Determine if you need to carry out a Data protection Impact Assessment. This must be carried out before the project begins.
Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. Learn more at Data Protection Impact Assessment Overview.
To determine whether you will need to complete a DPIA, complete the following screening questions, if the answer to any of these is 'yes', then a DPIA is required.
|DPIA Screening Questions||Y/N|
|Will the project involve the collection of new information about individuals?|
|Will the project require individuals to provide information about themselves?|
|Will information about individuals be shared with organisations or people who have not previously had routine access to the information?|
|Will the project use information about individuals for a purpose it is not currently used for, or in a way it is not currently used?|
|Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.|
|Will the project result in you making decisions or treating individuals in ways which can have a significant impact on them?|
|Is the information about individuals likely to raise privacy concerns or expectations, for example, health records or information that people would consider to be particularly private?|
Will the project require contact with individuals in ways they may find intrusive, for example, unexpected telephone calls?
|Will the project use personal data, including personal data obtained from live or operational systems for access or transfer outside the UK (e.g. use of Cloud, Hybrid or offshore support purposes)?|
Will the project involve processing special category personal data?
|Will the project involve the processing of under 18’s personal data?|