Data Protection Impact Assessment

[Insert name of project]

[Insert name of project officer/proposer]

[Insert name of department]

[Insert date of completion]

Introduction

Please complete this Data Protection Impact Assessment (DPIA) form if you are considering undertaking any new form of personal data processing.

Working through the form will enable you to assess whether a mandatory DPIA is required but even if it isn’t it is good practice to carry out a DPIA to help you scope out the data protection considerations you need to take into account.

The completed DPIA should be shared with the IT and Procurement departments as early as possible in the project to allow them to provide you with the appropriate support and advice.

Each section of the form is prefaced with text explaining that section’s purpose. The questions to be completed are set out in boxes with the subject line highlighted in purple.

1. Identifying the need for a Data Protection Impact Assessment

1.1 Under data protection legislation (GDPR (Article 24(1)) and the UK Data Protection Act 2018) organisations are required to implement organisational and technical measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the legislation. The Information Commissioner’s Office (ICO) has published guidance on DPIAs.

1.2 In addition, Article 35 GDPR makes Data Protection Impact Assessments (DPIAs) mandatory in certain circumstances and sets out the requirements for the content of DPIAs. The ICO guidance states:

“You must do a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests… it is also good practice to do a DPIA for any other major project which requires the processing of personal data.”[1]

1.3 It is mandatory under GDPR for a DPIA to be undertaken in circumstances where the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons”, or in three specific situations:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of personal data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  • a systematic monitoring of a publicly accessible area on a large scale.

Additionally, the ICO Guidance requires a DPIA to be carried out in certain circumstances. If you answer yes to any of the below questions, you must carry out a DPIA.[2]

Question / Yes/No
Will the project use systematic and extensive profiling or automated decision-making to make significant decisions about people?
Will you process special category data or criminal offence data on a large scale?
Will you systematically monitor a publicly accessible place on a large scale?
Does the project involve the use of new technologies?
Will you use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit?
Does the project involve you carrying out profiling on a large scale?
Will the project require you to process biometric or genetic data?
Will the project require you to combine, compare or match data from multiple sources?
Will you process personal data without providing a privacy notice directly to the individual?
Will you process personal data in a way which involves tracking individuals’ online or offline location or behaviour?
Will you process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them?
Will you process personal data which could result in a risk of physical harm in the event of a security breach?

1.4 In addition, guidance adopted by the Art29 WP suggests that the below factors should be taken into account when determining whether a project presents a ‘high risk’, and also that in most cases, where processing meets two or more of the criteria below, a DPIA should be carried out.

Question / Yes/No
Will the project require you to contact individuals in ways that they may find intrusive?
Will the project involve evaluation or scoring, including profiling and predicting?
Will the project involve automated decision making with legal or similar significant effect?
Will the project involve systematic monitoring to observe, monitor or control data subjects?
Will the project involve the collection of sensitive PERSONAL DATA, or PERSONAL DATA of a highly personal nature?
Will the data be processed on a ‘large scale’[3]?
Will the processing involve matching or combining datasets?
Will the processing involve the PERSONAL DATA of vulnerable data subjects?
Will the processing involve the innovative use or applying of new technological or organisational solutions (e.g. combining the use of finger print and face recognition for improved physical access)?
Will the processing itself prevent data subjects from exercising a right or using a service or a contract?

1.5 The ICO draft guidance also recommends that data controllers ‘should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.’

2. Consultation

2.1 Under the ICO Guidance you are required to consult the Data Protection Officer and, where appropriate, individuals and relevant experts including any relevant data processors.

2.2 Please set out below the individuals that you have consulted regarding this project.

Role / interest / Nature of consultation and outcome or, if not consulted, reasons why / Advice accepted or overruled? If overruled, identify the decision maker and explain why.
[Relevant internal staff]
[Data processor]
Data Protection Officer
Data Subjects
External advisors
[Insert additional roles]

2.3 Where the project proposer’s opinion differs from that of the data subjects this should be documented, together with reasons for this difference.

2.4 The University, via the Data Protection Officer, may seek the views of data subjects or their representatives.

3. Description of the envisaged processing operations and the purposes of the processing

3.1 Article 35(7) GDPR requires at least a ‘systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller’.

In answering the below questions the project proposer will be able to establish the nature and extent of the data processing anticipated within the project.

The answers to the below questions may be expanded as the project develops if necessary.

Question / Response
The Nature and Scope of the processing
Describe what PERSONAL DATA will be processed (including, but not limited to, forename, surname, address, postcode, DoB, age, gender, another unique identifier)
Describe, if any, what sensitive data will be processed (racial or ethnic origin, biometric data, genetic data, trade union membership, political opinion, physical or mental health, religious belief, sexual life, financial data, location data, commission or alleged commission of an offence, proceedings for any offence committed or alleged). [4]
How will the PERSONAL DATA and other data be collected?[5]
How much PERSONAL DATA will be collected? How many data subjects will be involved? What geographical area is covered?[6]
How long will the project last?[7]
How often will PERSONAL DATA be collected and used?
How and where will the PERSONAL DATA and other data be stored and for how long?[8]
Who will have access to the PERSONAL DATA and other data?[9]
What security and audit measures have been/will be implemented to secure access to and limit use of personal and/or special categories of PERSONAL DATA?[10]
Is there an ability to audit access to the PERSONAL DATA?
Are other organisations involved in processing the PERSONAL DATA? If yes, please list.[11]
Has a data flow mapping exercise[12] been undertaken? If yes, please provide a copy, if no, please undertake.[13]
Will this PERSONAL DATA and other data be shared outside the organisations listed above in question 5? If yes, describe who and why.
Describe in as much detail as possible, how the PERSONAL DATA and other data will be used.[14]
Are there any new or additional reporting requirements for this project? If so, please describe what roles will be able to run reports, and whether the reports will be in person-identifiable, pseudonymised or anonymised format?[15]
Are you using new technologies?[16]
Are you using any novel types of processing?[17]
What screening criteria did you flag as likely high risk?[18]
What assets will be relied on to process the PERSONAL DATA? (For example hardware, software, networks, people, paper, paper transmission channels)[19]
The Context of the Processing
What is the source of the PERSONAL DATA?[20]
What is the nature of your relationship with the data subjects?[21]
To what extent will the data subjects have control over their PERSONAL DATA?[22]
To what extent are the data subjects likely to expect the processing?[23]
Will the project involve the processing of the PERSONAL DATA of children or other vulnerable people?[24]
Do you have any previous experience of this type of processing?[25]
Have any relevant advances in technology or security affected the project?[26]
Is the project relevant to any current issues of public concern?[27]
If relevant, have you complied with any relevant GDPR codes of conduct or certification schemes?[28]
Have you considered and complied with the ICO codes of practice?[29]
The Purposes of the Processing
Describe in as much detail as possible, why the PERSONAL DATA and other data is being collected / used.[30]
List the business reasons for which the PERSONAL DATA is being processed.[31]
Could the purposes outlined at [30 & 31] above be achieved without processing the PERSONAL DATA as outlined above?[32]
What legitimate interests (if relevant), are you processing the data for?
What is the intended outcome for the individuals?[33]
What are the expected benefits for you, or society as a whole?[34]

4. Assessment of the necessity and the proportionality of the processing operations in relation to the purposes

4.1 Guidance suggests that in assessing the necessity and proportionality of processing operations, the project proposer should take into account ‘measures envisaged to comply with the Regulation’.

4.2 It is envisaged that the below section will be modified as risks are identified and solutions to these risks proposed. The below questions relate to specific aspects of the GDPR. Answering these questions will assist the project proposer to demonstrate to the ICO its compliance with the GDPR. The answers to the below questions may be expanded as the project develops if necessary.

4.2.1 Measures contributing to the rights and freedoms of data subjects

What arrangements are in place to provide information to data subjects when their personal data is collected?[35]
  • [Insert detail as to what privacy notices exist and are in use, and will exist, including when they are supplied to data subjects]

What arrangements are in place for recognising and responding to requests for access to personal data, and comply with data portability requirements?[36]
  • [Insert details of organisation’s internal process for handling such requests]

What arrangements are in place to respond to requests for rectification and erasure?[37]
  • [Insert: details of department/organisation’s internal process for handling such requests]

What arrangements are in place to respond to objections to processing and to restrict processing?[38]
  • [Insert: details of department/organisation’s internal process for handling such objections]

What arrangements are in place to ensure that the relationship between the University and the data processor complies with article 28 GDPR?[39]
  • [Insert: details of agreement(s) between the University and its data processor(s) governing processing of personal data and the University’s internal process]

What safeguards are in place in relation to international transfers of personal data and other data (if appropriate)?[40]
  • [Insert: details of arrangements under which international transfers of data will be made]

Is prior consultation with the ICO necessary?[41] N.B. The ICO Guidance states; “If you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to consult the ICO. You cannot go ahead with the processing until you have done so.”
How will the project proposer ensure that personal data is processed in a transparent manner throughout all communications with data subjects?[42]
  • [Insert: details]

4.2.2 Measures contributing to the proportionality and necessity of the processing

Is the purpose of the processing specified, explicit, and legitimate? Is the processing no more than necessary to achieve this?[43]
Is the collection and processing adequate, relevant and limited to what is necessary?[44]
Are there sufficient measures to ensure that personal data is accurate and where necessary kept up to date?[45]
Is the personal data kept for no longer than is necessary?[46]
Is the personal data processing proportionate to the identified purposes and aims of the project?
How will you prevent function creep?[47]
How do you intend to ensure data minimisation?[48]

5. Identification of legal basis of processing

5.1 In relation to personal data other than ‘special category personal data’ (as defined in article 9(1) GDPR), the project proposer must ensure that the processing is covered by a basis set out in article 6 GDPR.[49] These are:

(a) The data subject has given consent to the processing of his or her PD for one or more specific purposes.[50]

(b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.[51]

(c) Processing is necessary for compliance with a legal obligation to which the controller is subject.[52]

(d) Processing is necessary in order to protect the vital interests of the data subject or another natural person.[53]

(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.[54]

(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.[55] [N.B. this does not apply to public authorities in the performance of their tasks]

We envisage that the below boxes will demonstrate that the project proposer has considered the lawfulness of its data processing and identified the applicable legal basis.

Details as to how the legal basis has been achieved (for example, if the project proposer relies on consent as the lawful basis for processing, how have they ensured that the data subject’s consent is freely given, specific, informed and unambiguous[56]) should also be provided, as well as how it is proposed to record the lawful basis of the processing, in order to be able to demonstrate it (if required) in any investigation by the ICO.

The answers to the below questions may be expanded as the project develops if necessary.

Description of the legal basis for the processing

[Insert details of the legal basis]

[NB. Legitimate interests may be available to public bodies for use depending upon the progress of the Data Protection Bill 2017. It may, therefore, be appropriate in the future to add that ground to this assessment].

[N.B. in the employment context, Art29 WP guidance suggests that consent may be an inappropriate basis on which to process personal data: “WP29 deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such processing at work, the lawful basis cannot and should not be the consent of the employees Article 6(1a) due to the nature of the relationship between employer and employee” [57].

The GDPR allows organisations to continue to rely on consent obtained prior to the GDPR coming into force, provided that they are GDPR compliant. ]

5.2 The processing of ‘special category personal data’ (as defined in article 9(1) GDPR) is prohibited, unless a lawful basis in article 9(2) applies:

(a) the data subject has given explicit consent to the processing of those PD for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the PD are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to PD which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. This ground for processing should be read in conjunction with section 10 and schedule 1 of the Data Protection Bill, which provides more detail on the application of the exemption.