We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Impact assessment

Social Security (Amendment) (Scotland) Bill: data protection impact assessment - updated April 2025

Published
28 April 2025
From
Cabinet Secretary for Social Justice
Directorate
Social Security Directorate
Topic
Children and families, Communities and third sector, Public sector
ISBN
9781836915102

This data protection impact assessment (DPIA) considers the potential impacts of the Social Security (Amendment) (Scotland) Bill on the use of personal data.

View supporting documents Supporting documents

3. Data Controllers

Organisation: Social Security Scotland

Activities: Social Security Scotland acts on behalf of the Scottish Ministers as controller for the personal data processed. Social Security Scotland is an Executive Agency of the Scottish Government. It has the responsibility for managing and administering the benefits that are devolved to Scotland.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, section 7 of the Data Protection Act 2018? : Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing: Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

(Include condition from Schedule 1 or 2 of the Data Protection Act 2018):

The Article 9 condition that applies for processing the special category data is (b) Employment, social security and social protection (if authorised by law).

The condition from Schedule 1 of the Data Protection Act 2018 is met if:

(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b) when the processing is carried out, the controller has an appropriate policy document in place.

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018:

Not applicable

Legal gateway for any sharing of personal data between organisations, eg as part of existing common interest investigation processes with DWP:

Not applicable

Contact

Email: socialsecurityCI@gov.scot

Back to top