Care Home Services (Visits to and by Care Home Residents) (Scotland) Regulations 2026: data protection impact assessment
Data protection impact assessment undertaken to consider the impacts on personal information as a result of The Care Home Services (Visits to and by Care Home Residents) (Scotland) Regulations 2026.
6. Further assessment and risk identification
6.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?
In some cases, it may do if an Essential Care Supporter is identified whose personal details are not held by the provider.
It is anticipated that providers will use existing identifiers to maintain the record, where the details of the person named as the Essential Care Supporter are already set out in the resident’s personal plan.
6.2 Will the proposal require regulation of:
(i) technology relating to processing
(ii) behaviour of individuals using technology
(iii) technology suppliers
(iv) technology infrastructure
(v) information security
No new technology will be developed in respect of this section of the Act. The Code of Practice will set out the training and access requirements for personal information.
6.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?
No
6.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour).
N/A
6.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?
It has an impact on vulnerable, disabled and elderly people who are resident in adult care homes. However, processing personal information relating to Essential Care Supporters ensures that residents can receive a visit from that individual even when other visits are paused, thereby strengthening rights rather than restricting them.
6.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?
Are there any potential unintended consequences with regard to the provisions, e.g. would the provisions result in unintended surveillance or profiling?
Have you considered whether the intended processing will have appropriate safeguards in place? If so, briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.
No. The provision gained cross-party support during the Bill’s passage through Parliament. The Care Home Relatives Scotland group has been campaigning for this policy to be enshrined in law to protect the rights of care home residents to visits. It is likely that the subjects of personal data processing for this purpose will be family and friends, most of whom will already be recorded by the care home.
No unintended consequences are anticipated.
The Scottish Government will issue a statutory Code of Practice to accompany the regulations.
Care home providers will have policies and procedures in place for safeguarding personal information in accordance with data protection legislation. The Care Inspectorate would flag any obvious concerns relating to data handling where identified through their scrutiny activity.
6.7 Are there consequential changes to other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?
No
6.8 Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
It will be accompanied by a statutory Code of Practice.
6.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so, briefly explain the nature of those safeguards.
Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.
Storage security will fall within the care home provider’s own process and responsibilities for personal information under the data protection legislation.
6.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.
Decisions around visiting residents during periods of infectious outbreaks will be affected by whether details of an Essential Care Supporter are held by the care home.
However, processing personal information relating to Essential Care Supporters ensures that residents can receive visits from that individual under certain circumstances when other visits are paused, thereby strengthening rights rather than restricting them.
6.11 Will the proposal include automated decision making/profiling of individuals using their personal data?
No
6.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as a country outside the UK.)
No