Social Security (Amendment) (Scotland) Bill: data protection impact assessment - updated April 2025

2. Introductory information

2.1 Summary of proposal

An overview of the proposals included in the Bill and the specific aim of each policy is set out below.

Taking a regulation-making power for childhood assistance

New enabling powers are provided within the Bill, allowing the Scottish Ministers to make regulations for childhood assistance, which will help towards meeting some of the costs associated with having a child in the family. Scottish Ministers intend to use the new powers for childhood assistance in due course as a new legislative footing for Scottish Child Payment (SCP) to allow better alignment of Social Security Scotland benefits.

SCP is currently delivered under s79 of the 2018 Act^[5] as a ‘top-up’ where an individual is receiving a qualifying UK Government benefit.^[6] Placing the payment on a new legislative footing will offer the opportunity for greater alignment across the five family payments (including the Best Start Grants and Best Start Foods) and will afford flexibility in the way the payment is delivered in the future.

This proposal will be used in future to change the legislative footing on which the payment is based, but will not result in any change to the data collected, which was previously consulted on with ICO. Regulations resulting from this provision in the Bill could in future lead to the collection of some additional data relating to clients’ personal circumstances which goes beyond the data currently gathered by Social Security Scotland. Further consideration will be given to the impact on data protection in future during the development of regulations.

Financial support for people with care experience

A provision will be included in the Bill allowing Scottish Ministers to create, by way of regulations, financial support for people with care experience. The current intention is that these powers will be used initially for a payment called the Care Leaver Payment (CLP).

The CLP will fulfil the commitment made in the Promise Implementation Plan published in March 2022 to ‘provide some additional financial security for young people with care experience and will help reduce some of the financial barriers that young people face whilst moving on from care and into adulthood and more independent living’.

The delivery of this assistance will involve the collection and processing of applicants’ personal information. Information will be gathered relating to people’s care experience. It is proposed that this information will be gathered through an application process but data sharing with local authorities could also be involved.

A 12 week public consultation will be held in late 2023 covering the policy intent and eligibility criteria of a care leaver payment and the broader package of support for people who have experience of being in care, which is separate to the provision included in the Bill.

Secondary legislation will be required to set out the eligibility criteria, the application process and the delivery body for this assistance. The impacts on data protection will be further considered during the development of those regulations.

Making amendments to coronavirus (COVID-19) measures introduced in 2020

In 2020, due to the coronavirus (COVID-19) pandemic, sections 52A and 52B were amended into the 2018 Act by the Coronavirus (Scotland) Act 2020.

Section 52A means requests for re-determinations must be considered valid beyond the maximum period of one year prescribed by the 2018 Act, where the reason for delay was related to COVID-19. Section 52A also allows for appeals to be brought beyond the maximum prescribed period of one year, where the Tribunal gives permission on the basis of being satisfied that the reason for the delay was related to COVID-19. Section 52B allows a late application to be treated as being made within the prescribed period for a given benefit under Chapter 2 of the 2018 Act, where the reason for delay was related to COVID-19.

The provisions in the Bill will give Social Security Scotland discretion to accept late requests for re-determination beyond the one-year prescribed period on the basis of ‘exceptional circumstances’, rather than only COVID-19. The provisions in the Bill will repeal section 52A of the 2018 Act and allow appeals to be brought, with the permission of the Tribunal, beyond the one-year prescribed period on the basis of ‘exceptional circumstances’, rather than only COVID-19. Provisions in the Bill will remove section 52B from the 2018 Act and revert application periods to existing pre-COVID deadlines.

The proposal allowing Social Security Scotland to give permission for re-determination requests beyond a year in exceptional circumstances builds on existing processes and does not have implications for data protection.

The reason for the lateness of the re-determination request could involve medical or personal data about the exceptional circumstances. If the exceptional circumstances are accepted, processing the late re-determination may also involve the processing of new supporting information provided by the client or a third party.

This introduces no new processing of personal data; existing Social Security Scotland systems and processes will be used to handle this type of processing.

There are no implications for data protection arising from the provision to repeal section 52B.

Withdrawing a request for re-determination

Under the 2018 Act, where a determination of entitlement to assistance is made, an individual has a right to a re-determination. If a client asks for a re-determination, the Scottish Ministers are under a statutory duty to make a new determination. A client cannot subsequently withdraw their request for re-determination, even if their circumstances have changed since making their request, or if they have otherwise changed their mind.

The Bill includes provision enabling clients to withdraw a re-determination request if they no longer wish to challenge the decision. This policy builds on the person-centred, rights-based approach already adopted for challenge rights in line with the Scottish social security principles and the Social Security Charter (‘the Charter’).^[7]

Completing re-determinations beyond the period allowed

Where a re-determination is not completed by the Scottish Ministers in the timescales set out in the relevant regulations, the re-determination becomes out-of-time and the client is notified that they have a right to appeal to the First-tier Tribunal (Social Security Chamber) without waiting for the re-determination to be made. The Scottish Ministers are, at that point, no longer under a duty to make the re-determination. However, in practice, they continue to consider the re-determination request.

Provisions are included in the Bill so that the Scottish Ministers remain under the duty to make the re-determination beyond the period allowed, unless the client opts to exercise their right to appeal. This will offer legal clarity in terms of what happens in practice when a re-determination runs late.

These provisions relating to re-determinations may involve the processing of supporting information provided by the client. However, this type of personal information is data that Social Security Scotland already routinely processes in current re-determinations procedures. There will be no new or additional processing of personal information. As these provisions build on procedures which currently take place there are no implications for data protection.

Making a new determination of entitlement whilst there is an ongoing appeal

Under the 2018 Act, Scottish Ministers cannot make a new determination after a valid appeal has been brought, even if an error has been identified, or new evidence received, which shows that a client has been underpaid, or not received an award that they were entitled to. The appeal must continue unless it is withdrawn by the client.

In instances where the Scottish Ministers recognise that an individual should have received a higher, or more advantageous, award, the provisions in the Bill allow a new determination to be made after an appeal has been lodged and the appeal to stop as a result. The new determination can only be made if the client agreed, and will come with challenge rights.

These provisions build on existing processes utilising current systems and technology. Clients (or third parties) may provide additional supporting information but this personal data is already routinely processed by Social Security Scotland on behalf of Scottish Ministers during current re-determinations processes and shared with Scottish Courts and Tribunals Service during current appeal procedures. This process has been privacy and risk assessed when first introduced. Relevant operational DPIA and data sharing agreements are in place in line with ICO data sharing code of practice.

Appeal to First-tier Tribunal against process decisions

The 2018 Act provides at section 61 that individuals can appeal to the First-tier Tribunal for Scotland against certain decisions made by the Scottish Ministers on the process of applying for benefits, or the process of challenging determinations.

The provisions in the Bill set out the powers of the Tribunal to uphold or set aside decisions in process appeals, and the effect of a Tribunal decision in a process appeal. The Bill also sets out further circumstances in which a process appeal may be raised, to include the new types of process introduced by the Bill.

The provisions about process appeals serve to clarify current processes and do not have any implications for data protection. There is no new processing of personal information, the current Redetermination and Appeal process has been assessed and an operational DPIA is held. This is a living document and is reviewed regularly.

Determinations as part of appeal

Section 49 of the 2018 Act sets out the First-tier Tribunal’s powers to determine entitlement. In an appeal under section 49, the Tribunal may either uphold the determination subject to appeal, or make its own determination of the client’s entitlement to the type of assistance in question.

The provisions in the Bill clarify that when exercising its powers to either uphold the determination or make its own determination in an appeal, the First-tier Tribunal must not take into account circumstances which did not exist at the relevant time, although it may take into account circumstances which existed but which were not known. The relevant time is when the client’s entitlement fell to be determined by Scottish Ministers, under the applicable regulations for that assistance.

The provisions serve to clarify the law and ensure that it works in line with the original policy intention for the Scottish social security system, and do not have any implications for data protection. There is no new processing of personal information.

Overpayment liability and challenge rights

Under the 2018 Act, a client has a statutory liability to repay any overpayment made in error, except where they did not cause or contribute to that error, and if it was the sort of error a person could not reasonably be expected to have noticed.

Liability of individual/individual’s representative for assistance given in error

The provisions in the Bill set out that liability extends to clients who have a representative acting on their behalf, except where the representative uses the assistance for a purpose which is a breach of their duties or responsibilities, in which case the representative will be personally liable.

Where an overpayment is made in respect of a person who has a representative acting on their behalf, Scottish Ministers’ policy is that it should be repaid by the person who benefitted from it. That could be the entitled individual or their representative , if they have not acted in good faith. This policy is not yet on a statutory footing and a contractual liability has been imposed for representatives through use of declarations and letters.

The provisions in the Bill will broaden statutory liability to entitled individuals who have benefitted from an overpayment, even where it was the fault of their representative. Where a representative has acted in bad faith and/or used the money for their own personal gain, liability will fall to them instead. As this is merely a change of legal basis, the personal data handled by Social Security Scotland will remain the same.

Challenging decisions about liability

Currently, where Social Security Scotland determines that an overpayment has occurred, it makes a new determination on a client’s entitlement to benefit. Although this new determination will bring re-determination and appeal rights if the client wants to challenge the decision, there is not any formal right to challenge the decision that an individual is liable to repay the overpayment.

The provisions in the Bill also introduce a right to a review (followed by a right to appeal to the First-tier Tribunal for Scotland (Social Security Chamber)) against a finding of liability for an overpayment. The further review and appeal provisions in part 6 of the Tribunals (Scotland) Act 2014 will also be available.

These provisions improve existing processes. Currently where a person is found liable for an overpayment they can ask Social Security Scotland, acting on behalf of Scottish Ministers, to review that decision. If, following the review, the decision remains unchanged and the person still disagrees that they are liable for the overpayment, they would currently need wait for Social Security Scotland to enforce the recovery and raise a defence to a Sheriff Court recovery action or deduction determination raised by Social Security Scotland.

The provisions in the Bill seek to create a new statutory right to proactively challenge the liability decision mirroring the process for other challenges against Social Security Scotland determinations (redetermination and appeal), and avoids the delay and expense of potentially lengthy and stressful Sheriff court proceedings.

Personal data collected by Social Security Scotland on behalf of the Scottish Ministers is already routinely shared with the Scottish Courts and Tribunal Service for the purposes of processing appeals of entitlement. These new challenges will include largely include the same types of information.

When the provisions are commenced the sharing of data will be necessary for the performance of a task carried out in the public interest and in the exercise of official authority vested in the controller in terms of Article 6(1)(e) of the GDPR. Where special category data is processed, this will only be where necessary for the establishment, exercise or defence of legal claims and/or whenever the tribunal is acting in a judicial capacity in terms of Article 9(f) of the GDPR. A Data Sharing Agreement in respect of appeals is already in place and it is expected this new challenge right could either be added or a broadly similar agreement be reached.

Recognising Appointments made by a Minister of the Crown

Where a person lacks capacity to manage their own financial affairs, the Department for Work and Pensions (DWP) and Scottish Ministers both have provisions that allow them to appoint a person or organisation, known as an appointee, to act on that person’s behalf.

Due to differences in the law and the processes that govern appointments in Scotland and the rest of the United Kingdom, a DWP appointee – which is an appointment made by a Minister of the Crown – cannot automatically be treated as equivalent to an appointee under the 2018 Act.

The Bill will introduce powers for Scottish Ministers to make provision in regulations prescribing circumstances in which a DWP appointee may be treated as though they had been appointed by Scottish Ministers to act on a client’s behalf, pending an assessment by Social Security Scotland.

DWP currently share appointee information with Social Security Scotland who act on behalf of Scottish Ministers. Secondary legislation will set out the circumstances where Social Security Scotland may accept a DWP appointee. Further consideration will be given to the impact on data protection in future during the development of these regulations.

Liability of appointees

Currently, there is no provision within the 2018 Act with the effect that an appointee will be liable to account to the individual for any mismanagement of the individual’s property (either in relation to children or adults). There are provisions respectively, in terms of the Children (Scotland) Act 1995 and the Adults with Incapacity (Scotland) Act 2000, which make other types of representatives liable to the individual for mismanagement of their property.

The Bill provides that an appointee will be liable to account to the individual for whom they were appointed, for their use of the individual’s funds outwith their authority or power, or after having received intimation of the termination or suspension of their authority or power to intervene. They are to be liable to repay the funds to the account of the individual. No liability will be incurred where the appointee acted reasonably and in good faith in their use of the individual’s funds.

Any dispute arising under these provisions would be a private dispute between the individual and their representative and as such no personal data would be handled by Scottish Ministers or Social Security Scotland on their behalf.

Up-rating for inflation

At present, under section 86A, Scottish Ministers are required to consider the impact of inflation on all forms of assistance delivered under Part 2 Chapter 2 and Section 79 of the 2018 Act. A report must be laid in the Scottish Parliament, before the end of each financial year, setting out what they have done or intend to do as a result of the changes to prices. Legislation must then be brought forward to up-rate all forms of Carer’s Assistance (including Young Carer Grant), Disability Assistance, Employment Injury Assistance, Funeral Support Payment and Scottish Child Payment under section 86B.

In addition to extending this annual up-rating duty to include all social security assistance delivered under the 2018 Act, the provisions in the Bill also seek to extend section 86A to include assistance created under the Care Experience Assistance provisions proposed in the Bill.

Information for audit of the social security system

Social Security Scotland need to produce effective measurements and estimates of the extent of client error, official error, and fraud as assurance that the social security system is efficient and delivering value for money in line with the Scottish social security principles.

Currently Scottish Ministers can only request that people provide information for the specific purpose of determining an individual’s entitlement to social security assistance, where :

• a person applies for assistance for the first time;
• a person reports a change in their circumstances;
• a review of entitlement has been scheduled by Scottish Ministers; or
• a review of entitlement is needed because new information has come to light that may indicate there has been change of circumstances.

Provisions in the Bill will give Scottish Ministers powers to require individuals to provide information when reasonably requested to do so, in order to review their entitlement for the purposes of audit. Safeguards will be built in to ensure that where a person has good reason they might be exempted from the process.

This proposal will initially use personal data already held by Social Security Scotland to select cases for review. Once selected any new information gathered will be of the same type as that collected routinely when deciding a person’s entitlement to the benefit in question. Each form of assistance has a separate DPIA which is regularly reviewed and the DPIA will be updated to reflect any new processing.

The outcomes of these exercises will be recorded and anonymised for use in statistics. For transparency the Social Security Scotland privacy notice does advise data subjects that data is processed for statistical purposes and to carry out quality and compliance monitoring.

Where anomalies are discovered in individual cases such as overpayments, underpayments or fraudulent activity, Social Security Scotland will follow business as usual procedures which are already subject to their own DPIA. Existing DPIAs are reviewed regularly as are all data sharing agreements. If as part of the audit processes, further information is required to determine whether an individual's entitlement is still correct.

Recovering Scottish social security assistance from awards of compensation

A person affected by accident, injury, or disease due to the fault of a third party may be entitled to compensation. Depending on the nature of their accident, injury, or disease they may also be entitled to social security assistance. The Scottish Government believes that a third party’s legal obligation to fully compensate those they have harmed should not be subsidised by Scotland’s social security system.

The provisions in the Bill allow the Scottish Government to recover relevant forms of Scottish assistance from awards of compensation, avoiding the risk of a person being ‘doubly compensated’ for the same incident. The policy on compensation recovery is consistent with the responsibilities in the Scottish Public Finance Manual^[8], and aligns with the Scottish social security principle that the Scottish social security system is to be efficient and deliver value for money.^[9]

As a result of the provisions in the Bill compensators will be required to collect data regarding the injured party with the data subject’s permission and submit this to the administrator of the Scottish compensation recovery scheme. Once this information has been submitted, Social Security Scotland will be required to share data with the scheme administrator. This data will include Special Category data - health. There will be no requirement to process any criminal offence data.

The scheme administrator will use this data to generate a certificate of recoverable assistance and a copy of this will be provided to both the compensator and the data subject or their legal representative. The legal gateway for this data being shared with compensators will involve utilising section 85 of the 2018 Act, where at subsection (5) the Scottish Ministers can supply information held for a social security purpose to persons specified at section 85(2), which does not currently include compensators. In order to use this, there will be a requirement to make regulations to add compensators to the list of persons at section 85(2) to whom information can be given under section 85(5). This will likely be by amendment of the Social Security Information-sharing (Scotland) Regulations 2021/178.

The new provisions within the Bill will not require any new personal data collection from the clients by Social Security Scotland as the data to be shared was previously collected to determine the clients award of assistance. Social Security Scotland are developing an operational data protection Impact Assessment, this will provide low level process and impacts all data processing, including the data sharing mechanism.

Making changes to the remit and status of the Scottish Commission on Social Security

The Scottish Commission on Social Security (SCoSS) reviews certain social security policies, by way of consideration of draft regulations, and provides the Government and the Scottish Parliament with scrutiny reports on each piece of legislation it reviews.

The provisions in the Bill expand the types of regulations that SCoSS is able to review, and replace the requirement for SCoSS to prepare accounts for external audit, with a requirement to submit an annual report on their work to Scottish Ministers. The Scottish Ministers will then share this report with the Scottish Parliament.

The Bill also removes the status of SCoSS as a body corporate. SCoSS will continue to be recognised as an advisory non-departmental public body which better reflects how it operates in practice.

The proposed changes relating to SCoSS will not have an impact on data protection.

Consideration has been given to each proposal in the Bill and further data protection analysis is required for the proposals intended to: introduce challenge rights for overpayment liability; allow Scottish Ministers to request information for the purpose of audit and recover Scottish social security assistance from awards of compensation.

Each discrete proposal requiring relevant data protection analysis has been analysed individually below.

Information for audit of the social security system

2.2 Description of the personal data involved

Please also specify if this personal data will be special category data, or relate to criminal convictions or offences

This proposal will use personal data already held by Social Security Scotland for the alternative purpose of selecting a subset of cases for review for audit. Once selected most new information gathered will be of the same type as that collected routinely when deciding a person’s entitlement to the benefit in question.

However, the Bill makes provision that where a person has been selected for audit, and they have good reason, they may request that Scottish Ministers deselect them from further participation in the exercise. The reasons provided are likely to be about their personal circumstances and will not necessarily be the type of information routinely held in processing of that benefit. A formal decision about this would be made and the person advised on whether they had been removed from the sample or not. This particular data is only likely to be needed temporarily until the person is either exempted or the audit exercise concludes.

The Bill also provides that Scottish Ministers can prescribe in regulations categories of people who will be automatically exempted entirely from this process, in which case they would be deselected as soon as it was known that particular conditions were met. Those regulations will be subject to their own DPIA in due course.

2.3 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons?

If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights, or use of social profiling to inform policy making.

Provision in the Bill gives Scottish Ministers the power to require that individuals receiving benefits co-operate with requests for information in relation to the their award, payment, or entitlement for the purposes of audit. Where they unreasonably fail to do so, their entitlement may be suspended.

If they continue to refuse to provide the information without good reason an unscheduled review of their entitlement, which is a routine activity of Social Security Scotland, may be triggered. This could result in reinstatement at the same rate, an increase, decrease or end to benefit entitlement. Individuals will have re-determination and appeal rights as per current processes if any change is made to entitlement. The re-determination and appeal processes in Social Security Scotland follow established and fully compliant procedures where data-sharing takes place.

Where the person provides the information required and anomalies are discovered such as overpayments, underpayments or fraudulent activity, Social Security Scotland will follow business-as-usual procedures to correct them. Robust existing processes and systems are already in place to manage personal data and mitigate any associated risks within these processes, which are subject to their own DPIA.

The outcomes of audit exercises will be recorded and anonymised for use in statistics, reporting and estimates relating to the regularity of payments in the social security system and the monetary value of error and fraud. These will help Social Security Scotland to identify trends and areas for improvement, ensure individuals are receiving the benefit they are entitled to, and prevent financial losses through prevention and detection of error and crime.

2.4 Necessity, proportionality and justification

What issue/public need is the proposal seeking to address?

Estimating the extent to which error and fraud are present within the caseload of Social Security Scotland is a critical tool in preventing loss to the public finances. Measuring the propriety and regularity of payments in the Social Security System allows Social Security Scotland’s accountable officer to discharge obligations under sections 15(6) and s15(7) Public Finance and Accountability Act 2000.

Audit Scotland has highlighted a need for Social Security Scotland to measure and report as accurately as possible on overall error levels and to take steps to manage them. However, Scottish Ministers and Social Security Scotland have a wider duty to be accountable to the Scottish Parliament and the people of Scotland for the regulatory of expenditure. The proposed powers mandate participation with audit to ensure estimates are robust and reliable, particularly where a person may be acting in bad faith.

What policy objective is the legislation trying to meet?

The 2018 Act is underpinned by the principles that the Scottish social security system is to be designed on the basis of evidence, it should be efficient and deliver value for money, and that opportunities are to be sought to continuously improve.

In addition the Scottish Government believe that the Scottish Social Security benefits should be paid to the right person, at the right amount, and at the right time. All of these require regular estimates to be made of the amount of underpayment, overpayment and fraud, and analysis of underlying the causes.

Were less invasive or more privacy-friendly options considered, and if so why were these options rejected?

An alternative option considered was to request that information is provided voluntarily to support the audit of entitlement. This option was rejected as the sample would be self-selecting rather than a random statistical sample. In addition it is unlikely that individuals acting in bad faith would willingly participate in any process that is likely to scrutinise their entitlement, defeating the purpose of the audit. Without mandatory participation on the part of the individuals selected in a sample, it would not be possible to provide reliable estimates.

Are there any potential unintended consequences with regards to the provisions e.g., would the provisions result in unintended surveillance or profiling?

Data already gathered by Social Security Scotland for their public task to administer the assistance would be used to select participants according to selection criteria devised by statisticians to produce as close to a representative sample of the benefit caseload as possible. The methodology used would in itself be subject to equalities impact assessment as is it further developed.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Legislating to require individuals to provide information to review their entitlement for the purposes of audit is a necessary and proportionate measure.

The sole purpose of the provision is to allow Scottish Ministers to confirm that individuals are receiving the correct amounts and produce reliable estimates of overpayments, underpayments and fraud along with an analysis of the causes. It is therefore in also Scottish Ministers interests that they are supported in as far as possible to provide that information. Entitlement will never be ended without Social Security Scotland having gone to some lengths to secure their cooperation, or without the person having had ample the opportunity to provide a good reason that they should be exempted from the review of their entitlement.

The Bill provides that anyone selected for audit will in addition have access to the same support they would have had in applying for the benefit in question i.e. they will be entitled to have a supporter present during any discussion or assessment, and right of access to independent advocacy where required.

2.5 Will the implementation be accompanied by guidance or by an associated Code of Conduct?

The implementation of these provisions will be accompanied by internal Social Security Scotland process maps and guidance. Their staff will use these powers on behalf of Scottish Ministers, to select participants and make the request that they provide information for the purpose of audit.