Scotland's Proof of Concept Fund: data protection impact assessment (DPIA)

4. Data controllers and data processors/sub processors

4.1 Data controllers

Organisation:

Scottish government

Activities:

Devolved government

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018:

Yes.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data general processing

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Consent to the collection of special category data will be Explicit meaning the person consenting has to agree to a specific statement, either by ticking a box or signing their name.

The individual will have a genuine choice about consenting, so it will be clearly distinct from the required data, and it’s clear that an individual wouldn’t feel required to provide this data as part of their application.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.