Data Protection Impact Assessment Procedure
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks. It is an important tool for building and demonstrating compliance with the GDPR (i.e. accountability).
Under the General Data Protection Regulation (GDPR) the University must carry out a DPIA where a planned or existing processing operation is “likely to result in a high risk” to individuals. Although the GDPR provides examples of data processing that would fall into this category, this is a non-exhaustive list.
It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
The purpose of this procedure is to enable UCC staff to:
- identify when a DPIA is mandatory
- carry out a DPIA.
All new projects and significant changes to existing systems/processes which require the processing of personal data must perform at least step 1 of this procedure to determine if a full DPIA is required.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of data subjects, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material. To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified.
Step 1: Identify the Need for a DPIA/whether a DPIA is mandatory
The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. Carrying out a DPIA is only mandatory where processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 GDPR). The GDPR provides (a non-exhaustive list of) some examples of processing that would fall into this category, and supervisory authorities are tasked with publishing a list of the kinds of processing which are subject to the requirement for a DPIA. Based on guidance from the regulators to date, the following should be taken into account when determining whether processing is “high risk” and therefore requires a DPIA.
You must do a DPIA if you plan to carry out one or more of the following:
- Evaluation and scoring (including profiling and predicting), especially concerning a data subject’s performance at work, economic situation, health, personal preferences, reliability or behaviour, location or movements. An example would be offering genetic tests in order to assess or predict disease/health risks or gathering social media profile data for generating profiles for contact directories or marketing.
- Automated decision-making with legal or similar significant effects - Is a decision made by automated means without any human involvement? An example would be an online decision to award a loan or a recruitment aptitude test that uses pre-programmed algorithms and criteria.
- Systematic monitoring - including through a publicly accessible place on a large scale. For example, using a camera to monitor driving behaviours on a road.
- Sensitive data or data of a highly personal nature – this includes the special categories of data as defined in Article 9:
  - racial or ethnic origin
  - political opinions
  - religious or philosophical beliefs
  - trade union membership
  - data concerning health
  - data concerning a person’s sex life or sexual orientation
  - genetic data
  - biometric data
  as well as criminal data as defined in Article 10. An example would be a hospital keeping patient medical records or an organisation keeping offenders’ details.
- Data processed on a large scale – while the term ‘large scale’ is not defined, the regulators recommend that the following be taken into account: (a) the number of data subjects concerned; (b) the volume and range of data being processed; (c) the duration and permanence of the processing; (d) the geographic extent of the processing activity.
- Datasets have been matched or combined – for example, two or more data processing operations performed for different purposes and/or by different data controllers being combined in a way that would exceed the reasonable expectations of the data subject.
- Data concerning vulnerable data subjects – for example, children are considered not able to knowingly oppose or consent to the processing of personal data. Patients, elderly people and asylum seekers would also be considered vulnerable data subjects.
- Innovative use or application of technological or organisational solutions – for example, combining the use of fingerprint and face recognition for improved physical access control, or using a video analysis system to single out cars and recognise licence plates.
- When processing prevents the data subject from exercising a right or using a service or a contract – for example, processing in a public area that passers-by cannot avoid, or processing that aims to refuse data subjects access to a service or contract (e.g. a bank screens its customers against a credit reference database in order to decide whether to offer a loan).
In cases where it is not clear if a DPIA should be carried out, the guidance from the regulators is that a DPIA should be carried out as it is a useful tool to comply with GDPR. Advice on whether a DPIA should be carried out can be sought from UCC’s Information Compliance Manager.
Step 2: Describe the Processing in a Systematic Way
Describe how and why you plan to use the personal data. Your description must include “the nature, scope, context and purposes of the processing”.
The nature of the processing
This is what you plan to do with the personal data. This must include:
- how you collect the data;
- how you store the data;
- how you use the data;
- who has access to the data;
- who you share the data with;
- whether you use any processors;
- retention periods;
- security measures;
- whether you are using any new technologies;
- whether you are using any novel types of processing;
- which screening criteria you flagged as likely high risk.
The scope of the processing
This is what the processing covers. This must include:
- the nature of the personal data;
- the volume and variety of the personal data;
- the sensitivity of the personal data;
- the extent and frequency of the processing;
- the duration of the processing;
- the number of data subjects involved;
- the geographical area covered.
The context of the processing
This is the wider picture, including internal and external factors which might affect expectations or impact.
This might include, for example:
- the source of the data;
- the nature of your relationship with the individuals;
- the extent to which individuals have control over their data;
- the extent to which individuals are likely to expect the processing;
- whether they include children or other vulnerable people;
- any previous experience of this type of processing;
- any relevant advances in technology or security;
- any current issues of public concern;
- whether you have considered and complied with relevant codes of practice.
The purpose of the processing
This is the reason why you want to process the personal data. This must include:
- your legitimate interests, where relevant;
- the intended outcome for individuals;
- the expected benefits for you or for society as a whole.
Step 3: Assess Necessity and Proportionality
You should consider:
- Do your plans help to achieve your purpose?
- Is there any other reasonable way to achieve the same result?
- your lawful basis for the processing;
- how you will prevent function creep, i.e. using the data for more than the original purpose;
- how you intend to ensure data quality;
- how you intend to ensure data minimisation;
- how you intend to provide privacy information to individuals;
- how you implement and support individuals’ rights;
- measures to ensure your processors comply;
- safeguards for international transfers.
Step 4: Consult with Stakeholders
You should seek the views of data subjects (or their representatives) unless there is a good reason not to. In most cases it should be possible to consult individuals in some form. Internal stakeholders to consult include, for example, the project management team, IT, procurement, potential suppliers (processors), communications teams, customer-facing roles, researchers and senior management. External stakeholders could include people who will be affected by the project and members of the public.
However, if you decide that it is not appropriate to consult individuals then you should record this decision as part of your DPIA, with a clear explanation. For example, you might be able to demonstrate that consultation would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable.
If the DPIA covers the processing of personal data of existing contacts (for example, existing students or employees), you should design a consultation process to seek the views of those particular individuals, or their representatives.
If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public consultation process, or targeted research. This could take the form of carrying out market research with a certain demographic or contacting relevant campaign or consumer groups for their views. If your DPIA decision is at odds with the views of individuals, you need to document your reasons for disregarding their views.
If you use a data processor, you may need to ask them for information and assistance. You should consult all relevant internal stakeholders, in particular anyone with responsibility for information security.
Step 5: Identify and Assess Risks
Identify the potential risks that may arise. Consider the potential impact on individuals and any harm or damage that might be caused by your processing – whether physical, emotional or material. In particular look at whether the processing could possibly contribute to:
- inability to exercise rights (including but not limited to privacy rights);
- inability to access services or opportunities;
- loss of control over the use of personal data;
- identity theft or fraud;
- financial loss;
- reputational damage;
- physical harm;
- loss of confidentiality;
- re-identification of pseudonymised data;
- any other significant economic or social disadvantage.
You should include an assessment of the security risks, including sources of risk and the potential impact of each type of breach (including illegitimate access to, modification of or loss of personal data).
Having identified the risks, it is then necessary to assess which are going to pose the greatest threat by looking at both the likelihood of the risk occurring and the impact that might result. This provides the overall risk rating.
Step 6: Identify Controls and Actions
Against each risk identified, you should then consider options for reducing that risk. Identify the current controls (how you currently manage the risk) and what further actions you will take to reduce the impact/likelihood and mitigate the risk. For example, some actions and controls that could be implemented are:
- deciding not to collect certain types of data;
- reducing the scope of the processing;
- reducing retention periods;
- taking additional technological security measures;
- training staff to ensure risks are anticipated and managed;
- anonymising or pseudonymising data where possible;
- writing internal guidance or processes to avoid risks;
- adding a human element to review automated decisions;
- using a different technology;
- putting clear data sharing agreements into place;
- making changes to privacy notices;
- offering individuals the chance to opt out where appropriate;
- implementing new systems to help individuals to exercise their rights.
This is not an exhaustive list, and you may be able to devise other ways to help reduce or avoid the risks. You should ask the Information Compliance Office for advice.
Step 7: Document Results
You should then record:
- what additional measures you plan to take;
- whether each risk has been eliminated, reduced, or accepted;
- the overall level of ‘residual risk’ after taking additional measures;
- whether the Data Protection Commission needs to be consulted.
You do not always have to eliminate every risk. You may decide that some risks, and even a high risk, are acceptable given the benefits of the processing and the difficulties of mitigation. However, if there is still a high risk, you need to contact the Information Compliance Manager who will consult with the Data Commissioner before you can go ahead with the processing. As part of the sign-off process, you should ask the Information Compliance Manager to advise on whether the processing is compliant and can go ahead. If you decide not to follow their advice, you need to record your reasons. You should also record any reasons for going against the views of individuals or other consultees.
Step 8: Implement and Review
You must integrate the outcomes of your DPIA back into your project plans. You should identify any action points and who is responsible for implementing them. You should monitor the ongoing performance of the DPIA. You may need to cycle through the process again before your plans are finalised. If you have decided to accept a high risk, either because it is not possible to mitigate or because the costs of mitigation are too high, you need to consult the Data Commissioner before you can go ahead with the processing.
It is good practice to publish your DPIA to aid transparency and accountability. This could help foster trust in your processing activities and improve individuals’ ability to exercise their rights. If you are concerned that publication might reveal commercially sensitive information, undermine security or cause other risks, you should consider whether you can redact (black out) or remove sensitive details, or publish a summary. You need to keep your DPIA under review, at a minimum every 3 years. You may need to repeat it if there is a substantial change to the nature, scope, context or purposes of your processing.