What is a Data Protection Impact Assessment?
A Data Protection Impact Assessment (DPIA) is an essential part of the Council’s accountability obligations under the General Data Protection Regulation (GDPR), enabling the Council to assess and demonstrate compliance with its data protection obligations.
These assessments should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large.
They can cover a single processing operation or a group of similar processing operations, and in certain circumstances a group of joint controllers can carry out a joint assessment.
The Council has embedded these assessments into its business processes not only to demonstrate compliance and accountability but to also build trust and engagement with our customers.
Why are Data Protection Impact Assessments needed?
Under the GDPR, these assessments are a legal requirement for any type of processing that is likely to result in a ‘high risk to an individual’s rights and freedoms’, including certain specified types of processing.
Risk is about the potential for any significant physical, material or non-material harm to individuals. Although GDPR does not define what is meant by ‘likely to result in high risk’, it is clear that the Council needs to consider both the likelihood and severity of any potential harm to individuals.
‘Risk’ implies a more than remote chance of some harm, whilst ‘high risk’ implies a higher threshold, either because harm is more likely, because the potential harm is more severe, or a combination of the two.
The GDPR lists three types of processing that automatically require a DPIA:
- systematic and extensive profiling with significant effects;
- large scale use of sensitive data; and
- public monitoring.
Further to these examples, the Information Commissioner’s Office (ICO) initial screening questions and European Union guidelines have been designed to help organisations identify whether the processing is likely to result in ‘high risk’.
Failure to carry out a DPIA when one is required may lead to enforcement action by the ICO, which can include a fine of up to £8.6m.
How does the Council use a Data Protection Impact Assessment to reduce privacy risks?
An assessment begins early in the life of a project, before the data is used, and runs alongside the planning and development process. It includes the following steps:
- identifying the need for an assessment;
- description of the processing;
- consideration of consultation;
- assessment of necessity and proportionality;
- identification and assessment of risks;
- identification of measures to mitigate the risks; and
- approval and recording of outcomes.
Throughout the assessment process, involvement will be sought from the business lead, the Data Protection Officer, information security staff, organisations contracted with the Council, legal advisors or other experts and, where relevant, members of the public.
In identifying possible risks, a DPIA will look at whether the processing could result in:
- inability to exercise rights;
- inability to access services;
- loss of control over the use of personal data;
- identity theft or fraud;
- reputational damage;
- physical harm;
- loss of confidentiality;
- re-identification of ‘pseudonymised’ data; or
- significant economic or social disadvantage.
Each identified risk will have a corresponding measure that reduces it. These measures may include, but are not limited to:
- deciding not to collect certain types of data;
- reducing the scope of the processing;
- adding additional security measures;
- anonymising or ‘pseudonymising’ data where possible;
- writing internal guidance or processes to avoid risks; or
- making changes to privacy notices and/or putting data-sharing agreements in place.
It is vital that the outcomes of assessments are integrated back into the project plan. Data Protection Impact Assessments are not a one-off exercise; they are a ‘living’ process that helps to manage and review the risks of the processing, and the measures put in place, on an ongoing basis. This applies in particular where there are significant changes to how and why personal data is processed or to the amount of data collected, where a new security flaw is identified, where new technology becomes available, or where a new public concern is raised over the type of processing.
Although an assessment cannot completely remove all risk, it should be used to identify and minimise data protection risks to an acceptable level.
However, in circumstances where the Council is not able to reduce high risks, the ICO will be consulted.
How do Data Protection Impact Assessments promote transparency and demonstrate the Council’s GDPR compliance?
By considering the risks before using personal information, the Council is able to demonstrate compliance with the ‘data protection by design and by default’ obligation. Consistent use of these assessments not only increases awareness of privacy and data protection issues but also ensures that all Council staff involved in the process adopt the ‘data protection by design’ approach.
Although these assessments are effective in assessing compliance with all the data protection principles and obligations, they are not just a compliance exercise. Data Protection Impact Assessments enable problems to be identified and fixed at an early stage, which in turn can provide our customers with reassurance that their privacy is being protected and that any negative impact is reduced as much as possible. In some cases, customers will be consulted, giving them an opportunity to input on the way their information is used, whilst at the same time allowing them to understand how and why their personal information is being used. In turn, this enables relationships to be developed with our customers and improves the Council’s understanding of their needs, concerns and expectations.
More detailed information on Data Protection Impact Assessments can be found on the ICO’s website.
Middlesbrough Council approved Data Protection Impact Assessments
Below is a list of the DPIAs undertaken and approved by the Council since 25 May 2018.
| DPIA | Approved |
| --- | --- |
| Mind of My Own app for child consultation | August 2018 |
| Driver licensing checks | September 2018 |
| Google Street View camera | October 2018 |
| Blue Badge system | December 2018 |
| Facebook Pixel | December 2018 |
| Library management system | December 2018 |
| Transfer of business services to council management | January 2019 |
| Digital mail and print project | April 2019 |
| Adverse childhood experiences | May 2019 |
| South Tees Multi-Agency Children's Hub | June 2019 |
| Parking Penalty Charge Notice and permit system | July 2019 |
| South Tees Safeguarding Children Partnership | September 2019 |
| Town centre Wi-Fi | October 2019 |
| Single Point of Access Adult Social Care phase 2 | November 2019 |
| Mobile messaging and telephone/video app | April 2020 |
| Commissioning model and shared case management system | May 2020 |
| Geographic Information System mapping | May 2020 |
| Residential care system | June 2020 |
| Governance and meeting management system | July 2020 |
| Staff safety badge | September 2020 |
| TS1 Public Space Protection Order (PSPO) | September 2020 |
| Automated telephone dialler for Council Tax debt recovery | September 2020 |
| Mental health assessment booking system | September 2020 |
If you have any queries or would like to discuss any of these Data Protection Impact Assessments, please contact:
The Data Protection Officer
PO Box 500, Middlesbrough TS1 9FT
Phone: 01642 245432