Open - The Scottish Government

Privacy Impact Assessment (PIA)
1. Introduction
The purpose of this document is to report on and assess against any potential
Privacy Impacts as a result of research conducted by the National Centre for Social
Research (NatCen) on gambling behaviour using data shared by Scottish
Government on selected participants in the Scottish Health Survey.
2. Document metadata
2.1 Name of Project: National Centre for Social Research: Gambling data in the
Scottish Health Survey
2.2 Date of report: 22/08/2014
2.3 Author of report: Craig Kellock
2.4 Deputy Director: Angela Campbell
2.5 Date for review of Privacy Impact Assessment: 22/08/2015
3. Description of the project
3.1 Description
The project will explore gambling machine play in Great Britain, to identify the
characteristics of those who play gambling machines, why, under what
circumstances, how behaviours have changed and how this relates to problem
gambling. In order to identify gambling machine players, data from the Scottish
Health Survey, in conjunction with data from the Health Survey for England (HSE)
and the British Gambling Prevalence Survey (BGPS) will be used, thereby producing
a sample across Great Britain. A matched sample of other survey participants with
similar characteristics who did not report machine gambling will be required for the
work. Those samples will be the sampling frame for a representative survey of
gambling machine players. Therefore, the work requires personal information from
the Scottish Health Survey, including names and addresses, for participants who
agreed to be contacted for follow-up research, to be available to a researcher and
interviewers at NatCen.
There is political interest in problem gambling and the role played by machine
gambling; the UK Minister for Gambling has requested that research is undertaken
by Autumn 2014 to examine machine play more generally. The project is funded by
the Responsible Gambling Trust.
August 2015
3.2 Personal data
Personal data including survey participant names, addresses and responses to a
selection of variables from the Scottish Health Survey will be required by the
researcher and interviewers involved in the project.
A full list of Scottish Health Survey variables to be shared is included in Annex A.
3.3 How data will be processed
Data has already been gathered. NatCen is the contractor for the Scottish Health
Survey and already securely holds the data. Access will be granted to Heather
Wardle, Research Director, and a selection of NatCen survey interviewers. Heather
Wardle will manage the dataset and use it as the basis for further research after
access has been granted.
As a first step, names, addresses and answers to selected gambling questions will
be made available to Heather and the NatCen interviewers. At a second stage, a
larger list of variables will be merged with the data from the research; names and
addresses will be removed and clustering and stratification variables will be
scrambled so they cannot be merged back to the archive Scottish Health Survey
dataset. This dataset will be made available only to Heather Wardle.
Data will be stored electronically and securely for a maximum of two years from the
date of the data sharing agreement. After this time, the data will be destroyed
securely in accordance with ISO 27001 standards. Confirmation will be provided to
Scottish Government in writing that the data have been destroyed.
Physical security standards which NatCen adhere to and are audited on are:
• all confidential data must be locked in their offices
• laptops are always locked when left
• a passcard control system is used to control access to the office
NatCen adopts a number of cryptographic processes applicable to the method of
storage, transfer and transmission of data. In summary:
• Laptop computers are encrypted to FIPS 140-2 standard with PGP Whole
Disk Encryption as standard.
• PGP Zip is used to encrypt email attachments and/or body text to FIPS 140-2
standard.
• In cases where secure data needs to be transferred to or from the NatCen
Network, a Secure FTP Server is available.
• Where confidential data needs to be moved between locations outside of the
NatCen network, IronKey encrypted memory sticks are used. These are
centrally allocated and managed.
Physical risks are assessed for each location and appropriate controls are put in
place - for fire, flood, power, temperature fluctuation, theft, unauthorised access and
accidental or deliberate damage risks.
Response to security incidents
NatCen has in place a policy procedure to govern their response to any security
incident, ranging from the accidental loss of data, theft, corruption of data, disclosure
of personal information, introduction of malicious software, the failure of a computer
system or the failure to follow procedure in relation to information handling. Staff
members are trained to report security incidents. The procedure is summarised
below.
• The symptoms of a reported security incident are compared against a list of
incident types, which may then trigger the following actions:
o Incident validation is undertaken by an Information Security
Representative. The validation and analysis of an incident takes into
consideration factors such as the number of users affected, actions
that can be taken to contain the situation immediately, and whether
other measures, for example forensic investigation, are required.
o Security incidents are recorded in a log as soon as they are reported,
with further details added as they become available. This is overseen
by an Information Security Rep and Information Security Management
Group.
o A monthly report of incidents is generated by an IT Asset Manager and
shared with senior management for review, comment and
consideration of long-term actions to address any issues. Times for
addressing incidents will reflect the nature of the incident, with those
with a severe operational impact being handled immediately.
o The Director of Performance and Operations reviews the actions taken
to address incidents and informs the relevant manager of any further
actions that would be warranted.
In the event of a data loss in breach of the Agreement,
• the National Centre for Social Research shall inform the SG immediately
• both parties will consider remedial or mitigation action
• the SG will decide when the Information Commissioner’s Office should be
notified of the breach and whether the breach is significant enough a concern to
terminate the agreement with immediate effect.
3.4 Legal basis.
The legal basis includes written and signed consent. Scottish Health Survey
participants are asked to sign a consent statement indicating whether they are willing
for their name, address, contact details and relevant survey question answers to be
passed on to the Scottish Government or other research agency acting on behalf of,
or in collaboration with, the Scottish Government for the purpose of follow-up
research. Therefore, Data Protection Act (DPA) 1998 Schedule 2 (1) condition and
Schedule 3(10)(9) applies for processing the personal data. Details will only be
shared for those respondents who signed the consent statement.
4. Questions to identify privacy issues
Will the initiative involve multiple organisations, whether they are public service
partners, voluntary sector organisations or private sector companies?
• No, the research will be carried out entirely by the National Centre for Social
Research.
Will it be possible to identify an individual?
• Yes, personal data including names and addresses will be included in the
data share in order to allow a sample of gambling machine players and other
survey participants to form the basis of this research. Details will only be
provided for those respondents to the Scottish Health Survey who explicitly
agreed to be re-contacted for the purpose of follow-up research by signing a
consent statement.
• Published research resulting from the project will not disclose personal
information in violation of survey participants’ privacy.
Will there be new or additional information technologies that have substantial
potential for privacy intrusion?
• No.
What type of unique identifiers will be used in the project?
• Names and addresses will be included in the data share, for Scottish Health
Survey participants identified as gambling machine players and for a matched
sample of survey participants which has already been drawn from the publicly
available survey dataset based on other demographic characteristics.
Will there be new or significant changes to the handling of types of personal data
that may be of particular concern to individuals? This could include information
about racial and ethnic origin, political opinions, health, sexual life, offences and
court proceedings, finances and information that could enable identity theft.
• No. Information gathered in the Scottish Health Survey including personal
details will be made available to a researcher at NatCen Social Research, and
then brought together with follow-up research about those individuals. Only
those individuals who provided written and signed consent to be
involved in follow-up research during their Scottish Health Survey
interview will be contacted in this research. NatCen already hold the
survey data and contact details, so this privacy impact assessment relates to
the linkage of those being made available to the researcher and contact
details being made available to the interviewers conducting the follow-up
research, and this information being brought together with Scottish Health
Survey data. The variables shared will be kept to a minimum of those
required for analytical purposes. As a first step, only names, addresses and
answers to selected gambling questions will be made available to Heather
and the NatCen interviewers. At a second stage, a larger list of variables will
be merged with the data from the research; names and addresses will be
removed and clustering and stratification variables will be scrambled so they
cannot be merged back to the archive Scottish Health Survey dataset. This
dataset will be made available only to Heather Wardle.
Will the personal details about each individual in an existing database be subject to
new or changed handling?
• Yes, access will be granted to Heather Wardle, Research Director and
NatCen, to records for a sub-sample of Scottish Health Survey participants
including names and contact details as described above.
Will there be new or significant changes to the handling of personal data about a
large number of individuals?
• Yes, for a sub-sample as described above.
Will the project involve the linkage of personal data with data in other collections, or
any significant change to existing data links or holdings?
• Yes. The project will bring together personal information from the Scottish
Health Survey with new information gathered in the follow-up research, but
will not link to any further datasets. The linkage requires personal data as the
follow-up research is yet to be undertaken.
Will there be changes to data quality assurance or processes and standards that
may be unclear or unsatisfactory?
• No.
Will there be new or changed data security access or disclosure arrangements that
may be unclear or extensive?
• No.
Will there be new or changed data retention arrangements that may be unclear or
extensive?
• Yes. There are new data retention arrangements. However, their extent and
arrangements for termination of the data have been agreed as part of a data
sharing agreement which will be reviewed after one year and terminated after
two years. The changes are not extensive, and are clear for the purposes of
this project.
Will there be changes to the medium of disclosure for publicly available information
in such a way that the data becomes more readily accessible than before?
• No.
Will the data processing be exempt in any way from the Data Protection Act or other
legislative privacy protections?
• Yes, the DPA S.33 exemption applies and the processing is therefore exempt
from Principle 2, Principle 5 (data retention) and Principle 6 (data subject
access rights).
Does the project involve systematic disclosure of personal data to, or access by,
third parties that are not subject to comparable privacy regulation?
• No.
Does the project’s justification include significant contributions to public security
measures?
• No.
Is there to be public consultation?
• No public consultation is proposed as the Scottish Health Survey seeks
written and signed consent from participants to be involved in follow-up
research.
Is the justification for the new data handling unclear or unpublished?
• The purpose of this research and the handling of the data is clear. The
justification for the data share is to allow the first national representative
survey of gambling machine players to be undertaken. The research forms
part of the research strategy of the Responsible Gambling Trust. There is political
interest in the use of gambling machines, and the UK Minister for Gambling
has requested that research in the area be undertaken.
A copy of this Privacy Impact Assessment is available on the Scottish Government
website. Further information is available at:
http://www.scotland.gov.uk/Topics/Statistics/Browse/Health/scottish-health-survey
5. Risks identified and appropriate solutions or mitigation actions proposed
Is the risk eliminated, reduced or accepted?
Risk: Follow up research will generate new data which extends the pool of
information held about survey participants.
Ref:
Solution or mitigation: NatCen are fully accredited to ISO 27001, the
international standard which covers data security. A data sharing agreement is
in place which requires data to be destroyed after two years. NatCen already
hold the Scottish Health Survey data including contact details. The variables
included in this data share will be kept to a minimum of those required for
analytical purposes.
Result: Accept

Risk: Physical security of new data, in particular against fire, flood, power,
temperature fluctuation risks, theft, unauthorised access and accidental or
deliberate damage
Ref:
Solution or mitigation: Systems currently in place in NatCen offices:
Alarms, detection systems, fire extinguishers, appropriate loading, UPS,
air-conditioning. Access control system, mechanical door locks, window
security, CCTV, asset marking, intruder alarm.
Result: Accept
6. Incorporating Privacy Risks into planning
Explain how the risks and solutions or mitigation actions will be incorporated into the project/business plan, and how they will be
monitored. There must be a named official responsible for addressing and monitoring each risk.
Risk: Follow up research will generate new data which extends the pool of
information held about survey participants.
Ref:
How risk will be incorporated into planning: A data sharing agreement is in
place which sets out clear requirements on the storage and termination of
shared data. Robust security measures, described in this document, are in place.
This project has been planned to reduce the risks associated with unauthorised
access to data, by ‘scrambling’ variables which would allow the new dataset to
be readily matched back to the archive Scottish Health Survey data, and by
removing names and addresses from the final research dataset after Scottish
Health Survey data has been linked.
Owner: Angela Campbell

Risk: Physical security of new data, in particular against fire, flood, power,
temperature fluctuation risks, theft, unauthorised access and accidental or
deliberate damage
Ref:
How risk will be incorporated into planning: Systems currently in place in
NatCen offices for Scottish Health Survey data management will apply to this
project. These include:
Alarms, detection systems, fire extinguishers, appropriate loading, UPS,
air-conditioning. Access control system, mechanical door locks, window
security, CCTV, asset marking, intruder alarm.
Owner: Angela Campbell
7. Authorisation and publication
I confirm that the impact of undertaking the data share has been sufficiently
assessed against the needs of the privacy duty:
Name:
Date: 25th August 2014
Annex A: Personal data
Heather Wardle and NatCen interviewers will both be provided access to names,
contact details and answers to gambling survey questions for two sub-samples of
Scottish Health Survey 2012 participants. The first sub-sample will be gambling
machine players, and the second will be a matched sample.
As a second step, Heather Wardle will be provided with the attached larger list of
variables. Before this stage, names and contact details will be removed from the
dataset, and strata and psu variables will be ‘scrambled’ so they are not identifiable
with the archived Scottish Health Survey dataset.
SHeS variables.zip