Disability Assistance for Older People (Scotland) Regulations 2024: Data Protection Impact Assessment

5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

Comments

Delivery of the benefit will reuse existing mechanisms introduced for other Scottish social security benefits that will retrieve identifiers for individuals when sharing data with the DWP.

The DWP hold Global Unique Identifiers (GUIDs) for each individual who receives benefits that they administer. To obtain a GUID from DWP, SPM will share the individual’s name, date of birth and postcode. If there is a match with information held by DWP, a GUID will be shared and stored within SPM.

The GUID is then used to share data on other data necessary to make determinations of entitlement and to maintain entitlement for individuals who receive PADP. SPM may hold a GUID already obtained for an individual applying for PADP if they had previously received another Scottish Government social security benefit. Where this is the case, the identifier will be reused when requesting data from DWP for the purposes of administering PADP.

Delivery of this benefit will reuse existing mechanisms introduced for other Scottish social security benefits that will retrieve Community Health Index (CHI) numbers for individuals when sharing information with health boards and GPs. The re-use of CHI numbers has previously been agreed via the CHI Advisory Board.

5.2 Will the proposal require regulation of:

• technology relating to processing
• behaviour of individuals using technology
• technology suppliers
• technology infrastructure
• information security

Comments

In practice, DWP will encrypt data and the Scottish Government will decrypt on arrival. All data will be accessed – identity and access mapping will be completed.

The existing infrastructure and security used by Social Security Scotland to transfer data from DWP will be utilised. There are no legislative measures relating to technology.

Technology already used to provide other Social Security Scotland payments will be used to support the payment of PADP. Technology used to support the applications for PADP and payment of PADP will be limited to support those functions.

Social Security Scotland have technical and operational controls in place to safeguard individuals.

An IT Health Check that includes penetration testing takes place prior to any system release. Digital Security officials undertake an operational readiness statement prior to any go live decision. All digital security risks are registered and a treatment plan put in place. These plans are reviewed regularly.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

Comments

No.

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g.in relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

Comments

The proposal does not introduce any new requirements regarding investigatory powers; these are already included in the Social Security (Scotland) Act 2018 and regulations to be made under it.

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify) In what way?

Comments

This proposal relates to the collection of data and information for new PADP applications

and the transfer of data and information on awards of Attendance Allowance in Scotland. This will have a direct impact on the individual and the individual to whom the benefit is paid, where the individual has an appointee in place.

The main data subject should in the vast majority of cases be a disabled older person. Impact assessments have been drafted, including an Equalities Impact Assessment, with the intention that these are to be published alongside the Regulations in the Scottish Parliament.

Drafts of impact assessments were prepared and published in relation to the draft PADP Regulations to ensure transparent governance when the draft Regulations were issued to SCoSS on 7 August 2023.

SCoSS provided an observation in their report on the draft PADP Regulations relating to the Equalities Impact Assessment, following engagement with the Equalities and Human Rights Commission. The Scottish Government has made necessary amendments to all impact assessments as a result.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to views the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result in unintended surveillance or profiling.

Have you considered whether the intended processing will have appropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments

There is nothing potentially controversial or of significant public interest in relation to the processing of data for PADP.

For case transfer, research has confirmed that the majority of people are supportive of award information being transferred to allow for a safe and secure transfer rather than being required to complete a new application for a replacement Scottish Government benefit.

Social Security Scotland will process PADP data for the same purpose and in a similar manner to how Attendance Allowance data is currently processed by DWP. There are no identified potential unintended consequences.

The processing of data will follow the same high security standards already in place within Social Security Scotland for the processing of new applications and case transfers.

A security risk assessment is completed for all new processes via IT to ensure sufficient security controls are in place.

An operational DPIA is already being completed and updated as the new system develops to ensure privacy risks are identified and assessed.

The Operational DPIA will consider the data subject rights of individuals associated with the processing and payment of PADP. Any risks will be mitigated to ensure the rights of data subjects are not impacted.

Under the case transfer process, processing will be completed using ADM only where the outcome for the individual is positive. To note there is no profiling.

Safeguards that will be in place included being transparent to individuals that Social Security Scotland’s case transfer process is using ADM. This can be seen in the Privacy Notice.

The Privacy Notice is layered and will provide an easily understood privacy pattern to allow the individual to understand how ADM is used.

The individual will be notified ADM has been used and provided details on how to exercise their rights for a review (including by a person). Operational safeguards include staff being able to provide an explanation on how ADM processing is undertaken, accuracy checks to ensure the process is accurate and access controls on system application to ensure codes changes are monitored and logged.

5.7 Are there consequential changes to other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

Comments

Provisions consequential to the principal PADP regulations are being made under:

• the schedule of the principal PADP regulations to amend primary legislation
• consequential amendment regulations to amend devolved secondary legislation
• section 104 orders to amend reserved legislation.

These regulations will not relate to information sharing and/or information processing.

5.8 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

Comments

The implementation of the proposals is principally guided by the Social Security Charter^[10] and the Civil Service Code^[11].

All Social Security Scotland staff are bound by the Civil Service Code, to ensure individual confidentiality, integrity and accuracy of personal data.

Implementation will also be supported by operational and decision-making guidance with input from colleagues with relevant interests across the Social Security Directorate, including policy and legal officials and will be tested before PADP launches.

5.9 Have you considered whether the intended processing will have appropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Comments

The processing of data will follow the same high security standards already in place within Social Security Scotland for the processing of new applications, including:

• pseudonymisation of equalities data
• redaction of personal data received on documents during the application process
• retention schedules to minimise personal data where there is no longer purpose for retention
• Social Security Scotland will adhere to a policy of data minimisation in the transfer of information from the DWP.
• Where an individual is terminally ill, relevant ‘harmful information’ indicators will ensure that where harmful information is held, Social Security Scotland will not disclose this to an individual who is unaware of their terminal diagnosis.

An IT Health Check that includes penetration testing takes place prior to any system release. Digital Security undertake an operational readiness statement prior to any go live decision, all digital security risks are registered and treatment plan put in place, these plans are reviewed regularly.

The Operational DPIA will consider the data subject rights of individuals associated with the processing and payment of PADP. Any risks will be mitigated to ensure the rights of data subjects are not impacted.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual’s rights or use of social profiling to inform policy making.

Comments

Personal data will be used to inform decisions on an individual’s entitlement to disability benefits and make payments to them. For both new applications and case transfers, determinations of entitlement will be subject to full re-determination and appeal rights

For case transfers where ADM processing has taken place, the individual will also have the right of review, including by a person. The individual will be advised of their rights.

There is a risk that individuals will not be fully aware of their right to full re-determination and appeal. This will be mitigated through a communications framework for all individuals whose case is transferred with letters detailing this process. For ADM, details are added to the outcome notice and the Privacy Notice.

All individuals are also asked to complete a voluntary Equality Monitoring and Feedback form along with the application form for each benefit delivered by Social Security Scotland, including PADP.

The data collected is used to identify who is using the service, to investigate how Social Security Scotland processes work for different groups of people and to understand whether groups with protected characteristics are able to adequately access social security payments. The equalities data is also analysed by outcome of application to assess if there is any variation.

The Scottish Government is are also seeking to receive any relevant equalities data DWP collected for individuals in order to meet the statutory duty to report on outcomes for those with protected characteristics.

For additional protection all equalities data is retained in a separate location to the individual’s record in a pseudonymised state.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?

Comments

No profiling takes place.

ADM will be used when transferring the data from DWP. Where all the information from DWP passes validation and a like for like award can be made this action will be undertaken without any meaningful intervention from an individual.

This relates to a positive award only, where the individual is awarded the same rate of payment as they were previously in receipt of by DWP. If validation fails or the rate differs then the case will be handed to a member of staff to undertake a manual determination.

These decisions have a legal and significant effect on the individual and are deemed as ADM processing.

Article 22(1) does not apply as processing is under Article (22)(2)(b) authorised by law. The Data Protection Act 2018 (Chapter 2, Part 2, Section 14(3)(b) refers only to a decision which is required or authorised by law and that law doesn’t have to explicitly state that solely automated decision making is authorised for a particular purpose.

The use of ADM is justified as there is a statutory power to award social security benefit and Pension Age Disability Payment and the use of automated decision-making/profiling is the most appropriate way to achieve this purpose.

There will be safeguards in place to ensure the individual is aware that they have been subject to ADM, details will be provided in their outcome notice and on Social Security Scotland’s Privacy Notice^[12].

Additional safeguards, for example, ensuring that the individual is aware and how to have their decision reviewed by a person, checks on the ADM solution to ensure accurate application and staff training to allow an explanation of how the ADM decision was made, will all be in place prior to the use of ADM for case transfer.

Scottish Ministers consider the use of ADM to be lawful and it will not disadvantage individuals. This will be further demonstrated in the Operational DPIA. There is no machine learning therefore no bias will be introduced.

The ADM is based on set factors, the data matches set parameters and formatting, the rate paid and personal details match DWP.

ADM is only used where it creates the positive award, not all cases will be subject to ADM, cases where data doesn’t match will “fall out” to a member of staff. The use of ADM allows the processing of high volumes accurately, allowing time for staff members to deal with the more complex cases, ensuring a seamless transfer for the individual. ADM allows for all cases selected for transfer to be completed within an agreed 17 week window, during this time DWP will continue to pay the individual ensuring no break in payment.

The processing of data resulting from these regulations will follow the same high security standards already in place within Social Security Scotland.

5.12 Will the proposal require the transfer of personal data to a ‘third country’? (Under UK GDPR this is defined as country outside the UK.)

Comments

No – there will be no transfer of personal data to organisations in a third country outside of the United Kingdom.

In limited circumstances, there may be a small number of individuals residing outwith the United Kingdom who will be entitled to PADP. In these cases, interaction will be with the data subject directly and not with any data controllers or processers within those countries.