Child's Interview Right's Practitioner regulations: data protection impact assessment

6. General Data Protection Regulation (GDPR) Principles

6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

Compliant – Yes/No

Yes

Description of how you have complied

• The data processing is a proportionate response to the need to perform a task carried out in the public interest or in the exercise of official authority – Article 6(1) (e).
• The legal basis is section 51 and 56 of the Age of Criminal Responsibility (Scotland) Act 2019.

6.2 Principle 2 – purpose limitation

Compliant – Yes/No

Yes

Description of how you have complied

• Information is used only for the intended purposes.
• Apart from PS, information is not passed to any other individuals or third parties.

6.3 Principle 3 – adequacy, relevance and data minimisation

Compliant – Yes/No

Yes

Description of how you have complied

• Only essential required data is collected.
• The data ingathered is subject to careful consideration to ensure there is a strong need for it to be collected.
• We do not process/ retain any unnecessary additional information.

6.4 Principle 4 – accurate, kept up to date, deletion

Compliant – Yes/No

Yes

Description of how you have complied

• Only data needed to ensure that the ChIRP register is up to date and contains all relevant data about individual ChIRPs is retained (such as training done, status on register, contact details).
• The register is reviewed periodically to ensure it is up to date and correct, ensuring that details of individual ChIRPs are current.
• Out of date or irrelevant data will be deleted.

6.5 Principle 5 – kept for no longer than necessary, anonymisation

Compliant – Yes/No

Yes

Description of how you have complied

• Information will only be retained for as long as it is necessary. Given the nature of the work and appointments, this is open ended.
• We will regularly review the need for the data to determine if the information is still required and, if it is not required, it will be destroyed securely in line with the SG information handling protocols.
• The review will be annually or more frequently done when a ChIRP is removed/added.
• Anonymisation is not appropriate.

6.6 GDPR Articles 12-22 – data subject rights

Compliant – Yes/No

Yes

Description of how you have complied

• Data is collected and held in accordance with the data subject's rights.
• The register will be updated as needed to ensure the content is correct and up to date.
• A privacy notice will be provided to all ChIRPs stating what personal information will be held and for what purpose and what their rights are. Right of access – can be actioned by contacting the ACR Team or the SG data protection branch.

6.7 Principle 6 - security

Compliant – Yes/No

Yes

Description of how you have complied

• Data is held on the SG SCOTS system and in a file in erdm with access restricted to an ad hoc group of named individuals.
• Information is shared only via the PS pnn network.
• All SG staff complete mandatory Data Protection training at least once per year to ensure staff are aware of regulation.

6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the UK.

Compliant – Yes/No

Yes

Description of how you have complied

Information will only be transferred within Scotland.