Work First Scotland: privacy impact assessment

Privacy impact assessment for our Work First Scotland programme, which will provide employability support for disabled people under the terms of the Scotland Act 2016.


Annex A

WFS Process List

Customer Journey

Reference

Description of activity and Data Processing Arrangements

1

SG Provide security accreditation for SG Providers and notifying POST

  • No personal data is shared at this stage.

2

SG Provide POST with contract information to set up PRaP records and SG Providers information

  • No personal data is shared at this stage.
  • This information has been provided ( SG Providers data, including bank details) via secure email.

3

POST set up and maintain SG Providers information and LMS / WSP Opportunity type on PRaP systems

  • No data is shared at this stage.

4

POST set up contracts for SG provision on PRAP and (following SG Approval) transfer to LMS/ WSP

  • No data is shared at this stage.

5

JCP Work Coach performs diagnostic to identify eligible customers for WFS

  • No data is shared at this stage.

6

JCP work coach discusses the SG Providers available with the customer

  • No data is shared at this stage.

7

JCP work coaches make referrals via LMS or WSP systems to PRaP

  • No data is shared at this stage.

PRaP transmits referral to SG Provider

  • DWP will transmit customer data to SG providers via their existing Provider Referral and Payment ( PRaP) system.
  • SG have provided DWP with the security assurance necessary to allow SG Providers access to PRaP.

JCP 3 rd Party team Undertake daily administration of incorrect referrals on behalf of SG

  • No personal data is shared at this stage.
  • Transferred by telephone call or secure email.

8

SG Providers acknowledge or Cancel referral using PRaP, in consultation with SG

  • Customer data including NI no
  • Provider shares information regarding cancellation to SG via email or phone;
  • Provider shares acknowledgement or cancellation with DWP via PRaP

9

SG Providers will issue DWP JCP work coach with a Leavers Plan within 10 days of customer exiting and undertake end action on PRaP (when customer consent given)

  • Customer data potentially including sensitive information
  • Shared by SG Providers with DWP In person or through secure mail (will vary by JCP office)

10

JCP work coach will action the Leavers Plan from the SG Providers (if received)

  • No data is shared at this stage.

SG Provider notifies DWP about the death of a customer

  • Customer data including sensitive information
  • Shared by SG Provider with DWP via Phone Call and followed in Writing

DWP notifies SG Provider about the death of a customer

  • Customer data including sensitive information
  • Shared by DWP with SG via Phone Call and followed in Writing

11

POST : provide administrative support direct to SG Providers for the delivery of PRaP functions including SG Providers enquiry, support service and reporting

  • No data is shared at this stage.

12

SG Providers generate Invoices

  • Personal data including:
  • PO number
  • Employer details
  • Salary & hours
  • Shared by SG Providers with DWP via PRaP

13

PRAP system generates a payment file

  • No data is shared at this stage

14

POST securely transfer electronic Payfile to SG payment system SEAS

  • Personal information including:
  • Customer name
  • NINO
  • Postcode
  • Address
  • Shared by DWP with SG Via PRaP

15

SG processes payment via SEAS

  • No data is shared at this stage

16

DWP provides SG with Payfile Report

  • No personal data
  • SG/Non SG Parameter
  • Payment Date
  • Payment Number
  • Payment Amount
  • Invoice Number
  • Invoice Date
  • Invoice Line Description
  • Tax Status
  • Tax Classification Code
  • Line Amount
  • Invoice Tax Amount
  • Invoice Total Amount
  • Purchase Order Number
  • CPA Number
  • BPA Number
  • Supplier Name
  • Supplier Site Code
  • Supplier Number
  • Shared from DWP to SG by email to nominated SG mailbox. The email will be marked “Official Sensitive”. The report will be password protected.

SG to administer the direct payment of outcome fees to Service Providers for clerical records such as Sensitive Customer Records ( SCRs)

  • Customer information
  • Shared between SG and SG Service Providers by secure tracked post

17

POST securely provide full details of all outcomes payments report ( PPVR) on a monthly basis

  • Personal data including :
  • Customer name
  • NINO
  • Postcode
  • Address
  • Telephone number
  • 2 nd Telephone number
  • Employer details
  • Staff payroll reference
  • Shared from DWP to SG by email to nominated SG mailbox. The email will be marked “Official Sensitive”. The report will be password protected.

18

SG carry out payment validation checks

  • Personal data including :
  • Customer name
  • NINO
  • Postcode
  • Address
  • Telephone number
  • 2 nd Telephone number
  • Employer details
  • Staff payroll reference
  • Shared from SG to customer or employer by phone

19

SG administer and pay service fees direct to SG Providers

  • No data is shared at this stage

20

SG action payment recovery following Validation

  • No data is shared at this stage

21

To allow compliance checks, CEPMI will securely provide a full file of customers for each contract/ CPA area on a monthly basis via Bravo

  • No Personal data :
  • SG Service name
  • Contract reference number
  • PRaP referral reference number
  • CPA
  • Customer Group
  • Referral date
  • Start date
  • Shared by DWP to SG via Bravo

SG CPOT carry out compliance checks

  • Customer data including personal information
  • Shared by SG Providers with SG at face to face compliance visits

22

CEPMI will provide Scottish Government an MI Pack on a Monthly basis per provider per CPA

  • No Personal data :
  • Referrals
  • Starts
  • Job Entries
  • Job Outcomes
  • Sustainment Outcomes
  • Shared by DWP to SG via Bravo

22

Weekly MI (issued first 8 weeks of contract)

  • No personal data:
  • Net Referrals (Gross minus rejected / cancelled)
  • (Of Which) Did Not Attend
  • (Of Which) Did Not Start
  • Starts - In Week
  • First Job Entries - Started In Week
  • Shared by DWP to SG via Bravo

23

SG adjust MI following Validation

  • No data is shared at this stage

24

SG publish MI

  • No data is shared at this stage

SG carry out payment validation checks for Sensitive Customer Records cases

  • Sensitive Customer Information
  • Shared by SG Providers with SG by Tracked Post or face to face

Customer Complaints

  • Customer data including personal information
  • Shared between customer, SG, SG Provider and potentially DWP by email / letter

SG Provider Requests Extension of Customer’s Pre Employment time

  • Customer Data
  • Shared by SG Providers with SG by secure email.

SG Provider Reports Customer Unacceptable Behaviour

  • Customer data including personal information
  • Shared between SG Provider and SG and/or DWP by secure email

SG Provider Reports Accident / Incident within Provider Premises

  • Customer Data
  • Shared by SG Providers with SG by secure email.

Contact

Back to top