A Data Protection Impact Assessment (DPIA) is a process which helps to identify and mitigate potential risks to privacy and compliance with data protection law when processing personal data.
A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:
a systematic and extensive evaluation of the personal aspects of an individual, including profiling;
processing of sensitive data on a large scale;
systematic monitoring of public areas on a large scale.
National Data Protection Authorities, in concertation with the European Data Protection Board, may provide lists of cases where a DPIA would be required. The DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise. Where there are residual risks that can’t be mitigated by the measures put in place, the DPA must be consulted prior to the start of the processing.
DPIA required
A bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients’ health data; a bus operator about to implement on-board cameras to monitor drivers’ and passengers’ behaviour.
DPIA not required
A community doctor processing personal data of his patients. In that case there is no need for a DPIA, since a community doctor with a limited number of patients is not processing personal data on a large scale.
Whilst there was no statutory requirement to undertake DPIAs under previous data protection legislation, they were regarded as good practice by the UK Information Commissioner’s Office (ICO) and helped to demonstrate compliance with the data protection legislation then in force. Under the new data protection legislation, in force from 25 May 2018, DPIAs are required for high risk processing activities.
We have developed this brief note on carrying out a DPIA, as it now forms part of our research registration process. This should assist researchers with making their own judgements for each project that they undertake which has potential privacy impacts.
Carrying out a DPIA is mandatory where the processing of personal data is likely to result in a high risk to the rights and freedoms of individual data subjects.
You should consider conducting a DPIA during the planning stage of new projects. A DPIA may also be required if changes are made to an existing project.
DPIAs must be updated as the process develops, particularly if issues are identified which may affect the risk to the data protection rights of the affected individual.
A DPIA enables organisations to identify and reduce the privacy risks of a project by analysing how the proposed uses of personal information and technology will work in practice.
Take the screener to decide whether you need to conduct a DPIA.
DPIA Research Fillable Form February 2021
If the data in scope of this DPIA will be processed within the UCL Data Safe Haven, the following will apply when completing the DPIA template below:
c) ❎ data is not encrypted at rest within the Data Safe Haven
d) ✅ data is encrypted when transferred in to and out of the Data Safe Haven
f) ✅ in addition to UCL’s mandatory training, information governance training is required for all users of the Data Safe Haven
m) ✅ data held and processed in the Data Safe Haven remains in the EEA
q) ✅ the Data Safe Haven provides restricted access controls
In all cases, you also need to take into account any other processes your data will be subject to that do not use the Data Safe Haven, such as transcription and data transfers.