Children (Care and Justice) (Scotland) Bill: data protection impact assessment

6. Risk Assessment

It is not considered that the Bill results in any direct data risks beyond those which already exist. This is because the Bill does not introduce provision for extra information collection, sharing or processing outwith existing data flows and agreements.

During the Bill’s progress, further consideration will be given to risk assessment and any risks that emerge will be recorded in future versions of the DPIA. At the point of implementation, responsibility for operational DPIA’s will be assumed by the organisations involved in delivery.

Risk

6.1.1 Risk to individual rights

• right to be informed
• right of access
• right to rectification
• right to erasure
• right to restrict processing
• right to data portability
• right to object
• rights in relation to automated decision making and profiling

Will this initiative result in any detriment if individuals do not want their personal data to be processed? This is particularly relevant if special category data is being processed

Solution or mitigation

The Bill does not create new impacts on individual’s rights. Data controllers already make mention of the rights in privacy statements and will be expected to continue to do so.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber/Green)

green

Result

No new impact.

Risk

6.2.1 Privacy risks

Purpose limitation

Solution or mitigation

The purpose of data processing is not changed by the Bill. Data will continue to be collected and processed by data controllers for the same purposes as it currently is.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber Green)

green

Result

No new impact.

Risk

6.2.2 Privacy risks

Transparency – data subjects may not be informed about the purposes and lawful basis for the processing, and their rights

Solution or mitigation

The Bill does not impact on the way data subjects are informed.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber Green)

green

Result

No new impact.

Risk

6.2.3 Privacy risks

Minimisation and necessity

Solution or mitigation

No additional data will be collected as a result of the Bill, therefore it will continue to be minimal and only collected and processed when necessary.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber Green)

green

Result

No new impact.

Risk

6.2.4 Privacy risks

Accuracy of personal data

Solution or mitigation

Data controllers will continue to be responsible for ensuring that the information they hold about a subject is accurate and up-to-date. This is not affected by the Bill.

Likelihood (Low/Med/High)

Low

Severity (Red/AmberGreen)

green

Result

No new impact.

Risk

6.3.1 Security risks

Keeping data securely

Retention

Solution or mitigation

The Bill and Scottish Ministers do not have any impact on the way in which data controllers store or retain data.

Likelihood (Low/Med/High)

Low

Severity (Red/Amber Green)

green

Result

No new impact.

Risk

6.3.2 Security risks

Transfer – data may be lost in transit

Solution or mitigation

Risks surrounding loss of data and information transfers occur at an operational level and therefore are not subject to risk assessment at Bill level.

Likelihood (Low/Med/High)

Low

Severity (Red/AmberGreen)

green

Result

No new impact.

Data Protection Officer (DPO)

The DPO may give additional advice, please indicate how this has been actioned.

Advice from DPO

Action

Advice has been sought from DPO throughout the drafting of this assessment.

All advice and comments have been incorporated where possible.

I confirm that the Children (Care and Justice) (Scotland) Bill has been sufficiently assessed in compliance with the requirements of the UKGDPR and Data Protection Act 2018

Name and job title of a IAO or equivalent

Date each version authorised

Tom McNamara

Interim Deputy Director, Children’s Rights Protection and Justice

02/12/2022