Data Protection Impact Assessment (DPIA)
The Data Protection & Freedom of Information Office (DP&FOI Office) provide advice and recommendations in relation to Data Protection Impact Assessments (DPIAs) that are shared with them for review and comment.
A DPIA is a tool for building and demonstrating compliance and trust and for protecting the rights and interests of data subjects. A DPIA is a legal requirement when conducting research or projects involving human participants or when the processing is likely to result in a high risk to data subjects.
Carrying out a DPIA
A DPIA is carried out at the start of any project that will process personal data, or when making a significant change that affects the risk level to personal data. Assess and integrate DPIA actions into your project plan and deliver on them.
Examples of when a DPIA may be required include:
- undertaking research involving human data subjects
- building or migrating to new IT systems for storing or accessing personal data
- developing or amending a policy or strategy that has privacy implications
- embarking on new data sharing initiatives with other organisations
- using personal data for new purposes
DPIA responsibility
A DPIA is a legal requirement in certain circumstances. It allows you to assess and integrate DPIA actions into your project plan and deliver on them so that appropriate technical and organisational measures are put in place to mitigate risks to personal data.
- For research projects, the Principal Investigator is responsible for the DPIA.
- For non-research projects/initiatives the project lead is responsible for the DPIA. The DPIA should be retained with all other project documentation for the duration of the project.
The DP&FOI Office do not approve or sign off on DPIAs. It is the responsibility of the Principal Investigator or Project Leader to either accept or overrule the recommendations issued by the DP&FOI Office. If the latter, this should be justified and recorded on the DPIA.
Data Protection Impact Assessment template
To evidence compliance with best practice, UofG has adopted the ICO DPIA template and tailored it for UofG use.
Support and guidance
Where guidance or further information is necessary, consult the DP&FOI Office and, where relevant, external stakeholders and experts.
If your research concerns human subjects in health and social care settings (staff, patients, their families and carers, data, or tissue) please consult with the University's Research Regulation and Compliance (RRC) team. DPIAs for research in health and social care should be sent directly to the RRC team.
The DP&FOI Office will only review DPIAs involving data subjects (outwith health and social care settings) that are classified as high risk. Review the Information Risk Classifications to determine if you are working with high risk data.
Later, when your new process is in place, your DPIA will provide valuable evidence for the University's Information Asset Register, for ongoing review, and as evidence to the ICO.
DPIA review times
Due to high demand, if you submit your DPIA to the DP&FOI Office, it may take in excess of 8 weeks for us to provide an initial review. Depending upon the complexity of your project, there may also be extensive follow-up discussion before your DPIA is finalised. Please ensure that you leave enough time ahead of project initiation to accommodate DPIA review timescales.