Under the GDPR, Data Protection Impact Assessments (DPIAs) are mandatory where the processing poses a high risk to the rights and freedoms of individuals. While they can also be carried out in other situations, councils need to be able to evaluate when a DPIA is required.

This checklist helps you make that assessment and provides a springboard for some of the issues you will need to consider in more detail if you do need to carry out a DPIA.

Do you need to carry out a DPIA?

  • What is the objective/intended outcome of the project?
  • Is it a significant piece of work affecting how services/operations are currently provided?
  • Who is the audience or who will be affected by the project?
  • Will the project involve the collection of new personal data about people? e.g. new identifiers or behavioural information relating to individuals
  • Will the project involve combining anonymised data sources in a way that may give rise to a risk that individuals could be identified?
  • Will the project involve combining datasets originating from different processing operations or data controllers in a way which would exceed the reasonable expectations of the individuals?
  • Is data being processed on a large scale?
  • Will the project compel individuals to provide personal data about themselves?
  • Will personal data about individuals be disclosed to organisations or people who have not previously had routine access to the personal data?
  • Will personal data be transferred outside the EEA?
  • Is personal data about individuals to be used for a purpose it is not currently used for, or in a way it is not currently used?
  • Will personal data about children under 13 or other vulnerable persons be collected or otherwise processed?
  • Will new technology be used which might be seen as privacy intrusive? (e.g. tracking, surveillance, observation or monitoring software, capture of image, video or audio or location)
  • Is monitoring or tracking or profiling of individuals taking place?
    Is data being used for automated decision making with legal or similar significant effect?
  • Is data being used for evaluation or scoring? (e.g. performance at work, economic situation, health, interests or behaviour)
  • Is sensitive data being collected including:
  1. Race  
  2. Ethnic origin
  3. Political opinions
  4. Religious or philosophical beliefs
  5. Trade union membership
  6. Genetic data
  7. Biometric data (e.g. facial recognition, finger print data)
  8.  Health data
  9. Data about sex life or sexual orientation?
  • Will the processing itself prevent data subjects from exercising a right or using a service or contract?
  • Is the personal data about individuals of a kind likely to raise privacy concerns or is it personal data people would consider to be particularly private or confidential?
  • Will the project require contact to be made with individuals in ways they may find intrusive?

 

Other issues to consider when carrying out a DPIA

In addition to considering the above issues in greater detail, when conducting a DPIA, you will also need to look at issues including:

  1. The lawful grounds for processing and the capture of consent where appropriate
  2. The purposes the data will be used for, how this will be communicated to the data subjects and the lawful grounds for processing
  3. Who the data will be disclosed to
  4. Where the data will be hosted and its geographical journey (including how data subjects will be kept informed about this)
  5. The internal process for risk assessment
  6. Who needs to be consulted (DPO, data subjects, the Information Commissioners Office (“ICO”)
  7. Data minimisation (including whether data can be anonymised)
  8. How accuracy of data will be maintained
  9. How long the data will be retained and what the processes are for deletion of data
  10. Data storage measures
  11. Data security measures including what is appropriate relative to risk and whether measures such as encryption or pseudonymisation can be used to reduce risk
  12. Opportunities for data subject to exercise their rights
  13. What staff or, as appropriate, councillor training is being undertaken to help minimise risk
  14. The technical and organisational measures used to reduce risk (including allowing different levels of access to data and red flagging unusual behaviour or incidents)

The GDPR requires that councils carry out a DPIA when processing is likely to result in a high risk to the rights and freedoms of data subjects. For a council, examples might include using CCTV to monitor public areas.

If two or more of the following apply, it is likely that you will be required to carry out a DPIA. This does not apply to existing systems but would apply if you introduced a new system.

  1. Profiling is in use. Example: you monitor website clicks or behaviour and record people’s interests.
  2. Automated-decision making. Example: when processing leads to the potential exclusion of individuals.
  3. CCTV surveillance of public areas. Processing used to observe, monitor or control data subjects.
  4. Sensitive personal data as well as personal data relating to criminal convictions or offences.
  5. Large scale data processing. There is no definition of “large scale”. However consider: the number of data subjects concerned, the volume of data and/or the range of different data items being processed.
  6. Linked databases - in other words, data aggregation. Example: two datasets merged together, which could “exceed the reasonable expectations of the user” e.g. you merge your mailing list with another council, club or association.
  7. Data concerning vulnerable data subjects, especially when power imbalances arise, e.g. staff-employer, where consent may be vague, data of children, mentally ill, asylum seekers, elderly, patients.
  8. “New technologies are in use”. E.g. use of social media, etc.
  9. Data transfers outside of the EEA.
  10. “Unavoidable and unexpected processing”. For example, processing performed on a public area that people passing by cannot avoid. Example: Wi-Fi tracking.