Children (Scotland) Bill: data protection impact assessment

Assessment carried out in relation to the Children (Scotland) Bill to identify and mitigate risks to privacy, and identify how data protection regulations will be complied with.


Children (Scotland) Bill - Data Protection Impact Assessment (DPIA)

1. Introduction

The purpose of this impact assessment is to report on and assess against any potential data protection impacts as a result of the Children (Scotland) Bill.

2. Document metadata

2.1 Name of Project: Children (Scotland) Bill

2.2 Author of report: Family Law Unit, Civil Law & Legal System, Justice Directorate, Scottish Government

2.3 Date of report: 2 September 2019

2.4 Name of Information Asset Owner (IAO) of relevant business unit: Gavin Henderson, Deputy Director, Civil Law & Legal System.

2.5 Date for review of DPIA:

Review date Details of update Completion date Approval Date

Stage 2 of Children (Scotland) Bill.

DPIA will be reviewed to reflect any amendments

Stage 3 of Children (Scotland) Bill

DPIA will be reviewed to reflect any amendments

Royal Assent of Children (Scotland) Bill

DPIA will be reviewed to reflect any amendments

3. Description of the project

3.1 Description of the work:

The Children (Scotland) Bill resulted from a consultation on the Review of the Children (Scotland) Act 1995 (the 1995 Act) which is the key legislation in relation to parental responsibilities and rights and cases on where a child should live and who should see the child where parents are separated or not together (contact and residence cases).

The key policy aims of the Bill are to:

  • ensure that the child’s best interests are at the centre of any contact and residence case or Children’s Hearing;
  • ensure that the views of the child are heard;
  • further protect victims of domestic abuse and their children; and
  • further compliance with the principles of the United Nations Convention on the Rights of the Child (UNCRC).

3.2 Personal data to be processed.

Variable Data Source

Establishing registers of Child Welfare Reporters and curators ad litem (curators) appointed in cases under section 11 of the 1995 Act will require the Scottish Ministers or a contactor to operate the registers. This could include personal details, date of birth, employment history, appraisal forms, training records and any records of misconduct.

The personal information will be provided by the Child Welfare Reporters and curators themselves.

Establishing a register of lawyers who can be appointed to represent a party where an individual has been banned from personal conduct of a case and has not appointed a lawyer themselves would require the Scottish Ministers or a contractor to hold personal details of the lawyers on the list. This could include personal details, date of birth, employment history, appraisal forms, training records and any records of misconduct.

This information would be provided by the individuals who are appointed to the list of lawyers.

Placing a duty on local authorities to promote sibling personal relations could require local authorities to hold information on individuals who a child considers to be a sibling.

The personal information could be provided by the child, or their parents, by other relatives or by the sibling themselves.

3.3 Describe how this data will be processed:

In the first circumstance, personal data on the existing Child Welfare Reporters are on lists held by the Court of Session and the six sheriffs principal. Personal data on the existing curators appointed in cases under section 11 of the 1995 Act is currently held by different individuals in different areas of Scotland. In some sheriffdoms curators are appointed from the list of Child Welfare Reporters held by the sheriff principal. In other areas curators are appointed from the panel of curators held by each local authority for permanence and adoption cases. In one sheriffdom the sheriff principal maintains a separate list.

The personal data held on Child Welfare Reporters and curators includes contact information and employment history. The Bill will mean that this information would be gathered by Scottish Government. This work may be contracted out to another organisation. The information will only be accessed by the body who will be responsible for operating and maintaining the registers of Child Welfare Reporters and curators or the relevant team within Scottish Government. The information will be stored in an appropriate manner and disposed of securely when no longer required. The data will be owned by either the Scottish Government or the organisation that is contracted to do this work. Child Welfare Reporters and curators will be asked to notify any changes to contact details. Child Welfare Reporters and curators are likely to require regular appraisals and to maintain a training record. Any complaint is likely to be raised directly with either the Scottish Government or the organisation contracted to do this work.

In the second circumstance, this will be a new register of lawyers established as a result of provisions in the Bill prohibiting personal conduct of a case in certain circumstances including if an individual has committed a specified offence against a witness in a case. As with the registers of Child Welfare Reporters and curators this work may be contracted out to another organisation. The information will only be accessed by the body who will be responsible for operation and maintain the list. The

3.4 Explain the legal basis for the sharing with internal or external partners:

In the first two circumstances the Bill gives the Scottish Ministers the power to contract out the maintenance and operation of the registers of Child Welfare Reporters and curators and the register of lawyers when a party has been banned from personally conducting their own case. If Scottish Government consider this to be the most appropriate option then further consideration would be needed in relation to how the data is shared with the organisation(s) who wins the contract, for the registers and the list.

In the first two circumstances it is envisaged that the name of the Child Welfare Reporter, curator or lawyer appointed will be shared with the court. No other details are expected to be shared.

In the third circumstance, this data would not be held by the Scottish Ministers and therefore this is not applicable.

4. Stakeholder analysis and consultation

4.1 The Scottish Government consulted on a draft DPIA as part of the consultation on the Review of the Children (Scotland) Act 1995[1]. The Scottish Government also ran a young person friendly survey which was available on SurveyMonkey. No comments were received on the draft DPIA.

4.2 The Scottish Government also consulted with the Information Commissioner’s Office under section 36(4) of the General Data Protection Regulation. The Scottish Government met with the Scottish Information Commissioner’s Office and no concerns were raised on the proposals in the Bill.

4.3 Method used to communicate the outcomes of the DPIA.

The DPIA has been published on the Scottish Government website.

5. Questions to identify privacy issues

5.1 Involvement of multiple organisations

In the first case, if the Scottish Government used secondary legislation to contract out the operation and administration of the registers of Child Welfare Reporters and curators then the organisation who won the contract would have access to personal data. Privacy of data would be one of the criteria when awarding the contract.

5.2 Anonymity and pseudonymity

Not applicable in any of the situations as the Scottish Government is not planning on combining data from two or more systems.

5.3 Technology

Not applicable in any of the situations.

5.4 Identification methods

Not applicable as the Scottish Government is not proposing to use unique identifiers in any of the circumstances.

5.5 Sensitive/Special Category personal data

No information on special category personal data is envisaged to be gathered in any of the circumstances.

In the first two situations the Scottish Government or its contractor will be responsible for paying individuals on the register. Therefore, they will require information on bank details for the individuals on the registers of Child Welfare Reporters or curators or on the register of lawyers.

5.6 Changes to data handling procedures

The Scottish Government would not make the personal data in any of the situations publicly available.

None of the situations involve:

  • new or changed data collection policies or practices that are unclear or intrusive; or
  • changes to data quality assurance, processes and standards that may be unclear or unsatisfactory; or
  • new or changed data security access or disclosure arrangements that may be unclear or extensive; or
  • new or changed data retention arrangements that may be unclear or extensive; or
  • a change in the medium for disclosure of publicly available information such that the data becomes more readily accessible than before.

5.7 Statutory exemptions/protection

None of the situations would require statutory exemptions/protections.

5.8 Justification

This is not application in any of the situations in relation to the Children (Scotland) Bill

5.9 Other risks

No other risks have been identified.

6. General Data Protection Regulation (GDPR) Principles

Principle Compliant – Yes/No Description of how you have complied

6.1 Principle 1 – fair and lawful, and meeting the conditions for processing

Yes

When an individual applies to be either on the register for Child Welfare Reports or curators or on the register of lawyers then they would be informed about how their personal data will be processed.

Principle Compliant – Yes/No Description of how you have complied

6.2 Principle 2 – purpose limitation

Yes

Child Welfare Reporters, curators and lawyers will be informed of the extent and specificity of personal information that is required. There will be no further use of the data once transmission has taken place because it will be securely deleted.

Principle Compliant – Yes/No Description of how you have complied

6.3 Principle 3 – adequacy, relevance and data minimisation

Yes

The data to be collected in each of the situations will be carefully considered and kept to the minimum necessary.

Principle Compliant – Yes/No Description of how you have complied

6.4 Principle 4 – accurate, kept up to date, deletion

Yes

The data held will be reviewed as part of the regular review and reappointment process for Child Welfare Reporters and curators.

Principle Compliant – Yes/No Description of how you have complied

6.5 Principle 5 – kept for no longer than necessary, anonymization

Yes

It is envisaged in the first two scenarios that if an individual wishes to be removed from any of the registers then their personal information would be deleted.

The individual appointed to the registers would be responsible for ensuring that any changes of personal data are submitted. When an individual is reappointed periodically this could be used as an opportunity to check that data remains current.

It is envisage that in the third scenario when a child either no longer requires local authority intervention or becomes an adult then the information on the individual identified as a sibling would be deleted.

Principle Compliant – Yes/No Description of how you have complied

6.6 GDPR Articles 12-22 – data subject rights

Yes

A privacy notice will be published for each of the registers. The data collected will not be used for marketing purposes.

In all of the situations it is envisaged that an individual would be able to access a copy of the information that is held about them.

Principle Compliant – Yes/No Description of how you have complied

6.7 Principle 6 - security

Yes

In the first two situations, data will be held on secure systems managed and held by either Scottish Government or a contractor, on secure servers with access only granted to staff deemed to have the training and legitimate need to access such data.

In the third situation, data will be held on secure systems managed and held by local authorities.

Principle Compliant – Yes/No Description of how you have complied

6.8 GDPR Article 44 - Personal data shall not be transferred to a country or territory outside the European Economic Area.

N/A

No data is likely to be stored outside the EEA.

7. Risks identified and appropriate solutions or mitigation actionsproposed

Is the risk eliminated, reduced or accepted?

Risk Ref Solution or mitigation Result

Personal data is inadvertently shared between Scottish Government and contractor

appointed to run any of the registers.

1

This will be mitigated by ensuring there is a data sharing agreement in place.

Eliminate and reduce

Data on individuals who a looked after child considers to be a sibling would need to be shared between local authorities if a child moves to another local authority

2

This risk will be mitigated by ensure that data sharing processes are secure.

Reduce and accept the risk

8. Incorporating Privacy Risks into planning

Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.

Risk Ref How risk will be incorporated into planning Owner

Personal data is

1

This will be considered when planning

Family Law Unit

inadvertently shared

whether to contract out the

Scottish Government.

between Scottish

administration and operation of the

Government and

registers of Child Welfare Reporters and

contractor appointed

curators and the list of lawyers.

to run any of the

registers.

Data on individuals

2

This will be highlighted to local

Looked After Children

who a looked after

authorities prior to commencement of

Unit, Scottish

child considers to be

the relevant provision in the Bill.

Government

a sibling would need

to be shared between

local authorities if a

child moves to

another local

authority

9. Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

example table

10. Authorisation and publication

The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division.

Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust, has addressed all the relevant issues and that appropriate actions have been taken.

By signing the DPIA report, the IAO is confirming that the impact of applying the policy has been sufficiently assessed against the individuals’ right to privacy.

The results of the impact assessment must be published in the eRDM with the phrase “DPIA report” and the name of the project or initiative in the title.

Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.

I confirm that the impact of the Children (Scotland) Bill has been sufficiently assessed against the needs of the privacy duty:

Contact

Email: family.law@gov.scot

Back to top