Data protection impact assessment process

Data Protection Impact Assessments (DPIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.

A DPIA is a process which assists organisations in identifying and minimising the privacy risks of new projects or policies.

A DPIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.

An effective DPIA will allow East Dunbartonshire Council (“the Council”) to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.

DPIAs are often applied to new projects, because this allows greater scope for influencing how the project will be implemented. A DPIA can also be useful when the Council is planning changes to an existing system.

A DPIA can be used to review an existing system, but the Council needs to ensure that there is a realistic opportunity for the DPIA conclusions to implement necessary changes to the system.

The Policy will be reviewed annually to reflect operational improvements and changes to best practice.

This Policy takes the recommendations set out in the Information Commissioner’s Privacy Impact Code of Practice and applies them to the Council. This procedure applies to all employees, and all processes that include a new or changed use of Personal Confidential Data and/or Business sensitive data in any format.

This includes

• Introduction of a new paper or electronic information system to collect and hold personal/business sensitive data
• Introduction of new service or a change to existing process, which may impact on an existing information system
• Update or revision of a key system that might alter the way in which the Council uses, monitors, and reports personal/business sensitive information
• Replacement of an existing data system with new software
• Changes to an existing system where additional personal/business sensitive data will be collected
• Proposal to collect personal data from a new source or for a new activity
• Plans to outsource business processes involving storing and processing personal/ business sensitive data
• Plans to transfer services from one provider to another that include the transfer of information assets
• Any change to or introduction of new data sharing agreements.

The Information Commissioners Office promotes DPIAs as a tool which will help organisations to comply with their GDPR obligations, as well as bringing further benefits.

Carrying out an effective DPIA will benefit the individual Data Subjects affected by a project and the Council. It is likely to be the most effective way to demonstrate how personal data processing complies with GDPR.

The first benefit to individual Data Subjects will be that they can be reassured that the Council has followed best practice. A project which has been subject to a DPIA should be less privacy intrusive and therefore less likely to affect individuals in a negative way.

A second benefit to individual Data Subjects is that a DPIA will improve transparency and make it easier for them to understand how and why their information is being used.

The process of conducting the assessment will improve how the Council uses information which impacts on individual privacy. This should in turn reduce the likelihood of the Council failing to meet
its legal obligations under GDPR and of a breach of the legislation occurring.

The DPIA process is a flexible one that can be integrated with the Council’s existing approach to managing projects. The time and resources dedicated to a DPIA should be scaled to fit the nature of the project.  

A DPIA should begin early in the life of a project, and should develop as the project develops. The assessment will incorporate the following steps:

Identify the need for a DPIA:

• Answer screening questions to identify a proposal’s potential impact on privacy
• Begin to think about how project management activity can address privacy issues
• Start discussing privacy issues with stakeholders.

Describe the information flows:

• Explain how information will be obtained, used, and retained – there may be several options to consider. This step can be based on, or form part of, a wider project plan
• This process can help to identify potential ‘function creep’ - unforeseen or unintended uses of the data (for example data sharing).

Identify the privacy and related risks:

• Record the risks to individuals, including possible intrusions on privacy where appropriate
• Assess the corporate risks, including regulatory action, reputational damage, and loss of public trust
• Conduct a compliance check against GDPR and other relevant legislation
• Maintain a record of the identified risks.

Identify and evaluate the privacy solutions

• Devise ways to reduce or eliminate privacy risks
• Assess the costs and benefits of each approach, looking at the impact on privacy and the effect on the project outcomes
• Refer back to the privacy risk register until satisfied with the overall Data Protection Impact Assessment.

Sign off and record the DPIA outcomes

• Obtain appropriate signoff within the Council
• Produce a DPIA report, drawing on material produced earlier during the PIA
• Consider publishing the report or other relevant information about the process.

Integrate the outcomes into the project plan:

• Ensure that the steps recommended by the DPIA are implemented
• Continue to use the DPIA throughout the project lifecycle when appropriate.

Consult with internal and external stakeholders as needed throughout the process.

The Council has put in place a process to manage and review Data Protection Assessments across the Authority.

When considering if a project may require a DPIA the service area will complete and submit to the Council’s Information Management Team a completed ‘Data Protection Assessment Screening Form (Appendix 1 in the documents section of this page).

Where the Information Management Team confirms that a DPIA is required, the Service will work with the Information Management Team to complete a DPIA Form (Appendix 2 in the documents section of this page).

A further form will be completed linking the proposal to the requirements of the principles of GDPR (Appendix 3 in the documents section of this page).