Records Management

Data protection impact assessment (DPIA)

Guidance for staff on carrying out a data protection impact assessment (DPIA)

A DPIA is:

  • A tool/process to assist organisations in identifying and minimising the privacy risks of new projects, systems or policies
  • A type of impact assessment conducted by an organisation, auditing its own processes to see how these processes affect or might compromise the privacy of the individuals whose data it holds, collects, or processes
  • A tool/process to assist organisations in ensuring that all activities involving personal data are proportionate and necessary

 A DPIA is designed to accomplish three goals:

  • Ensure compliance with applicable legal, regulatory, and policy requirements for privacy;
  • Determine the risks and effects; and
  • Evaluate protections and alternative processes to mitigate potential privacy risks.

When do I need to carry out a DPIA?

When you plan to:

  • Embark on a new project involving the collection of personal data;
  • Introduce new IT systems for storing and accessing personal information;
  • Participate in a new data-sharing initiative with other organisations;
  • Initiate actions based on a policy of identifying particular demographics;
  • Use existing data for a “new and unexpected or more intrusive purpose”;
  • Review or audit an existing system or activity.

Has a DPIA already been done for what I want to do?

You can check if a DPIA has been done for your project/system/policy on the Data Protection SharePoint Intranet.

List of Data Protection Impact Assessments

If a DPIA has already been completed for the specific processing or system you wish to use, you may be able to use that assessment as a basis rather than completing a new one. Please get in touch with the Data Protection Officer at dpo@ed.ac.uk to confirm.

Requesting a DPIA

When you need to conduct a DPIA, email the Data Protection Officer at dpo@ed.ac.uk and you will be assigned an assessment through our online tool. The assessment tool is a platform hosted by a third party.

Student research

If you are a student and need to do a DPIA, then please download the template below together with the guidance. Upon completion, your academic supervisor will approve the DPIA. If you have already completed an ethics approval form which includes a DPIA, you do not need to complete this form.

DPIA guidance

 

If you require these documents in an alternative format, such as large print or a coloured background, please contact the Records Management Section on 0131 651 4099 or email recordsmanagement@ed.ac.uk