Publication - Impact assessment

Scottish Crime and Justice Survey: data protection impact assessment

This is the latest version of the Data Protection Impact Assessment (DPIA) for the Scottish Crime and Justice Survey (SCJS) - published in November 2021. If you have any comments or suggestions on the DPIA, please get in touch with the SCJS Project Team via the contact details below.

Scottish Crime and Justice Survey: data protection impact assessment
7. Risks identified and appropriate solutions or mitigation actions proposed

7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk

Ref

Solution or mitigation

Result

Personal information about an individual is lost/leaked during fieldwork

Interviewers sign confidentiality agreements before they start work and receive information security training.

Both Ipsos MORI and ScotCen have secure systems, software and processes in place for transmitting interview information from interviewers' laptops to central servers. The information is then deleted from the interviewers' laptops.

Risk reduced

Personal information about an individual is accidently leaked or release during or after processing.

Steps are taken to ensure that direct personal identifiers in the recontact dataset are stored separately from the main survey datasets containing pseudonymised respondent answers. Access to the different datasets is restricted to named individuals working on the SCJS within ScotCen and Ipsos MORI. A unique identifier is assigned to each respondent in each dataset to allow them to be later matched for the purposes of follow-up research (where respondents have consented to this).

Once the recontact data containing the direct personal identifiers has been transmitted to SG it is deleted by the survey contractors.

Survey datasets are transmitted securely to SG via an FTP facility at the conclusion of each year of data collection. These are stored safely in a restricted section of the SG server only accessible by a small number of named analysts within Justice Analytical Services. The recontact datasets, containing direct personal identifiers, are only accessible by the SCJS Project Director (and necessary IT staff).

Scottish Government staff with access to the data have all passed the Baseline Personnel Security Standard, are trained in the safe handling of data, and have a legitimate need to access the data.

Risk reduced

A person is identified from the survey datasets provided to UK Data Service or shared via a Data Sharing Agreement.

Statistical disclosure control procedures are performed on the SCJS datasets before they are made available to end-users. These processes are in line with controls used by the other two SG major population surveys and have been approved by the Data, Statistics and Outcomes Division in the Office of the Chief Statistician.

Requests for further or additional data under special license are assessed by the SCJS Project Team against the SG data risk matrix in the first instance. Any request with a score over 12 are referred to the SG data access panel.

SG analysis of the data does not publish figures based on less than 50 respondents, and this approach is also recommended to others undertaking analysis of SCJS data.

Risk Reduced


Contact

Email: scjs@gov.scot