Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a key component of a 'Privacy by design' approach to a project or other personal data processing activity (hereafter referred to as an 'initiative'). 'Privacy by design' is an essential tool in minimising privacy risks and building trust. The Information Commissioner's Office (ICO) encourages organisations to ensure that privacy and data protection are key considerations in the early stages of any initiative, and then throughout its lifecycle.
This guidance explains how to carry out a Data Protection Impact Assessment (DPIA). It builds on the more general guidance on Privacy Impact Assessments issued by the Information Commissioner's Office.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a structured approach to identifying the privacy risks associated with the processing of personal data and implementing appropriate controls to manage those risks. The process comprises the following six distinct steps and a parallel stream of consultation:
- Identify the need for a DPIA
- Describe the information flows
- Identify and assess the privacy risks
- Identify and approve controls
- Assign responsibility for implementing controls
- Re-assess and accept the risks.
Why conduct a DPIA?
Key benefits of conducting a DPIA are:
- Fulfilling the University's legislative, statutory and contractual obligations, particularly those under data protection legislation in relation to data processing activities
- Contributing towards effective risk management and increased privacy and data protection awareness across the institution
- Giving individuals confidence that the University is taking steps to safeguard their privacy, and a better understanding of the ways in which their personal data are being used
- Taking actions which are less likely to be privacy intrusive and have a negative impact on individuals
- Increasing the likelihood that the initiative is more successful because privacy risks are identified early, allowing controls to be designed in at less cost and with less impact on delivery.
Is a DPIA required?
A DPIA should be completed for any initiative that involves the processing of personal data or any other activity that could impact the privacy of individuals. Examples are:
- Building a new IT system for storing or accessing staff personal data
- Implementing surveillance technology in a building, such as a CCTV system
- Using a cloud service for the storage of research data
- Developing policies or strategies that have privacy implications.
A DPIA should be completed for new initiatives or for changes to existing systems or processes. It may also be a recommended outcome from a formal investigation into an information security incident or weakness at the University.
The first step in conducting a DPIA is a screening process to decide whether the detailed work in the subsequent steps will be required.
A DPIA must be completed for all research projects that may impact the privacy of individuals and/or involve the use of personal data.
When should a DPIA be undertaken?
Ideally, a DPIA should be undertaken in the early stages of an initiative. The earlier a DPIA is completed, the easier it is likely to be to address any privacy risks identified.
Who should conduct a DPIA?
The University Data Protection Officer has overall accountability for ensuring that DPIAs are completed for high risk personal data processing initiatives.
Responsibility for ensuring that a specific DPIA is completed lies with the individual responsible for the initiative, such as:
- The project sponsor
- The information asset owner
- The lead for a research project.
Who should hold the completed DPIA?
The individual responsible for the initiative should retain the master copy of the completed DPIA for audit purposes and to be able to demonstrate compliance with legislative requirements should a query be raised. The University's Data Protection Officer or Information Governance Unit may request copies of DPIAs for monitoring and reporting purposes.
The University's DPIA template
Please use the University's standard Data Protection Impact Assessment Template (see Resources section at the bottom of this page).
Please note that in the case of research projects, the DPIA template is not mandatory; the assessment can be recorded in the project's Data Management Plan instead.
Conducting a DPIA
Step One - Identify the need for a DPIA
Complete the DPIA screening questions in the DPIA template. If the answer to any of the screening questions is 'Yes', a DPIA is required. Below are the screening questions, with some additional context and examples to help determine answers.
| No. | Screening question | Context | Example |
| --- | --- | --- | --- |
| 1 | Does the initiative involve evaluating or scoring individuals (including profiling and predicting)? | This is particularly important when personal data processing relates to an individual's performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements. | Building behavioural or marketing profiles of individuals based on their web activity. |
| 2 | Does the initiative involve automated decision-making that may have a significant effect on an individual? | This is personal data processing that aims to make automated decisions about individuals that produce legal effects or similarly significant effects upon the individual. | Asking an individual to submit personal data that is then analysed by a computer system, with the result that the individual's request to use a service is either accepted or refused. |
| 3 | Does the initiative involve systematic monitoring? | This is personal data processing used to observe, monitor or control individuals. | Installing a CCTV system on University premises. |
| 4 | Does the initiative involve the processing of 'sensitive personal data'? | Sensitive personal data is a particular set of personal data, as defined by data protection legislation (see the Information Governance Glossary). | Processing the health data of research participants in a research project. |
| 5 | Does the initiative involve processing personal data on a large scale? | There is no specific definition of 'large scale' but the following should be considered: | Implementing a new student record system. |
| 6 | Does the initiative involve datasets that have been matched or combined? | This relates to combining personal data originating from two or more personal data processing operations performed for different purposes or by different data controllers in a way that would exceed the reasonable expectations of the individual. | Matching alumni and supporters' personal data against personal data held by a third party for profiling purposes. |
| 7 | Does the initiative involve the personal data of vulnerable people? | This relates to the processing of personal data where there is an imbalance of power between the individual and the University, or the processing involves a vulnerable section of society. | Processing children's personal data as part of a 'widening participation' activity in the University. |
| 8 | Does the initiative involve the use or application of innovative technological or organisational solutions? | New technology can often involve novel ways of collecting and using personal data that individuals may not reasonably expect. | Using fingerprint recognition technology to control access to a building. |
| 9 | Does the initiative involve the transfer of personal data outside of the European Union? | This relates to sending personal data to countries outside of the European Union. | Storing personal data in a cloud service hosted in the USA. |
| 10 | Does the initiative prevent individuals from exercising a right or using a service or contract? | This includes personal data processing that takes place in a public area that passers-by cannot avoid, or processing that aims to allow or refuse an individual's access to a service. | Screening applicants before allowing them to use a web service. |
Step Two - Describe the information flows
Record the following in the DPIA template:
- How personal data will be obtained
- How personal data will be processed (including potential future uses)
- How personal data will be stored
- To whom personal data will be disclosed (individuals or organisations, if any).
Consultation should begin during this step (see Consultation section beneath Step 6 below).
Step Three - Identify and assess the privacy risks
Record the identified risks in the DPIA template. This forms the core of the DPIA process. The aim is to compile a comprehensive list of all of the privacy risks associated with the initiative, whether or not the risks require action.
For each privacy risk identified, the following should be recorded:
- A unique identifier
- A description of the risk
- An assessment of the impact of the risk (severe, major, moderate, minor, insignificant)
- An assessment of the likelihood of the risk (very likely, likely, neither likely nor unlikely, unlikely, very unlikely).
Step Four - Identify and approve the controls
Identify controls to mitigate the risks and record them in the DPIA template. The aim is to identify sufficient controls to eliminate each of the risks identified in Step Three, or to reduce them to a level which is acceptable to the University. For some identified risks, no controls may be required because the likelihood is so low and/or the impact so small that the risks are acceptable to the University.
Controls may take many forms, such as:
- Additional terms and conditions in a contract
- A privacy notice
- Documented operational procedures
- Disabling certain product features
- User training
- Technical controls, such as encryption.
Once a control is identified, the expected result of its implementation should be recorded i.e. whether it is likely to:
- Eliminate the risk
- Reduce the risk to an acceptable level
- Require acceptance as there is no reasonable control to eliminate or reduce it.
Proposed controls should then be approved by an appropriate individual. Normally this should be the information asset owner or their nominated delegate, but it could also be:
- The project sponsor
- The chair of a relevant committee.
Step Five - Assign responsibility for implementing controls
Allocate the controls to appropriate individuals and record an agreed deadline for implementation.
In the case of formal University projects, the implementation of many of the controls will fall within the scope of the project, so should be managed in the same way as any other project task. However, the implementation of some controls will be beyond the scope of the project (such as a change to University policy) so related tasks should be assigned through the University's normal management processes and added to the list of project dependencies. Where initiatives are being run informally, or as 'business as usual' activities, the University's normal management processes should be used to identify who will implement the controls and agree an appropriate deadline. In all cases, a named individual and deadline for completion should be assigned and recorded.
In the absence of formal project management documentation, the DPIA should be used to record when controls are implemented.
Step Six - Re-assess and accept the risks
After the controls have been implemented, re-assess the risks and record the outcome in the DPIA template. The risks then need to be accepted by an appropriate individual. Normally this should be the information asset owner or their nominated delegate, but it could also be:
- The project sponsor
- The chair of a relevant committee.
The individual who signs off the risks should have a clear understanding of the initiative, particularly the privacy risks and how the controls address them. If any risk has not been reduced to an acceptable level after implementation of the controls identified in Step Four, additional controls will need to be identified and Step Five and Step Six will need to be repeated.
Consultation
Consultation serves many purposes throughout the DPIA process, such as:
- Explaining the initiative to stakeholders
- Explaining to stakeholders how the DPIA process will be used within the initiative to manage privacy risks
- Establishing current working practices that the initiative aims to update or replace
- Establishing how the new system or process is likely to be used in practice and in the case of general purpose facilities, their likely purpose
- Establishing the privacy concerns of stakeholders
- Soliciting suggestions for controls
- Explaining identified controls to stakeholders.
Key stakeholders are likely to include:
- Individuals who understand the initiative from a technical point of view and in terms of personal data processing
- Individuals who will be using the new system or process
- Individuals whose personal data will be processed by the new system or process
- Collaborative partners
- The suppliers of a system
- The University's Information Governance Unit, Computing and Information Services (CIS) and Legal Services.
In cases where the impact of a risk identified at Step Three is assessed to be either severe or major and likelihood is assessed to be either likely or very likely, the University's Data Protection Officer must be consulted. If any risk remains at this level after the implementation of controls, the University may be required to consult the Information Commissioner's Office.
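The assessment scales from Step Three, the control record from Steps Four and Five, the re-assessment in Step Six and the Data Protection Officer escalation rule above, worked through as an added Python example (this is not the University's template or any tool the guidance refers to; the class and function names are this example's own):

```python
from dataclasses import dataclass, field

# Scales exactly as the guidance lists them (Step Three), lowest to highest.
IMPACTS = ("insignificant", "minor", "moderate", "major", "severe")
LIKELIHOODS = ("very unlikely", "unlikely", "neither likely nor unlikely",
               "likely", "very likely")

def check_scale(risk_id, impact, likelihood):
    """Reject an assessment that is not expressed on the template's scales."""
    if impact not in IMPACTS or likelihood not in LIKELIHOODS:
        raise ValueError(f"{risk_id}: impact/likelihood not on the scale")

@dataclass
class Control:
    description: str
    expected_result: str   # Step Four: "eliminate", "reduce" or "accept"
    owner: str             # Step Five: the named individual responsible
    deadline: str          # Step Five: agreed implementation date
    implemented: bool = False

@dataclass
class Risk:
    risk_id: str           # unique identifier
    description: str
    impact: str
    likelihood: str
    controls: list = field(default_factory=list)
    residual: tuple = None # (impact, likelihood) recorded at Step Six

    def __post_init__(self):
        check_scale(self.risk_id, self.impact, self.likelihood)

    def reassess(self, impact, likelihood):
        """Step Six: record residual risk, only once every control is implemented."""
        if not all(c.implemented for c in self.controls):
            raise RuntimeError(f"{self.risk_id}: controls not yet implemented")
        check_scale(self.risk_id, impact, likelihood)
        self.residual = (impact, likelihood)

    def current(self):
        return self.residual or (self.impact, self.likelihood)

def needs_dpo_consultation(impact, likelihood):
    """Escalation rule from the guidance: severe/major AND likely/very likely."""
    return impact in ("severe", "major") and likelihood in ("likely", "very likely")

def dpo_escalations(register):
    """Risk ids that currently require Data Protection Officer consultation."""
    return [r.risk_id for r in register if needs_dpo_consultation(*r.current())]
```

Running `dpo_escalations` before and after `reassess` shows the two points at which the guidance requires the Data Protection Officer to be consulted: at initial assessment and again if the residual risk is still at that level.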
Resources
- Data Protection Impact Assessment Template (last modified: 15 January 2018)