Data protection impact assessments
Under data protection legislation, where a new processing activity is proposed and results in a high degree of risk for data subjects, we must first conduct a data protection impact assessment (DPIA). You may see this occasionally referred to as a data privacy impact assessment. The aim of a DPIA is to systematically analyse the processing and help you to identify and minimise data protection risks.
What is a DPIA?
A DPIA is a process you can use to analyse your data processing. It must
- Describe the processing and your purposes;
- Assess necessity and proportionality;
- Identify and assess risks to individuals; and
- Identify any measures to mitigate those risks and protect the data.
When do I need to do a DPIA?
Whenever a type of processing is likely to result in high risk for data subjects. This means that although the actual level of risk has not been assessed yet, you need to screen for factors which point to the potential for a widespread or serious impact on individuals.
In particular, the GDPR says you must do a DPIA if you plan to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
Further examples of activities which may require a DPIA include if you plan to:
- use new technologies;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behaviour;
- profile children or target services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
It is good practice to carry out a DPIA for any major new project involving the use of personal data. If you identify a high risk which you cannot mitigate, the College will have to consult the ICO before beginning the processing.
How do I do a DPIA?
Option 1: For activities not involving research within the Faculty of Medicine:
Please refer to the Data Protection Impact Assessment Template [WORD] and DPIA guidance. If you have any questions on DPIAs, please contact the Data Protection Officer via firstname.lastname@example.org.
For activities within the Faculty of Natural Sciences please also contact Amanda G Hamilton email@example.com for assistance
Option 2: Faculty of Medicine Research Activities:
To facilitate compliance, the Faculty of Medicine has developed a Research Data Privacy Impact Assessment (DPIA) Tool based in SharePoint. The Faculty mandates a completion of this tool for research projects that handle health and social care data.
By registering your projects in this tool you will:
- Complete an impact assessment of your project and associated datasets to identify potential gaps and, with help of appropriate teams, agree how to address these gaps. This, in turn, will help you comply with relevant legal obligations, thus protecting your research project.
- To note, completion of this his assessment via the tool will act as a Data Privacy Impact Assessment (DPIA) - hence completion of a separate standalone DPIA for the College will not be necessary.
- Get help from an appropriate Faculty Data Advisor who will attempt to address your specific queries or direct them to the appropriate team(s).
- Ensure your research data is also registered in College’s Information Asset Register.
To find out more about it and start registration process please go to the FoM IG SharePoint site - https://imperiallondon.sharepoint.com/sites/fom/operations/fomig/SitePages/RDPIA-tool.aspx and contact firstname.lastname@example.org.