Data Activity Risk-assessment Tool (DART)

DART 2.0 is here!

To ensure we comply with data protection legislation (e.g. the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018) and to improve the management of information assets and associated risks across the university, the DART platform is being refreshed to ensure everyone can complete a data risk assessment efficiently.

We are also expanding the data scope to include non-personal data.

WHAT'S CHANGING?

  • Expanded data scope: The new DART will include both personal and non-personal data, broadening our approach to comprehensive data management.
  • Enhanced user interface: A refreshed look and feel that is designed to be more user-friendly and efficient.
  • Shift in data ownership: The responsibility for completing DART entries is with the person who owns the data, and we’ve implemented a requirement to declare any data you are using before submission.
  • Name change: The old Data Asset Registration Tool is now called Data Activity Risk-assessment Tool.

WHAT DO I NEED TO DO?

We are transferring DART entries over to the new platform in a phased approach until we can close the old platform in 2026, and therefore you will see two versions running in parallel. 

For New DART submissions after 1 December 2025

Please use the following link - DART 2.0

IMPORTANT INFORMATION

  • The first time you access DART 2.0 you will be requested to provide access/link systems that DART is built upon. Please ensure these are allowed.
  • To ensure the best possible performance, please use Google Chrome or Microsoft Edge for access DART. For Firefox, you must first ensure the 'Block pop-ups and third party redirects' is disabled via settings (Settings>Privacy & Security) entirely or by adding an exception for https://apps.powerapps.com/
DART 2.0 Guidance / User Guide;
For 'Old' DART submissions already being created / finalised

Please use the following link DART v1.0

DART 1.0 Guidance / User Guide;

Please note that following DART 2.0 going live, you will not be able to add any new DART entries but you can amend / complete / update any that are already present.

WHY DO I NEED TO DO IT?

Completing DART entries achieves the following;

  • the creation of Data Protection Impact Assessments (DPIAs), which can be downloaded as a PDF;
  • population of the university Records of Processing Activity (RoPA), to help ensure personal data is being recorded and managed in an effective manner;
  • population of the university Information Asset Register (IAR), which captures all activities involving university data – not just those activities which including personal data - for the purpose of oversight, risk identification and risk mitigation. 

WHEN TO CONDUCT A DART REGISTRATION

Any activity / project that processes (uses, stores, analyses etc.) university data, see definitions of university data via the Information Security Policy (Information Security Policy v.7.0, requires the completion of a DART registration. 

The following scenarios would automatically require the completion of a full DPIA and as such a specific DART Registration:

  • systematic and/or extensive profiling with significant affect on individuals;
  • processing special category or criminal offence data;
  • processing any data that is deemed to be ‘Restricted’, ‘Confidential’ or requiring a ‘Certified Environment’, as per the Information Security Policy;
  • systematically monitor publicly accessible places on a large scale;
  • use / implementation of new technologies and systems;
  • use of profiling or special category data to decide on access to services;
  • processing biometric or genetic data;
  • processing data that is deemed high risk or has been shared under contract;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • as part of best practice, for any new processing activities or subsequent changes in current processing activities;
  • as part of engagement activities with new or current partner organisations; and
  • when undertaking research activities.

MORE INFORMATION

To find out more and start the registration process see as follows;

Frequently Asked Questions (FAQ)

What does ‘large scale’ mean?

Whilst legislation does not define what ‘large scale’ means, you should consider;

  • the number of individuals concerned;
  • the volume of data;
  • the variety of data;
  • the duration of the processing; and
  • the geographical extent of the processing;
What happens next after I submit my DART?

Following all feedback and outcomes being implemented into the proposed registration it will be signed off and finalised. Following this completion, the entries will remain under constant review to allow for updates / amendments / new data sets to be added.

However if nothing changes then no further action will be necessary outside an annual review which will be necessary as part of the annual declaration process and managed via DART.

Do I need to complete a DART for every single thing I do, or, can it cover a number of activities?

A single DART entry may cover a broad set of activities where they share similar functions, the same technical protections, data types, purpose and legal basis. If unsure, please contact you Faculty Information Governance (IG) Support or Data Protection Office for guidance. 

I previously completed a paper version of a DPIA or filled in the (now closed down) FoM DPIA Tool, do I need to do this as well?

No, the information you provided previously will be entered onto DART by the central support / faculty teams and assigned for your awareness. Following this occurrence you will be required to keep the entry/entries updated and ensure accuracy of the registration.

What about projects / activities / data sets which have already been completed but the data has been retained for retention purposes or future process

If the data set that was collected as part of the activity is still held and/or will be used in the future you will be required to log this and the context under which the data was collected. Imperial recognises that there is a significant amount of historical / ongoing projects that process health and social care data. Whilst these must be registered, given the scale of the task Departmental Managers under the direction of the Faculty Operating Officer (FOO), associated Information Governance lead and Strategy Committee will plan this activity.  

What types of ‘risk’ are being assessed?

Whilst legislation does not define ‘risk’, the focus of risk is always on how it could or would effect individuals rights and freedoms including those relating to privacy/data protection rights and fundamental rights and interests. ‘Risk’ would therefore cover potential harm be it physical, digital  or intangible, economic, social and/or the risk on society as a whole.

Risk would also cover the potential risk to the University should the data become exposed, misused or where the use of data is governed by a contract. It is important to note that risks is not just associated to personal data but any data which university holds. For more information about Data types please see the Information Security Policy.

What will happen to the entries I made in DART version 1?

All current completed DART entries will be moved in to the new system in early 2026.

Unfinished DARTs - If you have started an entry in the old system you will still have access in order to complete it. Once completed and signed off these entries will then be moved over to the new DART platform in a phased approach.

We encourage you to complete any outstanding DART entries as soon as possible in 2026 in order for them to be moved over in the first phase of the migration.

Later in 2026, ICT will close the old DART system and you will lose access to it.

Any remaining incomplete old DART entries will then be migrated for completion in the new DART.

ICT will contact you to let you know when your entries are migrating and when the old DART is closing.

What will Imperial do with the information provided?

Data from the DART will be used to facilitate reporting on key metrics, such as: 

  • Number of registered projects;
  • Number of overdue reviews;
  • Number of high risk datasets;
  • Creation of the Records of Processing Activity (RoPA)
  • Creation of the Information Asset Register (IAR)
  • Imperial stipulates an annual review process for registered projects - these will also be managed via DART and the Annual Declaration Process.  

HoDs and DOOs will receive findings reports for information and action, as appropriate. These reports will also be provided to all relevant Governance and Data Leadership Groups.