We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Impact assessment

Data Protection Impact Assessment (DPIA)

Published
7 Aug 2025

6. Questions to identify data protection issues

Necessity

Personal data such as names, email addresses, and resourcing data are collected only where necessary to facilitate the establishment and operation of the NSWA. This includes communication of key documentation (business case, MoU, ToR, TOM), meeting invites, and coordination of stakeholders.

Proportionality

Processing methods are chosen to minimise risk and are proportionate to the objectives. For example, names and email addresses are stored securely on eRDM, and resourcing data is retained in respective HR systems. Data sharing is limited and only occurs via secure channels (eRDM Connect) with tightly controlled access. Less intrusive options were considered and adopted wherever possible. The level of processing reflects the early establishment phase of the NSWA and avoids unnecessary or excessive use of personal data.

Justification

The collection and use of personal data is justified by the need to set up the NSWA as a new public body, enabling partnership working and supporting the social work workforce. The project serves a significant public good by addressing workforce challenges and supporting policy objectives set by Scottish Ministers. All processing is carried out under Article 6(1)(e) – Public Task and, where applicable, Article 9(2)(g) – Substantial Public Interest.

Involvement of multiple organisations

Multiple organisations have been engaged as partners and stakeholders during the establishment of the NSWA. Scottish Government (via the NSWA) remains the sole data controller for all personal data processed under this initiative. At this stage, partner organisations do not process personal data on behalf of the NSWA, and any information exchanged is anonymised or aggregated.

Anonymity and pseudonymity

Currently, all data received from partners is anonymised.

No combining or linking of personal data from different organisations is currently taking place. Any future combination of data will be carefully assessed for data protection risks and will be subject to review of this DPIA and, where required, additional safeguards.

Technology

The NSWA is not a digital project where personal data is gathered as a by-product. Data is collected and processed intentionally, not incidentally, and no intrusive technologies (e.g., CCTV, biometrics) are used.

Identification methods

Identifiers used include names and email addresses, securely stored on eRDM for communication and coordination. No unique identifiers beyond basic contact details are currently required or processed by the NSWA.

Sensitive/special category personal data – including biometric data

The NSWA only receives anonymised data from partners.

The NSWA does not currently process special category personal data as part of its establishment activity.

Any future processing of special category data would be subject to additional safeguards, lawful basis assessment and review of this DPIA.

No biometric data is processed.

Children or other vulnerable data subjects (people)

The NSWA does not currently process personal data relating to children or other vulnerable individuals.

No direct processing of children’s or vulnerable persons’ personal data is anticipated at this stage.

Data matching or linkage

Currently, all data received from partners is anonymised. No data matching or linkage involving personal data is currently undertaken. Any future data matching or linkage will comply with UK GDPR principles and use anonymisation or pseudonymisation where possible, and will be subject to further DPIA assessment before implementation.

Changes to data handling procedures

All data received from partners is currently anonymised. If resourcing data is combined for staff redeployment purposes, procedures will be updated and risks reassessed accordingly.

Any future sharing of workforce data by COSLA will be negotiated via MoU and reflected in updated procedures.

Statutory exemptions/protection

No statutory exemptions or protections currently apply to the activities being completed by NSWA.

Automated decision making or profiling

NSWA does not use automated decision making or profiling in its activities.

Other risks

No additional risks have been identified at this stage. The DPIA will be revisited and updated if new risks emerge, particularly as partnership arrangements develop and before any expansion of personal data processing beyond the establishment phase.

Back to top