Data Protection Impact Assessment

Carrying out a DPIA at Anglia Ruskin University

Data Protection Impact Assessments (DPIAs), formerly known as Privacy Impact Assessments, have long been a best practice requirement. Since the introduction of the GDPR on 25th May 2018, Article 35 makes them a statutory requirement where necessary.

The law states that DPIAs are required where an organisation is proposing to process personal data in a way that could present a ‘high risk’ to data subjects. The law does not define ‘high risk’ particularly well; therefore, until detailed regulator guidance is produced or case law provides guidance, there is an element of judgement to be exercised when deciding whether a DPIA is required.

ARU therefore makes an initial assessment of proposed new data processing, or of changes to existing data processing, a key part of its IT project and Procurement management processes.

The first step is an initial DPIA screening process to decide whether a full detailed DPIA is required. The Initial Assessment form should be completed by the initiator.

The DPO will discuss further with the initiator if required and will then decide whether a full scale assessment is required. The Data Protection Officer will complete the full DPIA process if it is required to be undertaken.

What is a DPIA?

DPIAs are a tool to help organisations identify, assess and mitigate or minimise the privacy risks associated with data processing activities. They’re particularly relevant when a new data processing process, system or technology is being introduced.

Why should I do a DPIA?

A DPIA is a key component of a 'Privacy by design' approach to a project or other personal data processing activity. 'Privacy by design' is an essential tool in minimising privacy risks and building trust with Data Subjects and partners. The Information Commissioner's Office (ICO) encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any initiative, and then throughout its lifecycle. DPIAs also support the accountability principle, as they help organisations comply with the requirements of the General Data Protection Regulation (GDPR) and demonstrate that appropriate measures have been taken to ensure compliance.

Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation's annual global turnover or €10 million – whichever is greater.

When should a DPIA be conducted?

The GDPR mandates a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:

  • A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • Processing on a large scale of special categories of data.
  • Systematic monitoring of a publicly accessible area on a large scale.

Examples are:

  • Building a new IT system for storing or accessing staff personal data.
  • Implementing a new piece of software to manage student contacts.
  • Implementing surveillance technology in a building, such as a CCTV system.
  • Using a cloud service for the storage of research data.
  • Developing policies or strategies that have data privacy implications.
  • Processing staff health data in conjunction with an occupational health service provider.
  • The archiving of pseudonymised personal sensitive data from research projects or clinical trials.
  • Systematically monitoring employee activities, including workstations and Internet activity.
  • The gathering of public social media data for generating profiles or making decisions (profiling).

A DPIA should be completed for new initiatives or for changes to existing systems or processes. It may also be a recommended outcome from a formal investigation into an information security incident or weakness at the University. A DPIA must be considered for all research projects that use special category data or involve the processing of large volumes of data.

Embedding data privacy features into the design of projects can have the following benefits:

  • Potential problems are identified at an early stage.
  • Addressing problems early will often be simpler and less costly.
  • Increased awareness of privacy and data protection across the organisation.
  • Organisations will be less likely to breach the GDPR.
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals.

Who should conduct a DPIA?

ARU’s Data Protection Officer has overall accountability for ensuring that DPIAs are completed for high risk personal data processing initiatives. Responsibility for ensuring that a specific DPIA is completed lies with the individual responsible for the initiative, such as:

  • The project sponsor
  • The information asset owner
  • The lead for a research project.

Who should hold the completed DPIA?

The Data Protection Officer will retain a central log detailing all completed DPIAs. The individual responsible for the initiative should retain a copy of the completed DPIA, with the master being held by the Secretary & Clerks Office for audit purposes and to demonstrate compliance with legislative requirements should a query be raised. A DPIA must be approved by the Data Protection Officer to be considered valid.