At a glance

Purpose

• The Data Protection Impact Assessment Policy sets out the University’s approach to identifying the need for undertaking and implementing Data Protection Impact Assessments (DPIAs). The General Data Protection Regulation 2016/679 (GDPR) and Data Protection Act 2018 require the University as a data controller to consider risks to the privacy of individuals from processing of their personal data and to apply appropriate measures to minimise these risks. Necessary safeguards must be incorporated into all activities involving the processing of personal data at an early stage, before any processing takes place, to ensure that the privacy of individuals is protected. This is known as ‘Data Protection by Design’.  

Scope

• This Policy applies to everyone who has a contractual relationship with the University and sets out the principles of DPIAs – their use, review, disclosure and publication – serving as a tool to help the University to identify, evaluate and mitigate risks to individuals arising as a result of the processing of their personal data. At the same time, a DPIA should ensure compliance with data protection law. 

Responsibilities

• The Chief Information & Transformation Officer (CITO) is accountable for the implementation of this policy. The Data Protection Officer monitors how a DPIA is performed and must be consulted for the purpose of advice giving on legally required DPIAs. Heads of Departments (or nominated deputy) are accountable for the implementation of this Policy in their respective departments, and for its communication to their staff as appropriate.

Compliance

• Compliance with this policy will be monitored on an ongoing basis, with a focus on: DPIA completion, DPIA referrals to the ICO, annual review of DPIAs and any DPIAs which have been disclosed. Compliance performance will be reported by Information Asset Owners monthly to the University Information Management Committee. A failure to comply with this policy will be deemed to be a disciplinary offence, and will be subject to the University Information Management Executive Committee escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.

Full policy

Policy Introduction and Purpose

This policy sets out the University’s approach towards identifying the need for, undertaking and implementing Data Protection Impact Assessments (DPIA).

The General Data Protection Regulation 2016/679 (GDPR) and Data Protection Act 2018 require the University as a data controller to consider risks to the privacy of individuals from processing of their personal data and to apply appropriate measures to minimise these risks. Necessary safeguards must be incorporated into all activities involving the processing of personal data at an early stage and before any processing takes place in order to ensure that the privacy of individuals is protected. This is known as ‘Data Protection by Design’.

A key element of the GDPR’s focus on accountability and Data Protection by Design is the requirement to undertake a Data Protection Impact Assessment (DPIA) (often referred to as a Privacy Impact Assessment) where any processing of personal data is ‘likely to result in high risk’ to the rights and freedoms [their privacy] of individuals.

A DPIA therefore serves as a tool to help the University to identify, evaluate and mitigate risks to individuals arising as a result of the processing of their personal data. At the same time, a DPIA should ensure compliance with data protection law.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management. This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Policy Responsibilities

The Chief Information & Transformation Officer (CITO) is accountable for the implementation of this policy.

The Data Protection Officer monitors how a DPIA is performed and must be consulted for the purpose of advice giving on legally required DPIAs.

Operational Responsibilities

Principles of this Policy

A DPIA must be undertaken before the processing of any personal data which is “likely to result in a high risk to the rights and freedoms” of individuals. As such, it is necessary to identify whether there are any factors that warrant the need for a DPIA to be undertaken.

The GDPR requires a DPIA to be undertaken where any processing activity will involve:

1. The systematic and extensive evaluation of personal data by automated means, including profiling, resulting in decisions that would have significant effects for those individuals
2. The processing of special categories of personal data (see Glossary of Terms (IM03) for a definition) or personal data relating to criminal convictions and offences on a large scale
3. The systematic monitoring of a publicly accessible area on a large scale

Where any new initiative will involve the processing of personal data, the DPIA screening questionnaire should be completed. It is the responsibility of the Information Asset Owner (IAO) to ensure the screening questionnaire is completed properly.

If there is any uncertainty regarding completion of the questionnaire or the outcome, the University’s Legal & Compliance Services at GDPR@warwick.ac.ukLink opens in a new window should be consulted.

Where the outcome of the questionnaire suggests that the processing is unlikely to result in a high risk to individuals, there may be circumstances where it is advisable to undertake a DPIA.

Where it has been concluded that a DPIA is unnecessary and will not be undertaken, the reasons for this should be clearly documented, and you should retain the screening questionnaire to evidence the decision made as this may need to be revisited and reviewed at a later date.

Undertaking a DPIA

If a DPIA is deemed necessary for a particular process, the DPIA template should be completed. Where any section is not completed because it is not applicable or not considered necessary this should be explained. The Data Protection Impact Assessment template is available here.

Part of the DPIA may involve consultation with relevant internal and external stakeholders. It may also involve consultation with third party data processors. In this scenario you should ensure that they are willing to assist you with the DPIA as it relates to their proposed involvement in processing.

Where a data processor is already used then they will be under a legal obligation to assist us in meeting our obligations to conduct a DPIA.

Consultation with the Information Commissioner’s Office

Where the outcome of a DPIA is that the processing of personal data in the context of an initiative may result in a risk, you will be required to consider measures to eliminate or mitigate that risk

However, if measures to eliminate or mitigate the risk still retain significant exposure above the defined Information Management risk appetite, then the IAO should consult with the CITO and DPO about consultation with the Information Commissioner’s Office (ICO). This consultation should only be necessary in very exceptional instances as it is expected that the University will be able to apply measures to appropriately mitigate or eliminate risk on most occasions.

Should the CITO and IAO agree that a referral to the ICO is necessary no further processing activity identified under the DPIA must be carried out until the ICO provide written confirmation it is permissible to continue. In this instance the DPO will initiate contact with the ICO.

Review of DPIAs

A DPIA should be undertaken at the earliest opportunity in the development of any process and re-assessed prior to commencement of the relevant processing activities to identify whether any changes to the initiative impact upon the outcomes of the DPIA and whether the controls and measures identified in the DPIA have been integrated into the initiative.

Once the processing of personal data has commenced in respect of an initiative, you must review the DPIA regularly having regard to the nature and risks associated with the processing activities or scope of the initiative, A review should be undertaken at least annually by the staff member or team leading or owning the initiative.

Disclosure and publication of DPIAs

You must retain a copy of the DPIA in line with the identified retention period for the data being processed (see Information & Records Management Policy IG03 for retention details).

Should there be a requirement to share a DPIA (e.g. with another institution or funding partner) then the precise arrangements should be the subject of agreement between the CITO and the relevant IAO.

DPIA’s may also be disclosable under freedom of information act laws.

The CITO may refer the matter for further legal advice.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• DPIA completion
• DPIA referrals to the ICO
• Annual review of DPIAs
• Any DPIAs which have been disclosed

Compliance performance will be reported by Information Asset Owners monthly to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence, and will be subject to the University Information Management Executive Committee escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.

Policy

It is University Policy that:

• information security controls must be monitored to ensure they are adequate and effective

Not in use

Not in use