Analysis of written responses to the consultation on social security in Scotland

19. Protecting your information

Identifying Management and Privacy Principles

19.1 The Scottish Government set out its proposals on identifying management and privacy principle in Part 3 of the consultation document.

Question - Should the existing Scottish Government approach to Identity Management and Privacy Principles be adopted for use in our social security system? Please explain your answer.

Table 19.1 Should the existing Scottish Government approach to Identity Management and Privacy Principles be adopted for use in our social security system?
	Yes		No
Respondent group	Number	%	Number	%	Total
Individuals	46	87%	7	13%	53
Organisations	46	96%	2	4%	48
All respondents answering	92	91%	9	9%	101

Note: A full breakdown of responses by respondent group is included in Annex 2 (available to download separately as part of this publication).

19.2 In total, 101 respondents answered the question. The majority (91%) agreed that the Scottish Government's existing approach to Identity Management and Privacy Principles should be adopted. There was overall support from across respondent groups.

19.3 There were 65 respondents who provided an explanation for their answer (38 organisations and 27 individuals). Comments were mostly made by those who answered 'yes'.

Reasons for supporting the existing approach

19.4 Some said that the approach should be used because it was appropriate, sensible, proportionate, consistent, efficient, robust, balanced, low risk and good practice. Some felt it was cost effective, represented best use of resources and minimised duplication.

19.5 Some were happy the approach was used, but gave further advice including:

• recognition that it is impossible to fully guarantee security of data held;
• continuing to hold data in different systems, to provide a degree of privacy;
• providing reassurances about how data will be used by different agencies;
• building confidence in procedures for sharing data, for example, working with GPs around informed consent for data sharing; and
• allowing people to see the data held about them.

Reasons for not supporting the existing approach

19.6 Some felt that the current approach should not be used. The reasons were varied, including:

• the approach is not stringent enough;
• the approach needs to balance data protection with delivery of service, and some people don't receive a good quality service because they need to complete additional forms due to lack of data sharing; and
• the need to recognise that it is hard for non-government agencies to meet the standards needed to communicate securely, as this was expensive.

19.7 Mydex Data Services Community Interest Company provided a very detailed response, suggesting that:

• the approach needs to be extended to comply with GDPR;
• the approach should fit with the Scottish Government's Data Vision for 2020;
• new digital and technical solutions need to be explored, such as personal data stores;
• there is a person-centred approach with personal control over personal data; and
• there is a focus on rebuilding trust around use of personal data, including a transparent debate involving a range of expertise.

Question - If yes, should our existing Identity Management and Privacy Principles be adapted in any way? Please explain how.

Table 19.2 If yes, should our existing Identity Management and Privacy Principles be adapted in any way?
	Yes		No
Respondent group	Number	%	Number	%	Total
Individuals	17	47%	19	53%	36
Organisations	23	77%	7	23%	30
All respondents answering	40	61%	26	39%	66

Note: A full breakdown of responses by respondent group is included in Annex 2.

19.8 In total, 66 respondents answered this question. Most (61%) of those responding thought that the existing Identity Management and Privacy Principles should be adapted. Organisations were more likely to support adaptations than individuals.

19.9 There were 44 respondents who commented on their answer (27 organisations and 17 individuals).

19.10 A few simply explained that they did not feel there was any need to adapt the principles. Those who did feel the Identity Management and Privacy Principles should be adapted gave wide ranging suggestions, including:

• improving information sharing (or considering a central database) to enhance service provision and reduce potential for errors;
• sharing information between Scottish and UK systems, particularly around devolved and reserved benefits;
• balancing controls on access with flow of data;
• putting procedures in place to ensure that carers and advisors can speak on a disabled person's behalf (where this is the wish of the disabled person);
• always offering alternatives to online submission of information, which a few individuals felt presented security issues;
• providing public reassurances regarding information sharing;
• ensuring only senior staff have access to sensitive information;
• prohibiting access to data by any not for profit organisation;
• including a principle of 'personal control over personal data';
• ensuring that informed consent is received before data sharing;
• ensuring that infrastructure supports effective data sharing;
• taking account of other approaches such as Privacy by Design, EU requirements, Digital First, the ICO Privacy Notice, the General Data Protection Regulator, the European Data Protection Supervisor and the MyAccount identity check; and
• recognising the need to eradicate racism and considering equality issues in relation to information sharing.

"The technical architecture of LA's systems and networks may not support the principles and difficulties may arise which could negatively impact on public perception leading to a lack of trust or confidence."
North Ayrshire Council

" CAS supports controlled sharing of information, such as a 'Tell Us Once' system to avoid delays and people being required to give the same information multiple times to the same Agency, or other public sector organisations."
Citizens Advice Scotland

19.11 While some sought to reduce barriers to people speaking on behalf of a disabled person (where desired) the Information Commissioner's Office provided detailed advice on the importance of taking reasonable steps to ensure that any mandate or authority for another specific person or organisation to discuss a particular matter on an individual's behalf is valid, clearly described what can be discussed and there are checks to ensure that the individuals are who they say they are.

"The Scottish Public Service Ombudsman's Office have procedures in place which enable carers, advice and advocacy workers to speak on the disabled person's behalf. The Scottish Government should adopt similar procedures to remove unnecessary barriers being placed on those attempting to advocate on disabled people's behalf."
Inclusion Scotland

"Failure to do so presents a risk of unlawful disclosure of personal information, which would be a breach of the seventh data protection principle."
Information Commissioner's Office

Question - Who do you consider should be consulted in regard to the Privacy Impact Assessment and what form should this take?

19.12 There were 59 responses to this question (33 organisations and 26 individuals). Most respondents gave ideas about who should be consulted including:

• public sector bodies - including local authorities, NHS, community planning partners, health and social care organisations, housing organisations, JobCentres, the DWP, Scottish Government, Child Poverty Action Group and others who may be involved in data sharing;
• members of the public - including claimants, patient groups, equalities groups, Disabled People's Organisations, religious and community groups, carers organisations and citizens more generally, with a few respondents emphasising the need to proactively engage with those who may be disadvantaged or excluded;
• advice and advocacy organisations - including Citizens Advice Bureaux, advocacy organisations and human rights charities;
• legal and data experts - including lawyers, the Information Commissioner, the European Data Protection Supervisor, IT providers and other experts in privacy or data security; and
• others including the media and academics.

"It is important that the Scottish Government particularly consult those most likely to experience prejudice and discrimination in information sharing, including minority ethnic groups."
Coalition for Racial Equality and Rights

19.13 A few respondents indicated that they would welcome a public consultation on the Privacy Impact Assessment.

Question - What are your views on privacy issues that may affect the new agency?

19.14 There were 54 responses to this question (29 organisations and 25 individuals). The views emerging were varied, and included:

• safeguarding personal details - including meeting Data Protection requirements, secure; systematic and robust data sharing; taking a 'Privacy by Design' approach; using data independence and data portability approaches; and making no attempt to create a single database;
• access on a 'need to know' basis - balancing data protection and principle of dignity and respect; gathering minimum data necessary; procedures built in to limit the effects of racism or prejudice; clear guidelines on information sharing between DWP and SSSA; and adopting best practice and learning from others;
• customer service - ensuring that data is available to meet needs and to improve delivery of services;
• accountability and skills - tracking who has access to data; and providing training in principles and boundaries of information sharing; and
• personal control over personal data - ability to see own personal data and challenge what is held; ensuring informed consent procedures are clear; and building public support and trust.

"A person's privacy should be sacrosanct and protected at all times. Staff must be trained to understand this and to conduct themselves in such a way as to respect the individual at all stages of the process."
Individual

"Confidentiality - information should only be seen by people who are authorised to access it.

Integrity - information should only be modified by people who are authorised to do so. Availability - information should be available when needed (problems or attacks shouldn't stop information being retrieved from the system).

Non-repudiation - nothing should happen in a system that can't be traced back to a responsible person."
Midlothian Community Planning Partnership/ Midlothian Council

19.15 A few respondents highlighted the potential impact of EU regulations.

"The General Data Protection Regulation (Regulation EU 2016/679) which aims to strengthen and unify data protection for individuals within the EU may have an impact depending on the terms under which the UK leaves the EU."
Aberdeenshire Council

19.16 A few highlighted the importance of effective data sharing, to ensure a smooth transition to the new social security system and minimise delays and hardship experienced by individuals. A few individuals expressed particular concern about the potential for online theft of personal details, or the selling of personal data to private companies.

Questions - Do you perceive any risks to the individual? What solutions might be considered to mitigate against these?

19.17 There were 60 responses to this question (34 organisations and 26 individuals). The main concern was about the risk of data being lost, illegally accessed or accidentally shared and being used for the purposes of fraud, scams or theft. A few individuals were very worried about the potential for identity fraud, other theft, vendettas or harassment as a result of personal data not being secure. A few respondents highlighted particular concern about potential experiences of bigotry, racial discrimination and personal vendettas. There was also some concern that agencies could use data beyond the purposes it was intended for.

19.18 A few respondents felt that with data being shared across agencies there was the potential for it to be wrong, out of date or for mistakes to be made.

19.19 The main solutions suggested to mitigate against these were:

• limiting access to data through security privileges and network controls;
• clear data sharing guidance, systems and checks;
• taking a Privacy by Design approach;
• informed consent, with individuals fully aware of the implications of sharing data and not being required to do so if they do not wish to;
• only keeping data as long as it is needed;
• giving people access to the data held about them;
• de-identification of data where possible; and
• accredited data safe havens.

Better information sharing

19.20 The Scottish Government set out its proposals on better information sharing in Part 3 of the consultation document.

Question - Would you support strictly controlled sharing of information between public sector bodies and the agency, where legislation allowed, to make the application process easier for claimants? Please explain your answer.

Table 19.3 Would you support strictly controlled sharing of information between public sector bodies and the agency, where legislation allowed, to make the application process easier for claimants?
	Yes		No
Respondent group	Number	%	Number	%	Total
Individuals	42	82%	9	18%	51
Organisations	55	96%	2	4%	57
All respondents answering	97	90%	11	10%	108

Note: A full breakdown of responses by respondent group is included in Annex 2 (available to download separately as part of this publication).

19.21 In total, 108 respondents answered this question. Most respondents (90%) said they would support strictly controlled sharing of information between public sector bodies, where legislation allowed, to make the process easier for claimants. Organisations were slightly more supportive of this than individuals. There was overall support from across respondent groups.

19.22 Further explanation for their answer was provided by 84 respondents (51 organisations and 33 individuals).

19.23 Many felt that data sharing would make the process easier through:

• making the application process simpler - reducing the number of forms to complete, encouraging more comprehensive responses through a single form and through this maximising access to benefits;
• enhancing the user experience - reducing stress and frustration, reducing the need for people to repeat their circumstances which can be difficult and may result in errors or inconsistencies as people forget; and
• making the process faster and saving time and money.

"Applicants have highlighted the need to make the Scottish social security system easier to access and use - sharing data across public sector bodies is one way in which this can be realised."
COSLA

"Anything that could take the application process down from tortuous to manageable would be worthwhile."
Individual

19.24 Many respondents also highlighted the importance of informed consent, and being able to choose whether data is shared about you or if you take control over sharing your own information. A few respondents felt that it was vital that sensitive data could be protected and not shared - for example, about domestic abuse or HIV status.

"Sharing medical records means that very sensitive personal information, including experience of rape and sexual assault, female genital mutilation, domestic abuse, child sexual abuse, and that of terminating one or more pregnancies will be accessed by more people. This has the potential to function as a significant breach of privacy, dignity, and wellbeing of survivors. Organisations such as Rape Crisis Scotland and Scottish Women's Aid should be consulted during the design of information sharing systems."
Engender

Question - Would you support strictly controlled sharing of information between a Scottish social security agency and other public sector organisations (for example local authorities) to support service improvements and deliver value for money? Please explain your answer.

Table 19.4 Would you support strictly controlled sharing of information between a Scottish social security agency and other public sector organisations (for example local authorities) to support service improvements and deliver value for money?
	Yes		No
Respondent group	Number	%	Number	%	Total
Individuals	34	69%	15	31%	49
Organisations	49	91%	5	9%	54
All respondents answering	83	81%	20	19%	103

Note: A full breakdown of responses by respondent group is included in Annex 2 (available to download separately as part of this publication).

19.25 In total, 103 respondents answered this question. The majority of respondents (81%) said they would support strictly controlled sharing of information between a Scottish social security agency and other public sector organisations to support service improvements and deliver value for money. Organisations were more supportive of this than individuals. There was broad support from across respondent groups.

19.26 Further explanation was provided by 83 respondents (51 organisations and 32 individuals).

19.27 Respondents largely reiterated their responses to the previous question, emphasising that sharing of information had the potential to enhance the user experience, provided it is undertaken with clear consent and strong safeguards.

"Yes - data sharing will become increasingly important as we move towards not only the Scottish social security system but across public sector organisations more generally as Public Service Reform continues in years to come."
COSLA

"Only in certain circumstances and always with the full consent of the claimant."
Individual

19.28 Some new issues arose, particularly in relation to information sharing with local authorities. A few individuals had particular concern about privacy if their information was shared with their local authority, with some concerns about trust and competence. A few respondents suggested sharing information with a small number of trusted individuals.

"A suggestion would be to expand the "Apollo list" whereby an agreed list of advisors can access information. The Apollo list has to be updated and accurate to allow this to happen."
NHS Lanarkshire

"Whilst we recognise the value of sharing information that has already been collected and recorded, there are serious issues around confidentiality and consent that must be taken into account. Patients must feel able to speak to their doctor or any other health professional without concern that this information will be shared without their consent."
British Medical Association Scotland

Digital First

19.29 The Scottish Government set out its proposals on Digital First in Part 3 of the consultation document.

Question - What are your views on having the option to complete social security application forms online? Can you foresee any disadvantages?

19.30 In total, 109 respondents gave their views (67 organisations and 42 individuals).

19.31 A large number of respondents were supportive of the option to complete social security application forms online, provided this was an option and not a requirement. Some emphasised that online application should be one of a range of options - and that it should not be the main or default option. However, a few felt that it could be the main option, with support for those who experienced barriers or challenges to online application.

"I would be happy to do this at present but feel options should be available for those who either cannot physically do this or merely dislike this process."
Individual

"The Scottish Government should make any changes it can to the Universal Credit process and not choose the "digital by default" option for the new Scottish social security system."
Disability Agenda Scotland ( DAS)

19.32 The main disadvantage that respondents identified related to access to the internet. There were concerns about:

• access requirements and costs for disabled people;
• digital access in rural areas;
• publicly accessible internet having time limits in place;
• online security for women experiencing domestic abuse;
• IT skills and anxiety when using IT; and
• exacerbating a divide, with those less likely to have the access, skills and support for using online systems then less likely to access benefits.

19.33 A few respondents felt that there would need to be investment in internet access and support in order to support this approach.

"Having the ability to complete application online is critical if social security in Scotland is to keep pace with other parts of both public/private service provision. However, resources will need to be made available to local authorities and advocacy groups to support vulnerable people and the digitally excluded to access online services."
East Lothian Council

19.34 Some respondents had concerns about technical and security issues, including:

• practical issues like being able to save the document, print it, re-access a copy of it online, and provide supporting documentation;
• people being subject to fraud and theft;
• personal information being disclosed by accident or security breach; and
• the social security system being more subject to fraud - with less checking of information in person.

"Any such solution would have to be fully secure and we would expect the Scottish Public Sector Information Security Group to have been consulted in the process to provide us with the required assurances."
North Ayrshire Council

Question - What are your views on the new agency providing a secure email account or other electronic access to check and correct information for the purposes of assessing applications (noting that any such provision would need to be audited and regulated so that the security and accuracy of the information would not be compromised)?

19.35 There were 85 responses to this question (50 organisations and 35 individuals).

19.36 Many respondents felt that this approach would be effective, and could speed up decision making, reduce paperwork and enable a quick check of information to ensure it was accurate. These respondents supported a secure email account (or similar) provided it was secure and was provided as an option rather than a requirement.

19.37 Many respondents had concerns about this approach, and reiterated concerns about digital access and support requirements for many. There were also concerns about security and fraud; lack of personal contact; a high potential for error; difficulties remembering passwords; nervousness about a 'state email'; and examples of previous negative experiences of similar situations.

"You need to use secure email alongside other non-digital material. Learn from the errors made in Universal Credit and how uncomfortable many clients feel with the over reliance on IT - do not make these same mistakes, otherwise you will lose the trust of the Scottish people."
Individual

19.38 Some respondents, mainly local authority respondents and COSLA, pointed to the range of approaches being piloted by local authorities which could be learned from. Others pointed to existing approaches like MyAccount, the Universal Credit email system, the Gov.uk verification system and local CRM accounts which they felt could be used or linked. A few cautioned that it was important that individuals were not required to maintain multiple secure email accounts and passwords, for example, to access devolved and reserved benefits.

19.39 Some respondents said that they were not clear what was meant and that they would need more information to be able to comment.