DP-04 Template Data Protection Impact Assessment

1. Data Controller

2. Reference Number

DPIA-01

3. Description of Project

4. Purpose of Project

Explain broadly what the project aims to achieve including what the intended effect on individuals is and the benefits of the processing for the individuals and the organisations involved

5. Types of Data Subjects

6. Types of Personal Data

☐Name
☐Address
☐Telephone Number
☐Age/Date of Birth
☐Email Address
☐Next of Kin
☐If other, please provide details below

☐ID Number
☐Bank Details
☐Financial Details
☐National Insurance Number
☐Online Identifiers (IP Address etc.)
☐Expression of Opinion

7. Special Category Data

☐Racial Origin
☐Ethnic Origin
☐Political Opinion
☐Religious Beliefs
☐Philosophical Beliefs
☐Trade Union Membership

☐Criminal Prosecutions or Allegations
☐Genetic or Biometric Data
☐Physical Health
☐Mental Health
☐Sex Life
☐Sexual Orientation

8. Who will be able to see and/or have access to the data?

9. How will you collect, use, store and delete data?

10. What is the source of the data?

11. Will the data be shared with anyone? If so how will this be protected?

12. How much data will you be collecting and using?

 If unknown, please provide a realistic estimate

13. How many individuals are affected?

If unknown, please provide a realistic estimate

14. How long will the information be kept for?

15. What Geographical area does it cover?

16. What is the nature of your relationship with the individuals?

17. How much control will they have over their data?

18. Would they expect you to use their data in this way?

19. Do they include children or other vulnerable groups?

20. Are there prior concerns over this type of processing? Or any security flaws?

21. Are there any current issues of public concern that may need to be factored in?

22. What is the lawful basis for processing the personal data?

23. Does the processing achieve the intended purpose?

24. Is there a less privacy intrusive way to achieve the same outcome?

25. How will you prevent the data from being used in an unexpected way?

26. How will you ensure data minimisation?

27. How will you ensure individuals right to be informed is complied with?

This could be by way of a privacy notice at the point of collection

28. What measures are in place to ensure any data processors comply with legislation?

29. Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

30. Identify and Assess Risks

Risk Ref

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary

Likelihood of harm

Severity of harm

Overall risk

Remote, possible or probable

Minimal, significant or severe

Low, medium or high

31. Identify Measures to Reduce Risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5

Risk Ref

Options to reduce or eliminate risk

Effect on risk

Residual risk

Measure approved

Eliminated, reduced or accepted

Low, medium or high

Yes or no

Name/date

Notes

Measures approved by:

Integrate actions back into project plan, with date and responsibility for completion

Residual risks approved by:

If accepting any residual high risk, consult the relevant supervisory authority before going ahead

Comments:

Consultation responses reviewed by:

If your decision departs from individuals’ views, you must explain your reasons

Comments:

This DPIA will kept under review by: