Local government candidate diversity survey 2022: data protection impact assessment

This data protection impact assessment (DPIA) reports on and assesses against any potential data protection or privacy impacts as a result of the running of the 2022 local government candidate diversity survey, and the data processing undertaken as part of the project.


7. Risks identified and appropriate solutions or mitigation actions proposed

Is the risk eliminated, reduced or accepted?

Risk Ref Solution or mitigation Result
Physical security of new data, in particular against unauthorised access and accidental or deliberate damage/disclosure, particularly when the data arrives in Questback 1
  • Data from the online questionnaire will initially be collected via Questback, and will be stored in the Questback Strategy and External Affairs folder, which can be accessed by a small number of staff with access to that username and password. Each Questback Licence within the SG has a Named Licence Holder. The Named Licence Holder role involves keeping track of who has been given access to the log in details for that licence, and regularly changing the password so access is restricted to those with a legitimate need to access Questback to run a survey.
  • To further minimise any disclosure risks associated with data being held in Questback, data will be exported from Questback after the survey has closed and be securely stored on the SG server. Once successfully exported, the data will be deleted from Questback.
  • The data will be managed by an experienced Scottish Government analyst and stored securely with access restricted to those required to process it. Scottish Government staff with access to the data are trained in the safe handling of data, and will be required to have a legitimate need to access the data.
Reduce
Data transfer between private sector the APS Group and the Scottish Government. 2
  • Data files to be securely transferred to the Scottish Government.
  • Once the data has been transmitted to Scottish Government it is deleted by the contractors.
Reduce
Identity theft due to information supplied by individual 3
  • Access to data in Scottish Government and APS is restricted to named individuals working on the project. Any data breaches much be brought to the attention of Scottish Government immediately.
  • Ensure that only 6 years' worth of contact data is held
Reduce
Information about an individual's circumstances is leaked / released accidentally breaching the DPA. Personal data released 4
  • Access to data in Scottish Government and APS is restricted to named individuals working on the project. Any data breaches much be brought to the attention of Scottish Government immediately.
  • Changes to project teams should mean that individuals have access granted and removed as required, in a timely manner.
  • Steps are taken to ensure that direct personal identifiers (names and email addresses) are stored separately from the main survey datasets containing pseudonymised candidate answers.
  • A unique identifier is assigned to each candidate in each dataset to allow the Scottish Government to note which candidates have been successful following the results of the election.
  • Ensure that colleagues with access to information are trained on the requirements of the DPA at least annually and are clear on the processes for protecting information.
  • Disclosure checks are made on all data before it is released.
Reduce

Contact

Email: diverserepresentationdata@gov.scot

Back to top