The University is now using CNIL's DPIA tool as the default template for DPIAs. If you are on a managed device, you can download the tool from here. If you are on an unmanaged device, you can download the tool from here. Please also see the guidance below for completing DPIAs.
What is a Data Protection Impact Assessment ('DPIA')?
A DPIA is a process to help the University to identify and minimise the data protection risks of a project. It also serves to prove that the University is compliant with the General Data Protection Regulation (‘GDPR’).
When is one legally required?
The University is legally obliged to undertake a DPIA for proposed processing that, on the face of it, is likely to result in a high risk to the rights and freedoms of individuals. Rights in this context are individuals’ rights to the protection of their data and to privacy.
The GDPR states that a DPIA shall, in particular, be carried out where the proposed processing involves:
- a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individuals or similarly significantly affect them;
(An example might be where a piece of software is used to assess and potentially decline applications for admission to the University or employment here)
- processing on a large scale of special categories of data referred to in Article 9(1) of the GDPR or of personal data relating to criminal convictions and offences as referred to in Article 10 of the GDPR; or
(Special Category Data is that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation) (An example might be where there is a medical facility on campus that houses student medical records)
- a systematic monitoring of a publicly accessible area on a large scale.
(An example might be the installation of a new CCTV system on campus)
The use of the words “in particular” demonstrates that there may be other situations where a DPIA ought to be carried out.
What about other scenarios?
The University should consider carrying out a DPIA in any major project involving the use of personal data.
*It should also consider whether to do a DPIA if the proposed processing [European Guidelines] involves:
- evaluation or scoring;
- automated decision-making with significant effects;
- systematic monitoring;
- processing of sensitive data or data of a highly personal nature;
- processing on a large scale;
- processing of data concerning vulnerable individuals;
- innovative technological or organisational solutions;
- processing that involves preventing individuals from exercising a right or using a service or contract.
The University should also carry out a DPIA if we plan to:
- use innovative technology in combination with any of the criteria in the *European guidelines;
- use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;
- carry out profiling on a large scale;
- process biometric or genetic data in combination with any of the criteria in the *European guidelines;
- combine, compare or match data from multiple sources;
- process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the *European guidelines;
- process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the *European guidelines;
- process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;
- process personal data that could result in a risk of physical harm in the event of a security breach.
The University should also carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.
If it decides not to carry out a DPIA, the University should document its reasons.
If in any doubt about whether a DPIA is needed or not please contact the Information and Data Compliance Team.
When should a DPIA be undertaken?
A DPIA should be carried out before any processing is undertaken. It should be started as soon as practicable in the design of processing operations. It can be reviewed and updated as the project develops. This enables the University to implement ‘data protection by design and default’.
Who else should be involved?
If the University is considering using technology then the Information Security assessments team should be consulted before any agreement to purchase occurs.
If the University is involving a data processor [an external person/ entity acting on our instructions] then they should assist us in the completion of the DPIA.
If it is appropriate to do so, we should also seek the views of the individuals whose personal data is to be processed.
You should seek the advice of the Information and Data Compliance team about your DPIA. You must do so where a DPIA is required by law.
What should a DPIA contain?
A DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- objectively identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
Any measures identified must be integrated into the project plan.
What if the project is high risk even after measures have been identified?
If the University identifies a high risk that it cannot mitigate, the Information and Data Compliance team will consult the ICO before starting the processing. The ICO will give written advice within eight weeks, or 14 weeks in complex cases.
What happens after a DPIA has been completed?
DPIAs should be kept under review and revisited when necessary.