Care Home Services (Visits to and by Care Home Residents) (Scotland) Regulations 2026: data protection impact assessment
Data protection impact assessment undertaken to consider the impacts on personal information as a result of The Care Home Services (Visits to and by Care Home Residents) (Scotland) Regulations 2026.
7. Risk Assessment
7.1 Risk: Risk to individual rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Solution or mitigation
Informed: The Essential Care Supporter will be informed of the data gathered and held on them.
Likelihood: Low
Severity: Green
Result: Eliminated
Access: Individuals can exercise subject access rights under UK GDPR. The established subject access request (SAR) process already applies to care home providers.
Likelihood: Low
Severity: Green
Result: Eliminated
Rectification: Under Article 16 of UK GDPR, individuals will have the right to request that inaccurate information is rectified by care home providers.
Likelihood: Low
Severity: Green
Result: Eliminated
Erasure: Under Article 17 of UK GDPR individuals have the right to have their personal data erased. However, this does not apply where there is a legal obligation to process the personal information. The Care Reform (Scotland) Act places a duty on care home providers to maintain an accurate record of Essential Care Supporters. If an individual were to request that their personal information be erased, this would not be possible if they wanted to maintain their role as the resident’s Essential Care Supporter.
Likelihood: Low
Severity: Green
Result: Eliminated
Restrict processing: Under Article 18 of UK GDPR, individuals have the right to restrict the processing of their personal information in certain circumstances. In practice this means that care home providers would not be able to use their information without their consent. As with erasure, if an individual were to request that the processing of their personal information be restricted, this might not be possible if they wanted to maintain their role as the resident’s Essential Care Supporter.
Likelihood: Low
Severity: Green
Result: Accepted
Data portability: This gives individuals the right to request that their data is transferred directly from one data controller to another. This may be applicable if a resident moves from one care home to another but retains the same Essential Care Supporter, however processes are already in place for portability of data relating to next-of-kin etc.
Likelihood: Low
Severity: Green
Result: Reduced
Object: Under Article 21 of UK GDPR, individuals can request that an organisation stop processing their personal information. However, under Anne’s Law, care home providers will be required to collect and retain personal data, so the right to object will not be absolute.
Likelihood: Low
Severity: Green
Result: Accepted
Automated decision making and profiling: This right is unlikely to apply as all decisions relating to Essential Care Supporters will require human involvement.
Likelihood: Low
Severity: Green
Result: Eliminated
Privacy risks – Solutions or mitigation
7.2 Purpose limitation
The Code of Practice will clarify that personal data about Essential Care Supporters will be gathered solely for the purpose of maintaining meaningful connection and access to care homes, in line with the legislation.
Likelihood: Low
Severity: Green
Result: Eliminated
7.3 Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights
The Code of Practice will require care home providers to explain to Essential Care Supporters why data is being collected, the lawful basis for processing, how it will be used and how long it will be retained.
Likelihood: Low
Severity: Green
Result: Eliminated
7.4 Minimisation and necessity
The Code of Practice will require providers to collect only the contact information necessary.
Likelihood: Low
Severity: Green
Result: Eliminated
7.5 Accuracy of personal data
The legislation requires care home providers to “maintain” a record of Essential Care Supporters. The Code of Practice will provide more detail on the need to ensure initial accuracy of data and the importance of keeping data up to date.
Likelihood: Low
Severity: Green
Result: Eliminated
7.6 Keeping data securely – Retention
There is a risk of unauthorised access by care home staff and of retaining information for longer than necessary. Care home providers routinely process personal information relating to next-of-kin, emergency contacts and visitors, which is subject to protection under UK GDPR. The Code of Practice will remind providers of the need to apply the same protections to Essential Care Supporters.
7.7 Transfer – data may be lost in transit
There may be a risk of data being lost in transit when a resident moves from one care home to another. This risk already exists for information held on next-of-kin and is detailed in the Care Inspectorate’s guidance on record keeping.
7.8 Security risks
No other risks have been identified.
7.9 Other risks - Will this impact on children?
No specific impacts on children unless they are identified as Essential Care Supporters. A separate Child Rights and Wellbeing Impact Assessment has been carried out.