VeriFi EIDOS

1. Data Privacy Impact Assessment (DPIA)

A Data Privacy Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project. A data controller must conduct or commission a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use the ICO checklists to help you decide when to do a DPIA which should be undertaken at the planning stage of a project.

In particular, data protection legislation says you must do a DPIA if you plan to carry out:-

  • Systematic & extensive profiling
  • Large scale use of sensitive data
  • Public monitoring
  • Innovative technology
  • Denial of service
  • Biometrics
  • Data matching
  • Invisible processing
  • Tracking
  • Targeting children / vulnerable adults
  • Risk of harm
  • Special category / criminal offence data
  • Automated decision-making
  • Other (please specify)

The VeriFi Data Protection Support Service includes a retrospective DPIA of Surveillance & Security Systems described in section 12 of this guidance document.

VeriFi will be pleased to carry out a DPIA if you are considering the installation of a new or refurbishment of an existing Surveillance & Security System. Typically a DPIA will include what you plan to do with the personal data, it should include the following information:

  • how you collect the data;
  • how you store the data;
  • how you use the data;
  • who has access to the data;
  • who you share the data with;
  • whether you use any processors;
  • retention periods;
  • security measures;
  • whether you are using any new technologies;
  • whether you are using any novel types of processing; and
  • which screening criteria you flagged as likely high risk.

The scope of the processing is what the processing covers. This should include, for example:

  • the nature of the personal data;
  • the volume and variety of the personal data;
  • the sensitivity of the personal data;
  • the extent and frequency of the processing;
  • the duration of the processing;
  • the number of data subjects involved; and
  • the geographical area covered.

The context of the processing is the wider picture, including internal and external factors which might affect expectations or impact. This might include, for example:

  • the source of the data;
  • the nature of your relationship with the individuals;
  • how far individuals have control over their data;
  • how far individuals are likely to expect the processing;
  • whether these individuals include children or other vulnerable people;
  • any previous experience of this type of processing;
  • any relevant advances in technology or security;
  • any current issues of public concern;
  • in due course, whether you comply with any GDPR codes of conduct (once any have been approved under Article 40) or GDPR certification schemes;and
  • whether you have considered and complied with relevant codes of practice.

The purpose of the processing is the reason why you want to process the personal data. This should include:

  • your legitimate interests, where relevant;
  • the intended outcome for individuals; and
  • the expected benefits for you or for society as a whole.

Step 3: Do we need to consult individuals?

You should seek and document the views of individuals (or their representatives) unless there is a good reason not to.

In most cases it should be possible to consult individuals in some form. However, if you decide this is not appropriate, you should record this decision as part of your DPIA, with a clear explanation. For example, you may be able to demonstrate that consultation would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable.

If the DPIA covers the processing of personal data of existing contacts (for example, existing customers or employees), you should design a consultation process to seek the views of those particular individuals, or their representatives.

If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public- consultation process, or targeted research. This could take the form of market research with a certain demographic or contacting relevant campaign or consumer groups for their views.

If your DPIA decision differs from the views of individuals, you need to document your reasons for disregarding their views.