Data protection impact assessment (DPIA)

A data protection impact assessment (DPIA) is a process that helps you systematically identify, analyse and where possible mitigate the data protection risks of specific projects, plans or activities within your organisation. This DPIA template can be used for any use of health and care data or other data, such as employment data.

What is a DPIA?

A DPIA is a process that helps you systematically identify, analyse and where possible mitigate the data protection risks of specific projects, plans or activities within your organisation.

It helps you assess and demonstrate compliance with your data protection obligations.


Why should your organisation complete a DPIA?

Where there is a high risk to individuals, for example when you are using or sharing the health and care data of a large number of people, you are legally required to complete a DPIA.

However, even if it is not legally required, it is best practice to conduct a DPIA whenever you are using and sharing sensitive information, such as identifiable information about a person’s care. A DPIA will help you identify and prevent problems with your planned project or activity, reducing the associated costs and reputational damage which might otherwise occur.

It is also a mandatory requirement of the Data Security and Protection Toolkit that health and care organisations understand when a DPIA is needed and have their own process in place for conducting DPIAs.


In what circumstances can the universal DPIA template be used?

The DPIA template can be used for any use of health and care data or other data such as employment data.

This includes by research sponsors who wish to use data for research purposes. The template includes further information about how the template can and can’t be used in research. The HRA also has guidance on the use of DPIAs in research settings.


At what point should a DPIA be completed?

A DPIA should be completed during the planning stage of a project before any health and care data is used or shared. For example, if you were implementing a new technical system for managing patient records, you would need to complete a DPIA when designing the new system before any medical records were transferred over.

If the information sharing is a high risk to individuals, completing a DPIA is a legal requirement. However, you may not know whether a specific project will legally require a DPIA until you have completed a preliminary assessment.

A preliminary assessment is built into the NHS England DPIA template via some questions at the start of the document, which you can use to justify whether you need to complete a full DPIA.


Who should fill out the DPIA?

The DPIA should be filled out by staff members who understand the details of the project or activity and how information will be used and shared, such as the project or service lead.

You should be supported by your organisation’s data protection officer (DPO), IG lead or team, or by your management team if you are a small organisation.


What information is needed to complete a DPIA?

You will need to know the details about the type of data involved in your project or activity, how your organisation will be using and sharing the data, and the lawful basis to justify the use of the data.

If you do not have this information, you should ask your DPO, your IG lead or team, or your management team for support.


Who should review and approve the DPIA?

This will depend on your governance process, the data your project involves and the associated risks.

If you work in a larger organisation, your DPIA might need to be reviewed and approved by your:

  • DPO
  • senior information risk owner (SIRO)
  • Caldicott Guardian
  • information asset owner (IAO)
  • IG lead
  • IT or cyber lead

If you work in a smaller organisation, your DPIA will likely need to be reviewed and approved by a member of your management team.

You should speak to your organisation’s DPO, IG lead or team, or your management team to find out whose approval is needed.


What should your organisation do with the DPIA after it is approved?

Any mitigating actions identified in the DPIA to reduce risk should be factored into your project plan where relevant, for example creating a new process to be followed when sending and receiving information, or rolling out a training programme.

If you have any risks that remain high even after applying mitigating actions, you must consult the ICO before starting to use or share information.

The DPIA should be reviewed and updated whenever necessary. This may be, for example, when there is a change to how information is being used or shared.

See the ICO’s guidance for more information about what you need to do after completing your DPIA.


Download the template DPIA

These IG pages provide clear and consistent IG advice and guidance to patients and service users, health and care staff and IG professionals. NHS England convenes a working group to check and challenge the guidance.

Last edited: 7 May 2026 12:43 pm