Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) must be completed at the outset of any project, or change to an existing system or process, which involves or may involve the collection or handling of personal information and that is considered high risk.
It identifies risks to individuals’ privacy rights and/or corporate risks (such as failure to comply with relevant data protection legislation), and where relevant identifies measures required to mitigate those risks.
To identify whether the processing is high risk and requires a mandatory DPIA, you must first answer a number of screening questions, which will help you identify the level of risk associated with your project.
Conducting a data protection impact assessment
Please use the following template to record your DPIA process or outcome:
Download the Data Protection Impact Assessment template.
Responses to the DPIA screening questions and/or completed DPIAs should be sent by email to the Data Protection Office: firstname.lastname@example.org
Advice and guidance on completing a DPIA can be obtained from the Data Protection Office.
Further guidance is also available from the Information Commissioner's Office.
Examples of where a DPIA must be completed:
- implementation of new systems or projects that process high volumes of personal data, such as HR Online and the student records system
- systems or projects that process particularly sensitive (‘special category’) personal information on a large or systematic scale (eg health clinics)
- profiling of special category data or criminal offence data to decide on access to services, opportunity or benefit (eg asking all applicants to declare criminal convictions)
- processing of personal data that could be considered 'profiling' of individuals (eg learning analytics)
- processing where data is matched or combined from multiple sources and/or is processed without providing a Privacy Notice directly to individuals (eg wealth screening of alumni as potential donors or scraping or mining personal data from external sources for research)
- any automated personal data processing that results in decisions being made about individuals without human input
- processing perceived to be particularly intrusive by society (eg CCTV)
- processing personal data involving children or vulnerable adults
- where a contract/agreement or grant requires us to conduct a Data Protection Impact Assessment
- any processing of biometric data, such as fingerprints or face recognition
- processing data that might endanger the individual’s physical or mental health and safety in the event of a security breach (eg Wellbeing Records).