We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Impact assessment

Children's advocacy in children's hearings: DPIA

Published
11 September 2020
Directorate
Children and Families Directorate
Part of
Children and families, Communities and third sector, Law and order
ISBN
9781800040366

Data Protection Impact Assessment (DPIA) in relation to the the provision of an advocacy service for children and young people going to children’s hearings.

View supporting documents Supporting documents

7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk Scottish Government may not obtain appropriate assurance from service providers that they are aware of and comply with their data protection responsibilities 

Ref ADV1

Solution or mitigation Assurances from advocacy organisations their internal training processes include data protection and GDPR rights and responsibilities as outlined in their Expressions of Interest application.

Result Reduce

Risk Scottish Government as a joint controller of the data may not be made aware if a service provider is subject of a significant data breach within 72 hours

Ref ADV2

Solution or mitigation Grant conditions specify providers have to: “The Grantee shall ensure that all requirements of theData Protection Laws are fulfilled in relation to the Project.” Which includes reporting any potential data breach.  

Result Reduce

Risk Lack of transparency around the processing of data 

Ref ADV3

Solution or mitigation Service providers will provide clients with a privacy notice in hard copy or direct to published version on their website  Client consent will be sought for sharing special category data with partner organisations 

Result Reduce

Risk  Data subjects may not be able to exercise their rights under the GDPR

Ref ADV5

Solution or mitigation Responsibility for facilitating data subject rights will sit with the service providers. Scottish Government will obtain assurances from the providers that have proper procedures and processes are in place to meet these obligations including all staff receive appropriate training. 

Result Reduce

Risk

Scottish Government may receive personal data without legal basis from service providers in their quarterly/annual returns 

Ref ADV8

Solution or mitigation As reports from service providers use quantitative information any numbers of less than 5 will not be reported to ensure identification cannot take place.  Organisations will illustrate themes by use of anonymised case studies.  The potential to receive personal data is minimal but mitigation is in place in the unlikely event of error.

Result Reduce

Contact

Email: CYPAdvocacy@gov.scot

Back to top