Redress for Survivors (Historical Child Abuse in Care) (Scotland) Bill: data protection impact assessment

Impact assessment for the Redress for Survivors (Historical Child Abuse in Care) (Scotland) Bill in relation to the use of personal data.


Summary – Data Protection Impact Assessment

11 Do you need to specify a Data Controller/s?

The Scottish Government is the data controller for this redress scheme.

12 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so, briefly explain the nature of those safeguards.

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Appropriate safeguards such as limited and secure access to the scheme case management system, application forms and documentary evidence will be put in place to ensure the safety of data.

All data will be kept up to date and deleted when no longer required, as set out in Data Protection law. The data will be retained in line with Scottish Government, audit, finance and IT requirements and disposed of in line with Scottish Government guidance.

All current known risks have been outlined in part 8 of the DPIA. Risks and associated mitigation will be continuously reviewed. An operational DPIA has been started and will continue to be developed and reviewed during the implementation and delivery phases of the scheme. The operational DPIA will set out the details of the case management system and records management plans. This includes allocating case numbers so that the use of personal data is minimised in correspondence.

13 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

The Bill will establish Redress Scotland, which will be the decision making and review function of the redress scheme. Decisions will be made based on the applications and information submitted by applicants to Scottish Ministers, who will then share this information with Redress Scotland. The decisions made will include:

  • Decisions on eligibility
  • Decisions on payment levels
  • Decisions on prioritisation
  • Decisions on legal fee payments
  • Decisions on reviews

This is necessary for the scheme to function and serve its purpose. Without decisions being made, the scheme would not function and redress would not be provided for survivors. Applicants who are unhappy with the outcome of the decision can apply for a review.

14 If the proposal involves processing, do you or stakeholders have any relevant comments about mitigating any risks identified in the DPIA, including any costs or options, such as alternative measures?

There will be significant interest in the scheme due to the scale and cost of the proposals and the highly sensitive subject matter. There are many prominent stakeholders interested in the Bill, including survivors of historical child abuse in care and organisations who provided care to children during the time period that the scheme covers.

The matter of the waiver is likely to be controversial and could generate significant debate both in and beyond Parliament, but the controversy is not about the processing of data; it is an issue of surrendering rights.

As set out in section 8 of the DPIA and Annex B, there are 6 risks which have been identified, all of which are categorised as a low or medium risk.

Mitigating these risks will involve:

  • developing policies and procedures to support effective document management and data handling, supported by appropriate technology
  • developing clear guidance and training for staff
  • the development of a clear and effective privacy notice
  • emotional support for applicants and staff
  • further engagement with the ICO and GDPR colleagues to ensure the approaches taken are legally compliant, and
  • further engagement with stakeholders, including survivors and scheme contributors, to ensure that their personal data is handled and stored appropriately.

Details on the implementation and delivery of the scheme are being developed alongside the passage of the Bill and will be included within the operational DPIA.

Authorisation

The DPIA report should be signed by your Information Asset Owner (IAO). The IAO will be the Deputy Director or Head of Division or the relevant person in the business area sponsoring the Bill/proposals.

Before signing the DPIA report, an IAO should ensure that she/he is satisfied that the impact assessment is robust and has addressed all the relevant issues.

By signing the DPIA report, the IAO is confirming that the impact of the policy has been sufficiently assessed against individuals’ right to privacy.

The results of the impact assessment must be published in the eRDM with the phrase “Legislative DPIA” and the name of the project or initiative in the title.

Details of any relevant information asset must be added to the Information Asset Register, with a note that a DPIA has been conducted.

I confirm that the impact of these provisions has been sufficiently assessed in compliance with the requirements of the GDPR.

Name and job title of an IAO or equivalent
Donald Henderson – Deputy Director of Redress, Relations and Response Division

Date each version authorised
12 August 2020

Contact

Email: redress@gov.scot
