Disclosure (Scotland) Bill: data protection impact assessment

Data protection impact assessment (DPIA) for the Disclosure (Scotland) Bill explores how the bill impacts on personal data and privacy.

7. Risks identified and appropriate solutions or mitigation actions proposed



Solution or mitigation


Introduction of new processes, specifically surrounding the independent reviewer and internal appeal process.


This DPIA has identified that any new processes will use the current data handling and storage arrangements and that these arrangements do not pose any significant risks to the privacy of that information.

The systems in place for managing the transfer and storage of data comply with legislative demands, and will be reviewed in light of any further legislative changes to ensure that the arrangements comply with them.


There is a risk that unauthorised third parties attempt to obtain access to our data or introduce malicious data or code to the service.


Designs are approved and tested to ensure all necessary controls are effective and fit for purpose.

Anti-Virus products and security controls are in use across the estate to continually monitor the service.

Maintenance activities are scheduled and acted upon to ensure the resilience and security standards of the service.

Access controls are in place to ensure that only trained, security-cleared, authorised personnel have access to the system.

All software is pre-approved by the Technical Design Authority and security risks are managed through the Security Working Group who are responsible for maintaining the overall integrity of the service.

Security risks are reviewed at the Technical Design Authority.


There is an ongoing potential risk of human error, which may result in information being handled incorrectly or delivered to an incorrect recipient.


New processes being introduced, such as the review to the independent reviewer and widened referral duties/powers for police and local authorities, will introduce new channels of communication/increased volume of communication between stakeholders. This may impact the potential for human error.

The new processes will be based around existing processes.

Disclosure Scotland staff will be given appropriate training before new processes are implemented.

Disclosure Scotland will engage with the external stakeholders involved to agree process requirements.



