Social Security (Amendment) (Scotland) Bill: data protection impact assessment

This data protection impact assessment (DPIA) considers the potential impacts of the Social Security (Amendment) (Scotland) Bill on the use of personal data.

Data Protection Impact Assessment

Social Security (Amendment) (Scotland) Bill

Version date: 23 October 2023

The purpose of this impact assessment is to consider the potential for privacy impacts and GDPR implications associated with proposals that make up the Social Security (Amendment) (Scotland) Bill (‘the Bill’). This document will also provide an evaluation of how the protection of personal data has been considered and demonstrate how the rights to privacy and confidentiality of the users are appropriately protected through mitigations.

The Bill introduces provisions aimed at effecting the continuous improvement of the social security system across a range of topics, in line with the Scottish social security principles laid out in Part 1 of the Social Security (Scotland) Act 2018 (‘the 2018 Act’).[1] These core principles, endorsed unanimously by the Scottish Parliament, deliberately correspond to some of the fundamental aspects of the right to social security, as set out in key human rights instruments such as the International Covenant on Economic, Social and Cultural Rights,[2] the Universal Declaration of Human Rights,[3] and the European Social Charter.[4]

In particular, the principles which connect most closely to the provisions included within the Bill state that –

“opportunities are to be sought to continuously improve the Scottish social security system in ways which –

(i) put the needs of those who require assistance first, and

(ii) advance equality and non-discrimination”


“the Scottish social security system is to be efficient and deliver value for money”

The majority of provisions included within the Bill are designed to enhance administration of the Scottish social security system, with a focus on measures to improve client experience and to deliver value for money. In addition, a provision is included allowing Ministers to create, by way of regulations, financial assistance for people with experience of being in care.

Each proposal has been examined as a separate entity to ensure that the full range of considerations for each has been considered as part of this assessment.

This Data Protection Impact Assessment (DPIA) works in conjunction with the Article 36(4) ICO consultation form submitted in advance of this, as the proposals require consultation with the Information Commissioner’s Office (ICO).



Back to top