
Data Protection (Privacy) Impact Assessment Policy and Procedure
Version: V3
Ratified by: Finance Investment Committee
Date ratified: 05/02/2025
Job Title of author: Data Protection Officer & IG and IT Projects Manager
Reviewed by Committee or Expert Group: Technology Project Group
Equality Impact Assessed by: IG and IT Projects Manager
Related procedural documents
IGPOL31 Data Protection Policy
IGPOL53 Information Security Policy
IGPOL65 Transferring Confidential Information
Review date: 05/02/2027


It is the responsibility of users to ensure that they are using the most up to date document, i.e. the version obtained via the intranet.
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version | Date | Author | Status | Comment
V1 | February 2018 | Information Governance and IT Projects Manager | Final | NEW POLICY. This Policy has been written in response to the requirements of the new Data Protection Regulations. It effectively replaces the procedures described in IGPRE28 – Assuring the Information Governance of New and Changed Systems, Processes and Services.
V2 | August 2021 | Data Protection Officer & Information Governance and IT Projects Manager | |
V3 | November 2024 | Data Protection Officer & Information Governance and IT Projects Manager | | 2 year review


1. Introduction
The introduction of new systems or services, or modifications to existing ways of working, can have a major impact on the data protection and privacy processes and systems already in place. It is vitally important that all proposed changes to service delivery and organisational processes maintain the confidentiality, integrity and accessibility of information, in both paper and electronic formats.
The UK General Data Protection Regulation (UK GDPR) introduces the requirement of ‘Privacy by design’ and ‘Privacy by default’. This is an approach that considers privacy and data protection compliance from the start of any project or processing involving personal data, not as an afterthought. Trying to bolt on security or privacy controls later down the line can not only be costly to implement but can leave the organisation open to regulatory and reputational risks.
Article 25 of the UK GDPR requires that a Data Protection Impact Assessment is carried out prior to data processing which is ‘likely to result in high risk to the rights and freedoms of natural persons’. Failure to do this may risk a delay in starting the processing activity associated with your project or activity. Any exceptions must be approved by the SIRO.
The aim of this policy is to provide staff with information that promotes good practice and compliance with Data Protection Laws and other statutory requirements provided by the Information Commissioner's Office (ICO).
Not completing a Privacy Impact Assessment where one should have been completed can lead to fines of approximately £8.5m or 2% of annual turnover (whichever is higher), with the possibility of proceedings imposed by the ICO.
2. Purpose
The purpose of this policy is to ensure that risks to the rights and privacy of individuals are considered and minimised while allowing the aims of the project or processing activity to be met.
This document helps identify when a DPIA is required. It provides a standardised approach to identifying, assessing and mitigating data protection and privacy risk and assists in delivering compliance with legal and statutory requirements.
Risks can be identified and addressed at an early stage by analysing how the proposed uses of data, technology and processes will work in practice. This analysis can be tested by consulting with the stakeholders who will be working on, or affected by, the project.
3. Definitions
Data Protection Impact Assessment (DPIA): previously referred to as a Privacy Impact Assessment, is a tool to help the organisation and staff identify and reduce any data protection or privacy risks prior to any planned data processing activity or before a project or change is delivered. It is a major part of Provide Group’s accountability obligations under the UK GDPR.
Caldicott Guardian: Is the organisation’s Medical Advisor and the senior person responsible for protecting the confidentiality of personal confidential data (PCD). The Caldicott Guardian plays a key role in ensuring that the organisation abides by the highest standards for handling Personal Confidential Data and Personal Identifiable Data.
Data Protection Officer (DPO): Is an independent legal role required by the Data Protection legislation (UK GDPR). This person is responsible for overseeing the Data Protection compliance of the organisation, informing and advising the organisation on its Data Protection obligations, providing advice to all staff across the organisation and acting as a contact point for data subjects and the Information Commissioner's Office (ICO).
Information Asset Owners: Are typically departmental heads and senior managers involved in running the relevant business services. Their role is to understand what information is held, how it is used, who has access and why. As a result they can understand and address risks to the Information Assets they 'own', providing assurance to the SIRO.
Responsible Project/ Initiative Lead or process owner: Is any member of staff, including flexible, permanent, new starters, locum, temporary, student and contract staff members who are tasked with and responsible for accomplishing "project"/process objectives and outcomes.
Senior Information Risk Owner (SIRO): The SIRO owns the information risk and incident management framework, overall information risk policy and risk assessment processes, ensuring they are implemented consistently throughout the business by the Information Asset Owners. Provide’s SIRO is the Group Chief Finance Officer & Company Secretary on behalf of the Board.
Data Security and Protection Toolkit (DSPT): Formerly known as the IG Toolkit, the tool is an online system which allows Provide to measure compliance against the National Data Guardian’s 10 data security standards. The toolkit is used to provide assurance that we are practising good data security and that personal information is handled correctly. It is a requirement of our NHS contracts that we complete the toolkit on an annual basis.
Information Asset: A body of information defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.
Personal Data: Any information relating to an identified or identifiable natural person (data subject).
Project: Shall mean any plan, process or proposal, which involves the use of information, data or technology. This shall also include any change that will amend the way in which the information, data or technology is handled.
Processing Activity: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

Must: The responsibilities and/or actions from NHS England, the Department of Health (DoH) and the Information Commissioner's Office (ICO) required to be carried out as the minimum mandatory and statutory measure.
Should: The responsibilities and/or actions recommended to follow as good practice.
Technology: A term used to describe systems, tools, techniques and processes embedded in machines or devices which then store, study, retrieve, transmit, and manipulate data or information.
4. Scope
A DPIA is a process used to identify and minimise the data protection risks of a project or activity that involves the processing of personal data. It is an integral part of the development and implementation of such projects and activities.
A DPIA is mandatory when data processing is likely to result in a high risk to individuals.
Projects and processing activities are recognised and delivered in different ways. Therefore all staff must recognise that a DPIA must be completed and the form submitted to the Information Governance team in advance of the following circumstances and situations:
• The use of a trial period of technology, systems, devices or products which use personal data or information
• The use of charitable or free technology or products which use personal data or information
• Publishing personal identifiable or sensitive information or data on the internet or in other publicly available media types
• Procurement of technology, systems, devices or products which use personal data or information
• De-commissioning or disposal of technology, systems, or products which use personal data or information
• A change to existing processes or technology, systems, devices and products which will significantly amend the way personal data or information is handled
• The implementation or development of new processes, technology, systems, devices or products which involve the use of personal data or information
• Collection, retrieval, obtaining, recording or holding of new personal data or information
• Where the processing prevents data subjects from exercising a data protection right or using a service.
• Evaluation and scoring using personal data (including profiling and predicting)

5. Duties
5.1 The SIRO and Senior Managers must ensure that this policy is adhered to by all staff.
5.2 The “responsible project lead”/process owner must:
5.2.1 Examine the project at the earliest possible stage and make an initial assessment of data protection and privacy risks, by ensuring a DPIA is completed and submitted to the IG team by e-mail (see section 6, Procedure).
5.2.2 Accept accountability where any of the screening questions within the DPIA apply to the project, in which case it is likely that a full DPIA must be undertaken.
5.2.3 Recognise that, should a full DPIA be deemed necessary, there is a legal obligation for the Data Protection Officer to be consulted, where necessary, to advise on any complex data processing matters, and that the DPIA outcome must be integrated into the project plan before the project is developed and implemented.
5.2.4 Manage potential sources of risk and concerns as they arise, escalating to the relevant senior business manager or technical roles as required.
5.2.5 Should a full (Stage 2 and/or 3) DPIA be necessary, communicate with the IG team for support and guidance if needed and work towards finalising any conclusions and recommendations.
5.2.6 Where the conclusions and recommendations have been provided by the IG team and the DPO (where consulted), and are:
ACCEPTED: Demonstration that consideration has been given to the sources of potential risk through the completion of a DPIA. Additionally conclusions and recommendations are integrated into the main project plan.
NOT ACCEPTED: Demonstration that consideration has been given to the sources of potential risk through formally providing the rationale of non-acceptance. Additionally conclusions and recommendations are integrated into the main project plan.
5.2.7 Co-operate and provide the ICO with evidence of the updated project plan and DPIA, if requested via the IG Team.
5.3 It is the responsibility of the IG team to:
5.3.1 Provide the responsible project/ initiative lead with guidance and support in completing the DPIA, if required.
5.3.2 Carry out an evaluation of the submitted DPIA and declaration, to address the initial sources of potential risk.
5.3.3 Provide the responsible project lead and/or IAO with any recommendations and conclusions that seem necessary from the evaluation.
5.3.4 The IG Manager must carry out a review of the submitted DPIA to ensure it is fit for purpose before signing it off as approved.
5.3.5 Escalate any uncooperative actions, such as not accepting the risks or not carrying out mitigating tasks, first to the relevant line manager and subsequently to the Head of IG, where necessary.
5.4 The Data Protection Officer must:
5.4.1 Offer advice and support, where requested, on matters to do with completing the DPIA.
5.4.2 Monitor the performance of DPIAs
5.4.3 Escalate any uncooperative actions to the SIRO and Caldicott Guardian.
5.4.4 Escalate unaccepted conclusions and recommendations to the SIRO.
5.4.5 Communicate with the IG team, the responsible project lead, the SIRO and the IAO with the frequency and formality deemed necessary.
5.4.6 Where high risks are identified and cannot be mitigated, the DPO shall consult with the ICO for advice (prior consultation) and feed back the relevant communication from the ICO to the responsible project lead, IG Manager and SIRO.
5.5 It is the responsibility of the Technology Team to:
5.5.1 Review the technical and security documentation for the project and the associated technical risks, and provide the project lead/process owner and IG team with data and cyber security recommendation(s) and conclusion(s).
5.6 It is the responsibility of the IAO to:
5.6.1 Incorporate any recommendations and actions into Business-as-Usual Processes.
5.6.2 Maintain any new information assets and flows into their Information Asset register.
6. Procedure
There are typically 7 steps to completion of a DPIA:
1) Identify the need for the DPIA – The Responsible Project/ initiative lead/process owner (hereafter referred to as “the lead”) must complete Stage 1 (Screening Stage) of the DPIA form. This consists of five short Yes/ No questions which will determine whether a DPIA is required. The form can be downloaded on the staff intranet (DPIA form template - Provide Community Platform).
Where all questions are answered “No” in stage 1 the lead must submit this form to the Information Governance (IG) Team (provide.infogov@nhs.net) for review and sign off. If any of the questions are answered “yes” then Stage 2 of the DPIA form must be completed, following the instructions on the form.
2) Describe the data processing / information flows – describe how the information within the processing operation is collected, stored, used and deleted. Describe the nature, scope and type of personal data involved, who has access, whether it will be shared and with whom, and how long it will be retained. This step is documented in stages 2.1 and 2.2 of the DPIA form.

3) Consult with Stakeholders – Appropriate Stakeholders must be involved in the DPIA process in order to ensure all risks and requirements are adequately covered. As a minimum the following roles should be consulted:
• The person leading the project/service/process/change
• Information Asset Owner (IAO)
• IT Team for any technical/security assessments/advice
• End user of new system/device, if applicable
• The Data Protection Officer
• The IG Team
If any of the above are not consulted, you should document the reason why not.
4) Assess Necessity and Proportionality – Establish your lawful basis for processing. Consider whether your plans will help achieve the purpose of the processing. Consider whether there are other reasonable ways to achieve the results without processing the personal data.
You should also document other relevant details, which are captured in Stage 2.4 of the DPIA, such as the lawful basis for processing, how you intend to ensure data quality, etc.
5) Identify privacy and related risks and identify and evaluate privacy solutions – The lead should complete Stages 2.5 and 2.6 of the DPIA form to determine the range of threats, and their related vulnerabilities, to the rights and freedoms of the individuals whose data you collect and/or process. Some examples of privacy risks are highlighted in Annex A of the form.
After completion of stage 2 the lead must forward the completed form to the IG team for review (provide.infogov@nhs.net). The IG team will at this stage review the contents of the form and consider whether a Stage 3 review is required. A stage 3 review is required for any complex or higher risk processing activities. It is also required where a third party will be supplying or supporting a new system or where data is to be hosted in the cloud. A stage 3 review will also be required where there is not enough information supplied in stage 2 to determine any risks. Where a stage 3 review is required, the IG Team will co-ordinate this.
6) Record the DPIA outcomes and get sign-off – Once the form has been completed and submitted, the IG Manager will review the information and in particular the risks identified which will result in one of the following:
i) ACCEPTED: The DPIA will be signed off if there are no risks identified or sufficient actions have been identified to mitigate the risks to an acceptable level.
ii) NOT ACCEPTED*: Where any risks are identified that are considered significant or extreme and sufficient risk treatment controls have not been identified in the action plan, or the risk cannot be reduced.
*Where the risk cannot be reduced, the DPO will submit the DPIA to the Information Commissioner's Office for consultation, following discussions with the SIRO. The ICO will advise whether the processing can proceed. Where sufficient controls have not been identified, the lead will be consulted to advise them of this and to request that the controls are revisited.
7) Integrate the DPIA outcomes into the project plan – the lead will need to continually refer to the DPIA in order to ensure that it is being followed and that its responses to the risks have been implemented effectively. It is therefore recommended that any actions identified as part of this process are incorporated into the main project plan for the initiative, where one exists.
If any significant risks have been identified and accepted these must be transferred to the Risk Register.
A flow diagram of the above process can be found in Appendix 1 of this policy.
The IG team will be a point of contact should any lead need help or assistance in completing the assessment.
7. Training
The requirement to undertake a DPIA is included within the annual mandatory IG training.
The IG team will from time to time provide additional training and awareness where a need is identified and will provide 1:1 assistance where assistance or advice is required.
It is recommended that all Project leads, IAOs and Service leads undergo more in-depth training on how to carry out an effective DPIA.
8. Additional Requirements
In order to accomplish the process the responsible project lead/IAO/process owner will require access to the DPIA form which is available from the staff intranet.
9. Non Compliance
The accountability principle within Article 5(2) of the GDPR requires Provide to demonstrate compliance with the GDPR principles. Therefore the organisation has a legal obligation to implement technical and organisational measures, such as DPIAs, to demonstrate that data protection requirements and Privacy by Design principles are being adhered to.
Non-compliance with this policy, and in particular non-completion of a Data Protection Impact Assessment where one is warranted, may lead to disciplinary action.
10. Review
All staff are responsible for monitoring their compliance with the principles and procedures detailed within this document. Line managers and supervisors should also monitor compliance on a regular basis.

This policy will be reviewed every 3 years by the Policy Author/s. Earlier review may be required in response to exceptional circumstances, organisational change or relevant changes in legislation.
11. Data Protection Impact Assessment Form
The DPIA assessment form is available on the Community Platform.
DPIA form template - Provide Community Platform

Appendix 1: DPIA Process Flow Chart
