Data Protection Impact Assessment (DPIA) Procedure


1. Introduction

The General Data Protection Regulation (GDPR) introduced a new obligation upon organisations to conduct a Data Protection Impact Assessment (DPIA) before carrying out types of processing that are likely to result in high risk to individuals’ rights. This procedure details how The Westerham Practice will achieve this requirement.

Projects that involve personal or special category information (including pseudonymised data), or that use new technologies to process personal data, give rise to privacy issues and concerns. Privacy encompasses ‘confidentiality’ and ‘consent’ as overarching principles. This procedure requires that respect for privacy and dignity is considered at the outset of any project. To enable organisations to address privacy concerns and risks, the DPIA technique endorsed by the Information Commissioner’s Office (ICO) must be used.

Data protection by design is also endorsed by the Data Security and Protection Toolkit to ensure that only the minimum necessary personal data is processed, that pseudonymisation is used where possible, that processing is transparent and, where feasible, that individuals can monitor what is being done with their data. Together, these measures enable an organisation to improve the data protection and security of personal information. New systems or processes should not ‘go live’ until the ‘data protection by design’ work has been completed.


2. Scope

This procedure applies to those members of staff who are directly employed by the Practice and for whom the Practice has legal responsibility, as well as any Processors/contractors/subcontractors/third parties processing Practice data or accessing its systems, or anyone authorised to undertake work on behalf of the Practice. For those staff covered by a letter of authority/honorary contract or on work experience, the organisation’s policies also apply whilst undertaking duties for or on behalf of the Practice.

This procedure provides guidance to staff and assurance to individuals whose personal data is being processed. It covers all aspects of information within the organisation, including (list is not exhaustive):

  • Patient/client/service user information
  • Employee personal information
  • Corporate information
  • Commercially sensitive information

3. Principles

Data Protection by Design and Default gives personal information the same importance in business cases and planning as finance, human resources, capital and physical assets. Information governance (IG) can sometimes come across as a barrier when data protection and privacy considerations have not been built in from the design stage of a project.

To ensure IG does not become a barrier, the Practice has data protection and individuals’ privacy built into its business approval and procurement processes, so that any concerns are addressed in the early stages of procuring or commissioning any new system, service, product or process. This ensures that appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights are in place prior to mobilisation. This involves, but is not limited to:

  • Only using Processors that provide sufficient guarantees of their technical and organisational measures for data protection by design;
  • Anticipating risks and privacy-invasive events before they occur, and taking steps to prevent harm to individuals;
  • Making data protection an essential component of the core functionality of our processing systems and services.

If a DPIA identifies a high risk that is unable to be mitigated, the Practice must consult the ICO before the project can go ahead.


4. Equality Statement

The Practice is committed to a policy of equality in all its employment practices in accordance with the Equality Act and principles and strives to eliminate unfair discrimination, harassment, bullying and victimisation. The practice will not unlawfully, unfairly or unreasonably discriminate or treat individuals less favourably on the grounds of gender or gender reassignment, marriage or civil partnership, pregnancy or maternity, sexual orientation, religion or belief, disability, age, race, nationality or ethnic origin.


5. Roles and Responsibilities

Overall accountability for procedural documents across the organisation lies with the Accountable Officer who has overall responsibility for establishing and maintaining an effective document management system, for meeting all statutory requirements and adhering to guidance issued in respect of procedural documents.

The Practice lead for Information Governance will provide advice and guidance to all staff on all elements of Information Governance and Data Security (IG/DS). They are responsible for:

  • Providing advice and guidance on IG/DS to all staff;
  • Ensuring the consistency of IG/DS across the organisation;
  • Developing IG/DS policies, procedures, strategies and guidance;
  • Establishing protocols on how information is to be shared;
  • Developing IG/DS awareness and training programmes;
  • Ensuring compliance with data protection and other information security related legislation;
  • Handling and responding to Freedom of Information requests; and
  • Implementing system wide IG/DS guidance and policy, taking into account national guidance, for example from NHS England, and the Department of Health, as well as legislative and regulatory changes.

The Kent and Medway GP Data Protection Officers (DPO) are employed by the CCG. The DPO is responsible for Data Protection compliance within The Westerham Practice and reviews all DPIAs before recommending them to the SIRO for endorsement. The DPO can provide advice on:

  • whether a DPIA is required;
  • how the DPIA should be conducted;
  • what measures and safeguards can be taken to mitigate risks;
  • whether the DPIA has been carried out correctly; and
  • the outcome of the DPIA and whether the processing can go ahead.

The DPO’s advice to Project Managers is recorded on the final version of the DPIA. If you do not follow the DPO’s advice, you must record your reasons for not doing so, ensure that you are able to justify your decision, and inform the DPO.

The DPO also monitors updates from the project managers regarding the ongoing performance of the DPIA, including how well the planned actions have been implemented to address the risks.

The Practice Manager will take responsibility for ensuring that the Practice’s ‘data flow map’ is updated for their Practice following the completion of a DPIA where applicable.

All staff employed by the Practice must follow the requirements of this procedure and associated policies, particularly those relating to the processing of patients’ information. All health professionals must also meet their own professional codes of conduct in relation to confidentiality. Where breaches of confidentiality, security alerts etc. are identified relating to an information system, a DPIA must be undertaken to provide assurance that the information risk is being managed.


6. The Process

A DPIA must be completed at an early stage of a project or of a planned modification to an existing process or information asset. Completion of the DPIA Screening Checklist (Appendix A, available from reception) during the initial scoping phase of a project will establish whether the project is likely to require a full-scale DPIA (Appendix B).

In response to COVID-19 a short-form DPIA was developed; see Appendix C. Please note that this should only be used where the Practice must complete time-limited work during a business continuity event, such as the COVID-19 pandemic.

Stage One – Identify the need

A DPIA is not needed for every project. To determine whether one is needed you need to answer a set of screening questions; see Appendix A. The ICO advises that you must do a DPIA if you plan to:

  • use systematic and extensive profiling with significant effects;
  • process special category or criminal offence data on a large scale; or
  • systematically monitor publicly accessible places on a large scale.

The ICO also requires you to do a DPIA if you plan to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any new project involving the use of personal data.

This screening process assesses the threshold and determines whether a full DPIA is needed. A decision not to proceed to a full DPIA must be recorded and stored with the relevant project documentation within the Practice. As the Practices are data controllers in their own right, the Kent and Medway CCG DPOs will advise, but the final decision rests with the Practices.

Stage Two – Background, Assessment and Data Flow Capture

If the screening questions indicate that a full DPIA is needed, proceed to Stage Two, which captures details of the personal information the project will process and is divided into three sections in the DPIA. The template is set out in Appendix B.

At this stage the Project lead should also:

  • Ensure that relevant contracts can be reviewed if required by the Practice IG leads;
  • Capture all data flows. This process identifies how we obtain information, where we store it, and who may access it.

Stage Three – Establish the need for the data processing and its basis in law

Establish the purposes for which the data is to be used and the basis for this in law, against the GDPR and other legislation or regulations where appropriate:

  • Assess whether all the data recorded will be adequate for, and relevant to, the purposes for which it is being used, and record this.
  • Assess whether the data recorded will be proportionate to the purposes for which it is being used, and record this.

All of this information is included in the templates, please ask reception for details.

Stage Four – Identify Privacy and related risks

Record the risks to individuals, including possible intrusions on privacy where appropriate.

Assess the risks to individuals against each possible risk, including but not limited to:

  1. Illegitimate access to data;
  2. Unauthorised modification of data; and
  3. Loss of data.

Then:

  • Identify the specific threats which could possibly lead to each risk and the likelihood of these occurring.
  • Assess the corporate risks, including regulatory action, reputational and financial damage, and loss of public trust.
  • With the help of the Practice IG lead and the Kent and Medway CCG DPO function, conduct a compliance check against the GDPR and other relevant legislation such as the Data Protection Act 2018.
  • The Practice will keep a record of the identified risks.

Stage Five – Identify and evaluate privacy solutions

Explain how you could address and overcome each risk:

  • Some might be eliminated altogether, other risks might be reduced. Most projects will require you to accept some level of risk, and will have some impact on privacy.
  • Evaluate the likely costs and benefits of each approach. Think about the available resources, and the need to deliver a project which is still effective.

HIGH RISK - Stage Six – Consult the ICO

If you have identified a high risk and no measures can be taken to reduce the risk, you must consult the ICO.

  • This is completed by the DPO.
  • No further steps must be taken until you have received a response from the ICO.

Stage Seven – Sign off the outcomes

Once all of the paperwork has been completed, the Information Governance lead, the SIRO and the Caldicott Guardian for the Practice will review it, and the Kent and Medway CCG DPO team will provide independent advice. The outcome will be recorded.

Stage Eight – Integrate the outcome back into the project

The DPIA findings and actions should be integrated within the project plan. It might be necessary to return to the DPIA at various stages of the project’s development and implementation. Larger projects are more likely to benefit from a more formal review process. A DPIA might generate actions which continue after the assessment has finished, so you should ensure that these are monitored. Ownership of this element falls to the Information Asset Owner (IAO) for the project as it becomes “business as usual”.


7. Training and Support

The Kent and Medway GP DPO team is available to offer support and guidance to Project Managers and Information Asset Owners in completing DPIAs. The Practice will periodically provide DPIA training workshops for staff whose roles involve project management. The objectives of the training are:

  • To improve staff knowledge of the importance of DPIAs;
  • To provide an opportunity for staff to develop skills in completing Data Flow Maps and full scale DPIAs;
  • To provide an opportunity for staff to ask questions on DPIA;
  • To improve understanding and confidence in completing DPIA in the future;
  • To improve the Practice’s DPIA process.

8. Audit and Monitoring Criteria

The Practice will continually review and monitor how its Information Assets are being handled.

This procedure will be reviewed annually. Earlier review may be required in response to exceptional circumstances, organisational change or relevant changes in legislation or guidance.

Compliance with this procedure is monitored:

  • Annually as part of the Practice’s reporting on its compliance with the standards of the NHS DSP Toolkit.

Failure to adhere to the procedure may lead to an investigation into the Practice’s compliance with data protection legislation and to potential fines of up to £17.5 million for the Practice.


9. Implementation and Dissemination

This procedure is published on TeamNet (the practice intranet). An annual policy review document is sent to all employees to review and sign.


10. References

The following statutory and national guidance has been used to develop this document:

  • Data Protection Act 2018
  • Data Protection Impact Assessments (ICO Website)
  • Data Protection Impact Assessments (DPIA) (ICO Guidance)
  • Guide to the General Data Protection Regulation (ICO Guidance)
  • Data Sharing Code of Practice (ICO Guidance)

This procedure meets the requirements of the National Data Guardian’s Data Security Standard 1; Assertion 1.6 of NHS Digital Data Security and Protection Toolkit, i.e. ‘The use of personal information is subject to data protection by design and by default’.

For further details, including the form templates in Appendices A, B and C, please contact Reception.