Social Security (Amendment) (Scotland) Bill: data protection impact assessment - updated April 2025
This data protection impact assessment (DPIA) considers the potential impacts of the Social Security (Amendment) (Scotland) Bill on the use of personal data.
5. Further assessment and risk identification
5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?
The proposal will not require the creation of new identifiers but will require the use of existing identifiers held by Social Security Scotland such as National Insurance Number, name or date of birth to select individuals for the purpose of audit.
5.2 Will the proposal require regulation of:
- technology relating to processing
- behaviour of individuals using technology
- technology suppliers
- technology infrastructure information security
There are no legislative measures relating to technology.
5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?
No
5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g. in relation to fraud, identity theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)
The proposal does not introduce any new requirements regarding the collection or storage of data to be used as evidence or use of investigatory powers. Where the use of this power uncovered information that suggested any illegal or irregular activity, Social Security Scotland’s existing investigatory powers under the 2018 Act and associated regulations and processes would be engaged; these are subject to their own DPIA and the Social Security Code of Practice for Investigations[10].
5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?
The proposal will have an impact on people who are receiving assistance from Social Security Scotland. Scottish Ministers may request that they provide information when reasonably requested in order to review their entitlement for the purposes of audit. No additional data over and above the types of data already used by Social Security Scotland for the purpose of determining a person’s entitlement would be gathered or processed.
5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to view the measures as intrusive or onerous?
No
Are there any potential unintended consequences with regards to the provisions, e.g. would the provisions result in unintended surveillance or profiling?
No
Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.
Ministers requesting information for the purposes of audit, in particular for undertaking exercises to estimate the monetary value of error and fraud, is already a standard feature of the reserved benefit system and affects very small numbers of people. It is unlikely, as a result, that the public should view the measures included in the Bill as intrusive or onerous.
The Bill makes provision that where a person has good reason they might be exempted from the process and also provides that Scottish Ministers can, by way of regulations, prescribe categories of people who will be exempted entirely from this process. It also ensures that anyone selected has the right to access the same support measures as they would when making their original application for Scottish benefits i.e. a supporter and/or access to independent advocacy services.
These safeguards ensure that people will not be required to participate in this process where they have a good reason while supporting them to do so, and balancing the need for a sample to be randomly selected in order to produce robust estimates.
No unintended consequences have been identified and this will continue to be reviewed during parliamentary passage. A full operational data protection impact assessment will be undertaken prior to implementation.
5.7 Are there consequential changes to other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?
Provision has been made in the Bill for Scottish Ministers to make secondary regulations in respect of those who might be exempt from the audit process, and the form in which information might be sought and required.
5.8 Will this proposal necessitate an associated code of conduct?
If so, what will be the status of the code of conduct (statutory, voluntary etc.)?
No
5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so, briefly explain the nature of those safeguards.
Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.
Social Security Scotland on behalf of Scottish Ministers will handle personal data for the purpose of selecting participants at random for the purpose of requesting information for audit.
Social Security Scotland holds and processes personal data in compliance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Social Security Scotland’s privacy notice details their robust measures to handle and store personal data.
The measures included in the Bill to request information for audit will usually ask individuals to share information of a type already listed in the examples of personal data that Social Security Scotland might collect. They will also have access to the same support as any other person applying for Scottish social security benefits, throughout the audit process.
In exceptional circumstances where a person refuses to comply with requests for information or with the unscheduled review process that is triggered as a result, they will have full redetermination and appeal rights to any new determination of their entitlement.
5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.
The Bill gives Scottish Ministers the power to require that individuals receiving assistance co-operate with requests for information in relation to the individual’s payment or entitlement for the purposes of auditing the monetary value of fraud and error and associated or carrying out corrections of apparent errors and investigations into potential fraud (and other activities connected to auditing). Where they unreasonably fail to do so, their entitlement may be suspended.
Where, following suspension, they still fail to provide the requested information by the end of the further specified period for a response, an unscheduled review of their entitlement may be triggered, which could ultimately lead to an increase, reduction or termination of the benefit in question.
If an individual provides the information requested by the Scottish Ministers and anomalies are discovered, such as overpayments, underpayments or fraudulent activity, Social Security Scotland will follow business-as-usual procedures to correct them, which are already subject to their own DPIA.
Data collected from audit exercises will usually be recorded and anonymised for use in statistics, reporting and estimates relating to the regularity of payments in the social security system.
Social Security Scotland has robust existing processes and systems in place to manage clients’ personal data and mitigate any associated risks.
5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?
No
5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as a country outside the UK.)
The proposal will not require the transfer of personal data to a ‘third country’.
Contact
Email: socialsecurityCI@gov.scot