Education (Scotland) Bill: data protection impact assessment

Data protection impact assessment (DPIA) for the Education (Reform) Bill.

5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

The expectation is that the new qualifications body and independent inspectorate will manage/handle the same type of data as is currently done by the SQA and Education Scotland in respect of its inspection functions. The work of the Digital Pathfinder thematic of the education reform programme includes analysis of the data collected at present by the SQA and Education Scotland. The outcome of this may suggest additional data is collected by the new bodies or shared to enhance the learner and end user experience. There is no policy intention to enforce any changes via legislation. Should the outcome of this work require the creation of any new identifiers this will be taken forward through the education reform programme in supporting the establishment of the new bodies.

5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security


5.3 Will the proposal require establishing, or a change to the operation of, an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?


5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour).


5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

Yes. The functions of the new qualifications body and those to be discharged by the Chief Inspector will require the handling of personal data as is currently undertaken by the SQA and Education Scotland, impacting on children and young people, vulnerable individuals, disabled persons and adult learners.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions, e.g. would the provisions result in unintended surveillance or profiling?

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.





5.7 Are there consequential changes in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

Consequential changes to other legislation will be required to replace any reference to the SQA with the name of the new qualifications body, and any reference to HM Inspectors of schools with a reference to HM Chief Inspector of Education in Scotland (where such legislation relates to a function of the HM Chief Inspector).

Amendments to legislation in other jurisdictions in the UK will be required, and this is intended to be made by way of an order under section 104 of the Scotland Act 1998.

5.8 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?


5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so, briefly explain the nature of those safeguards.

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

This will be taken forward through the Digital Pathfinder thematic in conjunction with the new bodies.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

The Bill will result in the transfer of the functions currently undertaken by the SQA to a new qualifications body. This consists of handling the personal data of those taking qualifications. The delivery of qualifications functions of the new body will be the same as those currently carried out by the SQA. The decisions made about individuals or groups in the processing of personal data will be the responsibility of the new qualifications body.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?


5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as a country outside the UK.)

Yes. It is anticipated that the new qualifications body will undertake the same processes that are currently undertaken by the SQA. In order to certificate candidates and charge the centres for entries, including for commercial contracts, the SQA transfers candidates’ personal data to whichever country they are in. This is essentially a reverse transfer, where the personal data is returning to the country that it originated from, although the SQA does use contractual clauses in centre operating agreements to cover this.

It also uses some suppliers that operate outwith the UK, including Ireland, where examination scripts are processed within SQA’s e-marking system; the US, where the transactional email service it uses is based; and the tenancy it has with Microsoft, which has some processing within the EU (Ireland and Germany), mostly for Outlook.

The SQA has a record of processing activities (ROPA), which it makes available as part of its privacy statement.

The new body will need to be resourced sufficiently and have in place arrangements to follow guidance on international transfers and ensure that appropriate controls are in place for such processing.


