We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Advice and guidance

Trauma Responsive Social Work Services Programme: data protection impact assessment

Published
26 March 2025
Directorate
Children and Families Directorate, +3 more … Local Government and Housing Directorate, Mental Health Directorate, Social Care and National Care Service Development
Topic
Children and families, Communities and third sector, Education, +3 more … Health and social care, Public sector, Work and skills
ISBN
9781836914075

Data Protection Impact Assessment (DPIA) for the Trauma Responsive Social Work Services Programme.

View supporting documents Supporting documents

Data controller and data processing

Personal data to be processed

All data below will be gathered from individuals participating in the Trauma Responsive Social Work Services Programme (customers or prospective customers. This is an iterative programme which currently supports around 1000 individuals with the plan to support up to 10000 over the course of the programme.

Data Source: Registering for events, joining online training, confirming attendance, communicating about programme, issuing certificates

Variable: Name and email address

Data Source: Completing surveys and evaluation forms

Variable: Professional group, length of time in profession, service, current job role, time in current role, practice area, employer, gender and age. We will also collate health data – wellbeing questions (special category data) on a voluntary basis for evaluation.

How this data will be processed

Names and work email addresses provided by those engaging with the programme will be saved in a Microsoft Excel spreadsheet, which will be used to communicate any changes to privacy notice (e.g. once a provider for independent evaluation has been agreed) and for programme evaluation purposes. This spreadsheet will be stored in a limited access area within ERDM, which will only be accessible to the TRSWS team or contracted evaluators via Scottish Government secure servers.

All information relating to the TRSWS programme survey and feedback questionnaires for implementation and learning events, including the personal information outlined in the table above, will be collected via digital survey link and stored on cloud-based platforms Microsoft Forms and Qualtrics. This information will be exported to Microsoft Excel spreadsheets to facilitate data processing, including data analysis in the form of descriptive statistics to facilitate evaluation of the programme and inform changes for future deliveries/participants. This will be electronically secured in ERDM, which will only be accessible to the TRSWS team and contracted evaluators via Scottish Government secure servers.

The above data will not be shared with any other party or used for any other purpose.

For recording of training sessions/webinars, attendees will be notified by the MS Teams call and the meeting facilitator that this meeting will be recorded and will be informed of their rights. The recordings will be made available to those not able to attend training.

For filming videos of individuals to be used in training packages, only individuals who agree to be recorded and used in our training packages will be filmed. A consent form will need to be completed before any recording takes place or videos used in packages. Videos will be saved securely on eRDM and will only be accessible by the TRSWS team. They may also be downloaded onto a secure, encrypted USB storage device to provide an offline backup in case any connection issues while delivering training. The team have the necessary approvals to use removable storage devices.

4.3 The purpose(s) of the processing

Personal data will only be used by the Trauma Responsive Social Work Services team to communicate any changes with the privacy notice, evaluating learning outcomes both pre and post training, issuing certificates upon completion of training and evaluating the impact of the programme more widely. Personal information will not be shared with any other party out with the TRSWS team or the contracted evaluator. No raw data will be shared with local areas engaging with TRSWS, however high-level summaries e.g. averages following analysis will be shared. No personal or identifiable information will be provided. Anonymised raw data will be made available to the contractor appointed to conduct external evaluation of the programme. Personal data will be held for a maximum period of 7 years from the date it is received, after which time it will be destroyed.

Individuals can also request us to remove their information before the 7-year period. This is explicit within the privacy notice which will be shared with all attendees at the outset of their engagement with the programme, and at all intervals where we seek further information. This applies to all data, whether it is stored on eRDM, Microsoft, or Qualtrics servers.

Demographic information, including protected characteristics will be used for evaluation purposes and to enable TRSWS programme outcomes to be considered within the existing evidence base and wider work of the Scottish Government in relation to equalities work. Demographic information will not be shared outwith TRSWS Team and contracted evaluators, and individual responses will not be identifiable in any reporting. Qualtrics surveys will be used to gather the data above.

This data will be saved in the Scottish Governments secure filing system and then deleted from Qualtrics servers once evaluation of this data is no longer required. This data will be held for a maximum period of 7 years from the date it is received, after which time it will be destroyed.

Data controllers

Organisation: Scottish Ministers:
Activities Devolved Government
Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018? Yes
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

Delivery of training, working with implementation sites, evaluation of the Programme, recording and sharing of sessions with those not able to attend - Public task s9. of the Social Work (Scotland) Act 1968

Development of training and learning materials – recording of individuals for inclusion in training materials - Consent

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

Include condition from Schedule 1 or 2 of the Data Protection Act 2018

Schedule 1 Paragraph 2 of Data Protection Act (DPA) 2018

6. Provision of social care
Law enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018 N/A
Legal gateway for any sharing of personal data between organisations N/A

Data processors and sub processors

Organisation Activity Contract in place compliant with UK GDPR Act 28? Yes/No
Implementation sites Disseminating information to those in scope. No. No personal data shared between implementation site and TRSWS team unless Data Sharing Agreement in place.
Independent evaluation company to be procured Evaluation of the Trauma Responsive Social Work Services Programme Yes. Only contractors compliant with UK GDPR will be considered. This DPIA and any privacy notices will be updated once contractor in place.
Microsoft Collation of responses from questionnaires and surveys Yes.
Qualtrics XM Creation and distribution of survey and collation of responses Yes. Qualtrics LLC complies with the EU-U.S. Data Privacy Framework (EU-US DPF), the UK Extension to the EU-U.S. DPF (UK-US DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-US DPF) as set forth by the U.S. More information at Privacy Statement - Qualtrics and Security Statement - Qualtrics.
Eventbrite Hosting participant sign up for training events and collating email contact details. No contract in place - Eventbrite are a USA based company, and therefore out with the EEA. Risk has been identified and approved by IAO prior to processing. Further information on their privacy notice can be found Eventbrite Privacy Policy | Eventbrite Help Centre. Our privacy notice will make clear that Eventbrite, INC is outwith EEA and to see their privacy notice for more information.
Youtube (Google) Hosting recorded videos of training. No contract in place – Google are a USA based company, and therefore out with the EEA. Risk identified and approved by IAO prior to processing. Further information on their privacy policy can be found at Privacy Policy – Privacy & Terms – Google. Our privacy notice will make clear that Youtube is outwith EEA and to see their privacy notice for more information.

Data flows

The overall programme will be subject to external evaluation and provide a unique opportunity for social work to contribute to the emerging evidence base in this field. In addition, the team will support the collection and use of data and feedback locally, in making and maintaining change and improvements, over time.

Flowchart at annex B.

Contact

Email: TRSWS@gov.scot

Back to top