Part of Data Protection Impact Assessment (DPIA)


8. Data protection risks

Risk management is embedded within the governance and delivery arrangements for the National Social Work Agency. Potential risks to individuals’ rights and freedoms have been identified and assessed, with appropriate mitigations in place to reduce those risks to an acceptable level. These risks will continue to be reviewed as the functions of the NSWA develop.

Risk 1: Failure to have UK GDPR Article 28–compliant contracts in place with third party processors

Description

There is a risk that personal data could be processed by third party organisations without appropriate contractual safeguards if Article 28–compliant agreements are not in place.

Potential impact on individuals

This could result in inappropriate processing of personal data, delays in responding to data breaches or rights requests, and distress to individuals if their information is not handled lawfully or securely.

Mitigation and controls

The Scottish Government, via the NSWA, will ensure that:

  • All processors operate under contracts that are compliant with Article 28 of UK GDPR
  • Data processing arrangements clearly specify security, confidentiality, accountability and incident handling requirements
  • No processing by third parties begins until appropriate contractual controls are in place

Residual risk

With these controls applied, the residual risk to individuals is assessed as low.

Risk 2: Failure to adequately train or brief staff on the handling of personal data

Description

There is a risk that staff may mishandle personal data if they are not appropriately trained or supported.

Potential impact on individuals

This could lead to data breaches (for example, information being shared with the wrong recipient), inappropriate sharing or withholding of data, or delays in responding to data subject rights requests.

Mitigation and controls

Mitigations include:

  • Mandatory staff induction covering data protection responsibilities
  • Clear handling instructions for personal and sensitive data
  • Established routes for staff to raise concerns or seek advice
  • Ongoing management oversight and support

Residual risk

Following implementation of these measures, the likelihood and impact of harm to individuals is reduced to a low level.

Risk 3: Failure to be transparent about the use of personal data

Description

There is a risk that individuals may not fully understand how their personal data is used if transparency requirements are not met.

Potential impact on individuals

This could undermine individuals’ right to be informed, affect their ability to exercise other rights (such as objection), and lead to loss of trust in the NSWA.

Mitigation and controls

To address this risk:

  • A clear and accessible privacy notice has been drafted and published
  • Privacy information explains purposes of processing, lawful bases, data sharing arrangements and individual rights
  • Privacy information will be kept under review and updated as required

Residual risk

With these safeguards in place, the residual risk is low.

Risk 4: Failure to adequately respond to data subject rights requests

Description

There is a risk that requests from individuals to exercise their data protection rights may not be handled appropriately or within statutory timescales.

Potential impact on individuals

This could result in non-compliance with UK GDPR and frustration or harm to individuals seeking to exercise their rights.

Mitigation and controls

Controls include:

  • Maintaining an up-to-date information asset register
  • Ensuring personal data is held only on approved Scottish Government systems
  • Clear accountability through the Information Asset Owner
  • Established procedures for handling rights requests

Residual risk

These measures reduce the residual risk to a low level.

Risk 5: Use of insecure systems or platforms

Description

There is a risk of unauthorised access or data breaches if personal data is stored or shared using insecure systems.

Potential impact on individuals

Impacts could include distress, loss of control over personal data, and disruption to services individuals rely on.

Mitigation and controls

Mitigations include:

  • Restricting storage of personal data to approved Scottish Government systems
  • Engagement with IT Security and Cyber Security teams
  • Use of access controls and encryption
  • Requiring assurance of appropriate security standards from any data processors

Residual risk

Following these mitigations, the residual risk to individuals is assessed as low.