Carer Support Payment: data protection impact assessment
This impact assessment records how data will be used in relation to the Carer’s Assistance (Carer Support Payment) (Scotland) Regulations 2023 and how that use is compliant with data protection legislation.
6. Risk Assessment
Risk | Solution or mitigation | Likelihood (Low/Med/High) | Severity (Red/Amber/Green) | Result |
---|---|---|---|---|
6.1.1 Risk to individual rights: Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed. | Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. The personal information to be processed is required to enable Social Security Scotland to meet its statutory requirement in providing Social Security Assistance, the data being processed under public task with the legal basis being GDPR Article 6(1)(e). There is no profiling, and the appropriate safeguards for processing using automated decision making will be in place and documented in the Operational DPIA. Work has been undertaken to ensure only the minimum amount of personal information is gathered and stored only for the appropriate time. There is a process in place for managing all subject rights requests. | Low | Green | Mitigated |
6.2.1 Privacy risks: Purpose limitation | Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. Social Security Scotland has a Privacy Notice that is accessible on My Gov. Outward letters and telephony messaging also advise individuals where to find information regarding the processing of their information. Data Sharing Agreements will be in place with stakeholders following the ICO Data Sharing code of practice, where clear purpose is documented and adhered to. | Low | Green | Mitigated |
6.2.2 Privacy risks: Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights | Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. Social Security Scotland has a Privacy Notice that is accessible on My Gov. Outward letters and telephony messaging also advise individuals where to find information regarding processing of their information. | Low | Green | Mitigated |
6.2.3 Privacy risks: Minimisation and necessity | Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. Necessity of the data to be processed has been determined based on the minimum amount of personal information required for assessing entitlement. | Low | Green | Mitigated |
6.2.4 Privacy risks: Accuracy of personal data | The personal data gathered is from the client, their representative or an Other Government Department where the client has an established relationship. Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. | Low | Green | Mitigated |
6.3.1 Security risks: Keeping data securely; Retention | Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. | Low | Green | Mitigated |
6.3.2 Security risks: Transfer – data may be lost in transit | Established secure transfer routes will be re-used for previous transitions. Data is encrypted at rest and in transit. Data Sharing Agreements will be in place detailing both parties' roles and responsibilities in relation to safeguarding individual personal information. Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. | Low | Green | Mitigated |
6.3.3 Security risks | Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. | Low | Green | Mitigated |
6.4.1 Other risks <will this impact on children?> | Child personal information will be processed; however, Social Security Scotland have in place a high level of security and safeguards to protect all client data, including children. Detailed discussion of risks and mitigations will be set out in the Operational Data Protection Impact Assessment. | Low | Green | Mitigated |
Data Protection Officer (DPO)
The DPO may give additional advice, please indicate how this has been actioned.
Advice from DPO
The DPO has been consulted in the development of the Article 36(4) form and DPIA for legislation and is content with the consideration given to privacy and notes the engagement with data protection and information governance during the development of these materials. No high level risks are remaining.
Action
No action needed.
I confirm that the impact of these provisions has been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.
Name and job title of an IAO or equivalent
Ian Davidson, Deputy Director of Social Security Policy Division
Date each version authorised
18 August 2023
Contact
Email: CarerSupportPayment@gov.scot