Social Security (Amendment) (Scotland) Bill: data protection impact assessment

This data protection impact assessment (DPIA) considers the potential impacts of the Social Security (Amendment) (Scotland) Bill on the use of personal data.


Overpayment Challenge Rights

2.2 Description of the personal data involved

Social Security Scotland already shares information digitally on a public task basis with the Scottish Courts and Tribunal Service in relation to process and entitlement appeals. This may include data on the individual's health condition, financial circumstances or residence. The Social Security Scotland privacy notice explains that Social Security Scotland has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.

Challenges to decisions about overpayment liability are likely to include largely the same information because they are about the circumstances and history of a person's entitlements and payments of the same forms of assistance. It is expected that either the same or similar digital methods would be used to share information and that either an amended or a broadly similar data sharing agreement with SCTS would be required.

Please also specify if this personal data will be special category data, or relate to criminal convictions or offences

As above, it is reasonable to assume that in cases relating to disability assistance some data relating to the health of an individual may be gathered if germane to the disputing of liability. Where fraudulent activity by a person has caused or contributed to an overpayment, Social Security Scotland may have reported an offence to the Crown Office and Procurator Fiscal Service. The documentation in relation to the liability under challenge may contain information that forms part of that report.

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons?

The provisions within the Bill would allow individuals to dispute liability for an overpayment in line with other process and entitlement challenges in the social security system. Therefore the only individuals/groups affected by this are those clients who are considered liable for an overpayment by the agency and who choose to dispute this.

If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights, or use of social profiling to inform policy making.

The provisions in the Bill seek to create a right of challenge which will allow the individual to dispute liability in the same manner as other challenges against Social Security Scotland decisions. Exercising this will avoid the delay and expense of potentially lengthy and stressful court proceedings for clients. It will lead to no denial of an individual’s rights or use of social profiling to inform policy making.

2.4 Necessity, proportionality and justification

What issue/public need is the proposal seeking to address?

Currently, any dispute around liability for an overpayment is addressed by a non-statutory informal internal process. The only formal right of challenge comes if and when Social Security Scotland decide to enforce recovery of the overpaid sums. These provisions put the challenge for liability on the same footing as other challenges within the devolved social security system. This provides for transparency and ensures that individuals have the ability to proactively apply to the First-tier Tribunal to challenge the Scottish Ministers' decision that they are liable for an overpayment.

What policy objective is the legislation trying to meet?

Transparency, consistency of challenge processes within the system, and improved access to administrative justice.

Were less invasive or more privacy-friendly options considered, and if so why were these options rejected?

As the same process exists for other challenges within the devolved social security system, and consistency and transparency of approach were key drivers of this proposed legislation, there were no other available options to achieve the same outcomes. As noted above, the Social Security Scotland privacy notice explains that Social Security Scotland has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.

Are there any potential unintended consequences with regards to the provisions e.g., would the provisions result in unintended surveillance or profiling?

No unintended consequences such as unintended surveillance or profiling have been identified.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

It will be for individuals to instigate this process and provide the information required to demonstrate that they are not liable for an overpayment. As noted above, this is likely to be data regarding their original entitlement determination or subsequent related processing or events. Safeguarding and data protection processes are already in place within the Social Security Scotland agency to protect individuals' data, and this would be subject to the same processes and safeguards. As above, it is reasonable to assume that the only special category data that could conceivably be gathered would be in relation to those cases of disability assistance where there is a dispute over liability, and that some data relating to the health of an individual may be gathered if germane. Safeguards are already in place to protect special category data. The Social Security Scotland privacy notice explains that Social Security Scotland has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.

2.4 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

As above, the Social Security Scotland privacy notice explains that the agency has appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk of processing personal data.

If the latter, what will be the status of the Code of Conduct? (statutory or voluntary?)

Not applicable

3. Data Controllers

Organisation: Social Security Scotland

Activities: Social Security Scotland acts on behalf of the Scottish Ministers as controller for the personal data processed. Social Security Scotland is an Executive Agency of the Scottish Government. It has the responsibility for managing and administering the benefits that are devolved to Scotland.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, section 7 of the Data Protection Act 2018?: Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing: Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data (Include condition from Schedule 1 or 2 of the Data Protection Act 2018): The Article 9 condition that applies for processing the special category data is (b) Employment, social security and social protection (if authorised by law).

The condition from Schedule 1 of the Data Protection Act 2018 is met if:

(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b) when the processing is carried out, the controller has an appropriate policy document in place.

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018: Where fraudulent activity by a person has caused or contributed to an overpayment, Social Security Scotland may have reported an offence to the Crown Office and Procurator Fiscal Service. The documentation in relation to the liability under challenge may contain information that forms part of that report. Fraud processes are already subject to a separate DPIA.

Legal gateway for any sharing of personal data between organisations, eg as part of existing common interest investigation processes with DWP: Data Sharing will be required with Scottish Courts and Tribunal Service as a result.

Article 6(1)(e) – once the provisions become law processing will be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. Consultation

4.1 Have you consulted with the ICO using the Article 36(4) form?

An Article 36(4) form was sent to the ICO prior to publication of the consultation in 2022 and an updated form was sent in August 2023. The Scottish Government has engaged with the ICO and addressed their feedback.

4.2 Do you need to hold a public consultation and if so has this taken place? What was the result?

The public consultation "Scotland's social security system: enhanced administration and compensation recovery" was published in August 2022. Respondents were asked whether they agreed or disagreed that the Scottish Government should introduce rights of challenge against Social Security Scotland's decision that someone was liable to repay an overpayment. All consultation respondents who answered this question agreed (100%) with the proposal.

4.3 Were there any Comments/feedback from the public consultation about privacy, information or data protection?

No

5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

Unknown. The Scottish Government currently has automatic transmission capability for benefits that are live; however, further development would be required for both the Scottish Government and SCTS to support the expansion to include new case types, so this functionality does not exist yet.

5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

No

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

No

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

This process may involve the use of data gathered during a fraud investigation which is also the subject of a report to the Crown Office and Procurator Fiscal Service. Where a person is disputing the Scottish Ministers' decision that they are at fault, or that an individual could have been reasonably expected to notice an overpayment, they may offer new information or explanations for their actions. Oral or documentary evidence provided to a tribunal could also be pertinent to criminal proceedings; however, distinct fraud processes for any disputes in which this type of information needs to be handled by SCTS are already subject to their own DPIA.

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

It will be for individuals to instigate this process and provide the information required to demonstrate that they are not liable for an overpayment. It is not expected that this would impact upon any specific group.

Furthermore, section 4 of the 2018 Act requires Scottish Ministers to communicate with individuals in an inclusive and accessible manner. This should reduce any potential impact on individual members of vulnerable groups.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

No

Are there any potential unintended consequences with regards to the provisions, e.g. would the provisions result in unintended surveillance or profiling?

No

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Safeguarding and data protection processes are already in place within the Social Security Scotland agency to protect individuals' data, and this would be subject to the same processes and safeguards. The Social Security Scotland privacy notice explains that Social Security Scotland has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.

5.7 Are there consequential changes to/in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

Regulations will be required to:

  • prescribe the period in which a person can request a review
  • prescribe the time that Scottish Ministers can take to carry out the review
  • amend the First-tier Tribunal procedural rules in relation to this type of dispute
  • amend the FtT Composition regs in relation to who should hear this type of dispute
  • amend the regulations for Scottish Child Payment to align it with the Bill provisions in relation to liability challenge rights

5.8 Will this proposal necessitate an associated code of conduct? If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

No

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

The Social Security Scotland privacy notice explains that Social Security Scotland has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Not applicable

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

No

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?

No

5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as country outside the UK.)

No

6. Risk Assessment

6.1.1 Risk to individual rights

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.

It will be for individuals to instigate this process and provide the information required to demonstrate that they are not liable for an overpayment.

Solution or Mitigation: The Social Security Scotland privacy notice explains the purpose of the processing and that it has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.1 Privacy risks

Purpose limitation

Solution or Mitigation: The Social Security Scotland privacy notice, application forms and outcome letters explain the purpose for the collection of the information.

As the lawful basis is public task, any processing for a new purpose would only be considered if there was a legal obligation or a function set out in law.

Operational DPIAs are undertaken and regularly reviewed, and processes are in place to govern new processes involving personal data.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or Mitigation: Social Security Scotland has a privacy notice that is regularly reviewed; the application process and outcome letters all advise the client on where to find information regarding the processing of their personal data.

There is also a route for clients who are not digitally aware: information can be requested in writing directly from the Data Protection Officer.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.3 Privacy risks

Minimisation and necessity

Solution or Mitigation: Work is undertaken by Social Security Scotland to embed a privacy by design and default approach in the processing of personal data. Data minimisation is a key part of the data requirements at the outset of all projects and when data sharing work is undertaken with all stakeholders, to ensure only the minimum data is collected, stored and shared to undertake the task.

Likelihood: Low

Severity: Green

Result: Accepted

6.2.4 Privacy risks

Accuracy of personal data

Solution or Mitigation: This change relies on the client providing the information; therefore the client would provide the most accurate and up to date information.

Likelihood: Low

Severity: Green

Result: Accepted

6.3.1 Security risks

Keeping data securely

Retention

Solution or Mitigation: Social Security Scotland has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.

Likelihood: Low

Severity: Green

Result: Accepted

6.3.2 Security risks

Transfer – data may be lost in transit

Solution or Mitigation: The Social Security Scotland privacy notice explains that Social Security Scotland has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.

Where data is shared outwith Social Security Scotland, data is encrypted at rest and in transit.

Likelihood: Low

Severity: Green

Result: Accepted

Contact

Email: socialsecurityCI@gov.scot
