UoR Report–UoR Staff member:

DATA PROTECTION IMPACT ASSESSMENTS

This document sets out the requirements for identifying when a Data Protection Impact Assessment may be required, and actions for staff to take when a need is identified.

These requirements sit under the University Data Protection Policy.

Purpose

A data protection impact assessment (DPIA) is a process used to help identify and minimise any data protection risks of a project. A DPIA may be required for any uses of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, hereafter referred to as ‘processing’.

The General Data Protection Regulation 2016 (the GDPR) requires organisations to:

  • Conduct a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests.
  • Refer processing activities to the Information Commissioner’s Office if we cannot mitigate against any of those high risks.

This document provides a list of pre-screening questions (within Appendix A) for staff to complete whenever embarking on a new project that involves the processing of personal data.

For the purposes of this document ‘Projects’ can include the following:

- Procurement of IT and/or new means of hosting personal data, including use of external suppliers

- Collaborative working arrangements that involve the sharing of personal data, internally or externally

- Activities that involve the collection of additional or new pieces of personal data

- Activities that involve the processing of special category data or criminal conviction data

- Activities that involve the processing of the personal data of vulnerable individuals or children

- Activities that involve the combining of existing sets of personal data to produce more detailed individual records

- Activities that involve increasing access permissions to existing sets of personal data

- Activities that involve any uses of personal data that are not going to be communicated to the data subjects (those whose data it involves)

- Activities that involve profiling, monitoring, or surveillance of individuals

- Activities that involve decisions being made about individuals based on purely automated means (those that do not involve any human interventions)

- Activities that involve any uses of personal data within test environments

*See Appendix B for definitions of personal and special category data

This list is not exhaustive; if in doubt contact your Data Protection Officer at

Pre-screening checklist

Appendix A contains a pre-screening checklist that should be completed for any new projects involving the processing of personal data.

Completion of this form will help to identify if a DPIA is required.

It will give you instructions on when you are required to notify the University Data Protection Officer who will assist you with the process of conducting a DPIA.

The University Data Protection Officer must be involved in any DPIA unless you are informed otherwise.

What happens next

If a need for a DPIA is identified, you will need to arrange a time to conduct the assessment with the University Data Protection Officer and may be asked to provide some additional information ahead of the meeting.

The DPIA will:

  • describe the nature, scope, context and purposes of the processing;

  • assess necessity, proportionality and compliance measures;

  • identify and assess risks to individuals; and

  • identify any additional measures to mitigate those risks.

If any risks are suitably mitigated, the DPIA will be signed off by both the business area (department or project lead) and the Data Protection Officer, and each will store a copy. You will need to revisit the screening questions if the scope of the activities later changes.

If the risks cannot be mitigated, the Data Protection Officer will arrange for referral to the Information Commissioner’s Office where required, and advise on next steps.

What can you do to prepare for a DPIA

- Identify your key stakeholders and involve them in the DPIA process. This will be those managing the project or overseeing the activity, but could also extend to: departments or individuals that are assisting with any technical requirements; third parties that will be accessing or receiving the personal data, and other departments that are responsible for, or the custodians of, the data involved (for example HR for data within Trent, or Student Services for data within RISIS)

In some instances representation from the data subjects will be beneficial, for example the student body or staff networks – where applicable the Data Protection Officer will advise. The process will be a quicker one if you have considered all parties involved and arranged for them to attend the DPIA meetings.

- Find a suitable location to hold the DPIA and allow for a minimum of one hour for the initial assessment.

- Be clear on who will be ultimately responsible for ensuring any recommendations or requirements are followed. The DPIA will need sign off from a senior member of the project team, and in some circumstances a head of School or Service (Data Protection Officer to advise). This person will also be responsible for handing over the DPIA obligations if they leave the University.

- Take into account whether it would be helpful to bring along any supporting project documentation, such as a business case if you have one, any draft contracts, or security assessments that have already been conducted.

Where can I find more information

Additional information on DPIAs and our obligations can be found at:

Or contact the Information Management and Policy Services team at

Version control

Version / Keeper / Reviewed / Approved by / Approval date
1.0 / IMPS / Annually / GDPRWG / May 2018

APPENDIX A: DPIA SCREENING QUESTIONS

Pre-screening questions completed by (please complete)
Name:
Date of completion:
Employee/staff number:
School/Function:
Job Title:
Executive Summary of project (for research projects use Lay Summary):

Please indicate where any of the below statements apply to your project. All statements should be considered and more than one may apply. Please refer to the explanatory notes for guidance on terms used.

Where any of the below statements apply, forward a copy of this document, marked for the attention of the Data Protection Officer to .

This project will involve undertaking activities that:

(Select all that apply)

☐Use systematic and extensive profiling or automated decision-making to make significant decisions about people. For example gathering data about individuals from varying sources in order to create a profile of that individual and use that profile as a means to make decisions that affect that individual (such as services they are offered or not offered). This can include where data is collected from external sources or publicly available information. Automated decisions include any of these activities that do not involve any human intervention, for example where a decision is made purely by a piece of computer software based on the information provided by the individual.

☐Process special category data or criminal offence data on a large scale.

☐Systematically monitor a publicly accessible place on a large scale.

☐Use new technologies.

☐Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.

☐Carry out profiling on a large scale.

☐Process biometric or genetic data.

☐Combine, compare or match data from multiple sources.

☐Process personal data without providing a privacy notice directly to the individual.

☐Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.

☐Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them. This can extend to any persons of 17 years and below. Information society services (social media or networking platforms) tools or apps aimed at children 13 or under have specific requirements and must be referred.

☐Process personal data which could result in a risk of physical harm in the event of a security breach.

☐Involve automated decision-making with significant effects (for example whether someone is accepted onto a course).

☐Involve processing of sensitive data. Sensitive data includes ethnicity, sexual orientation, mental or physical health, racial origin, trade union membership, genetic and biometric data.

☐Involve processing of data on a large scale, for example where very large volumes of data are involved.

☐Processing of data concerning vulnerable data subjects. For example, children, those with mental impairment or reduced capacity for understanding how their data may be used, or individuals that may be at risk of harm.

☐Involve innovative technological or organisational solutions. For example, fingerprint scanners for identity or access management or software that enables very large volumes of data to be manipulated easily.

☐Processing involving preventing data subjects from exercising a Data Subject Right or using a service or contract.

APPENDIX B: DEFINITIONS AND EXPLANATORY NOTES

Personal Data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Special Category Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation

Criminal Offence Data

This will include any declarations of having a spent or unspent criminal conviction, any details of those convictions, as well as any data that refers to the alleged commission of criminal offences.

Large Scale

Affecting in excess of 500 individuals

New Technologies

For example surveillance tools, biometric ID scanners, location trackers, data analytics software and profiling tools (not exhaustive)

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

Automated Decision Making

An activity by which a decision could be made about an individual based solely on automated processing without any human intervention

Vulnerable data subjects

Could include children or children or adults with learning disability, those lacking in the capacity to make their own decisions, those that may have more difficulty understanding or exercising their Data Subject Rights (not exhaustive)

Data Subject Right

See information on Data Subject Rights, here.

© University of Reading 2018. Wednesday 26 September 2018.