Annex E: Article 36(4) form
Meeting report (Scotland office)
Article 36(4) meeting with Scottish Government on the Scottish Carer's Assistance
28 June at 13:00
ICO Senior Policy Officer
SG policy officials
The Social Security (Scotland) Act 2018 provided for the creation of a new social security system and established Social Security Scotland (SSS), an Executive Agency of the Scottish Government.
The Scottish Carer's Assistance regulations, yet to be drafted, will allow for the processing of data to assess eligibility for the Scottish Carer's Assistance. The regulations will give new powers to SSS to process personal data in relation to the Scottish Carer's Assistance and will:
establish the Scottish Carer's Assistance including the creation of a new payment, the Carer's Additional Person Payment, which will be delivered by Social Security Scotland on behalf of Scottish Ministers, and will replace Carer's Allowance which is currently delivered by the Department for Work and Pensions (the DWP); and
enable the transfer of entitlement for carers in Scotland currently in receipt of Carer's Allowance onto Scottish Carer's Assistance which will require the DWP to share personal data with SSS.
The Scottish Government advised that the roll out of this payment will begin in 2023 with a national launch in 2024. The public consultation closed in May and the Scottish Government are analysing the responses ahead of drafting the regulations.
It was noted that this benefit will have complex links to the Carer's Allowance and that there is a need to maintain those links so that carers receive the same level of support as they were receiving under the DWP. In terms of the processing, the Scottish Government should consider:
- what risks and harms may arise as a result of the processing; and
- if the DPIA identifies a high risk to the rights and freedoms of any individual that the Scottish Government cannot mitigate, then the Scottish Government must consult with us.
The ICO has provided advice below, including recommendations, beneath relevant headings which are to be considered by the Scottish Government. The advice is focused in parts on the data sharing aspect of this proposal as the regulations, as well as the Data Protection Impact Assessment (DPIA), had yet to be drafted at the point of meeting. It is noted that some advice is for Scottish Government in relation to what it should consider in drafting the regulations and some advice is highlighted as being relevant to consider when it comes to operationalisation and compliance with data protection law.
Lawful, fair and transparent
The first principle of the UK GDPR is that the processing of personal data is lawful, fair and transparent. Advice for each of these elements is provided below.
It is key that personal data can flow as intended, so the Scottish Government will wish to ensure that the necessary legal gateways are in place for all involved controllers and processors.
To ensure that all controllers are able to rely on a valid lawful basis, the Scottish Government may at this stage wish to complete a data flow map, particularly as it has been highlighted that there are "complex links" with other benefits, which means there may be various data flows as well as multiple controllers and processors. Completing a data flow map will help the Scottish Government to establish who the relevant controllers and processors will be and to consider whether they have existing powers to process data for the purposes set out in the new legislation or whether those controllers will require new powers, duties or obligations.
Transparency / Right to be Informed
The following advice is provided for the Scottish Government to consider when SSS move to implementation of the benefit.
Individuals have the right to be informed about the collection and use of their personal data.
Currently individuals are receiving the UK Carer's Allowance from the DWP. After the transfer of information, their data will be processed by Social Security Scotland. It will be key that individuals receive meaningful privacy information so that they understand that their data will be processed by Social Security Scotland for Scottish Carer's Assistance and the Carer's Additional Person Payment. This needs to be made clear to individuals so that they can exercise their information rights. Therefore the DWP and SSS should consider updating their privacy notices.
The Scottish Government should consider how privacy information will be provided to those individuals with whom it does not have a direct relationship but whose data may be processed, ie those individuals being cared for. This will avoid "invisible processing". The Scottish Government may want to consider this risk within a Data Protection Impact Assessment (DPIA) and in advance of any data sharing.
As well as ensuring that data is being processed lawfully and transparently, the Scottish Government should consider the fairness of the processing, in particular whether the proposed processing would result in any unjustified adverse impacts on individuals, and ensure that appropriate safeguards and mitigations are put in place as necessary. The Scottish Government should also consider the reasonable expectations of those individuals, particularly where the Scottish Government is receiving data from the DWP which those individuals may not be expecting. If there will be any unexpected processing, it must be justified and documented in advance.
It will be key to consider what powers the SSS will be given to process the personal data, whether there is a risk of function creep and how this will be managed. We have more guidance on this in our purpose limitation guidance.
Data minimisation
Data minimisation requires that the processing of personal data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is being processed.
Broadly, there will be the data of those individuals in receipt of the benefit(s) but also the data of those individuals being cared for. Will the legislation specify what data should be processed, or will it create broad new powers? If it specifies the data, then the Scottish Government should consider carefully what data is adequate, relevant and necessary for the purpose for which it is being processed. Is it proportionate? What risks are presented? If it creates broad new powers, what are the risks of excessive or inadequate processing? The Scottish Government should consider whether guidance may be required.
Criminal offence data
The UK GDPR gives extra protection to "personal data relating to criminal convictions and offences or related security measures" and we refer to this as criminal offence data. Whilst the Article 36(4) form states that "Criminal offences data will not be processed" it should be noted that in order to process criminal offence data it either needs to be under the control of official authority or a specific condition from Schedule 1 of the DPA 2018 must be identified. The Scottish Government should consider whether the regulations will or should provide official authority to relevant controllers to process criminal offence data.
Data sharing
We discussed that there would be data sharing between the DWP and the Scottish Government in order to facilitate the implementation of these benefits. In terms of compliance with data protection law, it is worth highlighting the ICO's data sharing hub and, within that, the data sharing code of practice. The code contains practical guidance on how to share data fairly and lawfully, and how to meet your accountability obligations. The sections on fairness and transparency in data sharing and on the rights of individuals will be particularly relevant.
The Article 36(4) form also references that data sharing agreements will be in place. The data sharing agreements section of our Data Sharing Code of Practice will be useful and details what a DSA should cover.
In relation to the regulations that will be drafted the Scottish Government will want to consider whether there are legal gateways available in order to share data.
Data Protection Impact Assessment / Risk assessment
Whilst completing a DPIA for the Article 36(4) process is not a legal obligation, we do advise that it is a useful tool to think through the risks associated with the legislation. The form notes the development of the DPIA.
It is recommended that a DPIA is completed, particularly as the Scottish Government moves to preparing the legislation, as the analysis will allow consideration of what should go in the regulations and what guidance or other safeguards and mitigations may be required.
The Article 36(4) form states that carers and stakeholders have 'raised concerns' about this new benefit. Where appropriate, and particularly where these concerns relate to privacy or data protection, you may wish to address these concerns within the risk assessment of the DPIA.
One impact that was highlighted was the need to ensure that carers receive the same level of support under SSS as they were receiving under the DWP, and that carers would not be over- or underpaid. It is key that any risks to individuals' rights and freedoms are identified, assessed and mitigated. We have specific guidance on this under 'How do we identify and assess risks?' in our DPIA guidance.
When identifying and assessing risks, it may be useful to consult our harms taxonomy at Data Protection Harms. It sets out a framework and contains examples of possible harms.
It is also recommended that a separate DPIA is undertaken specifically for the data sharing aspect of this proposal, due to the complexity of the sharing, to identify any risks associated with it. As various government departments will be involved in sharing personal data, a DPIA will allow the Scottish Government to ensure there are the necessary legal gateways in place to allow for the sharing and, more broadly, to work through each of the data protection principles and how the sharing will comply with each.
- Ensure you have consulted with the Scottish Government's data protection team and/or your Data Protection Officer on the proposals.
- Please provide a copy of the legislative DPIA and the regulations once drafted for us to review.
- Once you have firmed up what data sharing will be taking place, do provide us with an update, including what new powers and obligations to share data there may be.