Data Protection Impact Assessment (DPIA) – Screening Questions
Overview
A Data Protection Impact Assessment (DPIA) is essential to ensure that new systems and processes are compliant with Data Protection Legislation (GDPR and the Data Protection Act 2018). A DPIA is mandatory when introducing new technology or where the processing operation is “likely to result in a high risk to the rights and freedoms of natural persons”. The risk is considered high when processing personal information about a living person. Failure to carry out a DPIA, or failure to carry one out correctly when the risk is high, may result in a large fine.
What is Personal Data?
“personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
It may be that a single piece of information can identify an individual, or it may be that it requires a combination of information to identify them. The following information would be considered personal data:
· Name
· Address
· Date of birth
· Email address (personal and work)
· NI number
· Bank details
Personal data also extends to items such as a photo, posts on social media or an IP address.
What is Special Category Data?
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.”
The following information would be considered special category data:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data*
- Data concerning health
- Data concerning a person’s sex life
- Data concerning a person’s sexual orientation
*Biometric Data: physical or physiological identification techniques – e.g. fingerprint verification, facial/voice recognition, keystroke/handwriting analysis, gait and gaze analysis.
In order to determine whether a DPIA is necessary, insert the required information into the table below and complete the checklist.
If the answer is YES to any of the screening questions in the checklist then a DPIA must be carried out.
Data Protection Impact Assessment (DPIA) – Screening Questions
|
Project/Process Title |
3585 Double Devolution |
||
|
Directorate / Service Area |
Locality Engagement |
||
|
Overview of Project/Process |
The proposal for local government reorganisation in North Yorkshire included a commitment to pilot double devolution and provide opportunities for town and parish councils and community groups that would like to manage services and assets on behalf of the unitary council. This project is looking at identifying 6 pilot areas to commence from April 2024.
|
||
|
Screening Questions |
Yes |
No |
Justification for Answer |
|
Will your project/app/system involve processing of information about individuals which includes special category or criminal conviction data? Please note this does include ‘anonymous’ data within these categories if unique identifiers such as initials or reference numbers are also processed. If you are processing any of the below types of personal data your answer should be YES: · Racial or ethnic origin · Political opinions · Religious or philosophical beliefs · Trade union membership · Genetic data · Biometric data · Data concerning health · Data concerning a person’s sex life · Data concerning a person’s sexual orientation · Criminal conviction data |
☐ |
☒ |
From the expressions of interest received there is no need for any processing of information in relation to individuals. The project is looking to develop specific assets and or services that the Towns and Parish councils are interested in taking responsibility for. None of these services or assets are regarding individuals but more management of properties, or land management. |
|
Will you be collecting new personal information about individuals, or information which, if breached could have a significant impact on an individual? Examples where the answer would be YES: · This a new system/process processing personal data that has not been previously collected · This is an existing system/process processing personal data but additional data must be collected due to a change in scope of the system/process · Data which has routinely been collected is being collected in a new way, this data is very sensitive and would cause distress to the data subject if it was breached |
☐ |
☒ |
No new information will be gathered regarding individuals. The information gathered is more in relation to the Town and Parish councils legal and financial viability to take on the assets and or services. |
|
Will information about individuals be disclosed or shared with organisations or people who have not previously had routine access to the information? Example of where the answer would be YES: · There is a requirement to share information with an external 3rd party who has not previously had access to the data. This would also result in the need for a Data Sharing Agreement (DSA). |
☐ |
☒ |
No information will be disclosed or shared with organisations or people who have not always had access to information. |
|
Are you going to use information you already hold about individuals for a purpose it is not currently used for? Example of where the answer would be YES: Matching information from different systems/data sources, where purpose/lawful basis of original data collection may differ Details of the Information Asset in question will be contained within NYCC’s Information Asset Register (IAR) and the purpose for processing, along with the legal basis for processing will be recorded. The way information will be used in this new system/process must match the existing purpose/legal basis, otherwise a DPIA is required |
☐ |
☒ |
No, we will not be gathering personal information or matching systems and or data sources. |
|
Does the project involve using technology which might be perceived as privacy intrusive or monitoring any publicly accessible areas? For example, CCTV, facial recognition, use of biometrics* such as thumb prints, Vehicle number plate recognition or location tracking. |
☐ |
☒ |
The project does not involve the use of any technology which might be perceived as privacy intrusive. The project is the transfer of assets and or services to Town and or Parish councils. |
|
Does any phase of project/system/ app use automated decision making based on information provided by the individual or received from a 3rd party? Automated individual decision-making is a decision made by automated means without any human involvement (e.g. online credit checks). Example of where the answer would be YES: · A new piece of software is being implemented which checks an applicant’s geographical location, age and household income and automatically offers a free service to eligible applicants when certain conditions are met |
☐ |
☒ |
No, at all points decision making will be done through an evaluation board. |
|
Will the project include marketing or contacting individuals which may be considered intrusive? By phone, by email or by post, where they have not be informed/are not expecting that this contact will take place. Example of where the answer would be YES: · I have access to a list of email addresses which were collected for the purpose of setting people up as users of their local library. I’d like to send them a notice about a new transport services available that operate near the library. |
☐ |
☒ |
The only marketing will be form the successful Town and or Parish council promoting that they are the body responsible for the delivery of a specific asset and or service. |
|
Will the project include data matching from different sources or profiling? Combining, comparing or matching personal data obtained from multiple sources. Example of where the answer would be YES: · Matching data from two/three different children’s systems to understand which children may be eligible to join a new learning programme. |
☐ |
☒ |
There is no requirement for data matching from sources or profiling. No individuals data is being reviewed or shared. |
|
Will you be conducting large scale processing, this includes numbers, duration and geographical spread? Example of where the answer would be YES: · Processing data related to all/most children who reside in North Yorkshire · Tracking all/most individuals using public transport systems in North Yorkshire |
☐ |
☒ |
No, there is no processing of data required for this project as it does not relate to data but assets (property) or services Markets, public conveniences). |
If you have answered YES to any of the questions above then a full DPIA must be carried out.
If you have answered NO to ALL of the above screening questions then a DPIA is not necessary. Please complete the declaration below and email a copy to the Data Governance Team, email: datagovernance@northyorks.gov.uk.
|
Date of Assessment |
9/6/23 |
|
Project Sponsor Name |
Rachel Joyce |
|
Project Sponsor Signature |
Rachel Joyce at KIT 9/6/23 |
Note: If the scope of work changes in any way then the pre-assessment MUST be repeated.