Children's advocacy in children's hearings: DPIA

Data Protection Impact Assessment (DPIA) in relation to the provision of an advocacy service for children and young people going to children’s hearings.

7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk: Scottish Government may not obtain appropriate assurance from service providers that they are aware of and comply with their data protection responsibilities.

Ref: ADV1

Solution or mitigation: Assurances from advocacy organisations that their internal training processes include data protection and GDPR rights and responsibilities, as outlined in their Expressions of Interest application.

Result: Reduce

Risk: Scottish Government, as a joint controller of the data, may not be made aware if a service provider is the subject of a significant data breach within 72 hours.

Ref: ADV2

Solution or mitigation: Grant conditions specify: “The Grantee shall ensure that all requirements of the Data Protection Laws are fulfilled in relation to the Project.” This includes reporting any potential data breach.

Result: Reduce

Risk: Lack of transparency around the processing of data.

Ref: ADV3

Solution or mitigation: Service providers will provide clients with a privacy notice in hard copy or direct them to the published version on their website. Client consent will be sought for sharing special category data with partner organisations.

Result: Reduce

Risk: Data subjects may not be able to exercise their rights under the GDPR.

Ref: ADV5

Solution or mitigation: Responsibility for facilitating data subject rights will sit with the service providers. Scottish Government will obtain assurances from the providers that proper procedures and processes are in place to meet these obligations, including that all staff receive appropriate training.

Result: Reduce


Risk: Scottish Government may receive personal data without legal basis from service providers in their quarterly/annual returns.

Ref: ADV8

Solution or mitigation: As reports from service providers use quantitative information, any numbers of less than 5 will not be reported, to ensure identification cannot take place. Organisations will illustrate themes by use of anonymised case studies. The potential to receive personal data is minimal, but mitigation is in place in the unlikely event of error.

Result: Reduce


