Legal Services


Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. This must be carried out before the project begins.

UCL has two types of DPIA (professional / general use and research), please read the guidance document for information on how to complete the DPIA for professional services / general use.

To determine whether you will need to complete a DPIA, complete the following screening questions, if the answer to any of these is 'yes', then a DPIA is required. 

DPIA Screening QuestionsY/N
Will the project involve the collection of new information about individuals? 
Will the project require individuals to provide information about themselves? 
Will information about individuals be shared with organisations or people who have not previously had routine access to the information? 
Will the project use information about individuals for a purpose it is not currently used for, or in a way it is not currently used? 
Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition. 
Will the project result in you making decisions or treating individuals in ways which can have a significant impact on them? 
Is the information about individuals likely to raise privacy concerns or expectations, for example, health records or information that people would consider to be particularly private? 

Will the project require contact with individuals in ways they may find intrusive, for example, unexpected telephone calls?

Will the project use personal data, including personal data obtained from live or operational systems for access or transfer outside the UK (e.g. use of Cloud, Hybrid or offshore support purposes)? 

Will the project involve processing special category personal data?




1. DPIA for professional services / general use:


When completing the DPIA for professional services/ general use, please refer to the guidance document: 


There is also an additonal/lternative form for professional service type projects: 


2. DPIA  for research (please note this is a pdf fillable form, in order to save a copy you will need to use (Ctrl+Shift+S) or click on the download button to save to your local file: 


You can find out more information about research DPIAs on the UCL Data Protection webpages.