First-tier Tribunal for Scotland Social Security Chamber and Upper Tribunal for Scotland (Rules of Procedure) (Miscellaneous Amendment) Regulations 2022: data protection impact assessment

Data Protection Impact Assessment (DPIA) for legislation for The First-tier Tribunal for Scotland Social Security Chamber and Upper Tribunal for Scotland (Rules of Procedure) (Miscellaneous Amendment) Regulations 2022

1. Summary of proposal

Under section 62A of the Social Security (Scotland) Act 2018 ("the 2018 Act"), Scottish Ministers have powers for the non-disclosure of information to a recipient if it relates to the physical or mental health of an individual and if a registered medical practitioner or a registered nurse has advised Scottish Ministers that the information is likely to cause serious mental or physical harm to the recipient if disclosed. An example could be information about a diagnosis of malignancy. The recipient could be the patient or the parent/individual with legal parental responsibilities for a child.

However, section 62A of the 2018 Act only applies to certain duties of the Scottish Ministers under the 2018 Act. Section 62A will not apply if the individual's case is appealed to the First-tier Tribunal or Upper Tribunal for Scotland.

The regulations will give the First-tier Tribunal and Upper Tribunal a discretionary power to issue a direction prohibiting the disclosure of information to a person if a registered medical practitioner or a registered nurse has advised that the information is likely to cause serious harm to the physical or mental health of the recipient or some other person, subject to the Tribunal being satisfied that it is proportionate to give such a direction having regard to the interests of justice.

Your department: Social Security Policy Division, Scottish Government

Contact email: Nathalie Leger, Policy Manager, Social Security Policy Division

Nathalie.leger@gov.scot

Data protection support email: Data protection officer, Stuart Gardner

dataprotectionofficer@gov.scot

2. Is your proposal primary legislation, secondary legislation or other form of statutory measure?

The provisions are being made through secondary legislation subject to the negative procedure.

These Regulations amend the following:

• The First-tier Tribunal for Scotland Social Security Chamber (Procedure) Regulations 2018
• The Upper Tribunal for Scotland (Social Security Rules of Procedure) Regulations 2018

3. What stage is the legislative process at? Please indicate any relevant timescales and deadlines.

We expect to lay the regulations on 12 May 2022 with an anticipated coming into force date of 21 June 2022.

4. Have you consulted with the ICO using the Article 36(4) form? If the ICO has provided feedback, please include this.

A request for consultation was submitted to the ICO.

During engagement with the ICO, they advised that they were satisfied with the assertions that:

• The proposals involve an automatic release of information during the appeal process (and is not something prompted by the appellant) and so it would not be handled under the data protection right of access, which requires the individual (or their nominated representative) to request their data.
• The decision to issue a direction to prohibit disclosure of information will be a judicial decision and;
• The use of the discretionary power can only be considered by the Tribunal where a registered medical practitioner or a registered nurse has advised that the information is likely to cause serious harm to the physical or mental health of the recipient if disclosed;
• The way the threshold for something being considered for non-disclosure by the Tribunal will work is equivalent to the serious harm exemption for health data under the Data Protection Act 2018.

5. Do you need to hold a public consultation and if so has this taken place?

We have engaged with the President of the Social Security Chamber, and consulted the President of the Tribunals, in the making of these regulations. Members of the National Implementation Group on Terminal Illness were also consulted on this policy and they supported the introduction of measures to ensure that harmful information is not disclosed during an appeal.

6. Were there any comments/feedback from the public consultation about privacy, information or data protection?

No

7. What issue/public need is the proposal seeking to address? What policy objective is the legislation trying to meet?

The aim of this policy is to mitigate the risk of a person seeing or hearing information during a social security appeal that could cause serious harm to their physical or mental health.

While Scottish Ministers already have powers under section 62A of the 2018 Act for the non-disclosure of information to a recipient if it relates to the physical or mental health of an individual and if a registered medical practitioner or a registered nurse has advised Scottish Ministers that the information is likely to cause serious mental or physical harm to the recipient if disclosed, those powers only extend to the interactions between Social Security Scotland and the recipient in connection with the determination of the individual's entitlement to assistance up to the point where the individual appeals to the First-tier Tribunal or Upper Tribunal for Scotland. Section 62A does not apply if the individual's case is appealed to the First-tier Tribunal or Upper Tribunal for Scotland.

This means that if the individual appeals against a decision made by Social Security Scotland, there is a risk that harmful information could be disclosed to a person at risk of serious harm at the appeal stage. For example, in a case for Child Disability Payment, harmful information could be disclosed to the child's parent which, based on clinical evidence, could cause the parent serious harm to their physical or mental health.

This policy will introduce a new discretionary power to allow the First-tier Tribunal and Upper Tribunal, respectively, to issue a direction prohibiting the disclosure of a document or information to a person ("the recipient") if a registered medical practitioner or a registered nurse has advised that the information is likely to cause serious harm to the physical or mental health of the recipient or some other person.

The policy will ensure continuity of treatment for the entire client journey, from application through to appeal.

Although we expect that the need to prohibit disclosure of harmful information will only occur in exceptional circumstances, the repercussions of disclosing a document or information that would cause serious harm to the physical or mental health of a person could be devastating for individuals and their families.

The approach is in line with Scottish Social Security principles to respect the dignity of individuals and the client's right to choose as outlined in section 1 of the 2018 Act.

8. Does your proposal relate to the processing of personal data? If so, please provide a brief explanation of the intended processing and what kind of personal data it might involve. Who might be affected by the proposed processing? Is the processing considered necessary to meet a policy aim? Is there a less invasive way to meet the objective (for example, anonymising data, processing less data). Please also specify if this personal data will be sensitive or special category data or relate to criminal convictions or offences

Personal data collected by Social Security Scotland (the Agency) will be shared with the Tribunal for the purposes of processing appeals where determinations/re-determinations made by the Agency are being challenged by the individual. This may include special category data relating to the physical or mental health of a person.

Under section 47 of the 2018 Act, during an appeal, Social Security Scotland is required to send the Tribunal the information held by them that they used to make the determination. This could include medical information about the individual's condition or prognosis.

The First-tier Tribunal sends the individual who appeals a copy of all the evidence the Tribunal has received from Social Security Scotland that was used to make the determination on the individuals' applications for assistance. The Tribunal is obligated to send a copy of this information to the individual and this is set out in rule 21(5) of The First-tier Tribunal for Scotland Social Security Chamber (Procedure) Regulations 2018 (SSI 2018/273). If the individual's case is appealed to the Upper Tribunal At the Upper Tribunal, the Upper Tribunal sends copies of information to the individual and the respondent. Rules 4, 5 and 6 of The Upper Tribunal for Scotland (Social Security Rules of Procedure) Regulations 2018 (SSI 2018/274) refer.

The draft regulations give the First-tier Tribunal and Upper Tribunal a discretionary power to issue a direction prohibiting the disclosure of a document or information to a person if a registered medical practitioner or a registered nurse has advised that the information is likely to cause serious harm to the physical or mental health of the recipient or some other person.

The Tribunal can use this power on its own initiative or on the request of one of the parties to the appeal. The draft regulations provide that if a party to an appeal considers that the Tribunal should give a direction prohibiting disclosure of a document or information to a person because it is likely to cause serious harm to their physical or mental health, the party should be able to make a request for the Tribunal to give a direction to that effect. The party who makes that request should provide the information to the Tribunal, request that it is not disclosed, and set out the reasons why the party thinks the information should be withheld.

The decision to issue a direction to prohibit disclosure of information will be a judicial decision, and can only be considered where a registered medical practitioner or a registered nurse has provided advice that the information is likely to cause serious harm to the physical or mental health of the recipient if disclosed and where the Tribunal is satisfied that the threshold for withholding such data has been met. This is necessary to ensure fair processing of data consistent with the principles of data protection legislation.

9. Will your proposal engage any rights under ECHR, in particular Article 8 ECHR? How will the proposal ensure a balance with Article 8 rights? If the proposal interferes with Article 8 rights, what is your justification for doing so – why is it necessary?

These draft regulations may engage Article 8 of the ECHR because they deal with personal information about an individual's health. This is deemed necessary for the protection of health of those people at risk of experiencing serious harm as a result of seeing or hearing information, in relation to the determination of an individual's entitlement to disability assistance, when the Tribunal discloses that information to the parties during an appeal. Without these regulations, giving the First-tier Tribunal and Upper Tribunal a discretionary power to issue a direction prohibiting disclosure to a person, there is a risk of a person seeing or hearing information during a social security appeal which could cause serious harm to their physical or mental health.

The rationale for introducing this policy is to protect individuals from serious harm to their physical or mental health during the appeals process. This policy introduces a discretionary power for the First-tier Tribunal or the Upper Tribunal to issue a direction prohibiting the disclosure of a document or information to a person, but only if a registered medical practitioner or a registered nurse has advised that the information is likely to cause serious harm to the physical or mental health of the recipient or some other person. The General Medical Council's Guidance on Consent sets out that "in very exceptional circumstances" it may be appropriate to prohibit disclosure of harmful information from the patient if it would cause them serious harm.

Linking the Tribunal's powers for issuing a direction to prohibit the disclosure of information only where a medical practitioner or registered nurse has informed either the Tribunal, or one or more of the parties, that disclosure of the document or information would be likely to cause serious harm to the physical or mental health of the recipient, or some other person, provides reassurance from a policy standpoint that the discretionary power to issue a direction would only be used by either the First-tier Tribunal or Upper Tribunal when truly needed and would mitigate any impact on rights of access to information. The regulations clearly set out the limited circumstances in which the Tribunal can consider giving such a direction. In addition, in exercising this discretionary power, the Tribunal must be satisfied, having regard to the interests of justice, that it is proportionate to give such a direction.

These draft regulations may also engage Article 6 of the ECHR. Without these regulations there is a risk of a person seeing or hearing harmful information during a social security appeal which could cause serious harm to their physical or mental health. Introducing this discretionary power to give a direction, exercisable only when based on clinical evidence, will protect people at risk of serious harm, while ensuring the parties to an appeal can still fully participate in the proceedings.

10. Will the proposal require regulation of:

• technology relating to processing
• behaviour of individuals using technology
• technology suppliers
• technology infrastructure
• information security

There are no legislative measures relating to technology.

11. Please explain if the proposal will have an impact on the use of technology and what that impact will be.

The proposed regulations will have no impact on the use of technology.

12. Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

The proposed regulations will not establish or change the operation of an established public register.

13. Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g.in relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

The proposal does not introduce any new requirements regarding the collection or storage of data to be used as evidence or use of investigatory powers; these are already included in the Social Security (Scotland) Act 2018 and regulations made under it.

14. Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? In what way?

As this policy will give the First-tier Tribunal and Upper Tribunal a discretionary power to issue a direction prohibiting the disclosure of a document or information to a person if it will cause serious harm to the physical or mental health of the recipient or some other person, it is expected that people in receipt of disability assistance will be the most likely to be affected. This is because applications for disability assistance generally include consideration of the individual's physical and/or mental health, while applications for other devolved benefits such as the Five Family Payments do not include consideration of the individual's physical and/or mental health.

We expect that it will be more likely that adults and young people aged 16 and 17 will be impacted by this policy.

This is partly because children who are under 16 and eligible for disability assistance are generally not responsible for communicating directly with the Tribunal during an appeal. Instead it is generally a parent, guardian or appointee who makes the application on behalf of the child, who receives communications about the child's disability benefit, and who communicates with the Tribunal during an appeal on the child's behalf. They can therefore ensure that any information that could cause the child serious physical and/or mental harm is not shared with the child during an appeal.

Once a child reaches the age of 16, they are considered a young person with legal capacity. Young people already in receipt of Child Disability Payment before the age of sixteen can continue to receive it until their eighteenth birthday as long as they are eligible, rather than applying for Adult Disability Payment. Young people aged 16 and 17 can also choose to apply for Adult Disability Payment. Young people aged 16 and 17 in receipt of disability assistance are generally expected to manage their own application for assistance and manage their own payments. They receive communications directly from Social Security Scotland about their disability assistance. During an appeal, they would also receive direct communication from the Tribunal. If the young person cannot manage their own entitlement after they become 16, Social Security Scotland must consider whether an appointee is required to receive disability assistance on behalf of the young person.

It is also possible that the adult receiving Child Disability Payment on behalf of the child could themselves be at risk of serious harm to their physical or mental health and that information may not be disclosed to them for their own safety if it is deemed necessary by the Tribunal based on clinical evidence.

15. Will the Bill necessitate the sharing of personal data to meet the policy objectives? For example

• From one public sector organisation to another public sector organisation;
• From a public sector organisation to a private sector organisation, charity, etc.;
• Between public sector organisations;
• Between individuals (e.g. practitioners/ service users/sole traders etc.);
• Upon request from a nominated (or specified) organisation?

If so, does the Bill make appropriate provision to establish a legal gateway to allow for sharing personal data Please briefly explain what the gateway will be and how this then helps meet one of the legal basis under Article 6 of the GDPR.

The proposed regulations will not introduce a new requirement to share personal data.

There are existing provisions that require the sharing of personal data between Social Security Scotland and the Tribunal during an appeal. Under section 47 of the 2018 Act, during an appeal, Social Security Scotland is required to send the Tribunal everything they used to make the determination. In addition, rule 21(4) of the First-tier Tribunal for Scotland (Procedure) Regulations 2018 (SSI 2018/273) requires Social Security Scotland to provide the Tribunal with copies of any documents relevant to the case which have not already been provided to the Tribunal. Rules 4, 5 and 6 of The Upper Tribunal for Scotland (Social Security Rules of Procedure) Regulations 2018 (SSI 2018/274) govern what information needs to be shared by the Upper Tribunal with the parties during an Upper Tribunal appeal.

16. Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous? Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling. Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

There may be interest in how the proposed policy may have a potential negative impact in terms of people's rights to access information about themselves.

Although we expect that the need to prohibit the disclosure of harmful information will only occur in exceptional circumstances, the repercussions of disclosing a document or information that would cause serious harm to the physical or mental health of a person could be devastating for individuals and their families. The General Medical Council's Guidance on Consent sets out that in very exceptional circumstances it may be appropriate to withhold information from the patient if it would cause them serious harm. The guidance goes on to say that 'serious harm' means more than that the patient might become upset, decide to refuse treatment, or choose an alternative.

We have assessed that the impact will be positive overall as the policy proposal meets the overarching aim of avoiding causing serious harm to a person's physical or mental health. In addition, any negative impact is mitigated by the inclusion of clear rules that set a high threshold to be met, which is informed by clinical advice, before either the First-tier Tribunal or Upper Tribunal can use their discretionary power to issue a direction prohibiting disclosure of a document or information to a person if it is likely to cause them serious harm.

17. Are there consequential changes in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

No

18. Will this proposal necessitate an associated code of conduct? If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

At the time of publication we don't consider that this proposal will necessitate an associated code of conduct.

We understand that Members of the Tribunal are expected to adhere to the Judicial Ethical Standards. SCTS provides administrative support to the Scottish Tribunals. SCTS has published a Tribunals Users Charter which sets out what Tribunal Users can expect from them.

19. Do you need to specify a Data Controller/s?

The Scottish Courts and Tribunals Service will be the Data Controller.

20. Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards. Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing. SCTS have established policies and procedures for the safeguarding of personal data. This includes mature retention and destruction schedules, information security and data protection polices, technical measures and training for staff and breach reporting.

SCTS have established policies and procedures for the safeguarding of personal data. This includes mature retention and destruction schedules, information security and data protection polices, technical measures and training for staff and breach reporting.

21. Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making.

The processing of personal data as a result of the proposal will not have an impact on any decision made about a person's award or entitlement to assistance.

The draft regulations do not prevent people from receiving any social security payment due to them, or from challenging a decision made by Social Security Scotland on their entitlement to assistance. The policy is instead intended to mitigate the risks of vulnerable clients being exposed to information during an appeal that may cause serious harm to their physical or mental health.

The processing of personal data as a result of the proposal will have an impact on the Tribunal's decision to issue a direction prohibiting the disclosure of information to a person if it would cause them serious harm. The decision by the Tribunal to issue a direction to prohibit disclosure of information will be a judicial decision.

22. If the proposal involves processing, do you or stakeholders have any relevant comments about mitigating any risks identified in the DPIA including any costs or options, such as alternative measures.

The proposals aim to mitigate the risk of vulnerable persons being exposed to information during an appeal that may cause serious harm to their physical or mental health. Any potential negative impact is mitigated by the inclusion of clear rules that set a high threshold to be met, which is informed by clinical advice, before either the First-tier Tribunal or Upper Tribunal can use their discretionary power to issue a direction prohibiting disclosure of a document or information to a person if it is likely to cause them serious harm.

Stakeholders identified the significant harm that could come from sharing potentially harmful information to vulnerable individuals. This processing would address that risk. No further risks have been identified in the DPIA that require additional mitigation.

23. Authorisation

The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division or the relevant person in the business area sponsoring the Bill/proposals.

Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust and has addressed all the relevant issues.

By signing the DPIA report, the IAO is confirming that the impact of the policy has been sufficiently assessed against individuals' right to privacy.

The results of the impact assessment must be published in the eRDM with the phrase "Legislative DPIA" and the name of the project or initiative in the title.

Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.

I confirm that the impact of First-tier Tribunal for Scotland Social Security Chamber and Upper Tribunal for Scotland (Rules of Procedure) (Miscellaneous Amendment) Regulations 2022 have been sufficiently assessed in compliance with the requirements of the UK GDPR

Name and job title of a IAO or equivalent: Lynn Forsyth, Head of Unit, Five Family Payments, Funeral Support and Challenge Rights

Date each version authorised: 3 May 2022