Data Protection Impact Assessment (DPIA) – Screening Questions
Overview
A Data Protection Impact Assessment (DPIA) is essential to ensure that new systems and processes are compliant with Data Protection Legislation (GDPR and the Data Protection Act 2018). A DPIA is mandatory when introducing new technology or where the processing operation is “likely to result in a high risk to the rights and freedoms of natural persons”. The risk is considered high when processing personal information about a living person. Failure to carry out a DPIA, or failure to carry one out correctly when the risk is high, may result in a large fine.
What is Personal Data?
“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
It may be that a single piece of information can identify an individual, or it may be that it requires a combination of information to identify them. The following information would be considered personal data:
· Name
· Address
· Date of birth
· Email address (personal and work)
· NI number
· Bank details
Personal data also extends to items such as a photo, posts on social media or an IP address.
What is Special Category Data?
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.”
The following information would be considered special category data:
*Biometric Data: physical or physiological identification techniques – e.g. fingerprint verification, facial/voice recognition, keystroke/handwriting analysis, gait and gaze analysis.
In order to determine whether a DPIA is necessary, insert the required information into the table below and complete the checklist.
If the answer is YES to any of the screening questions in the checklist then a DPIA must be carried out.
| Project/Process Title | 4021 Library Management System-Re-procurement |
| Directorate / Service Area | Community Development-Culture, Arts and Leisure |
| Overview of Project/Process | To procure a Library Management System (LMS) due to current contract ending in March 2025. This contract has been in place since 2015 so using the full 7 years with a further extension agreed in 2022 to cover the LGR implementation period. A further extension would not be compliant or necessarily desirable. This procurement is for an improved but essentially a replacement product with no major impact on working practices, the minimum requirements for the system to manage and monitor the service remaining largely unchanged from the previous system specification. There is, however, increased customer expectation around their ability to self-serve and the ease of access to do so which should inform the Quality part of the tender questionnaire. A range of peer networks and events has allowed service managers to maintain current awareness of products and developments in the market and hosting Discovery Days will highlight new developments to further inform the process. It is anticipated that the current service budget is sufficient to cover costs including implementation. |
| Screening Questions | Yes | No | Justification for Answer |
| --- | --- | --- | --- |
| Will your project/app/system involve processing of information about individuals which includes special category or criminal conviction data? Please note this does include ‘anonymous’ data within these categories if unique identifiers such as initials or reference numbers are also processed. If you are processing any of the below types of personal data your answer should be YES: · Racial or ethnic origin · Political opinions · Religious or philosophical beliefs · Trade union membership · Genetic data · Biometric data · Data concerning health · Data concerning a person’s sex life · Data concerning a person’s sexual orientation · Criminal conviction data | ☒ | ☐ | The system will hold info on name, DOB and where a person lives. No special category info will be collected. |
| Will you be collecting new personal information about individuals, or information which, if breached, could have a significant impact on an individual? Examples where the answer would be YES: · This is a new system/process processing personal data that has not been previously collected · This is an existing system/process processing personal data but additional data must be collected due to a change in scope of the system/process · Data which has routinely been collected is being collected in a new way, this data is very sensitive and would cause distress to the data subject if it was breached | ☒ | ☐ | Information collected will extend to Name, DOB, address and email address. It will not necessarily result in new info being gathered but this is not yet scoped as to what the new service could offer. Whilst initially this is a like-for-like procurement, extra self-serve offers may be available for use of the customer. |
| Will information about individuals be disclosed or shared with organisations or people who have not previously had routine access to the information? Example of where the answer would be YES: · There is a requirement to share information with an external 3rd party who has not previously had access to the data. This would also result in the need for a Data Sharing Agreement (DSA). | ☒ | ☐ | Yes, this is a potential change dependent on who is successful at tender. Should the current provider not resubmit interest or not be successful then all info will need to be shared with the new provider. |
| Are you going to use information you already hold about individuals for a purpose it is not currently used for? Example of where the answer would be YES: Matching information from different systems/data sources, where purpose/lawful basis of original data collection may differ. Details of the Information Asset in question will be contained within NYCC’s Information Asset Register (IAR) and the purpose for processing, along with the legal basis for processing, will be recorded. The way information will be used in this new system/process must match the existing purpose/legal basis, otherwise a DPIA is required. | ☒ | ☐ | Information will need to be transferred from one provider to another if not the current one. |
| Does the project involve using technology which might be perceived as privacy intrusive or monitoring any publicly accessible areas? For example, CCTV, facial recognition, use of biometrics* such as thumb prints, Vehicle number plate recognition or location tracking. | ☐ | ☒ | |
| Does any phase of project/system/app use automated decision making based on information provided by the individual or received from a 3rd party? Automated individual decision-making is a decision made by automated means without any human involvement (e.g. online credit checks). Example of where the answer would be YES: · A new piece of software is being implemented which checks an applicant’s geographical location, age and household income and automatically offers a free service to eligible applicants when certain conditions are met | ☐ | ☒ | |
| Will the project include marketing or contacting individuals which may be considered intrusive? By phone, by email or by post, where they have not been informed/are not expecting that this contact will take place. Example of where the answer would be YES: · I have access to a list of email addresses which were collected for the purpose of setting people up as users of their local library. I’d like to send them a notice about new transport services available that operate near the library. | ☐ | ☒ | The changes to the service should be minimal and managed through staff. Staff and volunteers should be supported to offer support to customers who may be struggling with any changes that occur. There is a possibility that other info will be shared with users of the library. |
| Will the project include data matching from different sources or profiling? Combining, comparing or matching personal data obtained from multiple sources. Example of where the answer would be YES: · Matching data from two/three different children’s systems to understand which children may be eligible to join a new learning programme. | ☒ | ☐ | Should the provider change from the current one then yes, we will look to match data to transfer rather than ask people to resubscribe. |
| Will you be conducting large scale processing, this includes numbers, duration and geographical spread? Example of where the answer would be YES: · Processing data related to all/most children who reside in North Yorkshire · Tracking all/most individuals using public transport systems in North Yorkshire | ☒ | ☐ | Yes, this system will relate to all customers who use the library in North Yorkshire and therefore will have large scale processing. |
If you have answered YES to any of the questions above then a full DPIA must be carried out.
If you have answered NO to ALL of the above screening questions then a DPIA is not necessary. Please complete the declaration below and email a copy to the Data Governance Team, email: datagovernance@northyorks.gov.uk.
| Date of Assessment | 4/7/23 |
| Project Sponsor Name | Hazel Smith |
| Project Sponsor Signature | |
Note: If the scope of work changes in any way then the pre-assessment MUST be repeated.