Children's advocacy in children's hearings: DPIA

Data Protection Impact Assessment (DPIA) in relation to the the provision of an advocacy service for children and young people going to children’s hearings.


6. General Data Protection Regulation (GDPR) Principles

Principle: 6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

Compliant – Yes/No:  Yes

Description of how you have complied

Scottish Government are providing the grants to meet the duty under S.122 of the Children’s Hearing (Scotland) Act 2011, and therefore any personal data processed will fall under 6(1)(e) ‘Public Task’

Information only gathered after written consent obtained from data subject or their legal guardian if appropriate. Consent can be withdrawn at any time.

A Privacy Notice will be provided.

Principle: 6.2 Principle 2 – purpose limitation

Compliant – Yes/No:  Yes

Description of how you have complied

The information collected by providers will only be that what is necessary to provide the support and advice to that individual with regards to their hearing. The advocacy providers follow the standards for advocacy as detailed in the National Practice Model.   

Principle: 6.3 Principle 3 – adequacy, relevance and data minimisation

Compliant – Yes/No: Yes

Description of how you have complied

The information recorded will be obtained from interviews with the child/young person. Any inaccurate information will be corrected or removed at their request. Any electronic files will be based on these interviews. 

Principle: 6.4 Principle 4 – accurate, kept up to date, deletion

Compliant – Yes/No:  Yes

Description of how you have complied

The information recorded will be obtained from interviews with the child/young person. Any inaccurate information will be corrected or removed on request and will be securely destroyed at the conclusion of the children’s hearing.

Principle: 6.5 Principle 5 – kept for no longer than necessary, anonymization

Compliant – Yes/No: Yes

Description of how you have complied

The data will only be kept for as long as outlined in service providers data retention policies. 

Principle: 6.6 GDPR Articles 12-22 – data subject rights

Compliant – Yes/No: Yes

Description of how you have complied

Service providers are required to have processes and procedures in place to ensure data subjects are able to exercise their rights as required under DP legislation. SG receives assurance that this is in place through the application process. 

Principle: 6.7 Principle 6 - security

Compliant – Yes/No: Yes

Description of how you have complied

No personal data will be transferred to Scottish Government. Providers are required to provide assurances that they have appropriate security measures in place to protect personal data as required by the legislation. Providers will be required to give assurances to Scottish Government that their practices and processes in relation to security measures are reviewed at least annually.  These assurances will be provided in the annual report requirement as part of the grant funding conditions. 

Principle: 6.8 GDPR Article 24 - Personal data shall not be transferred to a country or territory outside the European Economic Area.

Compliant – Yes/No: Yes

Description of how you have complied

The information will be stored within service providers’ case management systems and are asked to provide assurances on compliance with the Data Protection legislation.  

Contact

Email: CYPAdvocacy@gov.scot

Back to top