Data Protection Impact Assessments
What is a DPIA and when must one be completed?
A Data Protection Impact Assessment (DPIA) is an assessment we must carry out in order to identify the potential effects on an individuals’ privacy, as well as meeting the legal and compliance implications on any project which handles personal data. If your project does not contain personal data a DPIA does not need to be completed, although it is expected the project be risk assessed and fully documented.
Ideally, the DPIA would be carried out in the early stages of an activity, as soon as a reasonable idea of the data flows involved is known. This would normally be during project initiation, or the first management stage. The later the DPIA is conducted, the harder, and more expensive, it is likely to be to address any privacy risks identified, and the less effective it will be in addressing any concerns that stakeholders might have.
DPIAs’ are recognised as a valuable, often mandatory, tool that organisations can use to assess and reduce the potential impact on individuals’ data privacy. This includes assessing the security of the data and mitigating risks associated with data processing.
It is City, University of London policy to undertake a DPIA wherever a project will be dealing with or manipulating personal data, this includes the situation where existing systems are being updated or changed. The following are examples of projects where a DPIA should be carried out.
- Personal data being collected in a new way (such as a new online form, or for a new project)
- Personal data being utilised in a new way (such as data being shared when it had not been previously)
- Personal data being matched or cross-referenced, particularly where this relates to data collected in different departments (such as being used to detect fraud)
- Personal data being stored in a new system (commissioning a new system which will hold personal data)
- Personal data being managed or accessed in a new way (a building move or a new remote working process)
This template has been drafted in accordance with the ICO’s Code of Practice which outlines the standards set within the Data Protection Act 2018.
In addition, it considers the provisions of the General Data Protection Regulation (GDPR) which make DPIAs’ mandatory for all projects where the data processing is considered “high risk” particularly in relation to new technologies. High risk projects are those:
- Where there is large scale processing and/or processing of “special categories” of data (formerly known as sensitive data)
- Where processing involves data matching, evaluation or scoring, including profiling of data subjects
- Any project involving automated decision making or systemic monitoring (e.g. CCTV)
Under the General Data Protection Regulations where a project is identified after the DPIA is completed as being “high risk”, advice must be sought from the Information Commissioner’s Office (ICO) as to how risks can be mitigated as far as is possible
Accurate records should be maintained of any referrals to the ICO.
What is personal data?
- Personal data only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
- Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
- If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised
Please note that we are happy to have a meeting with you to go through your draft DPIAs, if you believe this would be helpful. We recommend that people have thought through their data flows and the type and nature of the data to be collected before they attend the meeting. (Suggest CSUSAD model as a basis for this: create, store, use, share, archive, destroy).
How do I complete a DPIA?
If you believe you need to undertake a DPIA, or are unsure about whether a DPIA is required, we suggest you undertake a DPIA Threshold Test.
To do conduct a DPIA Threshold Test, you will need to:
- Click on THIS link.
- You should be taken to a login page, enter your email address (it should not ask you for a password).
- You should be taken to a portal page with the DPIA Threshold Test displayed (there are further instructions here too).