Publication - Consultation paper

Child contact services - regulation: consultation

Published: 22 Mar 2021

The Children (Scotland) Act 2020 gives the Scottish Ministers the power to regulate child contact centres. This consultation seeks views on various aspects of what regulation of child contact centres would look like.

Annex F: Draft Data Protection Impact Assessment (DPIA)

1. Introduction

The purpose of this DPIA is to report on and assess any potential data protection impacts in relation to the regulation of child contact services.

2. Document metadata

2.1 Name of Project: Regulation of child contact services.

2.2 Author of report: Family Law Unit, Civil Law & Legal System, Justice Directorate, Scottish Government.

2.3 Date of report: March 2021

2.4 Name of Information Asset Owner (IAO) of relevant business unit: Denise Swanson, Deputy Director, Civil Law & Legal System

2.5 Date for review of DPIA: This draft DPIA will be reviewed after the public consultation is completed and the Scottish Government has decided on the appropriate next steps.

3. Description of the project

3.1 Description of the work:

The Children (Scotland) Act 2020 gives the Scottish Ministers the power to set by regulations minimum standards for accommodation and staff training at child contact centres. The Act also gives the Scottish Ministers the power to appoint a body to oversee child contact services regulation.

Child contact centres are safe venues for conflict-free contact between children, parents, and other people in the child's life. The policy aim is that by establishing minimum standards the outcomes for children using child contact centres will be improved and that children will be protected where they are referred to a child contact centre. The Care Inspectorate is the Scottish Government's preferred option for this regulatory role. We are engaging with the Care Inspectorate with a view to reaching agreement on its appointment in advance of the regulations establishing the minimum standards being laid before Parliament in early 2022 and coming fully into force in April 2023.

The current indicative timetable is for the regulations appointing the body to oversee regulation to be laid before Parliament in late 2021 and come into force in early 2022.

3.2 Personal data to be processed.

Variable 1: It is proposed that child contact centre providers will apply to the body appointed to oversee regulation to be registered under the new regulatory system. The appointed person will carry out an initial inspection and regular routine inspections to monitor whether child contact services providers are compliant with the minimum standards for staff training and to issue reports. It is envisaged that this will mean the inspection body will receive personal information on the training that individual members of staff and volunteers have undertaken and data relevant to disclosure and PVG checks.

Data source: The personal data would be provided by the child contact centre provider from their staff training records.

Variable 2: It is proposed that the body appointed to oversee child contact services regulation would deal with complaints relating to failings to meet the minimum standards, including any failings to meet staff training standards. This would mean that the body appointed to oversee regulation may require personal information on the training of individual members of staff and volunteers.

If a complainer is not satisfied with how the appointed body handled their complaint it is envisaged that this could be raised with the Scottish Public Services Ombudsman (SPSO). This may also require personal information to be shared.

Data source: The personal data would be provided by the child contact centre provider or the body appointed to oversee regulation.

3.3 Describe how this data will be processed:

In the first scenario, any information on staff training would currently be held by the child contact centre provider. Under the proposed regulatory system, child contact centre providers will have to meet minimum standards for staff training before their service can be registered as a regulated service. It is envisaged that personal information in relation to staff training would be provided by the child contact service provider to the body appointed to oversee regulation as part of the provider's initial application to be registered. Personal information may also be provided during inspections, either the initial inspection or subsequent routine inspections, which will include checking staff training records and documentation and disclosure and PVG checks. The personal information in relation to staff training could include individuals' names, contact details, training courses being undertaken or completed, dates of completion and any qualifications they have.

If personal information from staff training records is to be held by the body appointed to oversee regulation, for example for reporting purposes, it would be held securely, stored in an appropriate manner and disposed of securely when no longer required. The Care Inspectorate is the Scottish Government's preferred option for this regulatory role. We are engaging with the Care Inspectorate with a view to reaching agreement on its appointment. If appointed, any personal data received by the Care Inspectorate in its regulatory role would be held lawfully and securely subject to its existing core privacy notice. It is also expected that a specific team would be responsible for registering and inspecting child contact providers and centres. Only the necessary staff would have access to the information.

In the second scenario, it is envisaged that in the first instance child contact centre providers will deal with complaints relating to any failing to meet the minimum standards. If the complainer is not satisfied with the outcome, the complainer could complain to the person appointed to oversee regulation. Where the complaint relates to a failure in staff training it may be necessary for the body appointed to oversee regulation to request information from the child contact service provider, which could include personal information from their staff training records. The personal information in relation to staff training could include individuals' names, contact details, training courses being undertaken or completed, dates of completion and any qualifications they have.

If personal information from staff training records is to be held by the body appointed to oversee regulation, it would be held securely, stored in an appropriate manner and disposed of securely when no longer required. The Care Inspectorate is the Scottish Government's preferred option for this regulatory role. We are engaging with the Care Inspectorate with a view to reaching agreement on its appointment. If appointed, any personal data received by the Care Inspectorate in its regulatory role would be held lawfully and securely subject to its existing core privacy notice. It is also expected that a specific team would be responsible for handling complaints in relation to child contact centres and providers. Only the necessary staff would have access to the information.

Where personal information is to be held by the SPSO, as part of a complaint into how the Care Inspectorate has handled a complaint, we would expect data to be stored securely and disposed of appropriately subject to SPSO's existing privacy notice.

In relation to both scenarios, child contact centre providers have internal policies in place in relation to confidentiality and disclosure of information and data protection.

3.4 Explain the legal basis for the sharing with internal or external partners:

The Children (Scotland) Act 2020 gives the Scottish Ministers the power to set by regulations minimum standards for staff training at child contact centres. The Act also gives the Scottish Ministers the power to appoint a body for the purposes of administering the registration of contact service providers and contact centres and to confer functions on that person. The Act provides that functions may include inspecting child contact centres and providers, issuing reports on the inspection of child contact centres and providers, and refusing to register or removing child contact centres or providers from the register.

The Care Inspectorate has a statutory duty to deal with complaints made to it about the registered services it regulates. Should the Care Inspectorate be appointed as the regulator, any complaint about a registered child contact centre service could be made to it directly.

If a complainer is not satisfied with how the Care Inspectorate handled their complaint they could raise this with the SPSO.

4. Stakeholder analysis and consultation

This draft DPIA is part of the full public consultation on the minimum standards for child contact services regulation. We are seeking views on this draft DPIA as part of the consultation process. The final DPIA will be published on the Scottish Government website.

5. Questions to identify privacy issues

5.1 Involvement of multiple organisations

In the first scenario, the Scottish Ministers have the power to appoint a body for the purposes of administering the registration of contact service providers and contact centres and to confer functions on that body, including inspecting child contact centres and providers to ensure the minimum standards are being met and issuing reports on the inspections.

It is proposed that minimum standards for staff training will be prescribed and that personal information regarding an individual's training history and qualifications will need to be shared with the appointed person. We would expect this information to be shared in a secure format and stored securely by that person. If it is the Care Inspectorate, we would expect data to be stored securely and disposed of appropriately subject to their data protection policies. Privacy of data would be part of the conditions of appointment.

In the second scenario, information about the training standards for staff may require to be shared with the person appointed to oversee regulation when a complaint is raised. It is expected that information would be shared in a secure format. If personal information from staff training records is to be held by the person appointed to oversee regulation, it would be held securely, stored in an appropriate manner and disposed of securely when no longer required.

If the Care Inspectorate is appointed, we would expect data to be stored securely and disposed of appropriately subject to their existing core privacy notice. Privacy of data would be part of the conditions of appointment.

Where personal information is to be held by the SPSO, as part of a complaint into how the Care Inspectorate has handled a complaint, we would expect data to be stored securely and disposed of appropriately subject to SPSO's existing privacy notice.

In relation to both scenarios, it is understood that child contact centre providers have policies in place in relation to confidentiality and disclosure of information and data protection.

5.2 Anonymity and pseudonymity

Not applicable in either of the scenarios as it is not the intention to combine data from two or more systems.

5.3 Technology

Not applicable in either of the scenarios as it is not the intention to gather any personal data as a by-product of a technology project.

5.4 Identification methods

Not applicable as it is not envisaged that unique identifiers will be used in either of the scenarios.

5.5 Sensitive/Special Category personal data

No information on special category personal data is envisaged to be gathered in either of the scenarios.

5.6 Changes to data handling procedures

Personal data will not be made publicly available in either of the scenarios.

None of the situations involve:

  • new or changed data collection policies or practices that are unclear or intrusive; or
  • changes to data quality assurance, processes and standards that may be unclear or unsatisfactory; or
  • new or changed data security access or disclosure arrangements that may be unclear or extensive; or
  • new or changed data retention arrangements that may be unclear or extensive; or
  • a change in the medium for disclosure of publicly available information such that the data becomes more readily accessible than before.

5.7 Statutory exemptions/protection

Neither of the scenarios would require statutory exemptions/protections.

5.8 Justification

This is not applicable in either of the scenarios.

5.9 Other risks

No other risks have been identified.

6. General Data Protection Regulation (GDPR) Principles

Principle

Compliant – Yes/No

Description of how you have complied

6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

Yes

The processing of data is required for the performance of a task in the public interest, under powers provided in the Children (Scotland) Act 2020. It is necessary to process personal data in the course of creating a system of regulation for child contact services.

Child contact centre staff will be informed about how their personal data may be processed.

Child contact centre providers should have policies in place in relation to confidentiality and disclosure of information and data protection. Under the proposals providers will be recommended to ensure their staff are aware of these policies.

6.2 Principle 2 – purpose limitation

Yes

Child contact centre staff will be informed about how their personal data may be processed and they will be informed of the extent and specificity of personal information that is required.

Child contact centre providers should have policies in place in relation to confidentiality and disclosure of information and data protection. Under the proposals providers will be recommended to ensure their staff are aware of these policies. Child contact centre providers will have their own privacy notices.

There will be no further use of the data beyond the purpose it has been processed for. Child contact service providers and the body appointed to oversee regulation (or the SPSO where appropriate) will hold the data securely, store it in an appropriate manner and dispose of it securely when no longer required. This will be subject to existing privacy notices.

6.3 Principle 3 – adequacy, relevance and data minimisation

Yes

It is envisaged that any data to be processed in the first and second scenarios would be limited to staff training records and would only be shared in the event of an inspection or a complaint. This would be subject to the existing privacy notice for the person appointed to oversee regulation (or the SPSO where appropriate).

Child contact centre providers should have policies in place in relation to confidentiality and disclosure of information and data protection. Under the proposals providers will be recommended to ensure their staff are aware of these policies. Child contact centre providers will have their own privacy notices.

6.4 Principle 4 – accurate, kept up to date, deletion

Yes

It is required that any data processed in the first and second scenarios will be kept up to date.

It is envisaged that the person appointed to oversee regulation will inspect child contact centres and providers on a three-yearly cycle, unless an inspection is necessary within that time period, and personal information held will be reviewed at that time.

Child contact centre providers should have policies in place in relation to confidentiality and disclosure of information and data protection. Under the proposals providers will be recommended to ensure their staff are aware of these policies. Child contact service providers will have their own privacy notices.

The person appointed to oversee regulation (or the SPSO where appropriate) will hold the data securely, store it in an appropriate manner and dispose of it securely when no longer required, subject to their existing privacy notices.

6.5 Principle 5 – kept for no longer than necessary, anonymisation

Yes

It is envisaged that if an individual is no longer working at the child contact centre, their personal information will be deleted.

It is envisaged that the person appointed to oversee regulation will inspect child contact centres and providers on a three-yearly cycle, unless an inspection is necessary within that time period, and personal information held will be reviewed at that time.

Child contact centre providers should have policies in place in relation to confidentiality and disclosure of information and data protection. Under the proposals providers will be recommended to ensure their staff are aware of these policies. Child contact service providers will have their own privacy notices.

The person appointed to oversee regulation (or the SPSO where appropriate) will hold the data securely, store it in an appropriate manner and dispose of it securely when no longer required, subject to their existing privacy notices.

6.6 GDPR Articles 12-22 – data subject rights

Yes

Child contact centre providers should have policies in place in relation to confidentiality and disclosure of information and data protection. Under the proposals providers will be recommended to ensure their staff are aware of these policies. Child contact service providers will have their own privacy notices.

It is envisaged that an individual would be able to access a copy of the information that is held about them.

The person appointed to oversee regulation (and the SPSO where appropriate) have existing privacy notices in place.

6.7 Principle 6 – security

Yes

In all scenarios it is expected that data will be held on secure systems and servers with access only granted to staff deemed to have the training and legitimate need to access such data.

Child contact centre providers should have policies in place in relation to confidentiality and disclosure of information and data protection. Providers will be recommended to ensure their staff are aware of these policies. Child contact service providers will have their own privacy notices.

The person appointed to oversee regulation (and the SPSO where appropriate) have existing privacy notices in place.

6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.

N/A

No data is likely to be stored outwith the UK.

7. Risks identified and appropriate solutions or mitigation actions proposed

Ref 1

Risk: Personal data is inadvertently shared between a child contact service provider and the person appointed to oversee child contact service regulation.

Solution or mitigation: Child contact centre providers should have policies in place in relation to confidentiality and disclosure of information and data protection.

Result (is the risk eliminated, reduced or accepted?): Eliminate and reduce

Ref 2

Risk: Personal data is stored by the person appointed to oversee regulation in a shared folder accessible to more people than is intended.

Solution or mitigation: The body appointed to oversee regulation will be expected to ensure the staff responsible for registration and inspection of child contact centres and providers are suitably trained on how to store data.

Result (is the risk eliminated, reduced or accepted?): Eliminate and reduce

Ref 3

Risk: Lack of transparency with data subjects over new powers.

Solution or mitigation: Renewal of privacy notices/policies from Care Inspectorate.

Result (is the risk eliminated, reduced or accepted?): Eliminate and reduce

Ref 4

Risk: Data to be sent to SPSO in the event of an investigation is disputed by either party in the initial complaint.

Solution or mitigation: The body appointed to oversee regulation will be expected to ensure the staff responsible for dealing with complaints in relation to child contact centres and providers are suitably trained on how to deal with disputes over data that has been shared.

Result (is the risk eliminated, reduced or accepted?): Eliminate and reduce

Ref 5

Risk: Transfer of data between organisations is not secure; recipients of data at each organisation are not clearly identified.

Solution or mitigation: The body appointed to oversee regulation should identify existing secure methods of transfer, which may include technical methods (such as encrypted emails) and documentation such as data sharing agreements if appropriate to avoid breaching the security principle.

Result (is the risk eliminated, reduced or accepted?): Eliminate and reduce

8. Incorporating Privacy Risks into planning

Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.

Ref 1

Risk: Personal data is inadvertently shared between a child contact service provider and the body appointed to oversee child contact service regulation.

How risk will be incorporated into planning: This will be considered as part of the appointment process for the body that will oversee child contact services regulation. The body will be expected to ensure the staff responsible for dealing with child contact centres and providers are suitably trained on how to share data. It will also be recommended that child contact centre staff are aware of data protection and confidentiality/disclosure of information as part of their internal policies.

Owner: The body appointed to oversee regulation or the child contact centre providers would be responsible.

Ref 2

Risk: Personal data is stored by the body appointed to oversee regulation in a shared folder accessible to more people than is intended.

How risk will be incorporated into planning: This will be considered as part of the appointment process for the body that will oversee child contact services regulation.

Owner: The body appointed to oversee regulation would be responsible.

Ref 3

Risk: Lack of transparency with data subjects over new powers.

How risk will be incorporated into planning: Renewal of privacy notices/policies from body appointed to oversee regulation. This will be considered as part of the appointment process for the body that will oversee child contact services regulation.

Owner: Body appointed to oversee regulation would be responsible.

Ref 4

Risk: Data to be sent to SPSO in the event of an investigation is disputed by either party in the initial complaint.

How risk will be incorporated into planning: The body appointed to oversee regulation will be expected to ensure the staff responsible for dealing with complaints in relation to child contact centres and providers are suitably trained on how to deal with disputes over data that has been shared. This will be considered in the appointment of the body.

Owner: Body appointed to oversee regulation would be responsible.

Ref 5

Risk: Transfer of data between organisations is not secure; recipients of data at each organisation are not clearly identified.

How risk will be incorporated into planning: The body appointed to oversee regulation should identify existing secure methods of transfer, which may include technical methods (such as encrypted emails) and documentation such as data sharing agreements if appropriate to avoid breaching the security principle. This will be considered in the appointment of the body.

Owner: Body appointed to oversee regulation would be responsible.

9. Data Protection Officer (DPO)

The DPO may give additional advice; please indicate how this has been actioned.

Advice from DPO:

To be completed in Final DPIA

Action:

10. Authorisation and publication

To be completed in Final DPIA.


Contact

Email: family.law@gov.scot