could be the life of the data subject or someone else.
  • a public task: if the organisation needs to process personal data to carry out official functions or a task in the public interest – and have a legal basis for the processing under UK law – then they can. If the organisation is a UK public authority, the ICO view is that this is likely to give them a lawful basis for many if not all of their activities.
  • legitimate interests: for a private-sector organisation, they can process personal data without consent if they have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual's rights and interests.

34. The GDPR is covered in the statutory guidance to accompany the Act.

Regulations and possible impacts on privacy

The Carers (Scotland) Act 2016 (Agreements of a Specified Kind) Regulations 2017

Regulations

35. These Regulations provided for under section 1(3)(a) were made on 25 th July 2017, and came into force on 1 October 2017.

36. This is because clear definitions under the Act, including for kinship carers, had to be in place in order for local authorities to undertake their duties under section 22(2) of the Act - 1October 2017 being the start of the 6 month period during which local authorities must set their first local eligibility criteria.

Provision

37. Section 1 describes the key definitions of "carer", "young carer" and "adult carer" for the purposes of the Act.

Possible impact of regulations under section 1(3)(a)

38. The Regulations under section 1(3)(a) specifies that a kinship care agreement under regulation 12 of the Looked After Children (Scotland) Regulations 2009 cannot be viewed as a "contract" for the purposes of the Act.No impact on privacy is expected, as no personal data will be collected specifically for this regulation to be implemented.

The Carers (Scotland) Act 2016 (Prescribed Days) Regulations 2017

Regulations

39. These Regulations provided for under section 22(2) were laid on 16 June 2017, and came into force on 1October 2017.

Provision

40. Section 21 provides that each local authority must set local eligibility criteria to apply in its area. The local eligibility criteria is the criteria by which the local authority determines whether it is required to provide support to meet the identified needs of carers.

41. Section 22 provides that each local authority must publish its local eligibility criteria.

Possible impact of regulations under section 22(2)

42. The intention of this regulation is to prescribe to local authorities (a) that local eligibility criteria should be published within 6 months from 1 October 2017 and (b) that the first review of these criteria should be within three years. No impact on privacy is expected, as no personal data will be collected or shared specifically for this to take place.

The Carers (Scotland) Act 2016 (Adult Carers and Young Carers: Identification of Outcomes and Needs for Support) Regulations 2018

Regulations

43. These Regulations provided for under sections 8 and 14 were laid on 2 February 2018, and will come into force on 1 April 2018.

Provision

44. These Regulations provide for further clarity about the identification of an adult carer's or young carer's personal outcomes and needs for support to be undertaken by the responsible (local) authority.

45. An adult carer's or young carer's personal outcomes and needs for support must be identified through conversation between the responsible (local) authority and the carer. An adult carer's or young carer's personal outcomes and needs for support must be reviewed when the adult carer support plan or young carer statement is reviewed.

Possible impact of regulations under sections 8 and 14

46. The identification of personal outcomes and needs for support are integral to the duty to prepare the adult carer support plan and young carer statement. As well as provision of information to the carer under sections 11 and 17 of the Act, each responsible local authority is required to comply with the Data Protection Act 1998 and the General Data Protection Regulation ( GDPR) from May 2018. Solutions and mitigation set out at Annex A will reduce any adverse impact on privacy as a result of these provisions.

The Carers (Scotland) Act 2016 (Review of Adult Carer Support Plans and Young Carer Statements) Regulations 2018

Regulations

47. These Regulations provided for under sections 10 and 16 were laid on 2 February 2018, and will come into force on 1 April 2018.

Provision

48. These Regulations provide for the "trigger" circumstances in which an adult carer support plan or young carer statement must be reviewed outwith planned review times.

Possible impact of regulations under sections 10 and 16

49. Each responsible local authority is required to comply with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) from May 2018. Solutions and mitigation set out at Annex A, although no impact on privacy is expected as a result of these provisions.

The Carers (Scotland) Act 2016 (Short Breaks Services Statements) Regulations 2018

Regulations

50. These Regulations provided for under section 35(4) were laid on 2 February 2018, and will come into force on 1 April 2018.

Provision

51. These Regulations make provision about the preparation, publication and review of short breaks services statements.

Possible impact of regulations under section 35(4)

52. No impact on privacy is expected, as no personal data will be collected or shared specifically for this to take place.

The Carers (Scotland) Act 2016 (Transitional Provisions) Regulations 2018

Regulations

53. These Regulations provided for under section 43 were laid on 2 February 2018, and will come into force on 1 April 2018.

Provision

54. These Regulations provide for the transition from the provision of support to carers under existing legislation to support provided under the Carers Act.

55. These Regulations provide that existing support to the adult carer or young carer must continue until "trigger" circumstances require an adult carer support plan ( ACSP) or young carer statement ( YCS) to be prepared, as well as the periods within which an ACSP or YCS must be offered to the carer.

Possible impact of regulations under section 43

56. Each responsible local authority is required to comply with the Data Protection Act 1998 and the General Data Protection Regulation ( GDPR) from May 2018. Solutions and mitigation set out at Annex A will reduce any adverse impact on privacy as a result of these provisions.

The Carers (Waiving of Charges for Support) (Scotland) (Amendment) Regulations 2018

Regulations

57. These Regulations provided for under section 87(5) were laid on 2 February 2018, and will come into force on 1 April 2018.

Provision

58. These Regulations ensure that costs incurred by a local authority in the provision of support to a carer are not charged to that carer.

Possible impact of regulations under section 87(5)

59. No impact on privacy is expected, as no personal data will be collected or shared specifically for this to take place.

The Self-directed Support (Direct Payments) (Scotland) Amendment Regulations 2018

Regulations

60. These Regulations provided for under sections 15 and 22(1) of the Social Care (Self-directed Support) (Scotland) Act 2013 were laid on 2 February 2018, and are due to come into force on 1 April 2018.

Provision

61. These Regulations to maintain the requirement that local authorities cannot means test or require a contribution from a carer where carer support is being delivered by way of a direct payment.

Possible impact of regulations under section 87(5)

62. The Scottish Government believes there is no adverse impact on privacy as a result of these provisions.

The Public Bodies (Joint Working) (Prescribed Local Authority Functions etc.) (Scotland) Amendment (No. 2) Regulations 2017

Regulations

63. These amending Regulations were laid on 7 November 2017, and will come into force on 1 April 2018.

Provision

64. These Regulations remove section 3 from the entry for the Social Care (Self-directed support) (Scotland) Act 2013 from the list of enactments in the schedule of the Public Bodies (Joint Working) (Scotland) Act 2014, as this provision is repealed by the Carers Act. It also provides that the functions conferred on a local authority under sections 6, 24, 25, 31, 34 and 35 of the Carers Act are ones which must be delegated to Integration Authorities. This amendment ensures that provisions in the Carers Act are consistent with the way other social care functions have been delegated to Integration Authorities.

Possible impact of regulations under section 87(5)

65. These amending Regulations allow responsibility for a number of local authority related functions for carers to be passed to Integrated Authorities so that they can direct their the way they are carried out, updating existing legislation in order for the Carers Act to function as intended. No impact on privacy is expected, as no personal data will be collected or shared specifically for this to take place.

Further consideration of the Carers (Scotland) Act 2016 and possible impacts to privacy

66. Annex A separately describes the risks identified and appropriate solutions or mitigation actions proposed, updated from the original publication of the PIA.

Processing of data

67. This section refers to the process for data access, storage, transmission, disposal, ownership, management and checking for accuracy. Personal data on adult and young carers as collected as part of existing carers assessment procedures is currently owned and held by individual local authorities and NHS Boards, which have their own data management procedures in place. The responsible authorities' existing procedures for access, storage, transmission, disposal, ownership, management and checking for accuracy will be continued under this legislation.

68. Since the Act's provisions, in general, place no new process requirements on responsible authorities over and above those already in place for data access, storage, transmission, ownership, management and checking for accuracy, it is not expected that new data collection process will be required.

Carer involvement in hospital discharge of cared-for persons

69. Under section 28 of the Act, health boards and relevant partners will need to give regard to the legal requirements (as described below) where there is carer involvement in hospital discharge of the cared-for person.

70. In cases where hospital admission is planned, such as pre-planned operations, the involvement of the carer in hospital discharge may begin before the cared-for person is even admitted to hospital. Discussions with GPs and other professionals in order to plan for the hospital visit should include the carer where appropriate (and where there is the consent of the cared-for person to do so) and any views sought and recorded in relation to hospital discharge, so that the information can be shared at a later date if necessary.

71. There will be unplanned admissions of the cared-for person to hospital. The statutory guidance will make clear that it is good practice for the health board to keep a record of how and when they inform the carer of the intention to discharge the cared-for person.

72. It is good practice for health boards to keep a record of the views of the carer in relation to the hospital discharge of the cared-for person. This might be recorded, for example, as part of the cared-for person's notes.Professionals will need to be aware of the various legal requirements around confidentiality and the sharing of patient information in cases where the patient (the cared-for person) refuses to give consent to have a carer informed of the intention to discharge.

Legal basis for data sharing with partners

73. Implementation of provisions in this Act will involve the collection, retention, and sharing of personal data. As discussed above, the responsible authorities will be required to carry out their functions under the Act in a manner that respects both the common law duty of confidentiality, the requirements of the DPA and the right to respect for private and family life under Article 8 of the ECHR.The table at Annex A consolidates the potential risks posed to privacy under the Act provisions and summaries the proposed actions to mitigate any possible risk.

74. An independent analysis of consultation responses undertaken by Why Research [21] and the Scottish Government's response [22] to the Carers (Scotland) Bill consultation were published on 4 March 2015.

75. Only two respondents, both local authorities, commented on the risk to privacy for the proposed provision relating to the identification of carers and young carers and possible provisions in relation to a GP Register. One respondent suggested that data protection should be carefully considered if this proposal were to be included in legislation. There was also a suggestion that the integration of Health and Social Care would cover any issues arising from the sharing of personal information as part of the management of GP Registers. It is right that the Scottish Government notes the responses received to the public consultation, but as this proposal was not included as a provision within the Act, no further action is required.

Authorisation and publication

The PIA report should be signed by your Information Asset Owner ( IAO). The IAO will be the Deputy Director or Head of Division.

Before signing the PIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust, has addressed all the relevant issues and that appropriate actions have been taken.

By signing the PIA report, the IAO is confirming that the impact of applying the policy has been sufficiently assessed against the individuals' right to privacy.

The results of the impact assessment must be published in the eRDM with the phrase "Privacy Impact Assessment ( PIA) report" and the name of the project or initiative in the title.

Details of any relevant information asset must be added to the Information Asset Register, with a note that a PIA has been conducted.

I confirm that the impact of the Carers (Scotland) Act has been sufficiently assessed against the needs of the privacy duty:

Name and job title of a Deputy Director or equivalent:

Jamie MacDougall

Deputy Director

Care Support and Rights Division

Date this version authorised:

20 March 2018

Contact

Back to top