National Care Service: data protection impact assessment

Data protection impact assessment for the National Care Service (Scotland) Bill.

5. Further assessment and risk identification

Question /Comments

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?


The proposal, at the moment, will not require identifiers. In due course identifiers may be required. The National Care Service could choose to use an existing identifier or create its own, however, no decision has been made. This will be considered as part of the next phase of work.

5.2 Will the proposal require regulation of:

  • technology relating to processing
  • behaviour of individuals using technology
  • technology suppliers
  • technology infrastructure
  • information security


The proposal at the moment places no requirement for regulation of technology, users of technology or the security of the technology. As future regulations are developed, this document will be updated to reflect any standards around technology processing, technology infrastructure, data flows and associated information security.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?



5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers ( relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)


This will be fully considered in the course of developing regulations. All the issues, for example the obligations under Part 1 of the Adult Support and Protection (S) Act 2007 will be fully considered.

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?


There will not be an immediate impact from the Bill. In due course we anticipate that those eligible for social care support – including vulnerable adults – will be affected. We are committed to co-design to fully understand the impact and progress regulations accordingly. Of course, individuals will continue to have the same rights under the UK GDPR.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to views the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.


The 2021 Consultation found strong support for proposals related to the use of data however, there were concerns raised around ensuring the safeguarding of people's data and ensuring a balance is found between data that is necessary and people's right to privacy.

There is therefore likely to be public interest in the extent of data sharing, and ensuring this is proportionate and necessary, as well as around the steps that will be taken to ensure people's data is kept safe and shared securely.

With Scottish Ministers becoming responsible for social care, it is possible there may be some concern around the type and extent of data that those working on behalf of Scottish Ministers will have access to.

At this stage the data that will be collected and shared has not been fully developed. The scheme for sharing information which can be set up under the regulation making power in the Bill will be established through a co-design process which take account of the views of stakeholders. As work progresses to set-out requirements, these will comply with Article 5(1)(c) of GDPR, "Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)"

The National Care Service will require a number of administrative systems, however, no decision has been made on whether existing systems will be used or new/modified system will be required. Any systems that National Care Service uses to store personal data will require to meet or exceed security standards required for health systems used in Scotland including adequate encryption, secure monitoring at all times, secure access and an audit/log.

5.7 Are there consequential changes to in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?



5.8 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?


Scottish Ministers will have the power to produce an information standard to ensure consistency in what and how information is recorded and stored. A provision will put to those persons to the whom the standard is addressed a duty to have regard to the standard.

However, it is recognised that many of the organisations involved in the collection of data will take time or may need to wait until upgrading systems in order to be able to properly follow all information standards.

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.


The necessary safeguards for information sharing will be developed as part of the future work on regulations – this will be fully addressed in future DPIAs. Of course, we will follow relevant GDPR principles.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling to inform policy making.


At the moment there will be no new processing as a result of the primary legislation. Further detail will be developed with the regulations.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?



5.12 Will the proposal require the transfer of personal data to a 'third country'? (Under UK GDPR this is defined as country outside the UK.)





Back to top