A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project, especially for processing that is likely to result in a high risk to individuals. To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. It is also good practice to carry out a DPIA for any other major project which requires the processing of personal data; in some cases it is a mandatory data protection requirement.
Aintree University Hospital NHS Foundation Trust have been carrying out Privacy Impact Assessments on new projects and initiatives for several years prior to the enactment of the General Data Protection Regulation and have refined our processes to ensure they meet the requirements of the new legislation and the GDPR Article 29 Working Party criteria for an acceptable DPIA.
In summary the Trust will:
- Describe the nature, scope, context and purposes of the processing
- Ask data processors to help us understand and document their processing activities and identify any associated risks
- Consider how best to consult individuals (or their representatives) and other relevant stakeholders
- Ask for the advice of our Data Protection Officer
- Check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance
- Carry out an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests and identify measures we can put in place to eliminate or reduce high risks
- Record the outcome of the DPIA, including any difference of opinion with our Data Protection Officer or individuals consulted
- Implement the measures identified, and integrate them into our project plan
- Consult the Information Commissioner's Office (ICO) before processing if we cannot mitigate “high risks”
- Keep all DPIAs under review and revisit them if necessary.
Here at Aintree University Hospital NHS Foundation Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.
Below you will find a summary of all DPIAs carried out since 25th May 2018, when this became a data protection requirement.
The lists will be periodically updated with new completed DPIAs but if you would like more information about our process, or those listed below, please contact: firstname.lastname@example.org.