Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a key component of a 'Privacy by design' approach to a project or other personal data processing activity (hereafter referred to as an 'initiative'). 'Privacy by design' is an essential tool in minimising privacy risks and building trust. The Information Commissioner's Office (ICO) encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any initiative, and then throughout its lifecycle.
This guidance is devised to help you determine whether a DPIA is required for your initiative and if so, explains how to complete the assessment.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a structured approach to identifying the privacy risks associated with the processing of personal data and for implementing appropriate controls to manage those risks. The process comprises eight steps, discussed below:
Why conduct a DPIA?
Key benefits of conducting a DPIA are:
- Fulfilling the University's legislative, statutory and contractual obligations, particularly those under data protection legislation in relation to data processing activities
- Contributing towards effective risk management and increased privacy and data protection awareness across the institution
- Giving individuals confidence that the University is taking steps to safeguard their privacy, and a better understanding of the ways in which their personal data are being used
- Taking actions which are less likely to be privacy intrusive and have a negative impact on individuals
- Increasing the likelihood that the initiative is more successful because privacy risks are identified early, allowing controls to be designed in at less cost and with less impact on delivery.
Is a DPIA required?
A DPIA should be completed for any initiative that involves the processing of personal data or any other activity that could impact the privacy of individuals. Examples are:
- Building a new IT system for storing or accessing staff personal data
- Implementing surveillance technology in a building, such as a CCTV system
- Using a cloud service for the storage of research data
- Developing policies or strategies that have privacy implications.
A DPIA should be completed for new initiatives, for changes to existing systems or processes or for contract renewals where there is a data processing element. It may also be a recommended outcome from a formal investigation into an information security incident or weakness at the University.
The first step in conducting a DPIA is a screening process to decide whether the detailed work in the subsequent steps will be required.
A DPIA must be completed for all research projects that may impact the privacy of individuals and/or involve the use of personal data.
When should a DPIA be undertaken?
Ideally, a DPIA should be undertaken in the early stages of an initiative. The earlier a DPIA is completed, the easier it is likely to be to address any privacy risks identified.
Who should conduct a DPIA?
The University Data Protection Officer has overall accountability for ensuring that DPIAs are completed for personal data processing initiatives.
Responsibility for ensuring that a specific DPIA is completed lies with the individual responsible for the initiative, such as:
- The project sponsor
- The information asset owner
- The lead for a research project.
Who should hold the completed DPIA?
The individual responsible for the initiative should retain the master copy of the completed DPIA for audit purposes and to be able to demonstrate compliance with legislative requirements should a query be raised. The University's Data Protection Officer or Information Governance Unit may request copies of DPIAs for monitoring and reporting purposes.
The University's DPIA template
Please use the University's standard Data Protection Impact Assessment Template found here.
Please note that in the case of research projects, the DPIA template is not mandatory; the assessment can be recorded in the project’s Data Management Plan instead.
Conducting a DPIA
Step One - Identify the need for a DPA
1. Will the project involve the processing of new (or additional) types of information about individuals?
2. Is the project already processing personal data about
individuals without a DPIA having been carried out?
3. Will the project compel individuals to provide information
about themselves before they can make use of the service
4. Will information about individuals be disclosed to
organisations or people who have not previously had routine
access to the information, including third party processors?
5. Are you using information about individuals for a purpose for
which it is not currently used, or in a way it is not currently
6. Does the project involve processing sensitive (“Special
Category”) personal data?
7. Does the project involve the personal data of vulnerable
8. Does the project involve processing personal data on a large
9. Does the project involve systematic monitoring?
10. Does the project involve the use or application of innovative
technological or organisational solutions?
11. Does the project involve automated decision-making that
may have a significant effect on an individual?
12. Does the project involve evaluating or scoring individuals
(including profiling and predicting)?
13. Does the project involve datasets that have been matched or
14. Is the data transferred internationally?
Step Two - Describe the processing
Record the following in the DPIA template:
- How personal data will be obtained
- How personal data will be processed (including potential future uses)
- How personal data will be stored
- To whom personal data will be disclosed (individuals or organisations, if any).
Step Three - Consultation process
Consultation serves many purposes throughout the DPIA process, such as:
- Explaining the initiative to stakeholders
- Explaining to stakeholders how the DPIA process will be used within the initiative to manage privacy risks
- Establishing current working practices that the initiative aims to update or replace
- Establishing how the new system or process is likely to be used in practice and in the case of general purpose facilities, their likely purpose
- Establishing the privacy concerns of stakeholders
- Soliciting suggestions for controls
- Explaining identified controls to stakeholders.
Key stakeholders are likely to include:
- Individuals who understand the initiative from a technical point of view and in terms of personal data processing
- Individuals who will be using the new system or process
- Individuals whose personal data will be processed by the new system or process
- Collaborative partners
- The suppliers of a system
- The University's Information Governance Unit, Computing and Information Services (CIS) and Legal Services.
Step Four – Assess necessity and proportionality
Describe the proportionality and compliance measures that are being considered. In particular:
- What is your lawful basis for processing. These are contained within Article 5 GDPR for personal data and an Article 9 basis will need to be established in addition to Article 5 where Special Category Data is being processed?
- Ensure good data quality
- Provide individuals the support they need to act on their rights as data subjects
- Consider the risk of any international data transfer
Step Five - Identify and assess the privacy risks
Record the identified risks in the DPIA template. This forms the core of the DPIA process. The aim is to compile a comprehensive list of all of the privacy risks associated with the initiative, whether or not the risks require action.
For each privacy risk identified, the following should be recorded:
- A unique identifier
- A description of the risk
- An assessment of the impact of the risk (severe, major, moderate, minor, insignificant)
- An assessment of the likelihood of the risk (very likely, likely, neither likely nor unlikely, unlikely, very unlikely).
Step Six - Identify and approve the controls
Identify controls to mitigate the risks and record them in the DPIA template. The aim is to identify sufficient controls to eliminate each of the risks identified in Step Three, or to reduce them to a level which is acceptable to the University. For some identified risks, no controls may be required because the likelihood is so low and/or the impact so small that the risks are acceptable to the University.
Controls may take many forms, such as:
- Additional terms and conditions in a contract
- A privacy notice
- Documented operational procedures
- Disabling certain product features
- User training
- Technical controls, such as encryption.
Once a control is identified, the expected result of its implementation should be recorded i.e. whether it is likely to:
- Eliminate the risk
- Reduce the risk to an acceptable level
- Require acceptance as there is no reasonable control to eliminate or reduce it.
Proposed controls should then be approved by an appropriate individual. Normally this should be the information asset owner or their nominated delegate, but it could also be:
- The project sponsor
- The chair of a relevant committee.
Step Seven - Sign off and record outcomes
After the controls have been implemented, re-assess the risks and record the outcome in the DPIA template. The risks then need to be accepted by an appropriate individual. Normally this should be the information asset owner or their nominated delegate, but it could also be:
- The project sponsor
- The chair of a relevant committee.
The University’s Data Protection Officer will either approve or reject the processing based on the residual risk, adding relevant commentary to the document. Where the proposal is rejected, the DPIA rejected, the DPIA can then be escalated to the University’s Senior Information Risk Owner for consideration.