Data Protection Impact Assessment (DPIA) – Screening Questions
Overview
A Data Protection Impact Assessment (DPIA) is essential to ensure that new systems and processes are compliant with Data Protection Legislation (GDPR and the Data Protection Act 2018). A DPIA is mandatory when introducing new technology or where the processing operation is “likely to result in a high risk to the rights and freedoms of natural persons”. The risk is considered high when processing personal information about a living person. Failure to carry out a DPIA, or failure to carry one out correctly when the risk is high, may result in a large fine.
What is Personal Data?
“personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
It may be that a single piece of information can identify an individual, or it may be that it requires a combination of information to identify them. The following information would be considered personal data:
· Name
· Address
· Date of birth
· Email address (personal and work)
· NI number
· Bank details
Personal data also extends to items such as a photo, posts on social media or an IP address.
What is Special Category Data?
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.”
The following information would be considered special category data:
*Biometric Data: physical or physiological identification techniques – e.g. fingerprint verification, facial/voice recognition, keystroke/handwriting analysis, gait and gaze analysis.
In order to determine whether a DPIA is necessary, insert the required information into the table below and complete the checklist.
If the answer is YES to any of the screening questions in the checklist then a DPIA must be carried out.
Data Protection Impact Assessment (DPIA) – Screening Questions
Project/Process Title |
Hackney Carriage and Private Hire Licensing Policy |
||
Directorate / Service Area |
LGR- North Yorkshire Council |
||
Overview of Project/Process |
To harmonise 7 differing policies in to 1 overarching policy and consult with stakeholders on the proposed policy.
|
||
Screening Questions |
Yes |
No |
Justification for Answer |
Will your project/app/system involve processing of information about individuals which includes special category or criminal conviction data? Please note this does include ‘anonymous’ data within these categories if unique identifiers such as initials or reference numbers are also processed. If you are processing any of the below types of personal data your answer should be YES: · Racial or ethnic origin · Political opinions · Religious or philosophical beliefs · Trade union membership · Genetic data · Biometric data · Data concerning health · Data concerning a person’s sex life · Data concerning a person’s sexual orientation · Criminal conviction data |
☐ |
☒ |
We are not asking for any personal data from stakeholders. We are asking for their input in to the draft policy document and feedback as to how the changes would impact the service. |
Will you be collecting new personal information about individuals, or information which, if breached could have a significant impact on an individual? Examples where the answer would be YES: · This a new system/process processing personal data that has not been previously collected · This is an existing system/process processing personal data but additional data must be collected due to a change in scope of the system/process · Data which has routinely been collected is being collected in a new way, this data is very sensitive and would cause distress to the data subject if it was breached |
☐ |
☒ |
See above. The consultation is asking for feedback on the proposed changes to the Licensing policy |
Will information about individuals be disclosed or shared with organisations or people who have not previously had routine access to the information? Example of where the answer would be YES: · There is a requirement to share information with an external 3rd party who has not previously had access to the data. This would also result in the need for a Data Sharing Agreement (DSA). |
☐ |
☒ |
Not applicable as the feedback is specifically to inform the proposed policy. |
Are you going to use information you already hold about individuals for a purpose it is not currently used for? Example of where the answer would be YES: Matching information from different systems/data sources, where purpose/lawful basis of original data collection may differ Details of the Information Asset in question will be contained within NYCC’s Information Asset Register (IAR) and the purpose for processing, along with the legal basis for processing will be recorded. The way information will be used in this new system/process must match the existing purpose/legal basis, otherwise a DPIA is required |
☐ |
☒ |
This is a not an area of concern as we will not be using information held for any purposes it is not already used for |
Does the project involve using technology which might be perceived as privacy intrusive or monitoring any publicly accessible areas? For example, CCTV, facial recognition, use of biometrics* such as thumb prints, Vehicle number plate recognition or location tracking. |
☐ |
☒ |
This is a standard consultation that will have some face to face events and an on line survey, |
Does any phase of project/system/ app use automated decision making based on information provided by the individual or received from a 3rd party? Automated individual decision-making is a decision made by automated means without any human involvement (e.g. online credit checks). Example of where the answer would be YES: · A new piece of software is being implemented which checks an applicant’s geographical location, age and household income and automatically offers a free service to eligible applicants when certain conditions are met |
☐ |
☒ |
|
Will the project include marketing or contacting individuals which may be considered intrusive? By phone, by email or by post, where they have not be informed/are not expecting that this contact will take place. Example of where the answer would be YES: · I have access to a list of email addresses which were collected for the purpose of setting people up as users of their local library. I’d like to send them a notice about a new transport services available that operate near the library. |
☐ |
☒ |
|
Will the project include data matching from different sources or profiling? Combining, comparing or matching personal data obtained from multiple sources. Example of where the answer would be YES: · Matching data from two/three different children’s systems to understand which children may be eligible to join a new learning programme. |
☐ |
☒ |
|
Will you be conducting large scale processing, this includes numbers, duration and geographical spread? Example of where the answer would be YES: · Processing data related to all/most children who reside in North Yorkshire · Tracking all/most individuals using public transport systems in North Yorkshire |
☐ |
☒ |
If you have answered YES to any of the questions above then a full DPIA must be carried out.
If you have answered NO to ALL of the above screening questions then a DPIA is not necessary. Please complete the declaration below and email a copy to the Data Governance Team, email: datagovernance@northyorks.gov.uk.
Date of Assessment |
11/8/22 |
Project Sponsor Name |
Tony Clarke ( Dean Richardson and Sharon Cousins) |
Project Sponsor Signature |
T Clarke |
Note: If the scope of work changes in any way then the pre-assessment MUST be repeated.