A data protection impact assessment (DPIA) should be completed at the outset of any project, or change to an existing system or process, that involves the collection or handling of personal information. As set of screening questions will determine whether a full assessment is required.
The Information Commissioner’s Office (ICO) advises that they should be built into an organisation’s processes as an “integral part of taking a privacy by design approach”. DPIAs help to identify and remedy privacy and security issues at an early stage, as fixing issues reactively further down the line can often be expensive or technically impossible.
From ICO Privacy Impact Assessment Code of Practice:
“The purpose of the DPIA is to ensure that privacy risks are minimised while allowing the aims of the project to be met whenever possible. Risks can be identified and addressed at an early stage by analysing how the proposed uses of personal information and technology will work in practice. This analysis can be tested by consulting with people who will be working on, or affected by, the project.”
The University's Data Protection Impact Assessment Policy - IGP-08 (PDF, 475kB) provides guidance on why DPIAs are important, when they need to be conducted, responsibilities, and the process for undertaking DPIAs and having them approved.
As well as guidance, it includes a set of screening questions which will determine whether a full DPIA is needed, and a form to use to conduct a full DPIA.
The screening questions and DPIA form can both be accessed as a separate documents:
Data Protection Impact Assessment Screening Questions (Office document, 47kB)
Data Protection Impact Assessment (DPIA) Form (Office document, 58kB)
Further advice and guidance on completing a DPIA can be obtained from the Information Governance Manager and/or Information Security Manager.
DPIAs may be required for some of the University's research activities, as well as projects and initiatives involving Professional Services/the University's corporate divisions. Ethics approval procedures should incorporate the requirements of a DPIA as far as possible, but for higher risk research activities it may be necessary to conduct a separate DPIA.
The DPIA process may require the involvement of some of the following roles:
For further information on the University's project management processes, please see the Strategic Planning and Projects SharePoint (only accessible by University staff).