Data Protection Impact Assessments (DPIA)
A Data Protection Impact Assessment (DPIA) is a way to identify, analyse and mitigate the risks to individuals that arise from processing their personal data.
The University must conduct a DPIA when processing of personal data is "likely to result in a high risk" to individuals; in particular, the UK GDPR says a DPIA must be completed in the following circumstances:
- Use of systematic and extensive profiling with significant effects;
- Processing of special category or criminal offence data on a large scale; and/or
- Systematically monitoring publicly accessible places on a large scale.
In addition, the ICO requires a DPIA to be completed when:
- using innovative technology;
- using profiling or special category data to decide on access to services;
- profiling individuals on a large scale;
- processing biometric data;
- processing genetic data;
- matching data or combining datasets from different sources;
- collecting personal data from a source other than the individual without providing them with a privacy notice (invisible processing);
- tracking individuals' location or behaviour;
- profiling children or targeting marketing of online services at them;
- processing data that might endanger the individual's physical health or safety in the event of a security breach.
DPIAs are also a useful tool to demonstrate compliance with the data protection principles and with our statutory duty of data protection by design and by default. Therefore, in addition to the above, the University requires a DPIA to be completed when:
- Conducting research with human participants where they can be directly identified and where the risks cannot be fully considered within an ethics application;
- Collecting and processing new personal data and/or using personal data for a new purpose;
- Introducing new IT systems; and/or
- Sharing data with other organisations, or internally, where this is a new and unexpected activity.
There may be other circumstances where a DPIA is beneficial. Please contact the Information Compliance Unit - info.compliance@qub.ac.uk if you are unsure whether a DPIA is required.