The Importance of a DPIA

photo-1527345931282-806d3b11967f-2

A Data Protection Impact Assessment (DPIA) helps Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal data. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur. DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles.

Consequnces

Failure to conduct a DPIA, or failures in the process, can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. 

A recent Norwegian case saw the data protection authority impose a fine of almost €47,000 on a town council in relation to its digital learning app. The Council communicated health-related information between school and home via the app, but insufficient security was put in place to avoid users accessing the personal data of others in their group. No risk assessment, DPIA or testing was undertaken before the application was rolled out. In May 2020, a company in Finland was fined €16,000 for failing to undertake a DPIA before  processing  the  location data of its employees by tracking vehicles.

Of course there is also the reputation damage of not conducting a DPIA especially when it comes to large scale projects which rely on public confidence to ensure take up and success. The Government has been criticised recently after it admitted that it had failed to complete a DPIA for the Covid19 Track and Trace Programme.

Article 35

Article 35 contains an obligation on Data Controllers to conduct a DPIA before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted. Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP, now the EDPB) data protection impact assessment guidelines and the ICO’s DPIA guidance.

Carrying out a DPIA is not mandatory for every personal data processing operation.
It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Such processing, according to Article 35(3)), includes (but is not limited to):

  • systematic and extensive evaluation of personal aspects relating to an individual  which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significant effect the individual
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
  • a systematic monitoring of a publically accessible area on a large scale

So what other cases will involve “high risk” processing that may require a DPIA?
The ICO’s DPIA guidance states that it requires a Data Controller to conduct a DPIA if it plans to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant.
Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.

Help

Act Now is using its expertise to help make the task of conducting a DPIA less daunting. We are supporting an exciting new public sector collaboration  to  co-design and develop a Digital DPIA which should make this task much easier. The final product will be available in the Autumn. Watch this space! We are also running a series of online workshops on How to do a DPIA.

Act Now Supporting Innovative Digital DPIA Project

EQaZlPcXsAEyAX4

Act Now Training is pleased to announce that it is supporting a new public sector collaboration to co-design and develop a digital approach to Data Protection Impact Assessments (DPIAs).

This innovative six month project will help Data Controllers conducting DPIAs to ensure that a ’Data Protection by Design and Default’ approach is embedded into the process. The project is also supported by the Information Commissioner’s Office, NHSX and the Information and Records Management Society.

Greater Manchester Combined Authority, the London Office of Technology and Innovation, Norfolk County Council and the University of Nottingham are leading the project which follows on from a successful alpha phase undertaken last year. A full project overview can be read here: https://cc2i.org.uk/digital-dpia/

Ibrahim Hasan, Director of Act Now Training, said:

“We are really pleased to be supporting this innovative new project alongside the Information Commissioner’s Office, NHSX and the IRMS. A digital DPIA solution will be a valuable tool to help DPOs ensure that privacy and data protection are at the heart of every new data driven project.”

Are you a public authority wishing to a share in this exciting new project and shape the future of the Digital DPIA? Using a proven co-funding approach (similar to crowdfunding, but on a corporate level), the collective is actively looking for partners to join them in this cost-neutral project.

A webinar on the project and approach is being hosted on Wednesday 12th at 2pm. Led by Stephen Girling, Information Governance Project Manager at GMCA and Lianne Hawkins, Head of Service Design at Looking Local, this webinar will cover:

  • The background and outcomes of the original Digital DPIA alpha project undertaken by GMCA – including the headline business case
  • The benefits of a uniform approach to DPIAs across public sector
  • The work packages planned to deliver a digital DPIA solution
  • Partner benefits and their motivation to be part of this collaborative approach
  • Project partners timelines & what’s involved

We would encourage all our blog subscribers to register for the webinar here: http://bit.ly/2ScGdi2 A recording of the webinar will also be available. Please email  irene.zdziebko@cc2i.org.uk 

Act Now launches GDPR Policy Pack

ACT NOW NEWS

The first fine was issued recently under the General Data Protection Regulation (GDPR) by the Austrian data protection regulator. Whilst relatively modest at 4,800 Euros, it shows that regulators are ready and willing to exercise their GDPR enforcement powers.

Article 24 of GDPR emphasises the need for Data Controllers to demonstrate compliance through measures to “be reviewed and updated where necessary”. This includes the implementation of “appropriate data protection policies by the controller.” This can be daunting especially for those beginning their GDPR compliance journey.

Act Now has applied its information governance knowledge and experience to create a GDPR policy pack containing essential documentation templates to help you meet the requirements of GDPR as well as the Data Protection Act 2018. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent £500,000 fine levied on Equifax by the Information Commissioner under the Data Protection Act 1998.

We have also included template letters to deal with Data Subjects’ rights requests, including subject access. The detailed contents are set out below:

  • User guide
  • Policies
    • Data Protection Policy
    • Special Category Data Processing (DPA 2018)
    • CCTV
    • Information Security
  • Procedures
    • Data breach reporting
    • Data Protection Impact Assessment template
    • Data Subject rights request templates
  • Privacy Notices
    • Business clients and contacts
    • Customers
    • Employees and volunteers
    • Public authority services users
    • Website users
    • Members
  • Records and Tracking logs
    • Information Asset Register
    • Record of Processing Activity (Article 30)
    • Record of Special Category Data processing
    • Data Subject Rights request tracker
    • Information security incident log
    • Personal data breach log
    • Data protection advice log

The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format). Sequential files and names make locating each document very easy.

Click here to read sample documents.

The policy pack gives a useful starting point for organisations of all sizes both in the public and private sector. For only £149 plus VAT (special introductory price) it will save you hours of drafting time. Click here to buy now or visit or our website to find out more.

Act Now provides a full GDPR Course programme including one day workshops, e learning, healthchecks and our GDPR Practitioner Certificate. 

GDPR and Data Protection Impact Assessments: When and How?

CJgbrkzUwAAJSZA

Article 35 of GDPR introduces a new obligation on Data Controllers to conduct a Data Protection Impact Assessment (DPIA) before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted.

DPIAs are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles (see Article 5(2)).

Guidance

Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP) data protection impact assessment guidelinesand the ICO’s DPIA guidance.

When is a DPIA needed?

Carrying out a DPIA is not mandatory for every personal data processing operation. It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).

Such processing, according to Article 35(3)), includes (but is not limited to):

  • systematic and extensive evaluation of personal aspects relating to an individual  which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significant effect the individual
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
  • a systematic monitoring of a publically accessible area on a large scale

So what other cases will involve “high risk” processing that may require a DPIA? The ICO’s DPIA guidance sates that it requires a Data Controller to do a DPIA if it plans to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

The ICO guidance contains screening checklists to help Data Controllers decide when to do a DPIA. In addition they are advised to think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any new major project involving the use of personal data.

What information should the DPIA contain?

The GDPR sets out the minimum features of a DPIA in Article 35(7) (see also Recitals 84 to  95):

  • A systematic description of the envisaged processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purposes.
  • An assessment of the risks to Data Subjects
  • The measures in place to address the risks, including safeguards and security measures, and to demonstrate that the Data Controller is complying with GDPR.

A DPIA can address more than one project. A sample DPIA template is included with the ICO guidance and number of methodologies are referenced in the A29WP guidance (Annex 2).

When should a DPIA be conducted?

DPIAs should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Designapproach which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.

What about current data processing operations?

The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.

The ICO says that Data Controllers should also review their existing processing operations to identify whether they currently do anything that would be considered likely high risk under the GDPR. If so, they have to be confident that they have already adequately assessed and mitigated the risks of that project. If not, they may need to conduct a DPIA now to ensure the processing complies with the GDPR. However, the ICO does not expect Data Controllers to do a new DPIA for established processing where they have already considered relevant risks and safeguards (as part of a formal or informal risk assessment process) – unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.

The ICO recommends that Data Controllers document their review and reasons for not conducting a new DPIA where relevant, to help them demonstrate compliance if challenged.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’sadvice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.

If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing altogether.

Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.

What are the risks of non-compliance?

Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.

GDPR and Employee Surveillance

canstockphoto18907084

The regulatory framework around employee surveillance is complex and easy to fall foul of. A few years ago, West Yorkshire Fire Service faced criticism when a 999 operator, who was on sick leave, found a GPS tracker planted on her car by a private detective hired by her bosses.

At present all employers have to comply with the Data Protection Act 1998 (DPA) when conducting surveillance, as they will be gathering and using personal data about living identifiable individuals. Part 3 of the Information Commissioner’s Data Protection Employment Practices Code (Employment Code) is an important document to follow to avoid DPA breaches. It covers all types of employee surveillance from video monitoring and vehicle tracking to email and Internet monitoring.

When the General Data Protection Regulation (GDPR) comes into force (25th May 2018) it will replace the DPA. The general rules applicable to employee monitoring as espoused by the DPA and the Employment Code will remain the same.  However there will be more for employers to do to demonstrate GDPR compliance.

Data Protection Impact Assessment

One of the main recommendations of the Employment Code is that employers should undertake an impact assessment before undertaking surveillance. This is best done in writing and should, amongst other things, consider whether the surveillance is necessary and proportionate to what is sought to be achieved.

Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA) (also known as a Privacy Impact Assessment) as a tool, which can help Data Controllers (in this case employers) identify the most effective way to comply with their GDPR obligations. A DPIA is required when the data processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Employee surveillance is likely to be high risk according to the criteria set out by the Article 29 Working Party in its recently published draft data protection impact assessment guidelines.

The GDPR sets out the minimum features which must be included in a DPIA:

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.

Before doing a DPIA, the Data Protection Officer’s advice, if one has been designated, must be sought as well as the views (if appropriate) of Data Subjects or their representatives. In some cases the views of the Information Commissioner’s Office (ICO) may have to be sought as well. In all cases the Data Controller is obliged to retain a record of the DPIA.

Failure to carry out a DPIA when one is required can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Our recent blog post and forthcoming DPIA webinar will be useful for those conducting DPIAs.

Article 6 – Lawfulness

All forms of processing of personal data (including employee surveillance) has to be lawful by reference to the conditions set out in Article 6 of GDPR (equivalent to Schedule 2 of the DPA). One of these conditions is consent. Article 4(11) states:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

As discussed in our previous blog post, consent will be more difficult to achieve under GDPR. This is especially so for employers conducting employee surveillance. According to the Information Commissioner’s draft guidance on consent under GDPR:

“consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.”

Employers (and public authorities) may well need to look for another condition in Article 6 to justify the surveillance. This could include where processing is necessary:

  • for compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c));
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Article 6(1)(e)); or
  • for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f)).

Legitimate interests (Article 6(1)(f)) will be a favourite condition amongst employers as usually the surveillance will be done to prevent or detect crime or to detect or stop abuse of the employers’ resources e.g. vehicles, internet and email facilities etc.

Public Authorities

Article 6 states that the legitimate interests condition shall not apply to processing carried out by public authorities in the performance of their tasks. Herein lies a potential problem for, amongst others, local authorities, government departments, and quangos.

Such organisations will have to consider the applicability of the legal obligation and public interests/official authority conditions (Article 6(1)(c) and Article 6(1)(e)) respectively). We can expect lots of arguments about what surveillance is in the public interest and when official authority is involved. If the surveillance involves a public authority using covert techniques or equipment to conduct the surveillance, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies and so the latter condition is met. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (See C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H),).

More detail on the RIPA and human rights angle to employee surveillance can be found in our blog post here. More on the DPA angle here.

We also have a specific blog post on the legal implications of social media monitoring as well as a forthcoming webinar.

Transparency

All Data Controllers, including employers, have an obligation to ensure that they are transparent in terms of the how they use employee’s information. Consideration will also have to be given to as to what extent general information will have to be supplied to employees in respect for the employer’s surveillance activities (See our blog post on Privacy Notices).

Surveillance of employees can be a legal minefield. Our forthcoming webinar on GDPR and employee surveillance will be useful for personnel officers, lawyers, IT staff and auditors who may be conducting or advising on employee surveillance.

 

Act Now can help with your GDPR preparations. We offer a GDPR health check service and our workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast.

%d bloggers like this: