Publication - Impact assessment

Disability Assistance for Working Age People (Scotland) Regulations: data protection impact assessment

Data protection impact assessment to consider the impacts of the Disability Assistance for Working Age People (Scotland) Regulations 2022.

Data Protection Impact Assessment (DPIA) for legislation for the Disability Assistance for Working Age People (Scotland) Regulations 2022

Summary of proposal:

Regulations to make provision to:

  • establish Adult Disability Payment (ADP), which will be delivered by Social Security Scotland on behalf of Scottish Ministers, and will replace Personal Independence Payment (PIP) in Scotland. PIP is currently delivered by the Department for Work and Pensions (the DWP) on behalf of the Scottish Ministers under an agency agreement; and
  • enable the transfer of entitlement for the recipients of PIP.

Your department:

Social Security Policy Division, Scottish Government

Contact email:

Nathan.Gale@gov.scot

Data protection support email

Data protection officer

Stuart Gardner

dataprotectionofficer@gov.scot

Is your proposal primary legislation, secondary legislation or other form of statutory measure?

The provisions are being made through secondary legislation. Draft Regulations will be laid before the Scottish Parliament under sections 13(3), 31(2), 36(2), 41(4)(a), 43(5), 51, 52 and 95 of the Social Security (Scotland) Act 2018. The instrument will be subject to the affirmative procedure.

What stage is the legislative process at? Please indicate any relevant timescales and deadlines.

Assuming coming into force on 21 March 2022, then making and laying dates would need to be 54 days (not including periods of recess of more than 4 days), as it has been agreed by convention with Parliament that instruments subject to the affirmative procedure should be laid for 54 sitting days.

The regulations were laid before Parliament on 17 December 2021.

Have you consulted with the ICO using the Article 36(4) form (please provide a link to it)?

Completed Article 34 (4)

If the ICO has provided feedback, please include this.

Completed - ICO feedback

Do you need to hold a public consultation and if so has this taken place?

Consultation on a previous draft of these Regulations was held between 20 December 2020 and 15 March 2021. A total of 127 consultation responses were received overall - 78 from individuals and 49 from organisations (including Disabled People's Organisations, Deaf People's Organisations, local authorities, third sector charities/groups and others). To support the online consultation, the Scottish Government also ran a series of stakeholder engagement events attended by a broad range of organisations and individuals with lived experience of disability. Full analysis of the consultation was published in June 2021:

Adult Disability Payment: consultation analysis - gov.scot (www.gov.scot)

The consultation on these Regulations was preceded by a broader consultation on Disability Assistance. The Consultation on Disability Assistance built on work with people with lived experience of benefits ('the Experience Panels') and was published on 5 March 2019. In line with the principles of dignity, fairness and respect, the Scottish Government sought the views of the people of Scotland on the proposed disability assistance benefits, including Disability Assistance for Working Age People (now known as ADP). The consultation closed on 28 May 2019, having received 263 replies, of which 74 were from stakeholder organisations and 189 were from individuals. Full analysis report of the Consultation on Disability Assistance in Scotland was published in October 2019: https://www.gov.scot/publications/consultation-disability-assistance-scotland-analysis-responses/

Two surveys of experience panel members[1] and a series of individual and group interviews focused on the case transfer process itself, including when clients should be notified, what information they should be given, what order clients should be transferred in, and what information should be transferred. These were carried out in Spring 2019 and the results published:

Due to the technical nature of the provisions and the engagement on the process to date it was not considered necessary to undertake a formal consultation on the draft regulatory provisions for case transfer. We continue to engage with stakeholders whilst we design the processes for case transfer.

Were there any comments/feedback from the public consultation about privacy, information or data protection?

During the ADP consultation, respondents and those attending stakeholder events welcomed the use of existing data, and information which already exists in the public sector, to inform decisions.

Respondents welcomed the change to gather information from a broad range of sources, as well as accepting input from informal sources. It was suggested that this would help to shift the burden from the individual and allow those who knew them best to provide information on the real impact that their condition has on their abilities. It was felt that this would make the process less stressful for the applicant.

Some organisations did, however, seek clarity on how any data-sharing process would work and the point at which the applicant would give permission for this. Another organisation cautioned that it would be important for Social Security Scotland to consider health inequalities in access to primary care which may affect the quality and availability of information about the person. The data-sharing process will be one part of the information gathering process. We will consider the needs a client has in a holistic and person-centred way.

Both case transfer surveys sought feedback from experience panel members on the processes for transfer. Responses to the first survey showed a strong preference for our intention that no client should have to reapply for their benefit as part of the case transfer process. In the second set of interviews with experience panel members participants were presented with the different types of information that Social Security Scotland may take over as part of a client's case transfer. Participants were asked how they felt about Social Security Scotland taking over the different information types. It was explained that some information is essential for Social Security Scotland to take over as part of a client's case, including payment information, personal information (such as a client's address and contact information) and award information. All participants asked agreed that this information should be transferred as part of a client's case. Nearly all those asked were happy with Social Security Scotland taking over application information. Again, the majority of participants were happy for information submitted for evidence to be taken over. Views were mixed on taking over assessment information and case management information.

Some participants saw no problems with Social Security Scotland taking over assessment information and thought it would be better for Social Security Scotland to have all the information that DWP currently hold as part of a client's case. Some participants requested that Social Security Scotland staff view the contents of previous assessments with a critical eye if the information is to be transferred. However, some participants thought that assessment information should not be taken over. The most common reason for this was that participants did not feel the information from their assessment was accurate or correct. Participants spoke of their previous experience of assessments with DWP and some said they would like a fresh start with Social Security Scotland.

Some participants wanted case management information to be transferred so that there was a fully comprehensive record of a client's circumstances. However, many participants saw this information as irrelevant and questioned whether it would be needed. Similarly to assessment information, some participants also spoke of wanting a fresh start with Social Security Scotland and therefore didn't want this information transferred. Gathering this information is intended to reduce the burden on clients.

Our approach to gather all relevant information is intended to reduce the burden on clients. It means people will not need to submit new information to Social Security Scotland. However, where a client is unhappy with their award, they will be able to submit new information to Social Security Scotland.

Question / Comments

1 What issue/public need is the proposal seeking to address? What policy objective is the legislation trying to meet?

The Scotland Act 2016 made provision to devolve limited aspects of social security powers to Scottish Ministers, including 11 social security benefits:

  • Benefits for carers, disabled people and those who are ill: Attendance Allowance, Carer's Allowance, DLA, PIP, Industrial Injuries Scheme Benefits and Severe Disablement Allowance.
  • Benefits which currently comprise the Regulated Social Fund: Cold Weather Payment, Funeral Payment, Sure Start Maternity Grant and Winter Fuel Payment.
  • Discretionary Housing Payments.

The Social Security (Scotland) Act 2018 received Royal Assent on 1 June 2018 and sets out the overarching legislative framework for the delivery of devolved forms of social security assistance.

Scottish Ministers will, through a series of regulations, make provision for new benefits to replace some current UK benefits for clients in Scotland.

In addition, Scottish Ministers will make provision for the transfer of clients resident in Scotland currently in receipt of the UK disability and carer benefits, that are currently being administered and paid by the DWP for clients in Scotland under agency agreements, onto these new Scottish benefits.

Over 700,000 people are currently in receipt of UK disability and carer benefits that will be replaced by Scottish forms of assistance and responsibility for delivering benefits for these people will require to be transferred from the DWP to Social Security Scotland as the new forms of Scottish disability and carers assistance 'go live'.

These regulations will make provision to establish ADP and for the transfer of entitlement for working age adults in Scotland currently in receipt of PIP. Based on DWP data, in Scotland in November 2020 there were approximately 280,000 people receiving PIP.

2 Does your proposal relate to the processing of personal data? If so, please provide a brief explanation of the intended processing and what kind of personal data it might involve. Who might be affected by the proposed processing?

Is the processing considered necessary to meet a policy aim? Is there a less invasive way to meet the objective (for example, anonymising data, processing less data).

Please also specify if this personal data will be sensitive or special category data or relate to criminal convictions or offences

(Note: 'special categories' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person's sex life or sexual orientation and sensitive personal data means criminal information or history)

Intended processing and how it meets the policy aim

To make determinations of entitlement for new clients applying for ADP, Social Security Scotland will collect information by way of an application form. The application form will be available in both paper and digital formats, and will include information about the identity of the client (name, date of birth, address and NINO), their communication preferences, information about the impact of their disability or illness, and payment details.

As entitlement to ADP relates to an adult, in some cases someone with responsibilities under Part 2, 4 or 6 of the Adults with Incapacity (Scotland) Act 2000 will be applying on behalf of the individual. Social Security Scotland will also collect information about their identity (name, date of birth, address and NINO). Further supporting data and information will also be collected from the clients, Social Security Scotland practitioners as well as from formal sources such as a GP or social worker. We will also gather supporting information from informal sources such as a client's friends and family. This will be processed as part of the process to consider the application and make a determination, as part of any re-determination or appeal, and as part of any future review of entitlement.

For the transfer of entitlement for adults currently in receipt of PIP from the DWP to Social Security Scotland, both organisations will work together to securely transfer data and information held by DWP that is necessary to: create a client file within Social Security Scotland's case management system; to make a determination of entitlement to ADP; to support the future management of the award and to put the award into payment. This is to ensure that adults in receipt of PIP are not required to re-apply for the replacement benefit and to ensure they are not disadvantaged or face any interruption to receipt of their benefits.

Information transfer will also ensure that Social Security Scotland does not have to duplicate requests for relevant information that has already been supplied. Otherwise there would be additional and unnecessary burdens on the individual, other government departments, or other third parties, such as health care providers, who would be required to re-provide supporting information.

The data and information transferred will, therefore, include much of the same data and information on the individual or appointee that receives payment on the person's behalf, as is required for a new application and for managing the award for the individual once a determination of entitlement has been made.

This will include information on the individual's disability and data necessary to effect payment of the benefit such as address and bank details. To have information to communicate effectively with clients, information such as accessibility requirements and language preferences will also be transferred.

The volume of data transferred will vary depending on the client. For example, not all clients will have an appointee. The data being transferred has been agreed with DWP, and included within the relevant benefit appendix in the Case Transfer Data Sharing Agreement.

The volume of supporting information transferred will also vary by client. Based on a response from DWP we estimate that the volumes of forms and supporting information received will be 20-30 pages per client, with an average size of 50kb per page.

Special category, sensitive information and data relating to criminal convictions or offences

For both new applications and case transfer, data and information regarding the impact of a client's disability will be processed, and this may include details of their health and social care requirements, and also whether they have a terminal illness. For case transfer, data on the clients' care and mobility award components for their award will be transferred, together with any supporting records supplied in connection with the original application to the DWP.

In some cases this data may also be sensitive, for example DWP will transfer details of clients with a terminal illness and from the records supplied Social Security Scotland will determine and record if the client is aware or not of their terminal illness.

No data on criminal convictions or offences will be transferred. However, if the client is in legal detention this data will be transferred as this impacts on the client's benefit entitlements.

There is a risk (Transparency) that clients who have their records transferred from the DWP will not understand the changes to how they can exercise their data subject rights. This has been mitigated by a number of communications including:

Letter notifying the client of the transfer

Letter and leaflet from Social Security Scotland welcoming the client, detailing their rights for re-determination and appeal and providing information on the privacy notice and how to exercise their data subject rights.

Equalities Data

All clients are asked to complete an Equality Monitoring and Feedback form along with the application form for each benefit delivered by Social Security Scotland. The data collected is used to identify who is using the service, to investigate how Social Security Scotland processes work for different groups of people and to understand whether groups with protected characteristics are able to adequately access social security payments. The equalities data is also analysed by outcome of application to assess if there is any variation.

Any data related to protected characteristics and held on existing clients' files will also be transferred and used for similar purposes and in line with how it was originally collected.

For additional protection all equalities data is retained in a separate location to the client record in a pseudonymised state.

Processing of such data already occurs as part of Social Security Scotland administering devolved benefits but this will increase the volume of special category information being processed as it relates to a new form of disability assistance being administered by Social Security Scotland.

Health Data

In some cases a consultation will be part of the decision making process where a Health or Social Care Practitioner will gather more information on the impact of a client's disability or illness. Information collected during this process will be shared with the individual in a detailed document for them to check accuracy.

3 Will your proposal engage any rights under ECHR, in particular Article 8 ECHR? How will the proposal ensure a balance with Article 8 rights? If the proposal interferes with Article 8 rights, what is your justification for doing so - why is it necessary?

Article 8 ECHR:

Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

You may also wish to consider

Article 6 right to a fair trial (and rights of the accused)

Article 10 right to freedom of expression

Article 14 rights prohibiting discrimination

Or any other convention or treaty rights?

Yes. No. The gathering of information from the client and other sources is relevant to Article 8 rights, but it is justified on the basis that the client is required to consent to this information being gathered.

The information gathered from the client, the DWP, and other sources of information is in line with information sharing agreements and processing requirements. We will gather only what is needed to make a determination of someone's entitlement to Adult Disability Payment, which they have requested.

There are instances where information gathered may be withheld from a client, such as in the event where a client is terminally ill. It may be deemed in the best interests of the client to withhold this information from them.

We anticipate in some cases that new applications will be submitted to Scottish Ministers by someone acting as an appointee. Social Security Scotland can appoint a person, or organisation, to act on behalf of a client under section 85B of the Social Security (Scotland) Act 2018 (the 2018 Act). This can occur where on the balance of probabilities the client meets the definition of 'incapable' set out in section 1(6) of the Adults with Incapacity (Scotland) Act 2000 (the 2000 Act) and there is no-one else with legal authority to manage their benefits for them.

In such cases, Social Security Scotland will seek the views of the client (where possible), anyone with legal rights on behalf of the client, and others with an interest in their welfare or financial affairs before appointing a third party to act on the individual's behalf.

There will also be a legal right to dispute a decision to appoint someone without legal rights to the First-Tier Tribunal for Scotland, to ensure that there is a sufficiently fair and robust process to resolve any disputes.

For case transfer, there will be an assumption that a person acting as an appointee for the purposes of a DWP award will be treated as an appointee for the new ADP award until Social Security Scotland's appointee processes set out in the statutory guidance required by section 85C of the 2018 Act can be applied. This will be done as soon as reasonably practical after the client's case has transferred to Social Security Scotland.

4 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security

(Non-exhaustive examples might include whether your proposal requires online surveillance, regulation of online behaviour, the creation of centralised databases accessible by multiple organisations, the supply or creation of particular technology solutions or platforms, or any of the areas covered in questions 4a or 4b.)

In practice, DWP will encrypt the data and the Scottish Government will decrypt on arrival. All data will be accessed – identity and access mapping will be completed.

The existing infrastructure and security used by Social Security Scotland to transfer data from DWP will be utilised. There are no legislative measures relating to technology.

Technology already used to provide other Social Security Scotland payments will be used to support the payment of ADP. Technology used to support the applications for ADP and payment of ADP will be limited to support those functions necessary.

4a Please explain if the proposal will have an impact on the use of technology and what that impact will be.

Please consider/address any issues involving:

  • Identification of individuals online (directly or indirectly, including the combining of information that allows for identification of individuals, such as email addresses or postcodes);
  • Surveillance (necessary or unintended);
  • Tracking of individuals online, including tracking behaviour online;
  • Profiling;
  • Collection of 'online' or other technology-based evidence;
  • Artificial intelligence (AI);
  • Democratic impacts e.g. public services that can only be accessed online, voting, digital services that might exclude individuals or groups of individuals

(Non-exhaustive examples might include online hate speech, use of systems, platforms for delivering public services, stalking or other regulated behaviour that might engage collection of evidence from online use, registers of people's information, or other technology proposals that impact on online safety, online behaviour, or engagement with public services or democratic processes.)

No.

4b Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

No.

5 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

The proposal does not introduce any new requirements regarding investigatory powers; these are already included in the Social Security (Scotland) Act 2018 and regulations to be made under it.

6 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

This proposal relates to the collection of data and information in relation to new applications for ADP and the transfer of data and information on adults in Scotland currently in receipt of PIP so will have a direct impact on the client and the individual to whom the benefit is paid (in the case of an appointee). The main data subject should in the vast majority of cases be a disabled adult. The individual to whom the benefit is paid may also in some cases be a member of a specific group, for example they may be disabled or be elderly.

Impact assessments have been drafted, including an Equalities Impact Assessment and Children's Rights and Wellbeing Impact Assessment, with the intention that these are to be laid alongside the draft regulations in the Scottish Parliament in December 2021.

7 Will these Regulations necessitate the sharing of personal data to meet the policy objectives? For example

  • From one public sector organisation to another public sector organisation;
  • From a public sector organisation to a private sector organisation, charity, etc.;
  • Between public sector organisations;
  • Between individuals (e.g. practitioners/ service users/sole traders etc.);
  • Upon request from a nominated (or specified) organisation?

If so, do these Regulations make appropriate provision to establish a legal gateway to allow for sharing personal data? Please briefly explain what the gateway will be and how this then helps meet one of the legal bases under Article 6 of the GDPR.

(Please provide details of data sharing, e.g. if there is a newly established organisation, if it is new sharing with an already established third party organisation, if it is with a specified individual or class of individuals, or any other information about the sharing provision/s. State what is the purpose of the sharing and why it is considered to be necessary to achieve the policy aims.)

Yes.

Personal data will be transferred from the DWP to Social Security Scotland in order for clients to be moved on to a devolved Scottish benefit without completing a new ADP application. In order to process new applications to make a determination on a client's entitlement to ADP, and to carry out any re-determinations, appeals and reviews of entitlement, personal data will also be sought from and shared with other public sector organisations and third parties.

There are already legal gateways in place to enable the sharing of data with the DWP.

Sharing of personal data with a number of other government departments and third parties already occurs as part of Social Security Scotland administering devolved forms of assistance and benefits, but this will increase the volume of data being shared as it relates to a new form of disability assistance being administered by Social Security Scotland and to the first time data and information has been shared to facilitate case transfer.

Provision has already been made under section 85 of the Social Security (Scotland) Act 2018 and the Social Security Information-sharing (Scotland) Regulations 2021 for the sharing of information between certain public bodies to Scottish Ministers for the purpose of social security functions, or other functions prescribed in legislation. Further regulations are also due to be laid on 17 December 2021, under enabling powers in the 2018 Act, to enable the sharing of social security information with vehicle suppliers who supply vehicles under the Accessible Vehicles and Equipment (AVE) for ADP.

8 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

There is nothing potentially controversial or of significant public interest. For case transfer, client research has confirmed that the majority of clients are supportive of transfer of information to allow the new benefit to be set up rather than being required to complete a new application for a benefit they consider they are already entitled to. There are no identified potential unintended consequences.

The processing of data will follow the same high security standards already in place within Social Security Scotland for the processing of new applications.

A security risk assessment is completed for all new processes and one will be completed for Adult Disability Payment. This will be contained in the Operational Data Protection Impact Assessment.

The operational DPIA will consider the data subject rights of individuals associated with the processing and payment of ADP and ensure that any risks are mitigated to ensure the rights of data subjects are not impacted.

9 Are there consequential changes in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

(This might include, for example, regulation or order making powers; or provisions repealing older legislation; or reference to existing powers (e.g. police or court powers etc.).)

Provisions consequential to the regulations establishing ADP and providing for case transfer for Scottish cases are being made under the Disability Assistance for Working Age People (Consequential Amendment and Transitional Provision) (Scotland) Regulations 2022. These regulations will not relate to information sharing and/or information processing.

10 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

No

Summary - Data Protection Impact Assessment

11 Do you need to specify a Data Controller/s?

Joint Data Controller for client data held by Department for Work and Pensions (DWP) from the first file transfer up to the agreed end date on the DWP award: DWP and SG Social Security Scotland.

Social Security Scotland will be Data Controller for all client data once the case transfer process is complete.

12 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Social Security Scotland are not proposing to use anything over and above the existing safeguarding measures which are in place for new cases which include:

  • Pseudonymisation of equalities data
  • Redaction of personal data received on documents during the application process
  • Retention schedule to minimise personal data where there is no longer a purpose to retain it.

13 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making.

Personal data will be used to inform decisions on a client's entitlement to disability benefits and make payments to them. For both new applications and case transfers, determinations of entitlement will be subject to full re-determination and appeal rights.

There is a risk that clients will not be fully aware of their right to full re-determination and appeal.

This will be mitigated through a communications framework for all clients whose case is transferred with letters detailing this process.

All clients are also asked to complete an Equality Monitoring and Feedback form along with the application form for each benefit delivered by Social Security Scotland. The data collected is used to identify who is using the service, to investigate how Social Security Scotland processes work for different groups of people and to understand whether groups with protected characteristics are able to adequately access social security payments. The equalities data is also analysed by outcome of application to assess if there is any variation.

Any equalities data held on existing clients' Disability Assistance files will also be transferred and used for similar purposes and in line with how it was originally collected.

For additional protection all equalities data is retained in a separate location to the client record in a pseudonymised state.

14 If the proposal involves processing, do you or stakeholders have any relevant comments about mitigating any risks identified in the DPIA including any costs or options, such as alternative measures.

No.

I confirm that the impact of The Disability Assistance for Working Age People (Scotland) Regulations 2021 has been sufficiently assessed in compliance with the requirements of the GDPR

Name and job title of an IAO or equivalent:

Ian Davidson, Deputy Director of Social Security Policy Division

Date each version authorised:

13 December


Contact

Email: matthew.duff@gov.scot