Work Able Scotland: privacy impact assessment

Privacy impact assessment for our Work Able Scotland programme, which will provide employability support for people at risk of long term unemployment as a result of a health condition.


7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk Ref Solution or mitigation Result
Mismanagement by DWP staff – eg claimants who are not eligible for WAS are referred in error and therefore data shared inappropriately DPA 06
  • A programme of awareness raising activity ahead of go-live will make JCP Work Coaches aware of WAS eligibility criteria.
  • JCP Work Coaches will be provided with a decision tree and other materials on their intranet to help them make referrals correctly.
  • An SG/ DWP Operational Delivery Group will monitor the quality of referrals and take steps to address any issues identified.
As a result, this risk is reduced, but not eliminated. It can be accepted on the grounds that monitoring referrals will be a central role of the Operational Delivery Group.
Personal data is mis-managed by WAS contracted providers DPA 07
  • Expectations of WAS contracted providers as data processor set out with the Work Able Scotland programme Rules (Part Three, Section D, Para 7)
  • WAS contracted provider security plans reviewed and approved by SDS Skills Investment Advisors.
  • Regular contract management site visits
  • Process in place in relation to any complaint or request made in respect of any personal data.
  • Mitigation of risk embedded in WAS Programme Rules and monitored via SDS WAS contract management.
Accept – risk is low
Personal data is mis-managed by SDS staff DPA 08
  • Personal data transferred via secure routes to a limited number of authorised personnel
  • Secure storage for electronic and hard-copy data
  • Regular review of SDS security arrangements
  • Mitigation of risk embedded in WAS Programme Rules and monitored via SDS WAS contract management.
Accept – risk is low
General Data Protection Regulation – Fair Processing Notices do not meet new standard. DPA 09
  • This PIA will be reviewed after 6 months at which time any necessary amendments will be made to align with the new standard.
Accept – risk is low
Transfer of referral form via clerical process introduces the risk of personal data being inappropriately shared DPA 10
  • Established practices in place between DWP and SDS to safeguard the transfer of information, mirroring the existing process for Employability Fund.
  • Experience of similar arrangements (eg for Employability Fund) indicates low risk.
  • Mitigation of risk embedded in WAS Programme Rules and monitored via SDS WAS contract management.
Accept – risk is low

Contact

Back to top