Read the document
Published: June 14, 2022
Data Protection – TF13
Owner: ILF Scotland
Subject: Data Protection
Date Created: 14 December 2017
Amended: 8th November 2018
Last Reviewed: 31 March 2021
Next Review: 31 March 2022
The ILF Transition Fund aims to provide short term financial support for young disabled people aged 16-25 to achieve independent living goals related to being active and participating or present in their community. ILF Scotland, as the holder of these funds, is required to obtain personal and sensitive data to confirm the identity of the individual and to process their application. The outcome of the processing, (for successful applications), further requires ILF Scotland to maintain and retain records under the Public Records Acts.
ILF Scotland also takes action to comply with the following legal and professional obligations:
- The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
- The Data Protection Act 1998 (superceded);
- The Public Records Act 1958;
- The Freedom of Information (Scotland) Act 2002;
- The Computer Misuse Act 1990;
- The Privacy Electronic Communication Regulations (rev 2011), and
- The common law duty of confidentiality.
In regard to the ILF Transition Fund, significant staff training will apply due to the need for confidentiality and protection of the sensitive personal data being processed.
Operation and Data Protections
All personal data will be processed fairly and lawfully. As the Data Controller, ILF Scotland will collect the following information from those applying for funding at three key stages of the award process:
Stage 1 – Creation of My Account
- A valid email address for the purposes of account creation and communication (tracking) of application progress. If an application is received online (electronically), the applicant will be notified as to the outcome of their application through their electronic account unless they request an alternative option, (i.e. phone, text, paper).
- Details of the computer being used to make the application (the IP address) will be collected for the purposes of establishing unique/returning visitors and geographical information to enable research and continuous improvement of online services. No identifiable personal information is captured and the analytical tool used to process “site traffic” is Google Analytics.
Note: A password is required to set up the electronic account. ILF Scotland will not collect this information and has no means of establishing what an individual’s password is. As such, this information is not processed by ILF Scotland and remains the responsibility of the individual to protect and manage. If forgotten, the online system has a password reset function controlled by the applicant.
Stage 2 – About Me and My Application
- Name, age, address, National Insurance Number, (for over 16s), if in receipt of DLA or PIP, self-identification of impairment or disability, (eligibility condition), personal goals and the name of a third party who has worked with the individual on a professional basis and can identify them and their impairment. All of these details are specifically obtained to confirm the identity of the individual and to establish the impact their impairment has on their daily life. As the purpose of the grant is to enable disabled young people to increase their ability to live independently, be active and participate or be present in their community, understanding their personal circumstances will enable a more refined assessment of the impact grants will make.
- The reason for requesting whether an individual has DLA or PIP is to confirm identity and establish eligibility i.e. an individual who has DLA or PIP, (at any level), will automatically be considered to have evidenced their disability and met this specific eligibility criteria. The use of National Insurance number also forms part of identity management and is the default an alternative verification tool if an individual does not have DLA or PIP. ILF Scotland has permission from the HMRC/DWP Joint Board for requesting and processing an individual’s “NI” number for this purpose and is part of a formal data sharing agreement with them.
- ILF Scotland has established that the above data set is the minimum required for accurate processing of an application request for an identified individual. If an individual elects not to provide all of the above information, it will not be possible for ILF Scotland to process the application and it will be declined. If there are exceptional circumstances as to why the individual is not able to provide this information, it may be possible to request an application support visit where an ILF Scotland Assessor will aim to identify alternative options that collectively may assist the application process and identity verification.
Stage 3 – Accepting My Award and Providing Bank Details
- An ILF Transition Fund grant is managed by a Grant Manager. This is normally the individual who is making the application but there are many situations where the grant may be managed on behalf of the recipient, (see policy TF06).
- Details of the named individual who will be managing the grant will be requested so that ILF Scotland will have a point of contact for the duration of the grant period. Additionally this information will be used for any issues regarding misuse, theft, illegal or fraudulent use of the grant monies outwith the terms of the offer.
- Details of the bank account or building society roll number, together with the named holder of that account, will be required so that payments can be made into that account. This may be a parent or guardian or a financial management company but their account details and relationship to the applicant must be stated.
- The applicant, or person named as Grant Manager, will be asked to confirm their agreement to accept the terms and conditions of managing the grant prior to supplying the bank account information. The detailed terms and conditions are contained in the following documents:
- Your Responsibilities Guide,
- Policy TF06, Managing an ILF Transition Fund grant;
- Policy TF07 Financial Responsibilities;
- The ILF Scotland website (Transition Fund Policies).
ILF Scotland requires the individual to make an affirmative agreement to accepting these terms and conditions and will retain a record of this action in the electronic database. In effect, this is an electronic signature which replaces the need for a physically signed document.
Failure to provide valid bank account details will result in monies not being paid into that account. ILF Scotland will receive notification of payment error from the automatic payment system and will contact the named Grant Manager to confirm account information.
In any case of suspected theft or fraud, ILF Scotland will share all of the above information with Counter Fraud Scotland to assist in the investigation process and with any legal bodies if subsequent findings prove evidence of intentional theft/fraud. To assist this process, ILF Scotland will require individuals to obtain and submit receipts and/or proof of their expenditure during the grant period as detailed in the ‘Your Responsibilities Guide’, TF06 Managing an ILF Transition Fund Grant and TF07 Financial Management Support.
Confidentiality & Training
ILF Scotland staff will be obtaining and processing personal information, and potentially conducting application support visits with individual applicants and their families/carers. Data collected will be of a personally sensitive nature and all ILF Scotland staff are trained as to their responsibilities in safeguarding and using it. Any sharing or use of sensitive personal data is
strictly for the purposes of processing the application or administration of the grant and is on a need to know basis. All staff are subject to annual mandatory data protection training and receive continuing professional development and practice updates.
Obtaining, storing and processing of information
The two methods for individuals to make an application are either via the website or by submitting a completed paper based application form (either via post or emailed as a document). A physically received application form will be manually processed into the core database system which is held within a secure environment in the Scottish Government network. Once entered into the database, the original version will be deleted or destroyed.
If an application is made via the website, personal data which is submitted is initially encrypted before being stored into an applications database held in a secure Scottish Government cloud service. Several times a day this information will be extracted from the secure cloud database, decrypted and entered into the core database held in the Scottish Government network for onward processing. At no point is personal data stored in the website and either a timeout or back button will cause any temporary information to be lost. Individuals may take several days/weeks to complete an application and the option to, “save and return” is available at every stage of the application process. If this is used, the saved data is automatically stored in the secure cloud database for a short duration prior to being imported into the Scottish Government network.
Once a completed application is received, all processing of information will be completed in the core database held in the Scottish Government network and progress fed back via the online tracker or phone/letter if a physical copy is received.
Successful applications, (which lead to the grant offer being accepted by the individual), will have all personal data retained until the individual reaches 22 years of age, or for 6 months after the end of the grant period, whichever is the longest period. This is to allow for ILF Scotland to receive subsequent applications from the same individual and to compare a new application from a previously successful one. It will also allow for financial audit and impact of the grant to be established so that ILF Scotland can learn how it is making a difference. At the end of the grant period, financial details, (of the grant and receipts for spends), will be kept for audit and reporting requirements to HMRC for 6 years but all other details regarding the application will be destroyed. Retention of this personal data enables ILF Scotland to perform its core task and will assist in the improvement of its management of health and social care systems and is thus not based on consent.
Unsuccessful applicants will be informed of the reasons for not receiving an offer and may be signposted to appropriate support organisations or services. Their application records and personal data will be destroyed after 4 weeks in case the individual wishes to query or appeal the decision.
Use of ‘Big Data’, Smart Technologies, derived data sets and social media.
There is now a wide amount of information about individuals which is potentially accessible from social media platforms and technology based applications. From this, it may be possible to develop further information about a specific individual for purposes which are not declared to the individual.
ILF Scotland will not attempt to collect or develop any type of information about an individual which could be observed, derived or inferred from these data sets; and will only request the minimum information from individuals which allow for the processing and administration of an application.
Consent, withdrawing consent and accepting an offer
ILF Scotland has lawful basis to obtain and process personal information in the performance of its tasks carried out in the public interest and in the management of health and social care systems. The accepting of the grant offer does not imply or automatically give consent for ILF Scotland to process or share personal information with other relevant organisations. ILF Scotland will only use personal information to enable the fair and accurate processing of an application and share the minimum information with other organisations to confirm identity and continuing eligibility and as further described in the ‘Your Responsibilities Guide’.
If an individual no longer wishes to receive grant funding from ILF Scotland they can indicate this, and monies will no longer be paid from the stoppage date provided by the individual. ILF Scotland will retain and continue to process personal data as described above, complete its financial audits, and aim to understand the impact achieved to date and the reasons for the early ending of the grant. However, due to the nature of the performance of the task in the public interest, and in the management of health and social care systems, the individual cannot request that their data is deleted whenever they like. Processing of this personal data is necessary for the performance of key tasks and ILF Scotland will retain the details of successful applications for the purposes of record keeping, auditing and financial purposes.
ILF Scotland will keep individual financial records for a period of 6 years post expiration of the grant.
Right of Access to their data
Under the terms of the new Data Protection Act (2018), all data subjects have the ability to request the details that are held about them. This is called a Subject Access Request and can be made in writing, (or electronically), at any time.
ILF Scotland will not undertake direct marketing to individuals who create an account with us, nor will they share any information about them with any third parties who may have a commercial or particular interest in contacting individuals.