A Data Protection Impact Assessment (DPIA) is a process that helps an organisation identify and minimise the data protection risks of a project, and it is required for processing that is likely to result in a high risk to individuals. To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered: high risk can result either from a high probability of some harm or from a lower probability of serious harm. It is also good practice to carry out a DPIA for any other major project that involves the processing of personal data; in some cases a DPIA is a mandatory data protection requirement.
North Tees and Hartlepool NHS Foundation Trust has been carrying out Data Protection Impact Assessments on new projects and initiatives for several years, beginning before the General Data Protection Regulation came into force, and we have refined our processes to ensure they meet the requirements of the new legislation and the GDPR Article 29 Working Party criteria for an acceptable DPIA.
In summary, the Trust will:
- Describe the nature, scope, context and purposes of the processing
- Ask data processors to help us understand and document their processing activities and identify any associated risks
- Consider how best to consult individuals (or their representatives) and other relevant stakeholders
- Check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance
- Carry out an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests, and identify measures we can put in place to eliminate or reduce high risks
- Record the outcome of the DPIA, including any difference of opinion with our Data Protection Officer or individuals consulted
- Implement the measures identified, and integrate them into our project plan
- Consult the Information Commissioner’s Office (ICO) before processing if we cannot mitigate “high risks”
- Seek advice and approval from our Data Protection Officer
- Keep all DPIAs under review and revisit them if necessary
Here at North Tees and Hartlepool NHS Foundation Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.
If you wish to request our latest Data Protection Impact Assessments (DPIAs), or would like more information about our processes, please contact [email protected].