Work First Scotland: privacy impact assessment

Privacy impact assessment for our Work First Scotland programme, which will provide employability support for disabled people under the terms of the Scotland Act 2016.

6. The Data Protection Act Principles

Principle 1

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

a) at least one of the conditions in Schedule 2 is met, and

b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

6.1.1 The purpose of the project has been identified and set out in March 2016 in Creating a Fairer Scotland: A New Future for Employability Support in Scotland (

6.1.2 Individuals will be told about how SG service providers will use their data at their initial interview, where they will be provided with a copy of the SG service provider’s privacy notice. DWP’s privacy notice is published online. (

6.1.3 SG service provider privacy notices will be amended to reflect the delivery of Work First Scotland.

6.1.4 The conditions for processing which apply are:

  • Condition 5(c) of schedule 2 (that the processing is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department); and
  • Condition 7(1)(c) of schedule 3 (that the processing is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department, for the processing of any sensitive data).

6.1.5 We are relying on the customer’s consent to share information in order to:

  • Allow data to be shared with employers
  • Allow data to be shared with other training providers, although this is expected to happen rarely.
  • Allow the use of case studies and good news stories for marketing purposes
  • Allow a Leavers Plan to be shared with DWP
  • Enable customers to be invited to take part in evaluation activities (see paragraph 6.1.7.)

6.1.6 Consent will be collected by SG service providers at the initial interview stage.

6.1.7 The evaluation of transitional services forms an integral part of the service delivery offer for WFS and so all data processing in relation to evaluation activity is covered at sign up to the service. We are commissioning external research consultants to evaluate both service delivery processes and customer outcomes for WFS. In line with SG Social Research Guidance, this will involve completing a separate Privacy Impact Assessment and Ethics review of the commissioned evaluation activity. We will also seek informed consent from WFS customers to contact them directly (or through contracted researchers acting on our behalf) to participate in specific evaluation activities (e.g. a telephone interview or discussion group).

6.1.8 Participation on the programme is not dependent on giving consent to additional processing which is not a requirement for delivering the programme. Where the customer withholds or withdraws consent to share information as noted at paragraph 6.1.5, this will not affect their entitlement to access the services provided through Work First Scotland.

6.1.9 With reference to the Human Rights Act,

  • The actions will not interfere with the right to privacy under Article 8.
  • The social need and aims of the project have been identified.
  • The actions are a proportionate response to the social need.

Principle 2

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

6.2.1 The Employability Programme Plan for 2017 transitional services covers all of the purposes for processing personal data.

6.2.3 No potential new purposes have been identified as the scope of the project expands. Going forward any potential new purposes would be fully considered in line with our Data Protection obligations.

Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

6.3.1 The information we are using is of good enough quality for the purposes it is used for and is subject to internal DWP quality control.

6.3.2 All personal data is required to deliver the project.

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

6.4.1 We are not procuring new software. The software we are using allows data to be amended when necessary.

6.4.2 Personal data is gathered by DWP under their existing processes and subject to DWP internal quality control. Personal data gathered by SG service providers in order to deliver the service and in order to carry out the activities listed at paragraph 6.1.5 will be gathered directly from the customer.

Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.

6.5.1 The personal data will be retained in line with current DWP practice. SG service providers will be required to retain personal data for 5 years and are required to hold the data in line with their security plans.

6.5.2 Existing software allows deletion of information in line with retention periods.

Principle 6

Personal data shall be processed in accordance with the rights of data subjects under this Act.

6.6.1 Existing systems will allow us to respond to Subject Access Requests, which will be dealt with in line with the arrangements set out in the Service Level Agreement between the DWP and SG in Respect Of Work First Scotland.

6.6.2 Participation on the programme is not dependent on the customer giving consent to their personal information being used for marketing purposes – see paragraph 6.1.5.

Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

6.7.1 Existing systems such as the Government Secure Intranet and Bravo provide protection for the transfer of personal information between SG and DWP. Transfer Level Security has been put in place to allow for secure email between SG service providers, DWP and

6.7.2 All SG staff are appropriately vetted and are required to complete annual Data Protection Training. SG service providers have detailed security plans which have been approved by the SG Information Security and Risk team.

Principle 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6.8.1 It is not expected that the project will require us to transfer data outside of the EEA.

6.8.2 If DWP identifies any offshoring requests that will affect data that are being processed on behalf of SG, SG will be consulted as a stakeholder in DWP’s offshoring approvals process.

