A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a new project, system or process (or changes to existing ones).

You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our DPIA Screening Checklist within the DPIA template to help you decide when a Full DPIA is required.

It is also good practice to do a DPIA for any other major project which requires the processing of personal data.


Once the form has been completed, it should be emailed to the Information Governance (IG) Team at (or use IG (MCT) on the global address list in Outlook).  The Team will then review it and contact you with any questions or concerns they may have.

Once the DPIA is ready, it will be presented at the Data Protection Panel for review.  If the Panel is happy with it, it will be approved on behalf of the Trust's Senior Information Risk Owner (Rob Collins) and Caldicott Guardian (Noir Thomas).  If it is not approved at that point, you will be contacted with further questions or guidance.

Occasionally, there will be high profile DPIAs that the Panel will escalate to the executives for approval.  You will be advised as soon as possible if that is going to happen.


For help with identifying who should be the Information Asset Owner and Administrator, please see the guidance available here.

If you need support when completing the form, please email the IG Team (see above for contact details).

Information is also available on the Information Commissioner's Office's website.