Scottish Candidate Numbers (Use in Research)

General Question Time – in the Scottish Parliament on 2 May 2024.

Jeremy Balfour (Conservative)

To ask the Scottish Government whether it has followed the advice issued by the Information Commissioner’s Office regarding appropriate governance and controls for the use of children’s Scottish candidate numbers for research in the education system. (S6O-03387)

Jeremy Balfour (Conservative)

As the cabinet secretary will be aware, when the health and wellbeing census was run in 2022, no governance was put in place around the use of children’s Scottish candidate numbers. For example, candidate numbers are used as pupil email addresses in some schools. The ICO has advised the Scottish Government that it needs to address serious risks of harm to children, due to the intimate nature of the data that is gathered about pupils and their families.

Will the Scottish Government commit to review and—if found to be infringing the general data protection regulation and ethical standards for health research—to delete the data that was gathered from 134,000 children who participated in the survey without being informed of those risks?

Jenny Gilruth (Scottish National Party)

As the member will be aware, in the past year or so, my officials have had a series of meetings with the Information Commissioner’s Office on that very issue. I understand that the ICO has also met local authorities to discuss the same issues with them. As a result, the Government is reviewing and enhancing our internal processes and procedures to further reduce the risks of using the Scottish candidate number for our own statistical and research purposes.

Those enhancements are also about ensuring that we have the improved technical and organisational measures that are designed to more effectively implement data protection principles. It will also ensure that improved safeguards will deliver on better meeting the requirements that are set out under United Kingdom general data protection regulation requirements.