7. UK General Data Protection Regulation (UK GDPR) principles
UK GDPR principles and compliance description
Principle 1 – lawful, fair and transparent
Compliant - Yes
The NSWA processes personal data under the lawful basis of public task (Article 6(1)(e)) and, where applicable, substantial public interest (Article 9(2)(g)). The Scottish Government, via NSWA, is the sole data controller for all personal data processed under this initiative. A comprehensive privacy notice is provided to all stakeholders, clearly outlining the purposes, lawful bases, data sharing arrangements, and data subject rights.
Principle 2 – purpose limitation
Compliant - Yes
Personal data is collected and processed solely for specified purposes including workforce planning, professional development, engagement, and statutory reporting. Any new purposes will be assessed for compatibility and documented in updated DPIAs and privacy notices.
Principle 3 – adequacy, relevance and data minimisation
Compliant - Yes
Only the minimum necessary personal data is collected to achieve the stated purposes. Anonymised or pseudonymised data is used wherever possible, particularly in research and evaluation activities.
Principle 4 – accurate, kept up to date, deletion
Compliant - Yes
Data collected directly from individuals is verified at the point of collection. Workforce data from partners is regularly updated and reconciled. Individuals are informed of their rights to rectification and erasure.
Principle 5 – kept for no longer than necessary, anonymisation
Compliant - Yes
Personal data is retained for a standard period of three years unless otherwise required. Data is securely deleted after the retention period. Anonymisation is applied where extended retention is needed for research or statistical purposes.
UK GDPR Articles 12–22 – data subject rights
Compliant - Yes
The privacy notice outlines data subject rights including access, rectification, erasure, restriction, objection, and data portability. Procedures are in place to respond to rights requests within statutory timeframes.
Principle 6 – security
Compliant - Yes
Data is stored on secure Scottish Government systems with encryption and access controls. Staff receive regular data protection training. Data transfers use secure methods such as encrypted email and eRDM Connect.
UK GDPR Article 44 – personal data shall not be transferred to a country or territory outside the European Economic Area
Compliant - Yes
Personal data is not transferred outside the UK. All data sharing occurs within the UK and is governed by formal agreements ensuring compliance with UK GDPR.