An assessment begins in the early life of a project, prior to the start of using the data and runs alongside the planning and development process. It will include the following steps:
- identifying the need for an assessment;
- description of the processing;
- consideration of consultation;
- assessment of necessity and proportionality;
- identification and assessment of risks;
- identification of measures to mitigate the risks; and
- approval and recording of outcomes.
Throughout the assessment process involvement will be sought from the business lead, the Data Protection Officer, information security staff, organisations contracted with the council, legal advisors or other experts and where relevant members of the public.
In identifying possible risks, a DPIA will look at whether the processing could result in:
- inability to exercise rights;
- inability to access services;
- loss of control over the use of personal data;
- discrimination;
- identity theft or fraud;
- reputational damage;
- physical harm;
- loss of confidentiality;
- re-identification of 'pseudonymised' data; or
- significant economic or social disadvantage.
Against each risk identified will be a measure that reduces that risk. These measures may include but are not limited to:
- deciding not to collect certain types of data;
- reducing the scope of the processing;
- adding additional security measures;
- anonymising or 'pseudonymising' data where possible;
- writing internal guidance or processes to avoid risks; or
- making changes to privacy notices and/or putting data-sharing agreements in place.
It is vital that the outcomes of assessments are integrated back into any project plan. Data Protection Impact Assessments are not a one-off exercise, they are a 'living' process to help in managing and reviewing the risks of the processing and the measures put in place on an ongoing basis. This is in particular where there are significant changes to how and why personal data has been processed, the amount of data collected, a new security flaw identified, and new technology available or a new public concern is raised over the type of processing.
Although assessment cannot completely remove all risk, they should be used to identify and minimise data protection risks to a level that is acceptable.
However, in circumstances where the council are not able to reduce high risks, the ICO will be consulted.