Data Protection (Privacy) Impact Assessment Policy and Procedure
Version: V2
Ratified by: Finance Investment Committee
Date ratified: 24/11/2021
Job Title of author:
Data Protection Officer IG and IT Projects Manager
Reviewed by Committee or Expert Group: Technology Project Board
Equality Impact Assessed by: IG and IT Projects Manager
Related procedural documents
IGPOL31 Data Protection Policy
IGPOL53 Information Security Policy
IGPOL65 Transferring Confidential Information
Review date: 24/11/2024
It is the responsibility of users to ensure that they are using the most up-to-date document template, i.e. the one obtained via the intranet.
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version: V1. Date: February 2018. Author: Information Governance and IT Projects Manager. Final. NEW POLICY. This Policy has been written in response to the requirements of the new Data Protection Regulations. It effectively replaces the procedures described in IGPRE28 – Assuring the Information Governance of New and Changed Systems, Processes and Services.
Version: V2. Date: August 2021. Author: Data Protection Officer & Information Governance and IT Projects Manager. Final. 3-year Review.
1. Introduction
Introduction of new systems, services or modifications to existing ways of working can have a major impact on Information Governance processes and systems already in place. It is vitally important that all proposed changes to service delivery and organisational processes are able to maintain the confidentiality, integrity and accessibility of information, in both paper and electronic formats.
The General Data Protection Regulation (GDPR) introduces the requirement of ‘Privacy by design’ and ‘Privacy by default’. This is an approach that considers privacy and data protection compliance from the start of any project or processing involving personal data and not as an afterthought. Trying to bolt on security or privacy controls later down the line can not only be costly to implement but can leave the organisation open to regulatory and reputational risks.
Article 25 of the GDPR requires that a Data Protection Impact Assessment is carried out prior to data processing which is ‘likely to result in high risk to the rights and freedoms of natural persons’.
The aim of this policy is to provide staff with information that promotes good practice and compliance with Data Protection Laws and other statutory requirements provided by the Information Commissioner's Office (ICO).
Not completing a Privacy Impact Assessment where one should have been completed can lead to fines of approximately £8.5m or 2% of annual turnover (whichever is higher) with the possibility of proceedings imposed by the ICO.
2. Purpose
The purpose of this policy is to ensure that risks to the rights and privacy of individuals are considered and minimised while allowing the aims of the project or processing activity to be met.
This document helps identify when a DPIA is required and it provides a standardised approach towards identifying, assessing and mitigating data protection and privacy risk and assists towards the delivery of compliance with legal statutory requirements.
Risks can be identified and addressed at an early stage by analysing how the proposed uses of data, technology and processes will work in practice. This analysis can be tested by consulting with the stakeholders who will be working on, or affected by, the project.
3. Definitions
Data Protection Impact Assessment (DPIA): Also known as a Privacy Impact Assessment, is a tool to help the organisation and staff identify and reduce any data protection or privacy risks prior to any planned data processing activity or before a project or change is delivered. It is a major part of Provide’s accountability obligations under the UK GDPR.
Caldicott Guardian: Is the organisation’s Medical Advisor and the senior person responsible for protecting the confidentiality of personal confidential data (PCD) information. The Caldicott Guardian plays a key role in ensuring that the organisation abides by the highest level of standards for handling Personal Confidential Data and Personal identifiable Data.
Data Protection Officer (DPO): Is an independent legal role required by the Data Protection legislation (GDPR). This person is responsible for overseeing the Data Protection Compliance of the organisation, informing and advising the organisation on its Data Protection obligations, providing advice to all staff across the organisation and acting as a contact point for data subjects and the Information Commissioner's Office (ICO).
Information Asset Owners: Are typically departmental heads and senior managers involved in running the relevant business services. Their role is to understand what information is held, how it is used, who has access and why. As a result they can understand and address risks to the Information Assets they 'own', providing assurance to the SIRO.
Responsible Project/ Initiative Lead or process owner: Is any member of staff, including flexible, permanent, new starters, locum, temporary, student and contract staff members who are tasked with and responsible for accomplishing "project"/process objectives and outcomes.
Senior Information Risk Owner (SIRO): The SIRO owns the information risk and incident management framework, overall information risk policy and risk assessment processes, ensuring they are implemented consistently throughout the business by the Information Asset Owners. Provide’s SIRO is the Group Chief Finance Officer & Company Secretary on behalf of the Board.
Data Security and Protection Toolkit (DSPT): Formerly known as the IG Toolkit, the tool is an online system which allows Provide to measure compliance against the National Data Guardian’s 10 data security standards. The toolkit is used to provide assurance that we are practising good data security and that personal information is handled correctly. It is a requirement of our NHS contracts that we complete the toolkit on an annual basis.
Information Asset: A body of information defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.
Personal Data: Any information relating to an identified or identifiable natural person (data subject).
Project: Shall mean any plan, process or proposal, which involves the use of information, data or technology. This shall also include any change that will amend the way in which the information, data or technology is handled.
Processing Activity: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
Must: The responsibilities and/or actions from NHS England, Department of Health (DoH), NHS Digital and the Information Commissioner's Office (ICO) required to be carried out as the minimum mandatory and statutory measure.
Should: The responsibilities and/or actions recommended to follow as good practice.
Technology: A term used to describe systems, tools, techniques and processes embedded in machines or devices which then store, study, retrieve, transmit, and manipulate data or information.
4. Scope
A DPIA is an integral part of the development and implementation of projects and must be applied to all "projects" or planned processing activity, allowing greater scope for influencing how the project will be implemented.
Projects and processing activities are recognised and delivered in different ways. Therefore, all staff must recognise that a DPIA must be completed and the form submitted to Information Governance in advance of the following circumstances and situations:
• The use of a trial period of technology, systems, devices or products which use data or information
• The use of charitable or free technology or products which use data or information
• Publishing personal identifiable or sensitive information or data on the internet or in other publicly available media types
• Procurement of technology, systems, devices or products which use data or information
• De-commissioning or disposal of technology, systems, or products which use data or information
• A change to existing processes or technology, systems, devices and products which will significantly amend the way data or information is handled
• The implementation or development of new processes, technology, systems, devices or products which involve the use of data or information
• Collection, retrieval, obtaining, recording or holding of new personal data or information
• Where the processing prevents data subjects from exercising a right or using a service.
• Evaluation and scoring (including profiling and predicting)
5. Duties
The SIRO and Senior Managers must ensure that this policy is adhered to by all staff.
The “responsible project lead”/process owner must: Examine the project at the earliest possible stage and make an initial assessment of data protection and privacy risks, by ensuring a DPIA form is completed and submitted to the IG team by e-mail. (see section 6 Procedure)
Accept accountability where some of the screening questions within the DPIA form apply to the project; therefore, it is likely that a full DPIA must be undertaken.
Recognise that should a full DPIA be deemed necessary, there is a legal obligation at this stage for the Data Protection Officer to be involved and the DPIA outcome must be integrated into the project plan before the project is developed and implemented.
Manage potential sources of risk and concerns as they arise, escalating to the senior business or technical roles as required.
Should a full (Stage 2 and/or 3) DPIA be necessary, communicate with IG team to work towards finalising any conclusions and recommendations.
Where the conclusions and recommendations have been provided by the IG team and the DPO and are:
ACCEPTED: Demonstration that consideration has been given to the sources of potential risk through the completion of a DPIA. Additionally, conclusions and recommendations are integrated into the main project plan.
NOT ACCEPTED: Demonstration that consideration has been given to the sources of potential risk through formally providing the rationale of non-acceptance. Additionally, conclusions and recommendations are integrated into the main project plan.
Co-operate and provide the ICO evidence of the updated project plan and DPIA, if requested via the IG Team
It is the responsibility of the IG team to:
Carry out an evaluation of the submitted DPIA form and declaration, to address the initial sources of potential risk.
Provide the responsible project/ initiative lead with guidance, if required.
Provide the responsible project lead and DPO with any recommendations or conclusions that seem necessary.
Escalate any uncooperative actions such as not accepting the risks, not carrying out mitigating tasks etc. to the SIRO and Caldicott Guardian.
The Data Protection Officer must:
Carry out an evaluation of the full DPIA to identify potential risks and sources.
Escalate any uncooperative actions to the SIRO and Caldicott Guardian (after escalation to relevant line manager)
Provide the responsible project lead and IAO with any recommendations and conclusions that seem necessary from the evaluation.
Escalate unaccepted conclusions and recommendations to the IG team and SIRO.
Communicate with the IG team and the responsible project lead, SIRO and IAO with the frequency and formality that they deem necessary. Where high risks are identified and cannot be mitigated, the DPO shall consult with the ICO for advice (prior consultation). Feed the relevant communication from the ICO to the responsible project lead, IG team and SIRO.
It is the responsibility of the Technology Team to review the technical and security documentation to the project and associated technical risks and provide the Data Protection Officer with data and cyber security recommendation(s) and conclusion(s).
It is the responsibility of the IAO to incorporate any recommendations and actions into Business as Usual Processes. To maintain any new information assets and flows into their Information Asset register.
6. Procedure
There are 7 steps to completion of a DPIA:
Identify the need for the DPIA – The Responsible Project/ initiative lead/process owner (hereafter referred to as “the lead”) must complete Stage 1 (Screening Stage) of the DPIA form. This consists of five short Yes/ No questions which will determine whether a DPIA is required. The form can be downloaded on the staff intranet (https://www.providecommunityplatform.co.uk/Interact/Pages/Content/Document.aspx?id=2574&SearchId=10062).
Where all questions are answered “No” in stage 1 the lead must submit this form to the Information Governance (IG) Team (provide.infogov@nhs.net) for review and sign off. If any of the questions are answered “yes” then Stage 2 of the DPIA form must be completed, following the instructions on the form.
Describe the data processing/information flows – describe how the information within the processing operation is collected, stored, used and deleted. Describe the nature, scope and type of personal data involved, who has access, if it will be shared and with whom, and for how long it will be retained. This step is documented in stages 2.1 and 2.2 of the DPIA form.
Consult with Stakeholders – Appropriate Stakeholders must be involved in the DPIA process in order to ensure all risks and requirements are adequately covered. As a minimum the following roles should be consulted:
• The person leading the project/service/process/change
• IT Team for any technical/security assessments/advice
• End user of new system/device, if applicable
• The Data Protection Officer
• The IG Team
If any of the above are not consulted, you should document the reason why not.
Assess Necessity and Proportionality – Establish your lawful basis for processing. Consider if your plans will help achieve the purpose of processing. Consider if there are other reasonable ways to achieve the results without processing the personal data.
You should also document other relevant details, which are captured in Stage 3 of the DPIA form, such as lawful basis for processing, how you intend to ensure data quality etc.
Identify privacy and related risks and identify and evaluate privacy solutions – The lead should complete Stage 2.3 and 2.4 in the DPIA form to determine the range of threats, and their related vulnerabilities, to the rights and freedoms of individuals whose data you collect and/or process. Some examples of privacy risks are highlighted in Annex A of the form.
After completion of stage 2 the lead must forward the completed form to the IG team for review (provide.infogov@nhs.net). The IG team will at this stage review the contents of the form and consider whether a Stage 3 review is required. A stage 3 review is required for any complex or higher risk processing activities. It is also required where a third party will be supplying or supporting a new system or where data is to be hosted on the cloud. A stage 3 review will also be required where there is not enough information supplied in stage 2 to determine any risks. Where a stage 3 review is required, the IG Team will co-ordinate this.
Record the DPIA outcomes and get sign-off – Once the form has been completed and submitted, the IG team will, in conjunction with the DPO, review the information and in particular the risks identified which will result in one of the following:
i) ACCEPTED: The DPIA will be signed off if there are no risks identified or sufficient actions have been identified to mitigate the risks to an acceptable level.
ii) NOT ACCEPTED*: Where any risks are identified that are considered significant or extreme and sufficient risk treatment controls have not been identified in the action plan or the risk cannot be reduced.
*Where it is the case that the risk cannot be reduced the DPO will submit the DPIA to the Information Commissioner's Office for consultation. They will advise whether the processing can proceed. Where sufficient controls have not been identified, the lead will be consulted to advise of this and to request that controls are revisited.
Integrate the DPIA outcomes into the project plan – the lead will need to continually refer to the DPIA in order to ensure that it is being followed and that its responses to the risks have been implemented effectively. It is therefore recommended that any actions identified as part of this process are incorporated into the main project plan for the initiative, where one exists.
If any significant risks have been identified and accepted these must be transferred to the Risk Register.
A flow diagram of the above process can be found in Appendix 1 of this policy.
The IG team and/ or DPO will be a point of contact should any lead need help or assistance carrying out the DPIA or in completion of the form.
7. Training
The requirement to undertake a DPIA is included within the annual mandatory IG training.
The IG team will from time to time provide additional training and awareness where a need is identified and will provide 1:1 assistance where assistance or advice is required.
It is recommended that all Project leads, IAO, Service leads undergo a more in-depth training on how to carry out an effective DPIA.
8. Additional Requirements
In order to accomplish the process, the responsible project lead/IAO/process owner will require access to the DPIA form which is available from the staff intranet.
9. Non-Compliance
The accountability principle within Article 5(2) of the GDPR requires Provide to demonstrate compliance with the GDPR principles. Therefore, the organisation has a legal obligation to implement technical and organisational measures such as DPIAs to demonstrate that data protection requirements and Privacy by Design Principles are being adhered to.
Non-compliance with this policy and in particular non-completion of a Data Privacy Impact Assessment where one is warranted may lead to disciplinary action.
10. Review
All staff are responsible for monitoring their compliance with the principles and procedures detailed within this document. Line managers and supervisors should also monitor compliance on a regular basis.
This policy will be reviewed every 3 years by the Information Governance Team. Earlier review may be required in response to exceptional circumstances, organisational change or relevant changes in legislation.
11. Data Protection Impact Assessment Form
The DPIA form template is available on the staff intranet and attached below as appendix 2.
Appendix 1: DPIA Process Flow Chart
Appendix 2: DPIA template
Data Protection (Privacy) Impact Assessment (DPIA) Form
*PIA Ref Number:
Name of Project/ Processing activity:
Proposed implementation Date:
Name of Person Completing DPIA:
Date of Completion:
*This will be entered by the IG Team
This form should be completed in consultation with IGPOL90 – DPIA Policy and Procedures. If you have any questions or would like any help in completing this document please contact the IG Team at provide.infogov@nhs.net
Please provide a brief description of this project/ initiative/ change (i.e. why you are completing this DPIA?)
Stage 1 – Screening Questions
These questions and the answers should be recorded here if it is not clear whether a full PIA should be completed for the project or initiative. You can expand on your answers as the project/ initiative develops if you need to.
Screening Question | Response (Yes/No) | Rationale
Will the project/initiative involve the collection of new information about data subjects?
Will personal data about individuals be disclosed to organisations or people who have not previously had routine access to the information?
Are you using personal data about individuals for a purpose it is not currently used for, or in a way it is not currently used?
Will the project/initiative result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private.
If you have answered “Yes” to any of the above please continue on to Stage 2. If you have answered “No” to all of the above questions then please sign the last page and send to the IG team.
Stage 2 – Describe the Processing/Information flow
This stage should be completed if you answered “Yes” to any of the questions above or if it is clear that a DPIA is required from the outset.
2.1 Project/initiative Aims and Objectives?
The project scoping document can be used here, if applicable. It is a good idea to link/ embed the document. You should explain the processing or project objectives, benefits to organisation and any other parties such as the data subjects (those individuals who you will be collecting information about). You should be able to summarise the reason for the DPIA here
2.2 Information Flows/ Processing of Information
Any suggested collection, purpose and volume of Person Identifiable Information (PII) should be recorded here. If an Information Mapping exercise has been completed this should be linked here and the information below should provide a summary of those maps:
Whom is the information processed about? (please tick √ all the related options)
Employees
Patients
Students
Agency Staff/ Volunteers
Partner businesses or organisations
Other
What are the Data Classes that will be held or processed as part of the implementation or change? (please tick √ all the related options)
Person sensitive details (name, address, postcode, date of birth, NHS number, IP address – please delete as appropriate)
Family, lifestyle and social circumstances (marital status, housing, travel, leisure activities, membership of charities – please delete as appropriate)
Education and training details (qualifications or certifications, training records – please delete as appropriate)
Employment details (career history, recruitment and termination details, attendance details, appraisals, other – please delete as appropriate)
Financial details (income, salary, assets, investments, payments, other – please delete as appropriate)
Criminal proceedings, outcomes and sentences
Goods or services (contracts, licenses, agreements etc.)
Racial or ethnic origins
Religious or other beliefs of a similar nature
Political opinions
Physical or mental health conditions
Offences including alleged offences
Sexual health
Trade Union membership
Other
(When data is processed, interpreted, organised, structured or presented so as to make them meaningful or useful, it is called information.)
How will the personal data be collected and transferred to the organisation?
Who will have access to the information?
Where will the information be held?
What will the information be used for?
How long will the personal data be retained? How will it be destroyed/deleted?
Will the Information be shared with anyone else? If so Who?
Does this Project/ Initiative involve the use of a System Supplier? If so please provide details.
If personal, sensitive or business sensitive data is being processed by the system, has this been added to the relevant Data Flow Mapping document?
Attach Information Mapping Spreadsheet here if you have completed this
2.3 Highlight Risks and Identify Controls
All key risks should be highlighted here with any controls that have been identified. All risks to the project should be held on a formal risk register (See Examples of Privacy Risks and Controls in Annex A and B)
2.4 Action Plan
This section should allow you to document any actions that are required throughout the project to ensure the controls are implemented correctly. If you have a Project Action plan then these should be reflected on it.
No Proposed Controls Action required to implement Approved
completed by whom and When
Stage 3 – Information Governance Assurance
Please note that not all projects or initiatives will require completion of stage 3. Once you have completed Stage 2 please send to the Information Governance Team who will advise – provide.infogov@nhs.net
If you have been requested to complete a Stage 3 review please ensure that any risks identified at this stage are included in section 2.3 and appropriate actions identified.
A CONFIDENTIALITY/ DATA PROTECTION
A1 Have you identified the legal basis for processing of this information? If “yes” please specify
A2 If you have identified “Consent” as the legal basis for processing. Have you identified mechanisms for obtaining and recording consent? If “yes” please specify.
A3 Are processes in place to inform patients/service users how their information will be used at the time they are asked to provide it?
A4 Are protocols in place to govern the sharing of information with agencies outside of the Health Service where this is occurring?
A5 Do you intend to send direct marketing messages by electronic means? This includes live and pre-recorded telephone calls, email and text message.
A6 If direct marketing messages will be sent, are consent and opt-out procedures in place?
A7 Are third party contractors involved in the supply or maintenance of the system? Please state their ICO registration in the further info field.
Personal Data: https://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm
Sensitive Categories of Data: https://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm
Access to Health Records
Confidentiality Code of Conduct Policy. Your Information Your Right’s Leaflets, other locally produced leaflets/ guidance
A8 If you have answered “Yes” to the above have the third parties completed a Data Security and Protection Toolkit? Please include their toolkit score
A9 Do the third party/ supplier contracts contain all the necessary Information Governance clauses including contractual clauses for Data Protection and Confidentiality?
Please supply a copy of the contract
A10 Are you transferring any personal or sensitive data to a country outside the European Economic Area (EEA)? If “yes” where?
A11 Will patient/staff/ other information still be accessible for Subject Access Requests/Access to Health Records requests?
B1 Has consideration been made as to how the information will be kept up to date and checked for accuracy and completeness? If so please state briefly how.
B2 Where applicable does the system have the ability to record and verify NHS number?
B3 Has consideration been given to methods for data validation? Validation is an automatic computer check to ensure that the data entered is sensible and reasonable. It does not check the accuracy of data. E.g. someone’s date of birth should not be able to be recorded as a date in the future, a man should not be able to be recorded as pregnant etc.
Data Protection Policy
Access to Health Records Policy. https://www.provide.org.uk/access-to-your-information/
Subject Access Requests from Staff for access to their Personal Data Policy and Procedures.
Data Quality Policy
NHS Number Strategy and Procedure
Data Quality Policy
B4 Are national or locally defined data standards being used wherever possible?
B5 Where different systems are recording the same data, are processes in place to ensure there are no inconsistencies between them?
B6 Can changes to records be tracked to identify who has made the change i.e. audit trail in electronic system?
C INFORMATION SECURITY
C1 Are relevant security systems in place to ensure that identifiable information is protected from unlawful or unauthorised access e.g. appropriate access controls? Please describe these
C2 Have processes been considered to protect information from accidental loss, destruction or damage?
C3 Are controls in place to physically protect Information assets and ensure availability of utilities and services?
C4 Are controls in place to protect the system/network from malicious software? Please describe these
Data Quality Policy
List of current national data standards: https://digital.nhs.uk/data-and-information/information-standards/information-standards-and-data-collections-including-extractions/publications-and-notifications/standards-and-collections
Data Quality Policy
Data Quality Policy/ Information Security Policy
Information Security Policy
Security Policy
Security Policy
Security Policy
C5 Are appropriate and secure backup processes in place? Information Security Policy
C6 Where information is to be shared, have secure methods been identified for this to happen? Please describe these
C7 If third party contractors are involved in the supply or maintenance of the system, do they have ISO27001 Accreditation? If “Yes” please attach their ISO27001 certificate.
D RECORDS MANAGEMENT
D1 Where will the information be kept/ stored?
On Paper
On a Database on a network share Dedicated System
Information Security Policy Transferring of Personal Information Policy
D2 Have retention periods been identified for the Information Asset(s) in line with the organisation’s retention schedules?
D3 Have disposal requirements been identified?
D4 Have you included any new assets on your Information Asset Register? (Flowz)
E FREEDOM OF INFORMATION
Records Management Policies Retention & Disposal Schedules available on the staff intranet
Records Management Policy
E1 If the system holds information relevant to a Public Authority Commissioned service will information still be accessible when needed for Freedom of Information requests?
Freedom of Information Policy and Procedure
Ensure that any Risks identified at Stage 3 are included in Section 2.3
Sign Off and Approval
Once this document has been completed and the solutions agreed it should be signed off by the Project Lead and the Information Governance Manager within the organisation
Project Lead (Person Undertaking Review)
Name:
Position:
Signed by: ________________________________ Date:
Information Governance Team ONLY
Stage 3 Review Required?*
DPO Advice provided?
Copy of contract received and reviewed
Summary of DPO Advice
DPO Advice accepted or overruled by (and reasons why overruled):
* If Stage 3 deemed as not required please state why in the comments field and remove Stage 3 template from final form.
The named persons above and the Information Governance Team of Provide will retain copies of this DPIA
Annex A – Types of Privacy Risks
Risks to individuals
• Likelihood of personal data being shared inappropriately – sometimes due to inadequate disclosure controls
• Potential for personal data to be used for different purposes without the data subject’s knowledge - the context in which information is used or disclosed can change over time
• Breach arising from sharing personal data with third parties
• New surveillance methods may be an unjustified intrusion on their privacy.
• Inappropriate methods used in data collection - Measures taken against individuals as a result of collecting information about them might be seen as intrusive.
• Potential to collect more personal data than is necessary – For example the sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.
• Identifiers might be collected and linked which prevent people from using a service anonymously.
• Accidental disclosure of personal data - Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information.
• Existence of duplicate records - Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, presents a greater security risk.
• Personal data kept for longer than necessary - If a retention period is not established information might be used/kept for longer than necessary.
Compliance Risks
• Non-compliance with GDPR/ DPA 2018
• Non-compliance with the common law duty of confidentiality
• Non-compliance with the duties in the Health and Social Care (Safety and Quality) Act 2015
• Non-compliance with the Privacy and Electronic Communications Regulations (PECR)
• Non-compliance with sector specific legislation or standards
• Non-compliance with human rights legislation
• Non-compliance with Organisational Policies
Organisational Risks
• Non-compliance with the GDPR/ DPA or other legislation can lead to sanctions, fines and reputational damage.
• High cost of repair - Problems which are only identified after the project has launched are more likely to require expensive fixes.
• Loss of service users - The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation.
• High cost/unnecessary cost of storage - Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business and can be costly.
• Public distrust about how information is used can damage an organisation’s reputation and lead to loss of business.
• Compensation claims - Data losses which damage individuals could lead to claims for compensation.
Annex B – Controls for Treating Privacy Risks
There are many different steps which organisations can take to reduce a privacy risk. Some of the more likely measures include:
• Deciding not to collect or store particular types of information.
• Devising retention periods which only keep information for as long as necessary and planning secure destruction of information.
• Ensuring that staff are properly trained and are aware of potential privacy risks.
• Developing ways to safely anonymise the information when it is possible to do so.
• Producing guidance for staff on how to use new systems and how to share data if appropriate.
• Using systems which allow individuals to access their information more easily and make it simpler to respond to subject access requests.
• Taking steps to ensure that individuals are fully aware of how their information is used and can contact the organisation for assistance if necessary.
• Selecting data processors who will provide a greater degree of security and ensuring that agreements are in place to protect the information which is processed on an organisation’s behalf.
• Producing data sharing or processing agreements which make clear what information will be shared, how it will be shared and who it will be shared with.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’
Name of project/policy/strategy (hereafter referred to as “initiative”):
Data Protection (Privacy) Impact Assessment Policy and Procedures
Provide a brief summary (bullet points) of the aims of the initiative and main activities:
The purpose of this policy is to ensure that risks to the rights and privacy of individuals are minimised while allowing the aims of the project or initiative to be met.
Project/Policy Manager: IG and IT Projects Manager Date: November 2021
This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. has no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.
Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.
Data subjects whose information is being processed will benefit. It will also ensure that groups/ communities are not disadvantaged or their information put at risk when new projects or initiatives are put in place.
Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?
No
Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.
No
Guidelines: Things to consider
Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.
The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.
Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, just as importantly, to take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.
Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan. Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?
It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.
It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or a monitoring/evaluation system will be set up to review a policy’s impact over time.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:
(To be used where the ‘screening’ phase has identified a substantial problem/concern)
This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.
Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?
N/A
Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?
N/A
Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?
No
Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.
N/A – This is a legal requirement
Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be considered?
N/A
Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.
N/A
Guidelines: Things to consider
An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.
It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.
The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.
If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.