Scottish Health Survey: data protection impact assessment (DPIA)

Reports on and assesses any potential privacy impacts arising from undertaking the Scottish Health Survey.


7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk

Personal information about an individual is lost/leaked during fieldwork.

  • Solution or mitigation:
  • Interviewers sign confidentiality agreements before they start work and receive information security training when joining Natcen and through refresher courses.
  • Scotcen has ISO27001 information security accreditation. Environment and procedures are externally audited twice a year as part of maintaining accreditation and assuring compliance.
  • Any third parties contracted by Scotcen, such as document fulfilment or mailing companies and labs also have to conform to Scotcen’s data security standards and the best practice defined in ISO27001. Third party individuals such as the Survey Doctor have to sign a Third Party Information Security agreement and a non-disclosure agreement stating that they will conform to Natcen data security standards.
  • Interviews conducted by the ONS were collected using Scotcen encrypted laptops and uploaded directly to Scotcen systems.
  • For Intake24, all respondent confidential data is saved in secure locations only. Access is controlled via a data security plan which specifies who has been granted access to the data, with access being revoked when no longer needed. All staff who access data are required to sign a confidentiality agreement. Data is restored from secure backup.
  • Saliva samples and urine samples (when included in the survey up to 2917) are labelled only with respondent date of birth and serial number; they are also accompanied by a dispatch note that contains the above information plus the sex of the respondent. This ensures that the samples could not be linked to any individual if they were to be lost. The samples are sent by interviewers via business class (1st) Royal Mail and in accordance with the posting regulations for hazardous samples. Saliva samples are also then batched by the RVI laboratory and sent to another laboratory (ABS) via secure courier for processing.
  • Result:
  • Risk reduced

Personal information about an individual is accidentally leaked/released during or after processing.

  • Solution or mitigation:
  • Personal identifiers (names, addresses and dates of birth) are stored securely and separately to the survey answers of respondents. Access to personal identifiers within Scotcen is limited to all interviewers, field managers, the programmer, the data manager, the immediate research team, logistics and statistics and field monitoring staff. Other third parties that have access to personal identifiers include printing and data capture agencies (scanning) and the Survey Doctor.
  • The survey datasets are pseudonymised and stored securely on the Scotcen server with access limited to the Scotcen research team, data manager, programmer and Natcen and external chapter authors (e.g. academics). The datasets are transferred to the Scottish Government via secure file transfer and stored on the Scottish Government’s secure server with access limited to the survey team.
  • All Scottish Government and Scotcen personnel with access to the survey datasets are trained on data protection requirements at least annually and are clear on the processes for protecting personal information, including sensitive personal information.
  • Result:
  • Risk reduced

A person is identified from the pseudonymised survey datasets or survey analysis.

  • Solution or mitigation:
  • Statistical disclosure control procedures are performed on the data before the dataset is made available to users via the UK Data Service. These controls are in line with those used by the other two large SG household surveys (the Scottish Household Survey and the Scottish Crime and Justice Survey) and have been approved by the Office of the Chief Statistician.
  • Special Dataset requests are assessed by the SG survey team in the first instance and scored against the SG data access risk matrix. Any request with a score of over 12 is referred to the SG Public Benefit and Privacy Panel.
  • Result:
  • Risk reduced

Personal information about an individual is accidentally released from the data held on a US server by ACM Global.

  • Solution or mitigation:
  • A transfer risk assessment was conducted indicating that the risk of an individual being identified from the limited information held by ACM Global is very low. The UK-US Data Bridge was identified as the formal safeguard. ACM Global will continue to analyse the saliva samples subject to the sub-contract for the saliva analysis being retendered for the 2026 survey analysis onwards.
  • Result:
  • Risk accepted and will be reduced following retendering of the saliva analysis.

Data not being protected against unauthorised or unlawful processing or against accidental loss, destruction or damage.

  • Solution or mitigation:
  • Natcen comply with the most stringent regulatory standards for the legal and safe processing of personal and/or sensitive data, including ISO 27001 and GDPR.
  • Every project has a Data Security Plan, detailing procedures to be applied, including data storage and access. Participant data files are identified by serial number and stored securely in restricted folders on password-protected encrypted servers.
  • Enhanced security arrangements in place, including monitoring of internet traffic, computer use policy for all users and implementation of Standard Desktop Footprint.
  • Access to office buildings is restricted. When working from home all data is stored on a secure network, accessible only to Natcen employees via a secure VPN connection.
  • Access to servers is restricted using controls based on user accounts. The network is protected by appropriate use of firewalls and other network controls.
  • Comprehensive backup system, to ensure that we are able to retrieve data files that are accidentally lost or damaged.
  • Result:
  • Risk reduced

Contact

Email: scottishhealthsurvey@gov.scot
