Data Protection Impact Assessment Procedure

Data Protection Impact Assessment Procedure and Template

Table of Contents

 

1    Background

2    Purpose

3    Scope

4    DPIA Procedure

  1. 1 Step 1: Identify the Need for a DPIA/whether a DPIA is mandatory
  2. 2 Step 2: Describe the Processing in a Systematic Way
  3. 3 Step 3: Assess Necessity and Proportionalit4
  4. 4 Step 4: Consult with Stakeholder
  5. 5 Step 5: Identify and Assess Risk
  6. 6 Step 6: Identify Controls and Actions
  7. 7 Step 7: Document Results
  8. 8 Step 8: Implement and Review

5    DPIA Template

6    Document History


 

1         Background

 

A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.

A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks. It is an important tool for building and demonstrating compliance with the GDPR (i.e. accountability).

Under the General Data Protection Regulation (GDPR) the University must carry out a DPIA where a planned or existing processing operation is “likely to result in a high risk” to individuals. Although GDPR provides examples of data processing that would fall into this category, this is a non- exhaustive list.

It is also necessary to carry out a DPIA where it is proposed to apply to the Health Research Consent Declaration Committee for a declaration that the public research in carrying out health research significantly outweighs the public interest in requiring the explicit consent of the data subject (Regulations 5(3) and 6(3) of the Irish Health Research Regulations 2018).

It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

2         Purpose

The purpose of this procedure is to enable UCC staff to:

  1. identify when a DPIA is mandatory
  2. carry out a DPIA.
  3. Evaluation and scoring (including profiling and predicting), especially concerning a data subject’s performance at work, economic situation, health, personal preferences, reliability or behaviour, location or movements. An example would be offering genetic tests in order to assess or predict disease/health risks or gathering social media profile data for generating profiles for contact directories or marketing.

3         Scope

All new projects and significant changes to existing systems/processes which require the processing of personal data must perform at least step 1 of this procedure to determine if a full DPIA is required.

DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of data subjects, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material. To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified.

 

4         DPIA Procedure

4.1        Step 1: Identify the Need for a DPIA/whether a DPIA is mandatory

The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. The carrying out of a DPIA is mandatory where processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 GDPR and Regulation 3(1)(c)(ii) of the Irish Health Research Regulations 2018) and/or  it is proposed to apply to the Health Research Consent Declaration Committee for a declaration that the public research in carrying out health research significantly outweighs the public interest in requiring the explicit consent of the data subject (Regulations 5(3) and 6(3) of the Irish Health Research Regulations 2018).

GDPR provides (a non-exhaustive list of) some examples of processing that would fall into this category and supervisory authorities are tasked with publishing a list of the kind of processing which are subject to the requirement for a DPIA. Based on guidance from the regulators to date, the following should be taken into account when determining is processing “high risk” and therefore requiring a DPIA

You must do a DPIA if you plan to carry out one or more of the following:

1. Evaluation and scoring (including profiling and predicting), especially concerning a data subject’s performance at work, economic situation, health, personal preferences, reliability or behaviour, location or movements. An example would be offering genetic tests in order to assess or predict disease/health risks or gathering social media profile data for generating profiles for contact directories or marketing.

2. Automated decision-making with legal or similar significant effects - Is a decision made by automated means without any human involvement? An example would be an online decision to award a loan or a recruitment aptitude test that uses pre-programmed algorithms and criteria.

3. Systematic monitoring - including through a publicly accessible place on a large scale. For example, using a camera to monitor driving behaviours on a road.

4. Sensitive data or data of highly personal nature – this includes special categories of data as defined in Article 9:

    1. racial or ethnic origin
    2. political opinions
    3. religious or philosophical beliefs
    4. trade union membership
    5. data concerning health
    6. data concerning a person’s sex life or sexual orientation
    7. genetic data
    8. biometric data

as well as criminal data as defined in Article 10. An example would be a hospital keeping patient medical records or an organisation keeping offender’s details.

5. Data processed on a large scale – while the term ‘large scale’ is not defined, the regulators recommend the following is taken into account: (a) the number of data subjects concerned; (b) the volume and range of data been processed; (c) the duration and permanence of the processing; (d) the geographic extent of the processing activity.

6. Datasets have been matched or combined – for example, two or more data processing operations performed for different purposes and/or by different data controllers been combined in way that would exceed reasonable expectation of the data subject.

7. Data concerning vulnerable data subjects – For example children are considered as not able to knowingly oppose or consent to processing of personal data. Patients, elderly people and asylum seekers would also be considered vulnerable data subjects.

8. Innovative use or applying technological or organisational solutions – for example combining use of finger print and face recognition for improved physical access control, using a video analysis system to single out cars and recognise licence plates.

9. When processing prevents the data subject from exercising a right or using a service or a contract – for example, processing a public area that people passing cannot avoid or processing that aims to refuse data subjects access to a service or contract (bank screens its customers against a credit reference database in order to decide whether to offer a loan)

 

In cases where it is not clear if a DPIA should be carried out, the guidance from the regulators is that a DPIA should be carried out as it is a useful tool to comply with GDPR.  Advice on whether a DPIA should be carried out can be sought from UCC’s Information Compliance Manager.

4.2        Step 2: Describe the Processing in a Systematic Way

Describe how and why you plan to use the personal data. Your description must include “the nature, scope, context and purposes of the processing”.

4.2.1        The nature of the processing

This is what you plan to do with the personal data. This must include:

  • how you collect the data;
  • how you store the data;
  • how you use the data;
  • who has access to the data;
  • who you share the data with;
  • whether you use any processors;
  • retention periods;
  • security measures;
  • whether you are using any new technologies;
  • whether you are using any novel types of processing;
  • which screening criteria you flagged as likely high risk.

4.2.2        The scope of the processing

This is what the processing covers. This must include:

  • the nature of the personal data;
  • the volume and variety of the personal data;
  • the sensitivity of the personal data;
  • the extent and frequency of the processing;
  • the duration of the processing;
  • the number of data subjects involved;
  • the geographical area covered

4.2.3        The context of the processing

This is the wider picture, including internal and external factors which might affect expectations or impact.

This might include, for example:

  • the source of the data;
  • the nature of your relationship with the individuals;
  • the extent to which individuals have control over their data;
  • the extent to which individuals are likely to expect the processing;
  • whether they include children or other vulnerable people;
  • any previous experience of this type of processing;
  • any relevant advances in technology or security;
  • any current issues of public concern;
  • whether you have considered and complied with relevant codes of practice.

4.2.4        The purpose of the processing

This is the reason why you want to process the personal data. This must include:

  • your legitimate interests, where relevant;
  • the intended outcome for individuals;
  • the expected benefits for you or for society as a whole

4.3        Step 3: Assess Necessity and Proportionality

You should consider:

  • Do your plans help to achieve your purpose?
  • Is there any other reasonable way to achieve the same result?
  • your lawful basis for the processing;
  • how you will prevent function creep i.e. using the data for more than the original purpose;
  • how you intend to ensure data quality;
  • how you intend to ensure data minimisation;
  • how you intend to provide privacy information to individuals;
  • how you implement and support individual’s rights;
  • measures to ensure your processors comply;
  • safeguards for international transfers.

 

 

4.4        Step 4: Consult with Stakeholders

You should seek the views of data subjects (or their representatives) unless there is a good reason not to. In most cases it should be possible to consult individuals in some form. For example, internal stakeholders such as project management team, IT, procurement, potential suppliers (processors), communications teams, customer facing roles, researchers and senior management. External stakeholders could include: people who will be affected by the project and members of the public.

However, if you decide that it is not appropriate to consult individuals then you should record this decision as part of your DPIA, with a clear explanation. For example, you might be able to demonstrate that consultation would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable.

If the DPIA covers the processing of personal data of existing contacts (for example, existing students or employees), you should design a consultation process to seek the views of those particular individuals, or their representatives.

If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public consultation process, or targeted research. This could take the form of carrying out market research with a certain demographic or contacting relevant campaign or consumer groups for their views. If your DPIA decision is at odds with the views of individuals, you need to document your reasons for disregarding their views.

If you use a data processor, you may need to ask them for information and assistance. You should consult all relevant internal stakeholders, in particular anyone with responsibility for information security.

4.5        Step 5: Identify and Assess Risks

Identify the potential risks that may arise.  Consider the potential impact on individuals and any harm or damage that might be caused by your processing – whether physical, emotional or material. In particular look at whether the processing could possibly contribute to:

  • inability to exercise rights (including but not limited to privacy rights);
  • inability to access services or opportunities;
  • loss of control over the use of personal data;
  • discrimination;
  • identity theft or fraud;
  • financial loss;
  • reputational damage;
  • physical harm;
  • loss of confidentiality;
  • re-identification of pseudonymised data;
  • any other significant economic or social disadvantage

You should include an assessment of the security risks, including sources of risk and the potential impact of each type of breach (including illegitimate access to, modification of or loss of personal data).

Having identified the risks, it is then necessary to assess which are going to pose the greatest threat by looking at both the likelihood of the risk occurring and the impact that might result.  This provides the overall risk rating.

4.6        Step 6: Identify Controls and Actions

Against each risk identified, you should then consider options for reducing that risk. Identify the current controls (how you currently manage the risk) and what further actions you will take to reduce the impact/likelihood and mitigate the risk.  For example, some actions and controls that could be implemented are:

  • deciding not to collect certain types of data;
  • reducing the scope of the processing;
  • reducing retention periods;
  • taking additional technological security measures;
  • training staff to ensure risks are anticipated and managed;
  • anonymising or pseudonymising data where possible;
  • writing internal guidance or processes to avoid risks;
  • adding a human element to review automated decisions;
  • using a different technology;
  • putting clear data sharing agreements into place;
  • making changes to privacy notices;
  • offering individuals the chance to opt out where appropriate;
  • implementing new systems to help individuals to exercise their rights.

This is not an exhaustive list, and you may be able to devise other ways to help reduce or avoid the risks. You should ask the Information Compliance Office for advice.

4.7        Step 7: Document Results

You should then record:

  • what additional measures you plan to take;
  • whether each risk has been eliminated, reduced, or accepted;
  • the overall level of ‘residual risk’ after taking additional measures;
  • whether the Data Protection Commission needs to be consulted.

You do not always have to eliminate every risk. You may decide that some risks, and even a high risk, are acceptable given the benefits of the processing and the difficulties of mitigation. However, if there is still a high risk, you need to contact the Information Compliance Manager who will consult with the Data Commissioner before you can go ahead with the processing. As part of the sign-off process, you should ask the Information Compliance Manager to advise on whether the processing is compliant and can go ahead. If you decide not to follow their advice, you need to record your reasons. You should also record any reasons for going against the views of individuals or other consultees.

4.8        Step 8: Implement and Review

 

You must integrate the outcomes of your DPIA back into your project plans. You should identify any action points and who is responsible for implementing them. You should monitor the ongoing performance of the DPIA. You may need to cycle through the process again before your plans are finalised. If you have decided to accept a high risk, either because it is not possible to mitigate or because the costs of mitigation are too high, you need to consult the Data Commissioner before you can go ahead with the processing.

It is good practice to publish your DPIA to aid transparency and accountability. This could help foster trust in your processing activities, and improve individuals’ ability to exercise their rights. If you are concerned that publication might reveal commercially sensitive information, undermine security or cause other risks, you should consider whether you can redact (black out) or remove sensitive details, or publish a summary.  You need to keep your DPIA under review, at a minimum every 3 years.   You may need to repeat it if there is a substantial change to the nature, scope, context or purposes of your processing

 

 

5. DPIA Template

 

PROJECT NAME: INSERT DETAILS

PROJECT OWNER NAME: INSERT DETAILS

UCC UNIT: INSERT DETAILS

COMPLETED BY: INSERT DETAILS

JOB TITLE: INSERT DETAILS

DATE COMPLETED: INSERT DETAILS

 

 

Step 1: DPIA Screening Checklist/Identifying Need for DPIA

 

Does your project involve:

Yes

No

 

 

 

Evaluation or scoring of personal data (including profiling and predicting)

 

 

Automated decision-making with legal or similar significant effects

 

 

Systematic monitoring including through a publicly accessible place on a large scale

 

 

Sensitive data or data of a highly personal nature (including special categories of data and criminal data)

 

 

Data processed on a large scale

 

 

Matching or combining data sets

 

 

Data concerning vulnerable people (including children)

 

 

Innovative use or applying technological or organisational solutions

 

 

Processing preventing data subjects from exercising a right or using a service or contract

 

 

 

 

 

Is it proposed to apply to the Health Research Consent Declaration Committee for a declaration that the public research in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject

 

 

 

If you have answered yes to any of the above questions, you must carry out a DPIA.  Please see the DPIA Procedure for further information. https://www.ucc.ie/en/gdpr/dataprotectionimpactassessmentsdpias/

Summarise why you identified the need for a DPIA (this can draw on your answers to the screening questions).

 

 

 

 

 

 

Step 2: Describe the Processing

 

Outline the project and explain what the project aims to achieve.

 

Please note that where possible data should be anonymised. If not, please explain why personal data cannot be anonymised and use of personal data is necessary for the activity

 

 

 

Describe the nature of the processing. Please describe the personal data that will be collected/sourced, used, stored, accessed and/or shared with for the purpose of the project.

 

Provide details of the parties and third parties involved, including data controllers and data processors.

Guidance Note: Please see Section 9 (Definitions) of UCC’s Data Protection Policy for further information https://www.ucc.ie/en/ocla/comp/data/dataprotection/

 

Please refer to a flow diagram or other way of describing the data flow if relevant

 

 

 

 

 

Describe the scope of the processing: please explain the nature of the personal data including its sensitivity and does it include any special category?

Guidance Note: Please see Section 9 (Definitions) of UCC’s Data Protection Policy for further information https://www.ucc.ie/en/ocla/comp/data/dataprotection/

 

How much personal data will you be collecting and using?

 

How often?

 

How long will the University keep it?

 

How many individuals are affected?

 

What geographical area does it cover?

 

 

 

Describe the context of the processing: what is the nature of the University relationship with the individuals?

 

Does the project involve use of existing personal data for new purposes? Is this new purpose aligned with the original purpose of collection?

 

Would they expect the University to use their data in this way? Is it novel in any way?

 

Do they include children or other vulnerable groups?

 

How much control will they have?

 

Describe what the security measures will be in place to protect personal data including, but not limited to, access controls, encryption, pseudonymisation?

 

What is the current state of technology in this area?

 

Are there prior concerns over this type of processing or security flaws?

 

What guidance/training will be provided to individuals involved in this project or activity to enable them to understand their data protection responsibilities

 

Are there any current issues of public concern that should be factored in?

 

Are you signed up to any approved code of conduct or certification scheme or is there any national, sector specific or other guidance applicable to your project/activity?

 

Describe the purposes of the processing: do you want to achieve by the processing of processing personal data within the project within the project or activity?

 

What is the intended outcome/effect on individuals?

 

Could the use of personal data for this activity result in any harm for the data subjects?

 

What are the benefits of the processing for the University, data subjects and more broadly e.g. for society?

 

 

 

Step 3: Assessment of Necessity and Proportionality of Processing

 

Describe compliance and proportionality measures, in particular:

 

Consider all processing activities in your project – evaluate is each of them necessary to actually achieve your purpose?

 

Is there another less intrusive way to achieve the same outcome?

 

How will you prevent function creep i.e. gradual widening of the use of the data, technology or system beyond the purpose it was originally intended especially when it leads to potential invasion of privacy?

 

Have you ensured that you will only collect the minimum data that you need or that is necessary for the activity. Provide details

 

What is the lawful basis for processing?

Guidance Note -  Please see Appendix A and Appendix B of UCC’s Data Protection Policy

https://www.ucc.ie/en/ocla/comp/data/dataprotection/#APPENDIX A: LAWFUL BASES FOR PROCESSING (Article 6)

 

What information will you give individuals?

Guidance Note – Please provide details of any patient information leaflets and/or privacy statements informing data subjects what is happening their personal data

 

How will you help to support their rights?

Guidance Note – Please see 5.6 of UCC’s Data Protection Policy

provide details of what due diligence has been carried out and contractual arrangements in place and confirm

 

What measures do you take to ensure data processors comply with data protection obligations?

Guidance Note – provide details of what due diligence has been carried out and contractual arrangements in place and confirm

 

Will personal data be transferred or stored outside the EEA at any point? Provide details

 

How do you safeguard any international transfers outside the EEA (if applicable)?

Guidance Note -  Please see 5.8 of UCC’s Data Protection Policy

https://www.ucc.ie/en/ocla/comp/data/dataprotection/

 

 

 

 

Step 4: Consult with Stakeholders

 

Consider how to consult with relevant stakeholders: describe when and how you will seek  views (of internal and external stakeholders) to identify privacy and any other risks

 

Have you consulted with individuals / data subjects in some form? If not, justify why it’s not appropriate to do so.

 

 

 

 

 

 

 

 

Steps 5 & 6: Risk Assessment - Identifying Privacy Risks and Evaluating Privacy Solutions

 

Name of College/School/Service/Project:_XXXX

Risk Register Owner: XXXX

Risk ID

Risk Description

Consequence

Risk Owner                       

Current internal CONTROLS
(provide details of how you currently manage the risk)

Assessment of Risk

Describe what further ACTIONS you will take to reduce the Impact/Likelihood and
mitigate the risk.                                            
State who is the risk owner for each action

Impact
(1,2,3,4,5)

Likelihood (1,2,3,4,5)

Score

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Examples of the types of risks to be alert for in the DPIA process are outlined below.

 

Examples of risks to individuals:

  • Inappropriate disclosure of personal data internally within the University due to a lack of appropriate controls being in place.
  • Accidental loss of electronic equipment by University’s personnel may lead to risk of disclosure of personal information to third parties.
  • Breach of data held electronically by “hackers”.
  • Vulnerable individuals or individuals about whom sensitive data is kept might be affected to a very high degree by inappropriate disclosure of personal data.
  • Information released in anonymised form might lead to disclosure of personal data if anonymisation techniques chosen turn out not to be effective.
  • Personal data being used in a manner not anticipated by data subjects due to an evolution in the nature of the project.
  • Personal data being used for purposes not expected by data subjects due to failure to explain effectively how their data would be used.
  • Personal data being used for automated decision making may be seen as excessively intrusive.
  • Merging of datasets may result in a data controller having far more information about individuals than anticipated by the individuals.
  • Merging of datasets may inadvertently allow individuals to be identified from anonymised data.
  • Use of technology capable of making visual or audio recordings may be unacceptably intrusive.
  • Collection of data containing identifiers may prevent users from using a service anonymously.
  • Data may be kept longer than required in the absence of appropriate policies.
  • Data unnecessary for the project may be collected if appropriate policies not in place, leading to unnecessary risks.
  • Data may be transferred to countries with inadequate data protection regimes.

 

Examples of Corporate Risks:

  • Failure to comply with the GDPR may result in investigation, administrative fines, prosecution, or other sanctions.
  • Failure to adequately conduct a DPIA where appropriate can itself be a breach of the GDPR.
  • Data breaches or failure to live up to student, staff or other service users expectations regarding privacy and personal data are likely to cause reputational risk.
  • Public distrust of the University’s use of personal information may lead to a reluctance on the part of individuals to deal with the University.
  • Problems with project design identified late in the design process, or after completion, may be expensive and cumbersome to fix.
  • Failure to manage how the University keeps and uses information can lead to inefficient duplication, or the expensive collection and storage of unnecessary information.
  • Unnecessary processing and retention of information can also leave the University at risk of non-compliance with the GDPR.
  • Any harm caused to individuals by reason of mishandling of personal data may lead to claims for compensation against the University.

 

 

Step 7: Document DPIA Outcomes

 

Item

Name/date

Notes

Measures approved by (Data Owner):

 

 

Integrate actions back into project plan, with date and responsibility for completion

 

DPO advice provided:

 

 

DPO should advise on compliance, step 6 measures and whether processing can proceed

 

Summary of DPO advice:

 

 

 

DPO advice accepted or overruled by:

 

If overruled, you must explain your reasons

 

Comments:

 

 

 

Residual risks approved by:

 

If accepting any residual high risk, consult the Data Commissioner before going ahead

 

 

 

 

Consultation responses reviewed by:

 

If your decision departs from individuals’ views, you must explain your reasons

 

Comments:

 

 

 

This DPIA will be kept under review by:

 

The DPO should also review ongoing compliance with DPIA

 

 

 

 

 

Document History

Document Location

 

Revision History

Date of this revision:

Date of next review:

 

 

 

Version Number/Revision Number

Revision Date

Summary of Changes

0.1

05/04/2018

Initial Draft

0.2

23/04/2018

After review by AH

0.3

10/05/2018

After review by MB

0.4

31/05/2018

After review by research work stream and COS

0.5

15/05/2019

After annual review by COS/AH

 

 

 

 

Consultation History

Revision Number

Consultation Date

Names of Parties in Consultation

Summary of Changes

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Approval

This document requires the following approvals:

Name

Title

Date approved

 

 

 

 

 

 

 

 

 

This procedure will be reviewed annually by the Information Compliance Manager and Corporate Secretary in light of any legislative or other relevant developments.

 

 

Office of Corporate and Legal Affairs

Oifig um Ghnóthaí Corparáideacha agus Dlíthiúla

1 st Floor, East Wing, Main Quadrangle,

Top