Social Security (Amendment) (Scotland) Bill: data protection impact assessment

2. Introductory information

2.1 Summary of proposal

An overview of the proposals included in the Bill and the specific aim of each policy is set out below.

Taking a regulation-making power for childhood assistance

New enabling powers are provided within the Bill, allowing the Scottish Ministers to make regulations for childhood assistance, which will help towards meeting some of the costs associated with having a child in the family. Scottish Ministers intend to use the new powers for childhood assistance in due course as a new legislative footing for Scottish Child Payment (SCP) to allow better alignment of Social Security Scotland benefits.

SCP is currently delivered under s79 of the 2018 Act^[5] as a ‘top-up’ where an individual is receiving a qualifying UK Government benefit.^[6] Placing the payment on a new legislative footing will offer the opportunity for greater alignment across the five family payments (including the Best Start Grants and Best Start Foods) and will afford flexibility in the way the payment is delivered in the future.

This proposal will be used in future to change the legislative footing on which the payment is based, but will not result in any change to the data collected, which was previously consulted on with ICO. Regulations resulting from this provision in the Bill could in future lead to the collection of some additional data relating to clients’ personal circumstances which goes beyond the data currently gathered by Social Security Scotland. Further consideration will be given to the impact on data protection in future during the development of regulations.

Financial support for people with care experience

A provision will be included in the Bill allowing Scottish Ministers to create, by way of regulations, financial support for people with care experience. The current intention is that these powers will be used initially for a payment called the Care Leaver Payment (CLP).

The CLP will fulfil the commitment made in the Promise Implementation Plan published in March 2022 to ‘provide some additional financial security for young people with care experience and will help reduce some of the financial barriers that young people face whilst moving on from care and into adulthood and more independent living’.

The delivery of this assistance will involve the collection and processing of applicants’ personal information. Information will be gathered relating to people’s care experience. It is proposed that this information will be gathered through an application process but data sharing with local authorities could also be involved.

A 12 week public consultation will be held in late 2023 covering the policy intent and eligibility criteria of a care leaver payment and the broader package of support for people who have experience of being in care, which is separate to the provision included in the Bill.

Secondary legislation will be required to set out the eligibility criteria, the application process and the delivery body for this assistance. The impacts on data protection will be further considered during the development of those regulations.

Making amendments to coronavirus (COVID-19) measures introduced in 2020

In 2020, due to the coronavirus (COVID-19) pandemic, sections 52A and 52B were amended into the 2018 Act by the Coronavirus (Scotland) Act 2020.

Section 52A means requests for re-determinations must be considered valid beyond the maximum period of one year prescribed by the 2018 Act, where the reason for delay was related to COVID-19. Section 52A also allows for appeals to be brought beyond the maximum prescribed period of one year, where the Tribunal gives permission on the basis of being satisfied that the reason for the delay was related to COVID-19. Section 52B allows a late application to be treated as being made within the prescribed period for a given benefit under Chapter 2 of the 2018 Act, where the reason for delay was related to COVID-19.

The provisions in the Bill will give Social Security Scotland discretion to accept late requests for re-determination beyond the one-year prescribed period on the basis of ‘exceptional circumstances’, rather than only COVID-19. The provisions in the Bill will repeal section 52A of the 2018 Act and allow appeals to be brought, with the permission of the Tribunal, beyond the one-year prescribed period on the basis of ‘exceptional circumstances’, rather than only COVID-19. Provisions in the Bill will remove section 52B from the 2018 Act and revert application periods to existing pre-COVID deadlines.

The proposal allowing Social Security Scotland to give permission for re-determination requests beyond a year in exceptional circumstances builds on existing processes and does not have implications for data protection.

The reason for the lateness of the re-determination request could involve medical or personal data about the exceptional circumstances. If the exceptional circumstances are accepted, processing the late re-determination may also involve the processing of new supporting information provided by the client or a third party.

This introduces no new processing of personal data; existing Social Security Scotland systems and processes will be used to handle this type of processing.

There are no implications for data protection arising from the provision to repeal section 52B.

Withdrawing a request for re-determination

Under the 2018 Act, where a determination of entitlement to assistance is made, an individual has a right to a re-determination. If a client asks for a re-determination, the Scottish Ministers are under a statutory duty to make a new determination. A client cannot subsequently withdraw their request for re-determination, even if their circumstances have changed since making their request, or if they have otherwise changed their mind.

The Bill includes provision enabling clients to withdraw a re-determination request if they no longer wish to challenge the decision. This policy builds on the person-centred, rights-based approach already adopted for challenge rights in line with the Scottish social security principles and the Social Security Charter (‘the Charter’).^[7]

Completing re-determinations beyond the period allowed

Where a re-determination is not completed by the Scottish Ministers in the timescales set out in the relevant regulations, the re-determination becomes out-of-time and the client is notified that they have a right to appeal to the First-tier Tribunal (Social Security Chamber) without waiting for the re-determination to be made. The Scottish Ministers are, at that point, no longer under a duty to make the re-determination. However, in practice, they continue to consider the re-determination request.

Provisions are included in the Bill so that the Scottish Ministers remain under the duty to make the re-determination beyond the period allowed, unless the client opts to exercise their right to appeal. This will offer legal clarity in terms of what happens in practice when a re-determination runs late.

These provisions relating to re-determinations may involve the processing of supporting information provided by the client. However, this type of personal information is data that Social Security Scotland already routinely processes in current re-determinations procedures. There will be no new or additional processing of personal information. As these provisions build on procedures which currently take place there are no implications for data protection.

Making a new determination of entitlement whilst there is an ongoing appeal

Under the 2018 Act, Scottish Ministers cannot make a new determination after a valid appeal has been brought, even if an error has been identified, or new evidence received, which shows that a client has been underpaid, or not received an award that they were entitled to. The appeal must continue unless it is withdrawn by the client.

In instances where the Scottish Ministers recognise that an individual should have received a higher, or more advantageous, award, the provisions in the Bill allow a new determination to be made after an appeal has been lodged and the appeal to stop as a result. The new determination can only be made if the client agreed, and will come with challenge rights.

These provisions build on existing processes utilising current systems and technology. Clients (or third parties) may provide additional supporting information but this personal data is already routinely processed by Social Security Scotland on behalf of Scottish Ministers during current re-determinations processes and shared with Scottish Courts and Tribunals Service during current appeal procedures. This process has been privacy and risk assessed when first introduced. Relevant operational DPIA and data sharing agreements are in place in line with ICO data sharing code of practice.

Appeal to First-tier Tribunal against process decisions

The 2018 Act provides at section 61 that individuals can appeal to the First-tier Tribunal for Scotland against certain decisions made by the Scottish Ministers on the process of applying for benefits, or the process of challenging determinations.

The provisions in the Bill set out the powers of the Tribunal to uphold or set aside decisions in process appeals, and the effect of a Tribunal decision in a process appeal. The Bill also sets out further circumstances in which a process appeal may be raised, to include the new types of process introduced by the Bill.

The provisions about process appeals serve to clarify current processes and do not have any implications for data protection. There is no new processing of personal information, the current Redetermination and Appeal process has been assessed and an operational DPIA is held. This is a living document and is reviewed regularly.

Overpayment liability and challenge rights

Under the 2018 Act, a client has a statutory liability to repay any overpayment made in error, except where they did not cause or contribute to that error, and if it was the sort of error a person could not reasonably be expected to have noticed.

Liability of individual/individual’s representative for assistance given in error

The provisions in the Bill set out that liability extends to clients who have a representative acting on their behalf, except where the representative uses the assistance for a purpose which is a breach of their duties or responsibilities, in which case the representative will be personally liable.

Where an overpayment is made in respect of a person who has a representative acting on their behalf, Scottish Ministers’ policy is that it should be repaid by the person who benefitted from it. That could be the entitled individual or their representative , if they have not acted in good faith. This policy is not yet on a statutory footing and a contractual liability has been imposed for representatives through use of declarations and letters.

The provisions in the Bill will broaden statutory liability to entitled individuals who have benefitted from an overpayment, even where it was the fault of their representative. Where a representative has acted in bad faith and/or used the money for their own personal gain, liability will fall to them instead. As this is merely a change of legal basis, the personal data handled by Social Security Scotland will remain the same.

Challenging decisions about liability

Currently, where Social Security Scotland determines that an overpayment has occurred, it makes a new determination on a client’s entitlement to benefit. Although this new determination will bring re-determination and appeal rights if the client wants to challenge the decision, there is not any formal right to challenge the decision that an individual is liable to repay the overpayment.

The provisions in the Bill also introduce a right to a review (followed by a right to appeal to the First-tier Tribunal for Scotland (Social Security Chamber)) against a finding of liability for an overpayment. The further review and appeal provisions in part 6 of the Tribunals (Scotland) Act 2014 will also be available.

These provisions improve existing processes. Currently where a person is found liable for an overpayment they can ask Social Security Scotland, acting on behalf of Scottish Ministers, to review that decision. If, following the review, the decision remains unchanged and the person still disagrees that they are liable for the overpayment, they would currently need wait for Social Security Scotland to enforce the recovery and raise a defence to a Sheriff Court recovery action or deduction determination raised by Social Security Scotland.

The provisions in the Bill seek to create a new statutory right to proactively challenge the liability decision mirroring the process for other challenges against Social Security Scotland determinations (redetermination and appeal), and avoids the delay and expense of potentially lengthy and stressful Sheriff court proceedings.

Personal data collected by Social Security Scotland on behalf of the Scottish Ministers is already routinely shared with the Scottish Courts and Tribunal Service for the purposes of processing appeals of entitlement. These new challenges will include largely include the same types of information.

When the provisions are commenced the sharing of data will be necessary for the performance of a task carried out in the public interest and in the exercise of official authority vested in the controller in terms of Article 6(1)(e) of the GDPR. Where special category data is processed, this will only be where necessary for the establishment, exercise or defence of legal claims and/or whenever the tribunal is acting in a judicial capacity in terms of Article 9(f) of the GDPR. A Data Sharing Agreement in respect of appeals is already in place and it is expected this new challenge right could either be added or a broadly similar agreement be reached.

Recognising Appointments made by a Minister of the Crown

Where a person lacks capacity to manage their own financial affairs, the Department for Work and Pensions (DWP) and Scottish Ministers both have provisions that allow them to appoint a person or organisation, known as an appointee, to act on that person’s behalf.

Due to differences in the law and the processes that govern appointments in Scotland and the rest of the United Kingdom, a DWP appointee – which is an appointment made by a Minister of the Crown – cannot automatically be treated as equivalent to an appointee under the 2018 Act.

The Bill will introduce powers for Scottish Ministers to make provision in regulations prescribing circumstances in which a DWP appointee may be treated as though they had been appointed by Scottish Ministers to act on a client’s behalf, pending an assessment by Social Security Scotland.

DWP currently share appointee information with Social Security Scotland who act on behalf of Scottish Ministers. Secondary legislation will set out the circumstances where Social Security Scotland may accept a DWP appointee. Further consideration will be given to the impact on data protection in future during the development of these regulations.

Liability of appointees

Currently, there is no provision within the 2018 Act with the effect that an appointee will be liable to account to the individual for any mismanagement of the individual’s property (either in relation to children or adults). There are provisions respectively, in terms of the Children (Scotland) Act 1995 and the Adults with Incapacity (Scotland) Act 2000, which make other types of representatives liable to the individual for mismanagement of their property.

The Bill provides that an appointee will be liable to account to the individual for whom they were appointed, for their use of the individual’s funds outwith their authority or power, or after having received intimation of the termination or suspension of their authority or power to intervene. They are to be liable to repay the funds to the account of the individual. No liability will be incurred where the appointee acted reasonably and in good faith in their use of the individual’s funds.

Any dispute arising under these provisions would be a private dispute between the individual and their representative and as such no personal data would be handled by Scottish Ministers or Social Security Scotland on their behalf.

Information for audit of the social security system

Social Security Scotland need to produce effective measurements and estimates of the extent of client error, official error, and fraud as assurance that the social security system is efficient and delivering value for money in line with the Scottish social security principles.

Currently Scottish Ministers can only request that people provide information for the specific purpose of determining an individual’s entitlement to social security assistance, where :

• a person applies for assistance for the first time;
• a person reports a change in their circumstances;
• a review of entitlement has been scheduled by Scottish Ministers; or
• a review of entitlement is needed because new information has come to light that may indicate there has been change of circumstances.

Provisions in the Bill will give Scottish Ministers powers to require individuals to provide information when reasonably requested to do so, in order to review their entitlement for the purposes of audit. Safeguards will be built in to ensure that where a person has good reason they might be exempted from the process.

This proposal will initially use personal data already held by Social Security Scotland to select cases for review. Once selected any new information gathered will be of the same type as that collected routinely when deciding a person’s entitlement to the benefit in question. Each form of assistance has a separate DPIA which is regularly reviewed and the DPIA will be updated to reflect any new processing.

The outcomes of these exercises will be recorded and anonymised for use in statistics. For transparency the Social Security Scotland privacy notice does advise data subjects that data is processed for statistical purposes and to carry out quality and compliance monitoring.

Where anomalies are discovered in individual cases such as overpayments, underpayments or fraudulent activity, Social Security Scotland will follow business as usual procedures which are already subject to their own DPIA. Existing DPIAs are reviewed regularly as are all data sharing agreements. If as part of the audit processes, further information is required to determine whether an individual's entitlement is still correct.

Recovering Scottish social security assistance from awards of compensation

A person affected by accident, injury, or disease due to the fault of a third party may be entitled to compensation. Depending on the nature of their accident, injury, or disease they may also be entitled to social security assistance. The Scottish Government believes that a third party’s legal obligation to fully compensate those they have harmed should not be subsidised by Scotland’s social security system.

The provisions in the Bill allow the Scottish Government to recover relevant forms of Scottish assistance from awards of compensation, avoiding the risk of a person being ‘doubly compensated’ for the same incident. The policy on compensation recovery is consistent with the responsibilities in the Scottish Public Finance Manual^[8], and aligns with the Scottish social security principle that the Scottish social security system is to be efficient and deliver value for money.^[9]

As a result of the provisions in the Bill compensators will be required to collect data regarding the injured party with the data subject’s permission and submit this to the administrator of the Scottish compensation recovery scheme. Once this information has been submitted, Social Security Scotland will be required to share data with the scheme administrator. This data will include Special Category data - health. There will be no requirement to process any criminal offence data.

The scheme administrator will use this data to generate a certificate of recoverable assistance and a copy of this will be provided to both the compensator and the data subject or their legal representative. The legal gateway for this data being shared with compensators will involve utilising section 85 of the 2018 Act, where at subsection (5) the Scottish Ministers can supply information held for a social security purpose to persons specified at section 85(2), which does not currently include compensators. In order to use this, there will be a requirement to make regulations to add compensators to the list of persons at section 85(2) to whom information can be given under section 85(5). This will likely be by amendment of the Social Security Information-sharing (Scotland) Regulations 2021/178.

The new provisions within the Bill will not require any new personal data collection from the clients by Social Security Scotland as the data to be shared was previously collected to determine the clients award of assistance. Social Security Scotland are developing an operational data protection Impact Assessment, this will provide low level process and impacts all data processing, including the data sharing mechanism.

Making changes to the remit and status of the Scottish Commission on Social Security

The Scottish Commission on Social Security (SCoSS) reviews certain social security policies, by way of consideration of draft regulations, and provides the Government and the Scottish Parliament with scrutiny reports on each piece of legislation it reviews.

The provisions in the Bill expand the types of regulations that SCoSS is able to review, and replace the requirement for SCoSS to prepare accounts for external audit, with a requirement to submit an annual report on their work to Scottish Ministers. The Scottish Ministers will then share this report with the Scottish Parliament.

The Bill also removes the status of SCoSS as a body corporate. SCoSS will continue to be recognised as an advisory non-departmental public body which better reflects how it operates in practice.

The proposed changes relating to SCoSS will not have an impact on data protection.

Consideration has been given to each proposal in the Bill and further data protection analysis is required for the proposals intended to: introduce challenge rights for overpayment liability; allow Scottish Ministers to request information for the purpose of audit and recover Scottish social security assistance from awards of compensation.

Each discrete proposal requiring relevant data protection analysis has been analysed individually below.