DPIA Guidance V5

This document provides guidance on conducting a Data Protection Impact Assessment (DPIA) for projects at the University of Edinburgh. It explains that a DPIA should be completed when new personal data will be collected or existing data used for new purposes. The guidance outlines a multi-stage process for completing a DPIA template, including preparing by mapping data flows, checking compliance with privacy laws, screening the project, consulting internal stakeholders to identify risks, and potentially consulting external stakeholders. If risks are found to be medium to high, a full DPIA is required.

University of Edinburgh: Data Protection Impact Assessment guidance

How to conduct a Data Protection Impact Assessment (DPIA)

This guidance is for any member of University staff tasked with completing a DPIA. It
accompanies the University’s DPIA template and explains how to complete that template.

You will need to use this guidance:

• When intending to start a new project involving personal data

• When using personal data already collected for a new purpose incompatible with
the purpose for which they were collected.

Definitions

• Personal data
• Sensitive personal data
• Data subject
• Processing
• Data processor
• Data controller

Completing the DPIA template

The DPIA template provides you with a mechanism to accompany the entire life cycle of the
project from the original concept to the actual implementation and first use. Thus, the DPIA
does not constitute a one-off exercise but rather will be relevant throughout the
implementation of your project.

DPIA template

1. What is a DPIA?

A DPIA is:

• A tool/process to assist organisations in identifying and minimising the privacy risks
of new projects, systems or policies

• A type of impact assessment conducted by an organisation, auditing its own
processes to see how these processes affect or might compromise the privacy of the
individuals whose data it holds, collects, or processes

A DPIA is designed to accomplish three goals:

• Ensure conformance with applicable legal, regulatory, and policy requirements for
privacy;


• Determine the risks and effects; and

• Evaluate protections and alternative processes to mitigate potential privacy risks.

2. When do I need to carry out a DPIA?

When you plan to:

• embark on a new project involving the collection of personal data;

• introduce new IT systems for storing and accessing personal information;

• participate in a new data-sharing initiative with other organisations;

• initiate actions based on a policy of identifying particular demographics;

• use existing data for a “new and unexpected or more intrusive purpose”.

Examples:
• Sensors under assigned staff desks to monitor frequency of use.

• Body-worn cameras for security staff.

• Automatic video and audio recording of lectures.

• Amalgamation of HR and Payroll computer systems and digitisation of HR records.

• Sharing student data with new third parties.

• Installing a CCTV system in the University Library reading room.

3. What are the risks of not carrying out a DPIA?

• The need to redesign all or major parts of the system/project.

• Collapse of the project due to adverse publicity.

• Loss of trust or reputation.

• Breach of data protection legislation and significant fines.

• Subsequent regulatory action by the Information Commissioner’s Office (ICO) as a
result of complaints received from data subjects.

• Individuals subjected to fraud, identity theft and distress.

• Legal action taken by individuals to sue the University.


4. How to carry out a DPIA

Stage 1: Preparing for screening

The purpose of the screening process is to work out whether a DPIA is necessary and, if that
is the case, how it should be scaled. This process should ensure that the time and effort you
put into carrying out a DPIA is proportionate to the risks. If you conclude that no DPIA is
necessary, the screening process will also help you determine whether you should, at least,
check compliance with privacy laws.

Begin by outlining the project and listing the purpose and objectives and benefits to the
University or the staff/students/etc. affected by the project. As well as providing a clear and
well-argued case for the project as a whole, it should also highlight those features that may
have the potential for the biggest impact upon privacy.

Next, make a preliminary assessment for data usage by mapping data flows:

• How is the information collected, stored, used and deleted?

• What information is used?

• What is it used for?

• Who will have access to it?

This gives you an understanding of how the information is going to be used. The mapping can
be done in the form of a flow chart, an information register, or a project design brief.

Then, begin to identify internal stakeholders (for example the project team and software
provider) and external stakeholders (those affected by the project, such as students, staff or
visitors). Note that internal stakeholders are NOT the DPIA team. Rather, they can be:

• the School/College/Department using the project;
• project officers;
• IS, if involved; or
• external organisations.

Finally, conduct an environmental scan. Look around - both within and outside the
University – to gather information from previous projects of a similar nature (particularly
where the same or similar technology has been used) to see whether there are any lessons
you can draw upon.

Stage 2: Compliance with privacy laws

Although the privacy law compliance process will have to be initiated and performed as far
as possible at this stage, it cannot be finalised until late in the project life-cycle when the
design is complete. This is why you will need to revisit the compliance section immediately
before implementation.


Not all the legislation listed in the template will apply to your project – however, the GDPR
most certainly will. By checking the legislation, you ensure that your project is compliant with
all the relevant privacy and data protection legislation that apply. This is particularly relevant
for data sharing – here you must ensure compliance with the data protection principles.

If you have any doubt, obtain advice from the Data Protection Officer or Legal Services.

Data Protection Officer contact details

Stage 3: Screening

Answer all questions with ‘yes’ or ‘no’. Should you need to provide more detailed information
to explain the project, do so.

If you have answered one or more of the questions with ‘yes’, you will need to carry out a full
DPIA. Looking at the answers you’ve given, you should get an understanding of where the
privacy risks are. Always keep in mind: the purpose of the DPIA is to minimise privacy risk to
the highest possible extent!

If all questions are answered with ‘no’ and you don’t need to do a DPIA, remember that the
privacy law compliance check will need to be a living document until the project is
implemented, and a final check will need to be conducted at the implementation stage.

If you have concluded that a DPIA is warranted, the next stage is to make the preparations
for the all-important consultation and risk analysis stages. These stages are at the core of
any DPIA and are what distinguishes it from a straightforward legal compliance check.

Stage 4: Internal stakeholder consultation

One of the first actions to complete now is to look back at the preliminary list of stakeholders.
This builds on the work you did during the preparation for the screening stage. You now
need to consider in more detail what the interests of the various stakeholders are and the
level of involvement they will have in the DPIA. You need to conduct an initial consultation
to identify any potential risks to the data subjects and record the risks.
Turning to Appendix B, you will now begin noting the risks the internal stakeholders have
identified in the risk analysis template. This will help to clarify the basis of your decision and
help to inform the planning you do in the next stage, and it should ensure the framework and
resourcing for the DPIA are in proportion to the perceived risks. This preliminary
identification of the risks should be treated very much as a work in progress – the whole
purpose of the consultation phase of the DPIA is to find ways to avoid or reduce the effects
of these risks, as well as to surface any other risks that may exist.

The risks you have identified should be recorded according to the categories: risks to
individuals, corporate risks and compliance risks:

• Risks to individuals: risks affecting people directly, e.g. new surveillance methods,
disclosure of sensitive personal data.
• Corporate risks: sanctions, fines, loss of reputation.
• Compliance risks: non-compliance with specific legislation.


Should it become obvious at this stage that the risks are likely to be low to medium, an
external stakeholder consultation will not need to be conducted. If this is the case, note
down the decision and the rationale behind the decision and proceed to stage 6. If the
risks are likely to be medium to high, proceed to stage 5.

Stage 5: External stakeholder consultation

Identify and list all external stakeholders, e.g. the people affected by the project, for
example, these could be:

• students,
• staff,
• research participants,
• library subscribers,
• …

IMPORTANT: You will save time by involving the right internal stakeholders in your meetings
with external stakeholders. For example, what a stakeholder might think is a good solution
might not be so if your IT people tell you it is not technically feasible. Remember, your aim
all the way through is to find ways to enhance privacy.

Ensure that the time and effort spent consulting each stakeholder is proportionate to the
seriousness of the risks they are helping you address. As with the management of all risks,
proportionality should be the watchword.

From the work you have completed so far, you should have an initial view of the privacy risks
which you can use to guide you in drawing up a consultation plan.

Next, you will need to decide who shall conduct the consultation. Then decide whether you
can carry out the consultation with representatives of, or advocates for, some stakeholder
groups, and agree what the perspectives, or interests, of all the stakeholders are. Then decide
how best to consult with them:

• face to face meetings,
• phone calls,
• correspondence,
• focus groups,
• workshops,
• online consultation.

Keep in mind that an effective consultation depends on all stakeholders being sufficiently
well-informed about the project, having the opportunity to convey their perspectives and their
concerns, and developing confidence that their perspectives are being reflected in the
design.

Describe the project to the stakeholders, explain the data flows and the benefits to them.
Then hand the discussion over to them and ask them for their view:

• Where do they see privacy risks?

• Where do they see possibilities for improvement?

• Do they have any suggestions for improvement?

Some useful ways of ensuring effective consultation include:

• priming of discussions by providing some initial information about the project;
• facilitated interactions among the participants;
• making sure that there is sufficient diversity among those groups or individuals
being consulted, to ensure that all relevant perspectives are represented, and all
relevant information is gathered;
• making sure that each group has the opportunity to provide information and
comment, even including multiple rounds of consultation where necessary;
• making sure that the method of consultation suits the consultation group, for
example using workshops or focus groups as an alternative to, or even as well
as, formal written consultation;
• making sure that the information provided by all parties to the consultation is fed
into the subsequent rounds of design and implementation activities; and
• ensuring that the perspectives, concerns and issues raised during the
consultation process are seen to be reflected in the outcomes of the DPIA
process.

Stage 6: Risk analysis

Begin this process by adding the risks identified by the stakeholders to the list of risks you
have made in Stage 3 in the first column of Appendix B. From this, you should start to form a
clear picture about how significant the risks that you previously identified are, and whether
there are previously unseen risks. This work and the stakeholder consultation are a cyclical
process. As you clarify what the risks mean you should work with the stakeholders – internal
and external – to find ways to avoid or mitigate those risks.

For each of the next three columns – impact of the risk on individuals, likelihood of it
happening, likelihood of the situation escalating to reputational loss through exposure –
decide whether the risk is high, medium or low and enter this in the respective column.

Next, list all measures you can take to either eliminate or mitigate the risks. There could well
be more than one potential solution for each risk.

There are two types of solutions to privacy risks: avoidance measures and mitigation
measures.

An avoidance measure is a means of dissipating a risk. It refers to the exclusion of
technologies, processes, data or decision criteria, in order to avoid particular privacy issues
arising. Examples are:

• Minimisation of personal data collection.
• Non-collection of contentious data items.
• Active measures to preclude the use of particular data items in the making of
particular decisions.
• Active measures to preclude the disclosure of particular data items.


A mitigation measure is a feature that compensates for other, privacy intrusive aspects of a
design. A mitigation measure may compensate partially or wholly for a negative impact.
Examples are:

• Minimisation of personal data retention by not recording it, or by destroying it as soon
as the transaction for which it is needed is completed.

• Destruction schedules for personal information which are audited and enforced.

• Limits on the use of information to a very specific purpose, with strong legal,
organisational and technical safeguards preventing its application to any other
purpose.

• Design, implementation and resourcing of a responsive complaints-handling
system, backed by serious sanctions and enforcement powers.

Under some circumstances it may be appropriate to recognise and accept the privacy risk
where the likelihood of it being realised or the impact would be low. However, this must be
carefully considered, and must not be done simply as an alternative to taking action.

Finally, decide who will be responsible for each risk and list whether the risk will still be high,
medium, low or eliminated after you have implemented the solution you have found. Do this
for all three categories.

Stage 7: Approval

Having completed the consultation, legal compliance checks and risk analysis, you should
be in a position to clearly set out the options and to make a recommendation about how best
to proceed. If significant risks remain, you should explain what the problems are and why the
risk analysis and project amendment process failed to resolve them. In extreme cases, your
recommendation may be that the project needs to be re-thought because there is no viable
solution that does not present an unacceptably high risk to the privacy of individuals.

Stage 8: Readiness for service

Once the project has been formally approved by the relevant budget holder, you should be
ready to implement the agreed solution. This stage may involve procurement of an IT system
and the subsequent detailed design and build stages. It is important to ensure throughout
these stages that the mitigating and/or avoiding measures that were worked up during the
DPIA are carried through into implementation.

And finally, before going live, you should double-check that these measures are working in
the way intended, and that the final system or process does still comply with privacy laws. If
not, you may need to go back a stage to see whether the approved solution has been
implemented correctly.


Stage 9: Review

As you close the DPIA you should consider when it will be reviewed and how the review will
be carried out.

The purpose of a review is to ensure that the measures introduced as part of the DPIA are
working effectively. It is expected that such a review, particularly in the case of major DPIAs,
will be carried out as part of the wider review into the effectiveness of the project or
programme deliverables. For smaller DPIAs, the review may be carried out as a standalone
process. Either way, upon completion of the DPIA you should record how this review will be
carried out, by whom, and when.

Email a copy of the completed DPIA to the University Data Protection Officer at
[email protected].

About this guidance

Version control

Version  Author/editor            Date           Edits made
5        Claire Friend            May 2018       Review section renamed from "Review or Audit".
4        Claire Friend            March 2018     DPO edits actioned.
3        Claire Friend            March 2018     Document edited to conform to accessibility
                                                 guidelines. Also edited numbering to make it
                                                 run concurrently.
2        Data Protection Officer  February 2018  Initial publication version (formatted by DICM).

If you require the guidance in an alternative format, please contact Records Management:
[email protected] or 0131 651 4099