Data Protection Assessment Procedure

Policy statement

This procedure defines the University’s approach to data protection assessment and directly supports the following policy statement from the Data Protection Policy: ‘The University will implement a data protection by default and design approach to processing personal data through integrating data protection assessments into business processes and projects’.

Data protection by design is about considering data protection and privacy issues up front, at a stage where it is still possible to shape design and outcomes. It helps to ensure that we comply with the fundamental principles and requirements of the General Data Protection Regulation (GDPR), and it satisfies the need for demonstrable compliance.

Assessment helps identify and minimise data protection risks in new or amended processing of personal data, whether that is a new system or process, a change to an existing system, or a new use of an existing data set, by identifying and managing privacy risks at an early stage. This helps to meet individuals’ expectations of privacy and to avoid the regulatory enforcement action and reputational damage which might otherwise occur.

This procedure reflects the Information Commissioner’s Office (ICO) ‘Guide to the GDPR’ and ‘Data Protection Impact Assessment’ (DPIA) Guidance.

Audience

This procedure is primarily intended for Information Asset Owners (IAOs), Information Asset Managers (IAMs), those in change- or project-based roles such as project managers, and any other staff who lead work to process personal data in new or amended ways.

Procedure aim

This procedure, its associated templates and the further guidance document have been developed to ensure a data protection by default and design approach which is flexible and scalable to new or amended processing. The procedure also aims to:

  • Inspire confidence that the University appropriately protects personal data.
  • Ensure and demonstrate that the University is compliant with data protection legislation.
  • Ensure the University adopts a proportionate approach to data protection assessment.
  • Ensure that privacy risks are considered in a timely and cost effective manner.
  • Avoid regulatory enforcement action, fines and reputational damage.

Review

A review of this procedure will be undertaken by the Data Protection Officer, or a representative, every two years or more frequently as required, and will be approved by the Information Governance Board.

What is data protection assessment?

Data protection assessment is a process designed to help us systematically identify, analyse and minimise data protection risk, as well as demonstrate compliance with data protection legislation. The scale, time and resources of the assessment should be proportionate to the size of the project and the data protection risk involved, so the effort spent on a DPIA can be scaled to fit the nature of the project. Wherever there is new or amended processing of personal data there should be a data protection assessment. This will take the form of either a Basic Assessment or a Full DPIA.

ICO Screening Questions - Basic Assessment or Full DPIA?

We should conduct a Full DPIA for processing that “is likely to result in a high risk to the rights and freedoms of natural persons”, i.e. a high risk to their privacy. Article 35 of the GDPR and related guidance from the Information Commissioner’s Office (ICO) provide some non-exhaustive examples of when processing is likely to result in high risk:

  • Use systematic and extensive profiling or automated decision-making to make decisions about data subjects, i.e. decisions affecting someone’s access to a service, opportunity or benefit.
  • Process special category data or criminal offence data on a large scale.
  • Systematically monitor a publicly accessible place on a large scale.
  • Use new technologies.
  • Carry out profiling on a large scale.
  • Process biometric or genetic data.
  • Combine, compare or match data from multiple sources.
  • Process personal data without providing a privacy notice directly to the individual.
  • Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
  • Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them.
  • Process personal data which could result in a risk of physical harm in the event of a security breach.

We should also consider a Full DPIA if we plan to carry out any other:

  • Evaluation or scoring.
  • Automated decision-making with significant effects.
  • Systematic processing of sensitive data or data of a highly personal nature.
  • Processing on a large scale.
  • Processing of data concerning vulnerable data subjects.
  • Innovative technological or organisational solutions.
  • Processing involving preventing data subjects from exercising a right or using a service or contract.
  • Any major project involving the processing of personal data.

Where it is unclear whether there is a high risk it shall be for the relevant IAO(s) to ultimately make the decision. The decision not to conduct a Full DPIA should be documented within the Basic Assessment.

The Data Protection Advice Line can be contacted for advice on whether to conduct a Full DPIA or a Basic Assessment.

When to conduct an assessment

The assessment should be carried out ‘prior to the processing’ (GDPR Articles 35(1) and 35(10), recitals 90 and 93). It is generally good practice to carry out an assessment as early as practical in the design of the processing. It may not be possible to conduct an assessment at the very inception of the project, as project goals and some understanding of how the project will operate must be identified before it will be possible to assess the data protection risks involved.

For some projects the assessment may need to be a continuous process, and be updated as the project moves forward. The fact that an assessment may need to be updated once processing has actually started is not a valid reason for postponing or not carrying out an assessment.

Responsibility for conducting the assessment

The IAO is ultimately responsible for ensuring that an assessment takes place, though the activity may be delegated to an IAM, the Project Manager or another project resource who will be responsible for ensuring that appropriate consultation has taken place.

The IAO or delegated IAM will be the owner of any residual risk. It is important to ensure that the IAO and IAM are identified at an early stage of the project, as they will need to have an overview of, involvement in, and sign-off of the process.

Conducting a Basic Assessment

The Basic Assessment is a principle-based assessment. The Basic Assessment Template guides completion by asking questions which should be considered to ensure that the fundamental principles of the GDPR are satisfied. Completion ensures that important data protection issues are considered and documented by the project. It does not need to be a time-consuming process in every case.

There is no specific need to consult the Data Protection Officer (DPO) when conducting a Basic Assessment; however, the DPO or a representative can provide advice and assistance to support the assessment if required.

The assessment can be signed off by either the relevant IAO or IAM.

For detailed guidance about completing a Basic Assessment please see the Data Protection Assessment Intranet Resources. Upon completion the assessment should be sent to dataprotection@mmu.ac.uk for central storage and quality assurance dip sampling by the Information Governance (Legal) Team.

Conducting a Full DPIA

The Full DPIA process should document the intended processing in plain English, and ensure appropriate consultation takes place to identify and manage privacy risks. The Full DPIA Template and the Conducting a Data Protection Impact Assessment Intranet Page guide completion with headings and by asking questions to be considered as part of the process.

The GDPR sets out the minimum features of the assessment (Article 35(7), and recitals 84 and 90).

The Full DPIA should:

  • Provide background and context information about the project.
  • Identify the need for the Full DPIA.
  • Describe the nature, scope, context and purposes of processing.
  • Identify whether the processing is necessary and proportionate, and establish the lawful basis for the processing.
  • Seek to consult with data subjects (or their representatives) and other relevant stakeholders (as appropriate).
  • Consult with the DPO or a nominated representative of the DPO for advice and consultancy; this is a mandatory GDPR requirement.
  • Consult with the Information Records Manager and Head of Information Security as appropriate and where advised by the DPO.
  • Involve an objective assessment of the likelihood and severity of any risks to data subjects, compliance risks and risks to the University. Risks should be measured as per the Risk Management Policy.
  • Identify measures that the University can put in place to eliminate or reduce these risks.
  • Record the outcome of the DPIA process, including any difference of opinion with the DPO or individuals consulted.

Step 1 – Identifying the need for the DPIA

  • Explain broadly what the project aims to achieve.
  • Provide background and context information about the project. You may find it helpful to refer or link to other documents, such as a project proposal.
  • Pick out the relevant ICO screening questions which indicate high risk, and explain why these are relevant to your project.

Step 2 – Describe the processing

  • Describe the processing lifecycle. Include process flow diagrams to assist.
  • Describe the personal data to be processed.
  • Document any prior concerns.

For further guidance see the Conducting a Data Protection Assessment Intranet Page.

Step 3 – Consultation

Consulting the Data Protection Officer

Before consulting the University Data Protection Officer you should:

  • Read the Data Protection Assessment Procedure.
  • Read the Data Protection Assessment Intranet Page.
  • Consider whether the project is likely to be high risk as per the ICO’s screening questions.
  • Complete the Basic Assessment as seen at Appendix A of the Template to gain an initial understanding of data protection issues and risks/gaps to the project.

The DPO is unlikely to recommend that a project proceed if there are any medium rated risks after controls and safeguards have been implemented. The DPO will strongly advise against a project proceeding where there are remaining high risks.

The DPO acts in a consultancy, advisory and support role in respect of DPIAs. The advice of the DPO is formally recorded within the DPIA. If the DPO’s advice is not followed the reasons for not following the advice should be recorded and the decision made must be justified.

Wider consultation

Consultation leading to the identification and assessment of privacy risk forms the core part of the DPIA. Consultation serves many purposes throughout the DPIA process, such as:

  • Explaining the initiative to stakeholders.
  • Explaining to stakeholders how the DPIA process will be used within the initiative to manage privacy risks.
  • Establishing current working practices that the initiative aims to update or replace.
  • Establishing how the new system or process is likely to be used in practice and in the case of general purpose facilities, their likely purpose.
  • Establishing the privacy concerns of stakeholders.
  • Soliciting suggestions for controls.
  • Explaining identified controls to stakeholders.

Key stakeholders are likely to include:

  • Individuals or representatives whose personal data will be processed by the new system or process.
  • Individuals who understand the initiative from a technical perspective.
  • Individuals who will be using the new system or process.
  • Collaborative partners.
  • The suppliers of a system.
  • The University Data Protection Officer or a representative.
  • The Information and Records Manager.
  • The Assistant Director for Information Security or a representative.

Step 4 – Data protection compliance

  • Document the lawful basis for processing for both personal data and ‘special category’ personal data, if relevant.
  • Describe why the processing is necessary and proportionate. Have alternative means been considered which may be less privacy intrusive?
  • Document how privacy notice requirements will be fulfilled.
  • Document how data minimisation requirements have been considered.
  • Document how data quality requirements have been considered.
  • Document how data subject rights will be supported.

For further guidance please see the Conducting a Data Protection Assessment Intranet Page.

Step 5 - Identifying and assessing privacy risks

This forms the core part of the DPIA.

As per the Information Risk Management Policy, “our information risks should be identified, managed and treated according to an agreed risk tolerance”. We must make an objective assessment of the privacy risks. To assess the level of privacy risk, we must consider both the likelihood of harm and the severity of any impact, using the Impact and Likelihood Matrix seen at Appendix A.

Harm does not have to be inevitable to qualify as a risk, but it must be more than remote. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. We assess the severity of our privacy risks on a five-point scale using the following matrix (score = impact × likelihood), which is consistent with the University’s high-level Risk Management Policy and Information Risk Management Policy.

Impact / Likelihood   Very Low   Low   Medium   High   Very high
Critical (5)          5          10    15       20     25
Major (4)             4          8     12       16     20
Medium (3)            3          6     9        12     15
Low (2)               2          4     6        8      10
Minor (1)             1          2     3        4      5

The Conducting a Data Protection Assessment Intranet Page contains a non-exhaustive list of possible privacy risks.

Step 6 - Identifying mitigating measures

This forms the core part of the DPIA.

As per the Information Risk Management Policy, “the implementation of controls to protect information must be based on an assessment of the risk posed to the University”. For each risk identified we should consider the options for eliminating, reducing or accepting the risk. The Conducting a Data Protection Impact Assessment Intranet Page contains a non-exhaustive list of privacy measures which are likely to be useful in eliminating or mitigating the identified privacy risks.

Once the privacy measures have been identified, each privacy risk should be re-assessed on the assumption that the measures are implemented, to determine whether it has been eliminated, reduced and/or accepted by the IAO. The extent of any residual risk should be identified.

The IAO may accept risk, taking into account the benefits of the processing and of proceeding with the project, system or initiative.

High risk which cannot be mitigated

If a high risk is identified which cannot be mitigated, we must consult the ICO before commencing the processing. The appropriate IAO must make the decision to approach the ICO with a high risk, to establish whether the processing can proceed as planned rather than seeking alternative means which may lower the privacy risk. The DPO must be contacted prior to approaching the ICO and will aid any consultation.

The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing altogether.

Step 7 - Data Protection Assessment Sign-off

The DPO or a representative will offer comments about whether:

  • The DPIA has been undertaken correctly.
  • In the DPO’s opinion the project should proceed.

If the IAO decides not to follow the advice of the DPO the reasons for doing so should be recorded.

It is for the relevant IAO(s) to sign off a DPIA, accept residual risk, approve the actions to take place and the controls to be implemented, and ultimately approve that the processing proceed.

Final actions

Actions and measures accepted as part of the DPIA should be integrated into the relevant project plans.

The DPIA should be maintained and revisited as actions are completed. This will be an ongoing process as the project proceeds. It is advised that someone is given the role of, and accountability for, maintaining the DPIA.

The final version of the DPIA should be sent to dataprotection@mmu.ac.uk for central storage.

As a result of the new processing, amendments to the University Record of Processing Activity (ROPA) / Information Asset Register (IAR) may be necessary. The DPIA should be linked to the relevant section of the ROPA.

Conducting retrospective assessments

Our priorities should be risk based. We have to be compliant with data protection legislation in respect of all processing of personal data whether new processing or an initiative which has operated for many years. Furthermore, we must be able to demonstrate how we are compliant with the legislation. The best way to ensure we are compliant and to be able to demonstrate that compliance is through the completion of data protection assessments.

Commonly, the highest risk with most processing arises when it is new, particularly if there has not been appropriate consultation and data protection risks have not been considered up front. It is right to prioritise assessments of new processing. Article 35 of the GDPR specifically requires that assessments are completed for new high-risk processing. However, where we assess that existing processing also represents a higher risk, we should conduct retrospective assessments. The fact that certain processing has operated for many years without issue or complaint could be an indication of lower risk, but this should form part of a complete assessment of risk, including the ICO’s screening questions.