DATA PROTECTION IMPACT ASSESSMENT (DPIA)

WHAT IS A DATA PROTECTION IMPACT ASSESSMENT (DPIA)?

A DPIA is a process designed to help the practice systematically analyse, identify, and minimise the data protection risks of a project or plan. It is a key part of the practice's accountability obligations under the Data Protection Act 2018 and, when done properly, helps the practice assess and demonstrate compliance with all of its data protection obligations.

A DPIA does not have to eradicate all risk. It should help you minimise risk and decide whether the residual level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.

DPIAs are designed to be a flexible and scalable tool that can be applied to a wide range of sectors and projects. Conducting a DPIA does not have to be complex or time-consuming in every case, but the level of rigour must be proportionate to the privacy risks arising.

DO WE NEED TO COMPLETE A DPIA?

Yes, is the simple answer, where the processing of personal (including pseudonymised) data is required. The legal responsibility sits with the practice as the Data Controller. Failure to carry out a DPIA when one is required may leave the practice open to enforcement action, including significant fines (up to 10 million euros or 2% of global annual turnover, whichever is higher).

By considering the risks related to the intended processing before you begin, you also support compliance with another general obligation under data protection law: data protection by design and by default.

In general, consistent use of DPIAs increases awareness of privacy and data protection issues within the practice. It also ensures that all relevant staff involved in designing projects think about privacy at the early stages and adopt a 'data protection by design' approach.

A DPIA also brings broader compliance benefits, as it can be an effective way to assess and demonstrate your compliance with all data protection principles and obligations.

However, DPIAs are not just a compliance exercise. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both individuals and your organisation.

WHO COMPLETES THE DPIA?

The practice IG Lead will take the lead on completion of the DPIA. The DPIA will be reviewed by several people, including the Data Protection Officer, the Caldicott Guardian and the Senior Information Risk Owner for the Data Controller, so it is important that it is written in plain English and is free of jargon. DPIAs may also be requested by the public under the Freedom of Information Act (a list of completed DPIAs should be published on each data controller's website), so the DPIA needs to be understandable to a member of the public who has no knowledge of the service or project.

Once you have written an overview of what you plan to do, submit it to mlcsu.ig@nhs.net. On receipt, the compliance team will review it to ensure that all the required information is present. If any further information or clarification is needed, they will come back to you and work through it with you. Once all the information is recorded in plain English and in an easy-to-understand form, the DPIA will be passed to the Primary Care Information Governance Business Partners.

The Business Partners will work with the project lead at the practice to complete the technical, legal and security sections. This may require the project lead to go back to customers for more information, or to system suppliers to answer some of the more technical questions.

Once the Business Partner is satisfied that the DPIA has been completed as fully as possible, they will send it to the relevant Data Protection Officer (DPO) for peer review. The DPO will either come back to you requiring more information or clarification, or recommend the DPIA for approval.

Once the DPO is satisfied, they will recommend that the DPIA is approved by the practice Caldicott Guardian and Senior Information Risk Owner (if applicable).

Each reviewer looks at the DPIA from a different angle. The Data Protection Officer reviews it through a data protection lens. The Caldicott Guardian reviews it with the rights and privacy of the individuals whose data is being processed in mind. The Senior Information Risk Owner reviews it with the risks to the organisation of processing the data for this purpose, and conversely the risk of not processing it, as their main concern. This gives the Data Controller the greatest depth of review, so that should something go wrong they can evidence that all the required steps were taken.

WHAT IS PERSONAL DATA?

Any information from which an individual can be identified, whether directly from the information in question or indirectly from that information in combination with other information (in your possession or theirs).

  • Are you planning to process personal or pseudonymised data, or to make changes to how you process it? If the answer is yes, you need to speak to IG to see whether a DPIA is required.
  • Is your project description easy to understand? Does it meet the 'family test': could a member of your family understand the project description?
  • I cannot answer all the questions. What shall I do? A DPIA may not have all the answers. It may identify where further information is needed, and it may be approved subject to things being implemented in a certain way, helping you to design with privacy central to the plans.
  • Are you carrying out any of the following activities? If the answer is yes to one or more, you need to be aware of when to carry out a DPIA. The IG service can offer full DPIA training to teams that need to know this.
      • Evaluation or scoring.
      • Automated decision-making with significant effects.
      • Systematic monitoring.
      • Processing of sensitive data (such as health data) or data of a highly personal nature.
      • Processing on a large scale.
      • Processing of data concerning vulnerable data subjects.
      • Innovative technological or organisational solutions.
      • Processing that involves preventing data subjects from exercising a right or using a service or contract.