Skip to main content

Data protection impact assessment (DPIA) procedure

Contents

1 Aim

With the ongoing published advancements in data protection legalisation, the general data protection regulation (GDPR) came into force on the 25 May 2018. The Data Protection Act (2018) makes the GDPR part of UK law and replaces the Data Protection Act (1998). This places a legal obligation on Rotherham, Doncaster and South Humber NHS Foundation Trust (RDaSH) to conduct a screening data protection impact assessment (DPIA) for all projects which includes, but is not limited to, the use of information, data and technologies.

The aim of the DPIA policy and this procedure is to provide colleagues with information that promotes good practice and compliance with the GDPR and other statutory requirements provided by our supervisory authority, the information commissioner’s office (ICO).

Additionally, the policy and procedure reflect the minimum requirements under the conditions of article 35 of the GDPR.

The data protection impact assessment procedure is to complement the data protection impact assessment (DPIA) procedure.

Under the Data Protection Act, the information commissioners office established a privacy impact assessment code of practice, the term privacy impact assessment is used within this document as equivalent to “data protection impact assessment” as referenced within the General Data Protection Regulation (EU) 2016/679.

Personal confidential data has also been referred to as patient identifiable data (PID), patient identifiable information (PII), confidential patient information (CPI) and as personally identifiable data.

Data protection impact assessments (DPIAs) serve to ensure that the organisation remains compliant with legislation and NHS requirements, which determine the use of personal confidential data (PCD). DPIA’s will aid RDaSH in determining how a particular project, process or system will affect the privacy of the individual. The DPIA screening questions and impact assessment have been developed to provide an assessment prior to new services or new information processing or sharing systems being introduced. A DPIA is less effective when key decisions have already been taken.

DPIAs identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow for the identification and remedy problems at an early stage, reducing potential distress, subsequent complaints and the associated costs and damage to reputation which might otherwise occur.

It is important to consider whether a DPIA is required once the objectives or aims of the project are identified, what is required to successfully meet these and how it is envisaged this will happen, whilst ensuring privacy of personal identifiable information.

Conducting a DPIA does not have to be complex or time consuming, if considered at an early stage.

1.1 Data protection impact assessments (DPIA)

DPIAs identify privacy risks, foresee problems and bring forward solutions. A successful DPIA will:

  • identify and manage risks in respect of privacy of personal identifiable information (see appendix A for examples)
  • avoid inadequate solutions to privacy risks
  • avoid unnecessary costs
  • avoid loss of trust and reputation
  • inform the organisation’s communication strategy (privacy notice)
  • meet or exceed legal requirement.

Consideration whether a DPIA should be completed is mandated through the General Data Protection Regulation (EU) 2016/679. DPIAs ensure that privacy concerns have been considered and serve to assure the organisation regarding the security and confidentiality of the personal identifiable information.

1.2 Purpose

A DPIA should serve to:

  • identify privacy risks to individuals
  • identify privacy and data protection compliance liabilities
  • protect the organisations reputation
  • instil public trust and confidence in your project or product
  • avoid expensive, inadequate “bolt-on” solutions
  • inform your communications strategy

2 Scope

This document applies to and is relevant across all services, departments, or care groups.

All colleagues employed by RDaSH, must work in accordance with safeguarding policies, procedures and local guidelines in relation to any safeguarding concerns they have for children or adults they are in contact with.

A DPIA must be considered where there is an introduction of new systems, data sharing or projects, and where appropriate, evidence of this consideration by the completion of the screening questions resides with the responsible project lead.

Line managers are responsible for ensuring that permanent and temporary colleagues and contractors are aware of the data protection impact assessment procedure.

There is an expectation that partner organisations or third parties involved in supplying or providing services provide technical information for the DPIA, as required.

This procedure therefore applies to all colleagues and all types of information held by the organisation. This procedure should be read in conjunction with the RDaSH IG policies:

3 Link to overarching policy

4 Procedure or implementation

4.1 Is a DPIA required for every project?

  • 1. Are you implementing a new system or data sharing arrangement or project or service, or changing the way you work?
  • 1.1 No, no need to complete the full DPIA. Retain completed DPIA screening questions with the project documentation.
  • 1.2 Yes, Does this project involve the process of personally identifiable or other high risk data?
  • 1.2.1 No, see 1.1
  • 1.2.2 Yes, A data protection impact assessment is required. Supporting information, such as contracts, system specifications and consent forms may be required

The ICO’s data sharing code of practice (opens in new window) states that DPIAs should be completed where a system, data sharing, or project includes the use of personal data, where there is otherwise a risk to the privacy of the individual, utilisation of new or intrusive technology, or where private or sensitive information which was originally collected for a limited purpose will be reused in a new and ‘unexpected’ way.

4.2 When should I start a DPIA?

DPIAs are most effective when they are started at an early stage of a project, when:

  • the project is being designed
  • you know what you want to do
  • you know how you want to do it
  • you know who else is involved

It must be completed before:

  • decisions are set
  • you have procured systems
  • you have signed contracts or memorandum of understanding or agreements
  • while you can still change your mind

The online DPIA portal (staff access only) (opens in new window) can be found at the bottom of the trust’s intranet homepage. Following the review of the screening questions, if any of the questions have been marked yes this determines that a full DPIA is required. Once the DPIA sections have been completed a member of the IG Team will be in contact with the author to assist in the review and suggest any amendments required to the form. It is required that the data protection officer, information security and, where applicable, clinical safety risk agreement is sought prior to the final DPIA being approved. Some DPIAs may be required to be submitted to the IG group for approval by the SIRO and Caldicott guardian. This is upon recommendation of the DPO.

4.3 Publishing DPIAs

All DPIAs are publishable. It is acknowledged that DPIAs may contain commercial sensitive information such as security measures or intended product development. Therefore a log of DPIAs is published via the information governance pages on the trust’s website and will be released upon request via the information governance department. Review and redaction of commercially sensitive information will be undertaken prior to release, however, as much of the document should be published as possible.

5 Appendices

5.1 Appendix A Example risks

5.1.1 Risks to individuals

  1. Inadequate disclosure controls increase the likelihood of information being shared inappropriately.
  2. The context in which information is used or disclosed can change over time, leading to it being used for different purposes without people’s knowledge.
  3. New surveillance methods may be an unjustified intrusion on their privacy.
  4. Measures taken against individuals as a result of collecting information about them might be seen as intrusive.
  5. The sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.
  6. Identifiers might be collected and linked which prevent people from using a service anonymously.
  7. Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information.
  8. Collecting information and linking identifiers might mean that an organisation is no longer using information which is safely anonymised.
  9. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, presents a greater security risk.
  10. If a retention period is not established information might be used for longer than necessary.

5.1.2 Corporate risks

  1. Non-compliance with the data protection legislation can lead to sanctions, fines and reputational damage.
  2. Problems which are only identified after the project has launched are more likely to require expensive fixes.
  3. The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation.
  4. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business.
  5. Public distrust about how information is used can damage an organisation’s reputation and lead to loss of business.
  6. Data losses which damage individuals could lead to claims for compensation.

5.1.3 Compliance risks

  1.  Non-compliance with the Data Protection Act 2018 or General Data Protection Regulation (EU) 2016/679.
  2. Non-compliance with the Common Law Duty of Confidentiality.
  3. Non-compliance with the Privacy and Electronic Communications Regulations (PECR).
  4. Non-compliance with sector specific legislation or standards.
  5. Non-compliance with Human Rights Act 1998 and Equality Act 2010.

5.1.4 Clinical safety risks

The Standardisation Committee for Care Information standard SCCI0160 (Clinical Risk Management, Its Application in the Deployment and Use of Health IT Systems) requires health organisations to establish appropriate procedures to ensure patient safety during the implementation and management of clinical information systems.

This means clinical risk analysis of using a clinical information system must be considered before deploying a new system or before implementing a significant change to an existing system, to ensure that the best design of the system and adequate team processes are employed in the use of the system in that particular service area.

If you are planning to implement a new clinical information system, making a significant change in an existing clinical information system for an existing service, or adding a new service to an existing clinical information system which may require changes to the system to accommodate the new service, please contact the organisation’s Clinical Systems team who can advise on what further clinical risk analysis needs to be considered for your proposed change.

5.2 Appendix B Definitions or explanation of terms used

Definitions
Term Definition
Anonymity Information may be used more freely if the subject of the information is not identifiable in any way, this is anonymised data. However, even where such obvious identifiers are missing, rare diseases, drug treatments or statistical analyses which may have very small numbers within a small population may allow individuals to be identified. A combination of items increases the chances of patient identification. When anonymised data will serve the purpose, health professionals must anonymise data and whilst it is not necessary to seek consent, general information about when anonymised data will be used should be made available to patients
Authentication Requirements An identifier enables organisations to collate data about an individual. There are increasingly onerous registration processes and document production requirements imposed to ensure the correct person can have, for example, the correct access to a system or have a smart card. These are warning signs of potential privacy risks
Caldicott Seven Caldicott principles were established following the original reviewed in 1997 and further development in 2013. The principles include:

  1. justify the purpose(s)
  2. don’t use patient identifiable information unless it is necessary
  3. use the minimum necessary patient-identifiable information
  4. access to patient identifiable information should be on a strict need-to-know basis
  5. everyone with access to patient identifiable information should be aware of their responsibilities
  6. understand and comply with the law
  7. the duty to share information can be as important as the duty to protect patient confidentiality
Common Law Duty of Confidentiality This duty is derived from case law and a series of court judgements based on the key principle that information given or obtained in confidence should not be used or disclosed further except in certain circumstances:

  • where the individual to whom the information relates has consented
  • where disclosure is in the overriding public interest
  • where there is a legal duty to do so, for example a court order
  • the common law applies to information of both living and deceased patients
Data Protection Act 2018 The DPA defines the ways in which information about living people may be legally used and handled. The main intent is to protect individuals against misuse or abuse of information about them. The 6 principles of the act state the fundamental principles of DPA 2018 specify that personal data must:

  1. be processed fairly and lawfully
  2. be obtained only for lawful purposes and not processed in any manner incompatible with those purposes
  3. be adequate, relevant and not excessive
  4. be accurate and current
  5. not be retained for longer than necessary
  6. be protected against unauthorized or unlawful processing and against accidental loss, destruction or damage
European Economic Area (EEA) The European Economic area comprises the EU member states plus Iceland, Liechtenstein and Norway
Explicit consent Express or explicit consent is given by a patient agreeing actively, usually orally (which must be documented in the patients’ case notes) or in writing, to a particular use of disclosure of information
General Data Protection Regulation (EU) 2016/679
Principles of Lawful Processing of Personal Identifiable Information
The GDPR requires that data controllers ensure personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
IAA (Information Asset Administrator) There are individuals who ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management and ensure that information asset registers are accurate and up to date. These roles tend to be system managers
IAO (Information Asset Owner) These are senior individuals involved in running the relevant service or department. Their role is to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security and use of those assets. They are responsible for providing regular reports regarding information risks and incidents pertaining to the assets under their control or area
Implied consent Implied consent is given when an individual takes some other action in the knowledge that in doing so he or she has incidentally agreed to a particular use or disclosure of information, for example, a patient who visits the hospital may be taken to imply consent to a consultant consulting his or her medical records in order to assist diagnosis. Patients must be informed about this and the purposes of disclosure and also have the right to object to the disclosure. Implied consent is unique to the health sector and cannot be used as a legal basis to process personal data under the Data Protection Act 2018 or GDPR
Information Assets Information assets are records, information of any kind, data of any kind and any format which we use to support our roles and responsibilities. Examples of Information Assets are databases, systems, manual and electronic records, archived data, libraries, operations and support procedures, manual and training materials, contracts and agreements, business continuity plans, software and hardware
Information Risk An identified risk to any information asset that the organisation holds. Please see the risk policy for further information
Personal Data This means data which relates to a living individual which can be identified either:

  • from those data
  • from those data and any other information which is in the possession of, or is likely to come into the possession of, the data controller

It also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual

Privacy and Electronic Communications Regulations 2003 These regulations apply to sending unsolicited marketing messages electronically such as phone, fax, email and text. Unsolicited marketing material should only be sent if the requester has opted in to receive this information
Privacy Invasive Technologies Examples of such technologies include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining and logging of electronic traffic. Technologies that are inherently intrusive, new and sound threatening are a concern and hence represent a risk
Pseudonymisation Where patient identifiers such as name, address, date of birth are substituted with a pseudonym, code or other unique reference so that the data will only be identifiable to those who have the code or reference
Records Management: NHS Code of Practice for Health and Social Care 2016 Is a guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on current legal requirements and professional best practice. The code of practice contains an annex with a health records retention schedule and a business and corporate (non-health) records retention schedule
Retention Periods Records are required to be kept for a certain period either because of statutory requirement or because they may be needed for administrative purposes during this time. If an organisation decides that it needs to keep records longer than the recommended minimum period, it can vary the period accordingly and record the decision and the reasons behind. The retention period should be calculated from the beginning of the year after the last date on the record. Any decision to keep records longer than 30 years must obtain approval from The National Archives.
Special categories of personal data
(sensitive data)
This means personal data consisting of information as to the:

  • concerning health, sex life or sexual orientation
  • racial or ethnic origins
  • trade union membership
  • political opinions
  • religious or philosophical beliefs
  • genetic data
  • biometric data
SIRO (Senior Information Risk Owner) This person is an executive who takes ownership of the organisation’s information risk policy and acts as advocate for information risk on the board

5.3 Appendix C Data protection impact assessment (DPIA) template


Document control

  • Version: 3.1.
  • Unique reference number: 520.
  • Date approved: 15 January 2024.
  • Approved by: Corporate policy approval group.
  • Name of originator or author: Head of information governance or data security officer.
  • Name of responsible individual: Director of health informatics.
  • Date issued: 16 January 2024.
  • Review date: 31 January 2026.
  • Target audience: All colleagues.

Page last reviewed: October 29, 2024
Next review due: October 29, 2025

Problem with this page?

Please tell us about any problems you have found with this web page.

Report a problem