Scottish Health Survey: data protection impact assessment (DPIA)

Reports on and assesses against any potential privacy impacts as a result of undertaking the Scottish Health Survey.


8. Incorporating Privacy Risks into planning

Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be monitored. There must be a named official responsible for addressing and monitoring each risk.

Risk

Personal information about an individual is lost/leaked during fieldwork.

  • How risk will be incorporated into planning:
  • Interviewers must report any data loss during fieldwork as information security incidents to Natcen's Head of Project Management and to the Scotcen survey lead as soon as they become aware of it. All third parties are also required to report actual or potential data security breaches to the Scotcen survey lead. The Scotcen survey lead will then raise all of the above formally as a critical incident within Natcen and report this to the Scottish Government survey manager as soon as possible. Procedures will be reviewed formally as part of the critical incident process to minimise any future risk.
  • Owner:
  • Nicola Edge/Anita Morrison/Julie Landsberg

Personal information about an individual is accidentally leaked/released during or after processing.

  • How risk will be incorporated into planning:
  • The Scotcen survey lead will report any leak of personal data to the Scottish Government survey manager as soon as possible and raise this formally as a critical incident within Natcen. Procedures will be reviewed formally as part of the critical incident process to minimise any future risk.
  • Owner:
  • Nicola Edge/Anita Morrison/Julie Landsberg

A person is identified from the pseudonymised survey datasets or survey analysis.

  • How risk will be incorporated into planning:
  • Should the survey manager be advised of any individual being identified from the survey datasets or analysis, the survey disclosure control procedures will be amended to minimise the possibility of any future risk.
  • Owner:
  • Nicola Edge/Anita Morrison/Julie Landsberg

Data not being protected against unauthorised or unlawful processing or against accidental loss, destruction or damage.

  • How risk will be incorporated into planning:
  • In the event of any failure of information security policy or procedure, Natcen’s Incident Reporting and Corrective Action Procedures would be invoked.
  • Immediate system lockdown until problem identified and eradicated.
  • Use of back-up systems.
  • Owner:
  • ScotCen/Natcen

Contact

Email: scottishhealthsurvey@gov.scot
