beta

You're viewing our new website - find out more

Publication - Report

Work First Scotland: privacy impact assessment

Published: 13 Oct 2017
Part of:
Equality and rights, Work and skills
ISBN:
9781788511483

Privacy impact assessment for our Work First Scotland programme, which will provide employability support for disabled people under the terms of the Scotland Act 2016.

26 page PDF

361.8kB

26 page PDF

361.8kB

Contents
Work First Scotland: privacy impact assessment
7. Risks identified and appropriate solutions or mitigation actions proposed

26 page PDF

361.8kB

7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk Ref Solution or mitigation Result

Mismanagement by DWP staff – eg claimants who are not eligible for WFS are referred in error and therefore data shared inappropriately

DPF 01

  • A programme of awareness raising activity ahead of go-live will make JCP Work Coaches aware of WFS eligibility criteria.
  • JCP Work Coaches will be provided with a decision tree and other materials on their intranet to help them make referrals correctly.
  • An SG/ DWP Operational Delivery Group will monitor the quality of referrals and take steps to address any issues identified.

As a result, this risk is reduced, but not eliminated. It can be accepted on the grounds that monitoring referrals will be a central role of the Operational Delivery Group.

Personal data is mis-managed by SG service providers

DPF 02

  • SG service provider security plans reviewed and approved by SG security team
  • Regular contract management and compliance checks.
  • SG service providers are experienced in handling personal data and have arrangements in place to ensure staff are appropriately trained.

Accept – risk is low

Personal data is mis-managed by SG staff

DPF 03

  • Personal data transferred via secure routes to a limited number of authorised personnel
  • Secure storage for electronic and hard-copy data
  • SG staff are appropriately vetted and are required to complete annual Data Protection Training
  • Regular review of SG security arrangements

Accept – risk is low

Systems: there is the potential for systems to be hacked, giving access to personal data.

DPF 04

  • Secure systems are being used to transfer data

Accept – risk is low

General Data Protection Regulation – Fair Processing Notices do not meet new standard.

DPF 05

  • This PIA will be reviewed after 6 months at which time any necessary amendments will be made to align with the new standard.

Accept – risk is low

The SRO referral process introduces additional risk that personal data will become accessible.

DPF 06

  • WFS operational guidance directs that the SRO referral form should be sent securely and via tracked mail to the relevant local JCP office.
  • SG service provider security plans reviewed and approved by SG security team
  • Regular contract management and compliance checks.
  • SG service providers are experienced in handling personal data and have arrangements in place to ensure staff are appropriately trained.

Accept – risk is moderate


Contact