The Cross-border Placement of Children (Requirements, Effect and Enforcement) (Scotland) Regulations 2026: Data Protection Impact Assessment
Data Protection Impact Assessment (DPIA) for The Cross-border Placement of Children (Requirements, Effect and Enforcement) (Scotland) Regulations 2026
6. Risk Assessment
6.1 Risk to individual rights
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed.
All controllers involved are well-established organisations and have processes in place for handling data rights requests. SG guidance will remind controllers of their obligations and encourage strengthening of processes to accommodate any new processing where necessary.
6.2 Right to be informed
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance to placing authorities in England, Wales, and Northern Ireland advising the need to explain to individuals that their information will be shared with specified Scottish parties and processed accordingly.
Likelihood: High
Severity: Green
Result: Mitigated
6.3 Right of access
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance that each specified party should be prepared to comply with any access requests they receive.
Likelihood: Low
Severity: Green
Result: Mitigated
6.4 Right to rectification
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance that each specified party should be prepared to comply with any rectification request they receive.
Likelihood: Low
Severity: Green
Result: Mitigated
6.5 Right to erasure
It is noted that this is not an absolute right and that this right does not apply if processing is necessary for the performance of a task carried out in the public interest.
Likelihood: Right does not apply
Severity: Right does not apply
Result: Right does not apply
6.6 Right to restrict processing
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance that specified parties should only process the data lawfully and should be prepared to comply with any restriction requests received.
Likelihood: Low
Severity: Green
Result: Mitigated
6.7 Right to data portability
This right does not apply as the lawful basis for processing the information is legal obligation.
Likelihood: Right does not apply
Severity: Right does not apply
Result: Right does not apply
6.8 Right to object
This right does not apply as the lawful basis for processing the information is legal obligation.
Likelihood: Right does not apply
Severity: Right does not apply
Result: Right does not apply
6.9 Right in relation to automated decision making and profiling
This is not applicable as all decisions will be person centred and made on an individual basis by an individual acting in their official capacity.
6.10.1 Privacy risks
Purpose limitation
Mitigation: The Scottish Government will set out clearly in guidance that placing authorities should only share information that is necessary as set out in the Regulations, and that sharing of any further information as required should be underpinned by data sharing agreements.
Likelihood: Low
Severity: Green
Result: Mitigated
6.10.2 Privacy risks
Transparency - data subjects may not be informed about the purposes and lawful basis for the processing, and their rights
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance to placing authorities in England, Wales, and Northern Ireland advising the need to explain to individuals that their information will be shared with specified Scottish parties and processed accordingly.
Likelihood: Low
Severity: Green
Result: Mitigated
6.10.3 Privacy risks
Minimisation and necessity
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance to placing authorities that they should only provide information that is necessary and relevant for the purpose set out in the Regulations. This will be supplemented by a template for capturing only necessary information.
Likelihood: Low
Severity: Amber
Result: Reduced
6.10.4 Privacy risks
Accuracy of personal data
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance to placing authorities to ensure the data they are sharing is as accurate as possible.
Likelihood: Low
Severity: Amber
Result: Accepted
6.11.1 Security risks
Keeping data securely / Retention
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance that specified parties and placing authorities should have information sharing protocols. This will be augmented by specified parties and placing authorities having policies on access permissions on data processors, thereby restricting who can access personal information.
Scottish Ministers will store data in a secure folder with limited access and will only retain data for as long as is necessary.
Likelihood: Low
Severity: Amber
Result: Reduced
6.11.2 Security risks
Transfer – data may be lost in transit
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance that placing authorities and specified parties should have organisational information security policies in place and ensuring that everyone understands the requirements of confidentiality and integrity for personal data that is processed. The Scottish Government will clearly signpost where the information is to go in the template and guidance which will accompany the Regulations.
Likelihood: Low
Severity: Green
Result: Reduced
6.11.3 Security risks
N/A
6.12 Other risks
Children’s loss of control of their information where shared with numerous controllers who they may have no further engagement with.
Mitigation: The Scottish Government will mitigate this risk by providing clear guidance that specified parties should consider the necessity of holding data and delete it when it is no longer necessary to retain it.
Likelihood: Low
Severity: Green
Result: Mitigated
Are there specified risks to be considered for differing ages of children?
There are no additional / differing risks based on the age of the child about whom information is being shared.
Likelihood: N/A
Severity: N/A
Result: N/A
The Regulations introduce a broader requirement to share both children’s and professionals’ data with multiple parties in Scotland. While current Regulations already allow for such data sharing, it is limited to specific court orders involving a small number of children. The new provisions significantly expand this obligation to cover all cross-border placements, resulting in a substantial increase in the volume of data shared and the number of individuals whose personal information is processed.
To mitigate the risks associated with the increased data sharing requirements, robust data sharing agreements should be established with all relevant Scottish parties, clearly outlining the purpose, scope, and safeguards around the use of personal data. A strong emphasis has been placed on data minimisation, ensuring that only the essential information is being shared. Targeted awareness-raising for parties involved in these processes will help ensure compliance with data protection obligations and promote best practices. Additionally, clear retention and deletion policies will be implemented to ensure that personal data is only retained for as long as is necessary.
Likelihood: High
Severity: Amber
Result: Mitigated
Data Protection Officer (DPO)
The DPO may give additional advice, please indicate how this has been actioned.
Advice from DPO: I have reviewed this legislation DPIA and am content that the privacy risks are low and well acknowledged and mitigated – I have no specific advice or recommendations for the policy team.
Helen Findlay
SG Data Protection Officer
24 October 2025
Action: N/A
I confirm that the Cross-border Placement of Children (Requirements, Effect and Enforcement) (Scotland) Regulations 2026 has been sufficiently assessed in compliance with the requirements of the UK GDPR and Data Protection Act 2018.
Name and job title of an IAO or equivalent:
Ian Donaldson
Deputy Director, Children’s Rights, Protection and Justice
Date each version authorised: 18/11/2025