A Data Protection Impact Assessment (DPIA) is a process designed to help the University (or any organisation) identify and minimise the privacy risks presented by the development of new or changed services, procedures or policies. A DPIA can also be used for research projects.
Privacy risks include risks to individuals, in terms of damage and distress caused when personal data is mishandled, and organisational risks, such as financial and reputational damage resulting from data breaches.
The outcome of a DPIA should be a reduction in privacy risk and improved compliance with the UK's data protection law. DPIAs are a legal requirement in certain circumstances. Consideration of whether a DPIA is required is therefore an important stage in any project plan.
Under the GDPR, which came into effect on 25 May 2018, a DPIA is mandatory for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. We therefore need to consider whether a DPIA is necessary for existing uses of personal data, as well as new or planned uses.
Even where the risk to individuals is not thought to be high, DPIAs should be considered for any new projects and policy or service changes involving use of personal data.
They should be considered at an early stage, where there is the greatest scope for addressing risks and influencing project design and implementation.
Full DPIAs should always be conducted for major projects undertaken at UEA, where the information is sensitive in nature, and/or where a large amount of personal data will be involved, but the core principles can also be used for smaller projects or activities which impact on the privacy of individuals.
DPIAs can be run alongside or be integrated with other project activities.
The Information Commissioner’s Office (ICO) Code of Practice on PIAs lists the following benefits. (note: a Privacy Impact Asessment, or PIA, is another term for a DPIA. The new data protection law refers to DPIAs, so we have adopted that terminology at UEA)
- Assurance that we have followed best practice. The ICO writes ‘A project which has been subject to a PIA should be less privacy intrusive and therefore less likely to affect individuals in a negative way.’
- Improved transparency. Makes it easier for people to understand how and why their personal data is being used.
- Reduced risk of failing to meet legal obligations.
- Increased awareness of privacy and data protection issues across the organisation.
- Financial benefits. Early identification of privacy problems can be less costly and ongoing costs can be reduced if use of personal data is minimised.
The University’s Data Protection Officer, who manages the Information Compliance team, has overall responsibility for DPIAs across the organisation. However, much of the DPIA process can be completed by the project team, using the DPIA template documents (see below for details).
Ideally, a member of the project team should be identified as having responsibility for overseeing the DPIA. The Information Compliance team will work with the project team to provide advice and guidance and ensure the necessary documents are completed.
Data Protection legislation underpins the DPIA. UEA does not require members of project teams to have in-depth knowledge of the current data protection law, however it should be noted that data protection training is mandatory for all UEA staff. Training can be online or face to face. See the data protection home page for further details.
- Identify the need for a DPIA (document A) This stage should be done for all projects, big and small, to identify what – if any – further action is required. Consult with SPC team on completion of this stage
- Describe the information flows (document B) The project team will complete this stage
- Identify the privacy and related risks (document B) The Information Compliance team will work with the project team to complete this stage
- Identify and evaluate the privacy solutions (document B) The Information Compliance team will work with the project team to complete this stage
- Sign off and record the DPIA outcomes (document B) The Information Compliance team will work with the project team to complete this stage
- Integrate the outcomes into the project plan (document B) The project team will complete this stage
At all stages: Consult with internal and external stakeholders as needed throughout the process.
All steps should be completed for large projects and those involving sensitive or large amounts of personal data. For smaller, lower-risk projects not all steps may be required. The Information Compliance team will advise, on completion of document A.
The DPIA process is flexible and scalable, therefore it is difficult to provide an estimate. However for large projects you should allow approximately 1 – 2 days for completion of the documents and discussion with the Information Compliance team. The Information Compliance team will check the documentation on your behalf, before reporting back to you. Further consultation may be required, depending on the outcome of the DPIA.
The Information Compliance team will endeavour to work to your timescale, but please provide as much notice as possible to allow us to fit the DPIA in with other work. Note that the DPIA process will be most efficient when built in to the project plan. Retrospective consideration of privacy risks is typically more time-consuming and may be less effective.
On completion of a full-scale DPIA, the project team and the Information Compliance team should have a completed set of documents.
The results of the DPIA should be fed back into the project management process (see steps 5 & 6 above) to be considered at project closure, post-project review and lessons learned. If the project aims evolve throughout the process, the project team should review step 1, to ensure the DPIA is still required or fit for purpose.
The Information Commissioner recommends organisations publish the outcome of a DPIA, and there is a section (3.5) in our publication scheme specifically for completed DPIAs. Any DPIA documentation (including associated emails) may also be requested under the Freedom of Information Act 2000. Proactive publication improves transparency and can be an important part of a project’s communication plans, however it may be that some aspects of the DPIA are commercially sensitive. Such information should be clearly identified within the documentation.