1. Data Privacy Impact Assessment (DPIA)
A Data Privacy Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project before committing to it. In the case of systems installed prior to instructing VeriFi, the scope of the DPIA is limited to data capture and processing equipment together with associated record keeping.
It is assumed that the data controller had previously completed any required pre-installation consultation with affected parties and reviewed alternative potential solutions.
A data controller must conduct or commission a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals.
This includes some specified types of processing. You can use the ICO checklists to help you decide when to do a DPIA, which should be undertaken at the planning stage of a project.
A full list of the circumstances in which you must conduct a DPIA are set out on the ICO website Typically a DPIA will include what you plan to do with the personal data, it should include the following information:
- how you collect the data
- how you store the data
- how you use the data
- who has access to the data
- who you share the data with
- whether you use any processors
- retention periods
- security measures
- whether you are using any new technologies
- whether you are using any novel types of processing; and
- which screening criteria you flagged as likely high risk.
The scope of the processing is what the processing covers. This should include, for example:
- the nature of the personal data
- the volume and variety of the personal data
- the sensitivity of the personal data
- the extent and frequency of the processing
- the duration of the processing
- the number of data subjects involved and
- the geographical area covered.
The context of the processing is the wider picture, including internal and external factors which might affect expectations or impact. This might include, for example:
- the source of the data
- the nature of your relationship with the individuals
- how far the individuals have control over their data
- how far individuals are likely to expect the processing
- whether these individuals include children or other vulnerable people
- any previous experience of this type of processing;
any relevant advances in technology or security - any current issues of public concern and
- whether you comply with any applicable data protection codes of conduct.
The purpose of the processing is the reason why you want to process the personal data. This should include:
- your legitimate interests, where relevant
- the intended outcome for individuals and
- the expected benefits for you or for society as a whole.
Do we need to consult individuals?
You should seek and document the views of individuals (or their representatives) unless there is a good reason not to. In most cases it should be possible to consult individuals in some form. However, if you decide this is not appropriate, you should record this decision as part of your DPIA, with a clear explanation. For example, you may be able to demonstrate that consultation would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable.
If the DPIA covers the processing of personal data of existing contacts (for example, existing customers or employees) you should design a consultation process to seek the views of those particular individuals, or their representatives.
If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public consultation process, or targeted research. This could take the form of market research with a certain demographic or contacting relevant campaign or consumer groups for their views.
If your DPIA decision differs from the views of individuals, you need to document your reasons for disregarding their views.