Carer Support Payment: data protection impact assessment

5. Further assessment and risk identification

5.1 Will the proposal require the creation of new identifiers, or require the use of existing ones?

Delivery of the benefit will reuse existing mechanisms introduced for other Scottish benefits that will retrieve identifiers for claimants when sharing data with the DWP.

The DWP hold Global Unique Identifiers (GUIDs) for each individual who claims benefits that they administer. To obtain a GUID from DWP, SPM will share the claimant's name, date of birth and postcode. If there is a match with information held by DWP, a GUID will be shared and stored within SPM.

The GUID is then used to share data on other data necessary to make determinations of entitlement and to maintain entitlement for claimants of Carer Support Payment. SPM may hold a GUID already obtained for a Carer Support Payment client if they had previously claimed another Scottish benefit. Where this is the case, the identifier will be reused when requesting data from DWP for the purposes of administering Carer Support Payment.

5.2 Will the proposal require regulation of:

• technology relating to processing
• behaviour of individuals using technology
• technology suppliers
• technology infrastructure
• information security

In practice, DWP will encrypt the data and the Scottish Government will decrypt on arrival. All data will be accessed – identity and access mapping will be completed.

The existing infrastructure and security used by Social Security Scotland to transfer data from DWP will be utilised. There are no legislative measures relating to technology for these changes.

Technology already used to provide other Social Security Scotland payments will be used to support the payment of CSP.

Social Security Scotland have technical and operationalcontrols in place to safeguard individuals.

5.3 Will the proposal require establishing or change to operation of an established public register (e.g. Accountancy in Bankruptcy, Land Register etc.) or other online service/s?

N/A

5.4 Please provide details of whether the proposal will involve the collection or storage of data to be used as evidence or use of investigatory powers (e.g.in relation to fraud, identify theft, misuse of public funds, any possible criminal activity, witness information, victim information or other monitoring of online behaviour)

The data will not be collected or stored for the explicit purpose of use as evidence. However, the stored data could be used to investigate fraud. This is also the case for other Scottish benefits already live.

For law enforcement purposes Social Security Scotland is a competent authority in paragraph 2 of Schedule 7 of the Data Protection Act 2018 (Scottish Ministers devolved through the Social Security Act 2018). Any processing will satisfy the conditions as per The Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, and the Data Protection Act 2018 Part 3 which sets out a separate regime for law enforcement authorities in the UK.

5.5 Would the proposal have an impact on a specific group of persons e.g. children, vulnerable individuals, disabled persons, persons with health issues, persons with financial difficulties, elderly people? (Please specify)In what way?

This proposal relates to the collection of data and information in relation to new applications for Carer Support Payment and the transfer of data and information on adults in Scotland currently in receipt of Carer's Allowance so will have a direct impact on the client, the individual to whom the benefit is paid (in the case of an appointee), as well as the cared for person. The main data subject will be unpaid carers, who are at increased risk of poverty. As mentioned in section 2.3, it is anticipated that a large proportion of CSP recipients will be women in particular. Data relating to the cared for person will relate to disabled adults and children. The client themselves may also be an adult with a disability, and a significant number of current CA clients are above State Pension age, and would therefore be categorised as elderly.

Impact assessments have also been drafted, including an Equalities Impact Assessment and Children's Rights and Wellbeing Impact Assessment, with the intention that these will be laid alongside the draft regulations in September 2023. Links to these assessments can be found in Annex F.

5.6 Is there anything potentially controversial or of significant public interest in the policy proposal as it relates to processing of data? For example, is the public likely to views the measures as intrusive or onerous?

Are there any potential unintended consequences with regards to the provisions e.g. would the provisions result inunintended surveillance or profiling.

Have you considered whether the intended processing will haveappropriate safeguards in place? If so briefly explain the nature of those safeguards and how any safeguards ensure the balance of any competing interests in relation to the processing.

There is nothing potentially controversial or of significant public interest in relation to the processing of data for Carer Support Payment. For case transfer, client research has confirmed that the majority of clients are supportive of transfer of information to allow the new benefit to be set up rather than being required to complete a new application for a benefit they consider they are already entitled to. Carer Support Payment will process data for the same purpose, in a similar manner, to how Carer's Allowance is currently processed by DWP. There are no identified potential unintended consequences.

The processing of data will follow the same high security standards already in place within Social Security Scotland for the processing of new applications.

A security risk assessment is completed for all new processes and one will be completed for Carer Support Payment. This will be contained in the Operational Data Protection Impact Assessment.

The operational DPIA will consider the data subject rights of individuals associated with the processing and payment of Carer Support Payment and ensure that any risks are mitigated to ensure the rights of data subjects are not impacted.

5.7 Are there consequential changes to in other legislation that need to be considered as a result of the proposal or the need to make further subordinate legislation to achieve the aim?

Changes will need to be made to existing Scottish and UK legislation as a consequence of introducing Carer Support Payment. These changes will be made through provisions in the schedule to the Carer Support Payment regulations and through consequential amendments regulations in Scotland and UK wider Section 104 Orders.

These changes will ensure that Carer Support Payment can be delivered as set out above, and the relevant data processing and sharing requirements are considered here and will be set out further in the Operational DPIA

5.8 Will this proposal necessitate an associated code of conduct?

If so, what will be the status of the code of conduct (statutory, voluntary etc.)?

The implementation of the proposals is principally guided by the Social Security Scotland Charter and the Civil Service Code of Conduct (Scotland).

Implementation will also be supported by operational guidance with input from colleagues with relevant interest across the Directorate, including policy and legal (SGLD) and will be tested before the benefit launches.

5.9 Have you considered whether the intended processing will haveappropriate safeguards in place, for example in relation to data security, limitation of storage time, anonymisation? If so briefly explain the nature of those safeguards

Please indicate how any safeguards ensure the balance of any competing interests in relation to the processing.

Social Security Scotland are not proposing to use anything over and above the existing safeguarding measures which are in place for new cases which include:

• Pseudonymisation of equalities data
• Redaction of personal data received on documents during the application process
• Retention schedule to minimise personal data where there is no longer purpose to retain.
• Social Security Scotland will adhere to a policy of data minimisation in the transfer of information from DWP and HMRC.
• The processing of data will follow the same high security standards already in place within Social Security Scotland for the processing of new applications.
• A security risk assessment is completed for all new processes and one will be completed for Carer Support Payment. This will be contained in the Operational Data Protection Impact Assessment.

5.10 Will the processing of personal data as a result of the proposal have an impact on decisions made about individuals, groups or categories of persons? If so, please explain the potential or actual impact. This may include, for example, a denial of an individual's rights or use of social profiling toinform policy making.

Personal data will be used to inform decisions on a client's entitlement to carer benefits and make payments to them. For both new applications and case transfers, decisions on entitlement will be subject to full re-determination and appeal rights.

There is a risk that clients will not be fully aware of their right to full re-determination and appeal.

This will be mitigated through a communications framework for all clients whose case is transferred with letters detailing this process.

In some cases, the processing of Carer Support Payment applications may impact the cared for person's entitlement to other linked benefits and premia administered by the DWP. This is because of DWP rules that these benefits/premia cannot be in payment at the same time.

All clients are also asked to complete an Equality Monitoring and Feedback form along with the application form for each benefit delivered by Social Security Scotland. The data collected is used to identify who is using the service, to investigate how Social Security Scotland processes work for different groups of people and to understand whether groups with protected characteristics are able to adequately access social security payments. The equalities data is also analysed by outcome of application to assess if there is any variation.

For additional protection all equalities data is retained in a separate location to the client record in a pseudonymised state.

5.11 Will the proposal include automated decision making/profiling of individuals using their personal data?

No profiling takes place.

Automated Decision Making processingdoes apply - Article 22(1) the right not to be subject to automated decision making doesn't not apply as Article 22(2)( b) is applicable.

There is statutory law that determines the entitlement to Carer Support Payment through Social Security (Scotland) 2018 Act and Carer Support (Scotland) Regulations 2023 . These allow Social Security Scotland to determine and award the benefit.

Straight through processing ensures that the individual's award is processed on time, accurately without putting any undue burden on the client allowing Social Security Scotland to meet the demand for this benefit allowing intake to be managed effectively ensuring accurate payment with no delay to the individuals.

There is no machine learning in this process the decision making is based on the entitlement conditions, there will be no bias in the decision making.

Social Security Scotland has responsibility to provide secure, accurate and efficient award of benefit to individuals of Scotland and also to protect the public finances by putting in place the most financially effective process that meets all requirements. The welfare system of Scotland is a public funded service.

Article 22(2)(b) of the UK GDPR does not require the law to expressly provide that a decision can be made based solely on automated processing.

Social Security Scotland can demonstrate that straight though processing of Scottish Carers Assistance is a reasonable way of complying with the statutory law.

The Data Protection Act 2018 (DPA 2018) (Chapter 2, Part 2, Section 14 (3)(b)).

Social Security Scotland can demonstrate that appropriate safeguard are in place to comply with The Data Protection Act 2018 (DPA 2018) (Chapter 2, Part 2, Section 14 (4) to ensure individuals are aware of the processing and able to exercise their rights.

5.12 Will the proposal require the transfer of personal data to a 'third country'? (Under UK GDPR this is defined as country outside the UK.)

No – there will be no transfer of personal data to organisations in a third country outside of the UK. In limited circumstances, there may be a small number of cases where individuals outside of the UK will be entitled to Carer Support Payment. In these cases, interaction would be with the data subject directly and not with any data controllers or processers within those countries.