Stage 2 - Privacy Impact Assessment

A full Privacy Impact Assessment should be undertaken if it has been determined in Stage 1 that the project will have implications for privacy. The Information Governance lead will confirm whether a full PIA is required in the outcome section of Stage 1. The following template should be completed in full. Appendix A details how the privacy impact assessment should be linked to the Data Protection Act principles, and the questions within this section may help you think about how privacy will be affected by the project.

Project Name
Reviewer
Directorate
Date of Completion
Any Associated Projects / Programmes

Part One – Identify the need for a PIA

  1. Briefly explain the purpose of the project, what it aims to achieve and the expected benefits (or provide a link to the project mandate).
  2. Summarise why the need for a PIA was identified (this can be copied from the outcome of the Stage 1 form).

Part Two – Describe the Information Flows

  1. Describe what information/data is going to be collected, how it is going to be used and how long it will be kept for (this may be information collected as part of the project or within the system/process that the project is implementing on an ongoing basis).
  2. How many individuals are likely to be affected by the project?
  3. Provide an information flow diagram.

Part Three – Consultation Requirements

  1. What steps will be taken to ensure that all privacy risks are identified and addressed? Who will be consulted (internally and externally) and how will this be carried out? (Refer to stakeholder analysis documentation from PMO)

Part Four – Identify the Privacy Risks

  1. Identify the key privacy risks. These risks should be recorded on the corporate or project risk register and linked to this document.

| Risk No. | What is the Privacy Issue? | What is the risk to individuals? | Is this a compliance risk (with Data Protection)? | Is there an associated organization/Corporate Risk? |
|---|---|---|---|---|
| | | | | |

Part Five – Identify Privacy Solutions

  1. Describe the actions which can be taken to reduce the identified risks and any future steps which will be necessary (e.g. creation of new guidance/future security testing for systems).

| Risk No. | Solution(s) | Result: risk eliminated, reduced or accepted? | Evaluation: is the final impact (after implementing solutions) justified, compliant and proportionate to the aims of the project? |
|---|---|---|---|
| | | | |

Part Six – Sign Off and Record PIA Outcomes

  1. Who has approved the privacy risks outlined above? What solutions need to be implemented? (Approval will normally be provided by the project owner or project board for high/business critical projects)

| Risk No. | Approved Solution | Approved By and Date |
|---|---|---|
| | | |

Part Seven – Integrate the outcomes back into the project plan

  1. Confirm who is responsible for integrating the outcomes and approved actions back into the project plan.
  2. Who is the contact for any future privacy concerns regarding this project and its outcomes?

Once completed, store a copy of this Privacy Impact Assessment within the project folder in the PMO workgroup on the G drive (G:\WorkGroups\PMO) and email the Information Governance Lead to assess the outcomes.