Data Protection Impact Assessments
Why do I need to carry out a DPIA?
The purpose of a Data Protection Impact Assessment is to determine the data protection risks of processing personal data about individuals and the impact to individuals as well as to determine if the concept of ‘privacy by design’ is adequately embedded into processes, systems or projects that will affect or bring about the risk. The DPIA should consider whether the processing is necessary and proportionate and also include an assessment of all the risks involved in the processing.
Even if a DPIA is not required a risk assessment should be carried out on any new processing activity.
The following should be considered prior to and during any activity or project which involves the processing of personal data:
• Only collect personal data that is necessary;
• Build data retention capability into any new systems processing personal data;
• Build information security into any new systems processing personal data;
• Identify any critical or sensitive data and apply proportionate security measures;
• Anonymise data where the identity of the individual is not required for the processing;
• Ensure data privacy training relevant to the new system or process is provided;
• Ensure personal data is readily accessible and data subject rights are supported;
• Include an audit trail to ensure the integrity of personal data.
When is a DPIA mandatory?
- If the processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the type of processing. This is likely to be the case if the processing involves new technologies.
- If the activity involves automated decision making based on personal data profiling, large scale processing of sensitive data or systematic monitoring of publicly accessible areas on a large scale.
- If using new technology that is likely to result in a high risk to the rights and freedoms of individuals, and when conducted for law enforcement purposes.
- The Data Protection Commission has determined that the following types of processing require a mandatory DPIA:
  - Large scale data processing for a new purpose;
  - Profiling of children or vulnerable individuals for marketing or online services;
  - Use of profiling, sensitive data or algorithms to determine access to services;
  - Monitoring or tracking of location data;
  - Processing of biometric data to identify or verify the identity of individuals;
  - Large scale profiling of individuals;
  - Processing of genetic data together with identifiers;
  - When processing data obtained indirectly where individuals may not have been advised that their data will be processed in this way;
  - When combining or linking datasets for profiling or behavioural analysis;
  - Large scale processing of personal data where suitable and specific measures are required under the Data Protection Act 2018; these include:
    - Large scale processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
    - Large scale processing of special categories of personal data for purposes of employment and social welfare law.
    - Large scale processing of personal data revealing political opinions for electoral activities and functions of the Referendum Commission.
    - Large scale processing of special categories of personal data for insurance and pension purposes.
    - Large scale processing of special categories of personal data for reasons of substantial public interest.
    - Large scale processing of special categories of personal data for the purposes of health or social care.
    - Large scale processing of special categories of personal data for purposes of public interest in the area of public health.
    - Large scale processing of personal data relating to criminal convictions and offences.
Examples of when a DPIA should be completed.
The list below includes examples of when a DPIA must be carried out; however, it is not exhaustive. If you are unsure whether you need a DPIA you can contact email@example.com.
- If you are working on a research project using a high volume of sensitive personal data such as health data or if working with genetic data.
- If you are developing or acquiring a new system that involves processing large volumes of personal data, e.g. a new HR database.
- If you are processing a high volume of personal data relating to trade union membership, political opinions, racial or ethnic origin, sexual orientation etc.
- If you are carrying out a new direct marketing or communications campaign using a database acquired from a third party or a new database compiled from resources such as publicly available personal data.
- If you plan to carry out any type of monitoring or surveillance of individuals including of staff, students and members of the public e.g. CCTV.
- If you plan to use technologies such as biometric or facial recognition for security access systems or otherwise.
- If you are working with new and potentially privacy invasive technology including smart technology, AI and Internet of Things.
Once you have completed all the questions on the DPIA you should forward it to the Data Protection Officer, who will provide feedback on any risks identified and recommendations on the actions or controls needed to address those risks.
It is the responsibility of the project owner, Head of School or Head of Unit to ensure the required controls are put in place and to sign off on any risks arising from the processing.
Data Protection Impact Assessments for Researchers
Research projects will frequently meet the above criteria for requiring the completion of a DPIA. Researchers should complete the DPIA in addition to any relevant ethics applications and data management plans, and should consider the requirements of the Policy on Good Research Practice and the Health Research Regulations 2018 when implementing controls around the use of personal and sensitive personal data.
The DPIA should be updated to reflect any material changes to the processing as the project or activity progresses and should be retained by the process or data owner as evidence that data protection risks were assessed and appropriate controls established.