Social Security (Amendment) (Scotland) Bill: data protection impact assessment

Information for audit of the social security system

2.2 Description of the personal data involved

Please also specify if this personal data will be special category data, or relate to criminal convictions or offences

This proposal will use personal data already held by Social Security Scotland for the alternative purpose of selecting a subset of cases for review for audit. Once selected most new information gathered will be of the same type as that collected routinely when deciding a person’s entitlement to the benefit in question.

However, the Bill makes provision that where a person has been selected for audit, and they have good reason, they may request that Scottish Ministers deselect them from further participation in the exercise. The reasons provided are likely to be about their personal circumstances and will not necessarily be the type of information routinely held in processing of that benefit. A formal decision about this would be made and the person advised on whether they had been removed from the sample or not. This particular data is only likely to be needed temporarily until the person is either exempted or the audit exercise concludes.

The Bill also provides that Scottish Ministers can prescribe in regulations categories of people who will be automatically exempted entirely from this process, in which case they would be deselected as soon as it was known that particular conditions were met. Those regulations will be subject to their own DPIA in due course.

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons?

If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights, or use of social profiling to inform policy making.

Provision in the Bill gives Scottish Ministers the power to require that individuals receiving benefits co-operate with requests for information in relation to the their award, payment, or entitlement for the purposes of audit. Where they unreasonably fail to do so, their entitlement may be suspended.

If they continue to refuse to provide the information without good reason an unscheduled review of their entitlement, which is a routine activity of Social Security Scotland, may be triggered. This could result in reinstatement at the same rate, an increase, decrease or end to benefit entitlement. Individuals will have re-determination and appeal rights as per current processes if any change is made to entitlement. The re-determination and appeal processes in Social Security Scotland follow established and fully compliant procedures where data-sharing takes place.

Where the person provides the information required and anomalies are discovered such as overpayments, underpayments or fraudulent activity, Social Security Scotland will follow business-as-usual procedures to correct them. Robust existing processes and systems are already in place to manage personal data and mitigate any associated risks within these processes, which are subject to their own DPIA.

The outcomes of audit exercises will be recorded and anonymised for use in statistics, reporting and estimates relating to the regularity of payments in the social security system and the monetary value of error and fraud. These will help Social Security Scotland to identify trends and areas for improvement, ensure individuals are receiving the benefit they are entitled to, and prevent financial losses through prevention and detection of error and crime.

2.4 Necessity, proportionality and justification

What issue/public need is the proposal seeking to address?

Estimating the extent to which error and fraud are present within the caseload of Social Security Scotland is a critical tool in preventing loss to the public finances. Measuring the propriety and regularity of payments in the Social Security System allows Social Security Scotland’s accountable officer to discharge obligations under sections 15(6) and s15(7) Public Finance and Accountability Act 2000.

Audit Scotland has highlighted a need for Social Security Scotland to measure and report as accurately as possible on overall error levels and to take steps to manage them. However, Scottish Ministers and Social Security Scotland have a wider duty to be accountable to the Scottish Parliament and the people of Scotland for the regulatory of expenditure. The proposed powers mandate participation with audit to ensure estimates are robust and reliable, particularly where a person may be acting in bad faith.

What policy objective is the legislation trying to meet?

The 2018 Act is underpinned by the principles that the Scottish social security system is to be designed on the basis of evidence, it should be efficient and deliver value for money, and that opportunities are to be sought to continuously improve.

In addition the Scottish Government believe that the Scottish Social Security benefits should be paid to the right person, at the right amount, and at the right time. All of these require regular estimates to be made of the amount of underpayment, overpayment and fraud, and analysis of underlying the causes.

Were less invasive or more privacy-friendly options considered, and if so why were these options rejected?

An alternative option considered was to request that information is provided voluntarily to support the audit of entitlement. This option was rejected as the sample would be self-selecting rather than a random statistical sample. In addition it is unlikely that individuals acting in bad faith would willingly participate in any process that is likely to scrutinise their entitlement, defeating the purpose of the audit. Without mandatory participation on the part of the individuals selected in a sample, it would not be possible to provide reliable estimates.

Are there any potential unintended consequences with regards to the provisions e.g., would the provisions result in unintended surveillance or profiling?

Data already gathered by Social Security Scotland for their public task to administer the assistance would be used to select participants according to selection criteria devised by statisticians to produce as close to a representative sample of the benefit caseload as possible. The methodology used would in itself be subject to equalities impact assessment as is it further developed.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Legislating to require individuals to provide information to review their entitlement for the purposes of audit is a necessary and proportionate measure.

The sole purpose of the provision is to allow Scottish Ministers to confirm that individuals are receiving the correct amounts and produce reliable estimates of overpayments, underpayments and fraud along with an analysis of the causes. It is therefore in also Scottish Ministers interests that they are supported in as far as possible to provide that information. Entitlement will never be ended without Social Security Scotland having gone to some lengths to secure their cooperation, or without the person having had ample the opportunity to provide a good reason that they should be exempted from the review of their entitlement.

The Bill provides that anyone selected for audit will in addition have access to the same support they would have had in applying for the benefit in question i.e. they will be entitled to have a supporter present during any discussion or assessment, and right of access to independent advocacy where required.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

The implementation of these provisions will be accompanied by internal Social Security Scotland process maps and guidance. Their staff will use these powers on behalf of Scottish Ministers, to select participants and make the request that they provide information for the purpose of audit.

3. Data Controllers

Organisation: Social Security Scotland

Activities: Social Security Scotland acts on behalf of the Scottish Ministers as controller for the personal data processed. Social Security Scotland is an Executive Agency of the Scottish Government. It has the responsibility for managing and administering the benefits that are devolved to Scotland.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, section 7 of the Data Protection Act 2018? : Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing: Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data (Include condition from Schedule 1 or 2 of the Data Protection Act 2018): The Article 9 condition that applies for processing the special category data is (b) Employment, social security and social protection (if authorised by law).

The condition from Schedule 1 of the Data Protection Act 2018 is met if:

(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b) when the processing is carried out, the controller has an appropriate policy document in place.

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018: Not applicable

Legal gateway for any sharing of personal data between organisations, eg as part of existing common interest investigation processes with DWP: Not applicable

4. Consultation

4.1 Have you consulted with the ICO using the Article 36(4) form?

An Article 36(4) form was sent to the ICO prior to publication of the consultation in 2022 and an updated form was sent in August 2023. The Scottish Government has engaged with the ICO and addressed their feedback.

4.2 Do you need to hold a public consultation and if so has this taken place? What was the result?

The Scottish Government is clear that requiring information be provided for the purposes of audit is high priority, fundamental to the functioning of the Scottish social security system and aligns with the practice of other government departments. Stakeholder engagement will take place around the processes put in place by Social Security Scotland when implementing reviews for audit purposes.

4.3 Were there any Comments/feedback from the public consultation about privacy, information or data protection?

As above the Scottish Government has not consulted in relation this power which is necessary to allow Social Security Scotland to fulfil its duties under the Public Finance and Accountability (Scotland) Act 2000.

5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

The proposal will not require the creation of new identifiers but will require the use of existing identifiers held by Social Security Scotland such as National Insurance Number, name or date of birth to select individuals for the purpose of audit.

5.2 Will the proposal require regulation of:

• technology relating to processing
• behaviour of individuals using technology
• technology suppliers
• technology infrastructure
• information security

There are no legislative measures relating to technology.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

No

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g.in relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

The proposal does not introduce any new requirements regarding the collection or storage of data to be used as evidence or use of investigatory powers. Where the use of this power uncovered information that suggested any illegal or irregular activity Social Security Scotland’s existing investigatory powers under the 2018 Act and associated regulations and processes would be engaged which are subject to their own DPIA and the Social Security Code of Practice for Investigations^[10].

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

The proposal will have an impact on people who are receiving assistance from Social Security Scotland. Scottish Ministers may request that they provide information when reasonably requested in order to review their entitlement for the purposes of audit. No additional data over and above the types of data already used by Social Security Scotland for the purpose of determining a person’s entitlement would be gathered or processed.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to views the measures as intrusive or onerous?

No

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling.

No

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Ministers requesting information for the purposes of audit in particular for undertaking exercises to estimate the monetary value of error and fraud is already a standard feature of the reserved benefit system and affects very small numbers of people. It is unlikely, as a result, that the public should view the measures included in the Bill as intrusive or onerous.

The Bill makes provision that where a person has good reason they might be exempted from the process and also provides that Scottish Ministers can, by way of regulations, prescribe categories of people who will be exempted entirely from this process. It also ensures that anyone selected has the right to access the same support measures as they would when making their original application for Scottish benefits i.e. a supporter and/or access to independent advocacy services.

These safeguards ensure that people will not be required to participate in this process where they have a good reason while supporting them to do so, and balancing the need for a sample to be randomly selected in order to produce robust estimates.

No unintended consequences have been identified and this will continue to be reviewed during parliamentary passage. A full operational data protection impact assessment will be undertaken prior to implementation.

5.7 Are there consequential changes to in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

Provision has been made in the Bill for Scottish Ministers to make secondary regulations in respect of those who might be exempt from the audit process , and the form in which information might be sought and required.

5.8 Will this proposal necessitate an associated code of conduct? If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

No

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Social Security Scotland on behalf of Scottish Ministers will handle personal data for the purpose of selecting participants at random for the purpose of requesting information for audit.

Social Security Scotland holds and processes personal data in compliance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Social Security Scotland’s privacy notice details their robust measures to handle and store personal data.

The measures included in the Bill to request information for audit will usually ask individuals to share information of a type already listed in the examples of personal data that Social Security Scotland might collect. They will also have access to the same support as any other person applying for Scottish social security benefits, throughout the audit process.

In exceptional circumstances where a person refuses to comply with requests for information or with the unscheduled review process that is triggered as a result, they will have full redetermination and appeal rights to any new determination of their entitlement.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

The Bill gives Scottish Ministers the power to require that individuals receiving assistance co-operate with requests for information in relation to the individual’s payment or entitlement for the purposes of auditing the monetary value of fraud and error and associated or carrying out corrections of apparent errors and investigations into potential fraud (and other activities connected to auditing). Where they unreasonably fail to do so, their entitlement may be suspended.

Where, following suspension, they still fail to provide the requested information by the end of the further specified period for a response, an unscheduled review of their entitlement may be triggered, which could ultimately lead to an increase, reduction or termination of the benefit in question.

If an individual provides the information requested by the Scottish Ministers and anomalies are discovered such as overpayments, underpayments or fraudulent activity, Social Security Scotland will follow business-as usual procedures to correct them, which are already subject to their own DPIA.

Data collected from audit exercises will be usually be recorded and anonymised for use in statistics, reporting and estimates relating to the regularity of payments in the social security system.

Social Security Scotland has robust existing processes and systems in place to manage clients’ personal data and mitigate any associated risks.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?

No

5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as country outside the UK.)

The proposal will not require the transfer of personal data to a ‘third country'.

6. Risk Assessment

6.1.1 Risk to individual rights

• right to be informed
• right of access
• right to rectification
• right to erasure
• right to restrict processing
• right to data portability
• right to object
• rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed

Personal data of individuals who are entitled to assistance is already handled by Social Security Scotland, on behalf of Scottish Ministers, for the purposes of making a determination of entitlement.

The data will be used for the alternative purpose of selecting participants to provide information for the purpose of audit. For transparency, processing personal data for this purpose is already documented in the Privacy Notice.

Where an individual fails to provide updated or new information necessary for audit purposes this may trigger an unscheduled review of their ongoing entitlement. Section 54(1) of the Act would apply to this review and places an obligation on the individual to provide information they require in order to satisfy Scottish Ministers about any matter material to the making of a determination. A failure to cooperate with requests for information could ultimately lead to the ending of entitlement under section 54(2).

Solution or Mitigation:

Likelihood: Low

Severity: Amber

Result: Accepted

6.2.1 Privacy risks

Purpose limitation

Solution or Mitigation:

Likelihood: Low

Severity: Green

Result: Accepted

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or Mitigation: Data Subjects are advised of how their data is processed, details are on the privacy notice, data subject is also advised on outcome letter or supporting evidence requests.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.3 Privacy risks

Minimisation and necessity

Solution or Mitigation: Only the minimum of data is processed where there is a legitimate purpose. The data is minimised by ensuring only the least amount of information is requested to enable an assessment to be undertaken. This includes where data is sourced from a third party like Medical practitioners (in agreement with data subject) or other Government Departments. ICO data-sharing code of practice is followed and data-sharing agreements are in place with external stakeholders.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.4 Privacy risks

Accuracy of personal data

Solution or Mitigation: In the scenario where further information is requested for audit this data is supplied by the data subject, there is an expectation that the data subject provides the most up to date information. If third party details are required see note above if medical practitioner or OGD. However this is not a new process and will re-use existing established processes and data sharing mechanisms.

Likelihood: Low

Severity: Green

Result: Accepted

6.3.1 Security risks

Keeping data securely

Retention

Solution or Mitigation: Uses established system and sharing mechanism. No new processes being introduced.

Likelihood: Low

Severity: Green

Result: Accepted

6.3.2 Security risks

Transfer – data may be lost in transit

Solution or Mitigation: No new data sharing, established methods used.

Likelihood: Low

Severity: Green

Result: Accepted