Introduction
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a new project, system or process (or changes to existing ones).
You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our DPIA Screening Checklist within the DPIA template to help you decide when a Full DPIA is required.
It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
A specialised DPIA template has been created for projects involving surveillance cameras or surveillance camera systems. This is based on the template issued by the Surveillance Camera Commissioner and the Information Commissioner's Office. Further guidance on completing this DPIA is available here.
Process
Once the form has been completed, it should be emailed to the Information Governance (IG) Team at IG
Once the DPIA is ready, it will be presented at the Data Protection Panel for review. If the Panel is happy with it, it will be approved on behalf of the Trust's Senior Information Risk Owner (Rob Collins) and Caldicott Guardian (Noir Thomas). If it is not approved at that point, you will be contacted with further questions or guidance.
Occasionally, there will be high profile DPIAs that the Panel will escalate to the executives for approval. You will be advised as soon as possible if that is going to happen.
Guidance
For help with identifying who should be the Information Asset Owner and Administrator, please see the guidance available here.
If you need support when completing the form, please email the IG Team (see above for contact details).
Information is also available on the Information Commissioner's Office's website.