Carer Support Payment: data protection impact assessment
This impact assessment records how data will be used in relation to the Carer’s Assistance (Carer Support Payment) (Scotland) Regulations 2023 and how that use is compliant with data protection legislation.
3. Data Controllers
Organisation
Social Security Scotland
Activities
Social Security Scotland collect and store personal data in order to make determinations of entitlement to devolved benefits and for the ongoing management of client awards.
Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?
Yes
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data
Article 9 (g) – processing is necessary for reasons of substantial public interest, on the basis of law which shall be proportionate to the aim of maximising benefit take-up and reducing barriers to accessing social security benefits in Scotland. Processing will respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by [domestic law] or a collective agreement pursuant [to domestic law] providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that, processing is necessary for the exercise of a function conferred on Social Security Scotland.
An Appropriate Policy is held.
Processing of criminal offence data will be required for Carer Support Payment. To assess eligibility or process a change in a client's circumstances we will need to know if they have been admitted to or have left legal detention. We accept that this would be considered criminal offence and therefore special category data, The processing of this information is required for Social Security Purposes as provided for in the Data Protection Act 2018 at Schedule 1 Part 1 Paragraph 1. In line with this we have an appropriate policy document in place for our processing of this data which includes our policy on retention of this data.
Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018
For law enforcement purposes Social Security Scotland is a competent authority in paragraph 2 of Schedule 7, (Scottish Ministers devolved through the Social Security Act 2018).
Legal gateway for any sharing of personal data between organisations
N/A - Existing legal gateways will apply.
In line with ICO Data Sharing Code of Practice, as required by Section 121 of the Data Protection Act 2018.
Organisation
Department for Work and Pensions (DWP)
Activities
DWP collect and store personal data in order to make determinations of entitlement and maintain for Carer's Allowance benefit payments in England, Wales and Scotland, until those Scottish cases have been transferred to Scottish Government as Carer Support Payment. DWP also process and maintain other linked and income-related benefits impacted by Carer Support Payment, as well as qualifying disability benefits required for Carer Support Payment benefit entitlement.
Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?
Yes
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data
Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by [domestic law] or a collective agreement pursuant [to domestic law] providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that, processing is necessary for the exercise of a function conferred on Social Security Scotland.
An Appropriate Policy is held.
Processing of criminal offence data will be required for Carer Support Payment. To assess eligibility or process a change in a client's circumstances we will need to know if they have been admitted to or have left legal detention. We accept that this would be considered criminal offence and therefore special category data, The processing of this information is required for Social Security Purposes as provided for in the Data Protection Act 2018 at Schedule 1 Part 1 Paragraph 1. In line with this we have an appropriate policy document in place for our processing of this data which includes our policy on retention of this data
Organisation
His Majesty's Revenue & Customs (HMRC)
Activities
HMRC collect and store personal data in order to process and maintain information regarding a client's earnings and tax liability. This information is required in order to determine entitlement and maintain Carer Support Payments for carers in Scotland.
Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?
Yes
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data
Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by [domestic law] or a collective agreement pursuant [to domestic law] providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that, processing is necessary for the exercise of a function conferred on Social Security Scotland.
An Appropriate Policy is held.
Article 10
N/A - data processing does not pertain to the nature of the conviction for the individual and is only in regard to whether they have been legally detained for the purposes of social security.
Organisation
Ministry of Defence (MoD)
Activities
MoD collect and store personal data in order to process and maintain War Pension Scheme Supplementary Allowances which cannot be paid at the same time as Carer Support Payments. They also process and maintain Armed Forces Independence Payments which is a qualifying benefit for cared for persons who may be subject to a carer's Carer Support Payment claim.
Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?
Yes
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data
Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by [domestic law] or a collective agreement pursuant [to domestic law] providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that, processing is necessary for the exercise of a function conferred on Social Security Scotland.
An Appropriate Policy is held.
Article 10N/A - data processing does not pertain to the nature of the conviction for the individual and is only in regard to whether they have been legally detained for the purposes of social security.
Organisation
Northern Ireland Department for Communities
Activities
The Northern Ireland Department for Communities collect and store personal data in order to make determinations of entitlement and maintain for Carer's Allowance payments in Northern Ireland.
Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?
Yes
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data
Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by [domestic law] or a collective agreement pursuant [to domestic law] providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that, processing is necessary for the exercise of a function conferred on Social Security Scotland.
An Appropriate Policy is held.
Article 10
N/A - data processing does not pertain to the nature of the conviction for the individual and is only in regard to whether they have been legally detained for the purposes of social security.
Contact
Email: CarerSupportPayment@gov.scot
There is a problem
Thanks for your feedback