A Data Protection Impact Assessment (DPIA), (previously known as a Privacy Impact Assessment (PIA)), is a process which enables organisations to identify and address the likely privacy impact of new initiatives and projects.
Humberside Police will use the guidance on DPIAs contained within the College of Policing Authorised Professional Practice (APP) – Information Management – Data Protection. The purpose of this policy is to provide police personnel with guidance in exercising the requirements as set out within the APP and as set out within other guidance such as the Information Commissioner’s Office (ICO) ‘Data Protection Impact Assessment’ guidance.
It is the policy of Humberside Police to consider and respect the privacy of individuals. This policy and associated DPIA template, guidance and process map have been developed to ensure Humberside Police’s compliance with the:
The Code of Ethics published in 2014 by the College of Policing requires us all to do the right thing in the right way. It also recognises that the use of discretion in policing is necessary, but states that in using discretion you should "take any relevant policing codes, guidance, policies and procedures into consideration."
This policy is applicable to all Humberside Police staff, including police officers, police staff, police community support officers, special constables and volunteers. It includes staff whether they are employed on a full-time, part-time, casual or temporary basis. It also includes non-Humberside Police staff that have access to Humberside Police Force systems and have the use of a Humberside Police e-mail account.
The key principles of the policy are:
1.1 Humberside Police will use as its default decision making process the ICO guidance ‘Data protection impact assessments’ and the College of Policing APP on Information Management – Information Sharing and Data Protection, together with any additional guidance or Code of Practice issued by the ICO as a result of the UK General Data Protection Regulation (UK GDPR).
1.2 The UK GDPR introduces a new obligation upon a Data Controller (Chief Constable) to undertake a DPIA before carrying out processing likely to result in high risk to the interests of individuals.
2.2 Humberside Police will ensure that privacy and data protection are a key consideration in the early stages of any project or initiative and then throughout its lifecycle, for example when:
The consideration of whether a DPIA is required is particularly important when a new business process or technology initiative involves the collection, recording, sharing or retention of personal information. For a DPIA to be effective it should be applied at a time when it is possible to have an impact on the project.
The undertaking of the DPIA process will assist in ensuring that privacy and data protection issues are considered. The core principles of a DPIA can be applied to any project which involves the use of personal data, or to any other activity which could have an impact on the privacy of individuals.
Humberside Police should be in a position to identify the need for a DPIA at an early stage and have built this into the project management process and any other relevant business processes. Humberside Police will integrate core privacy consideration into existing project management and risk management methodologies and policies (Privacy by Design).
Under Data Protection legislation Humberside Police is required to undertake a DPIA for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits; this will assist the Force in demonstrating accountability and will assist in building trust and engagement with individuals. As a consequence, Humberside Police will always carry out a DPIA if we plan to:
Even if there is no specific indication of likely high risk, a DPIA will be undertaken for any new project, system or initiative involving the use of personal data.
The below criteria may act as indicators of likely high risk processing:
In most cases a combination of two of the above factors will indicate the need for a DPIA; however, this may not always be the case. Through a DPIA Screening, it may be determined that a DPIA is not required; however, the reasons for not undertaking a DPIA will be documented with the Information Governance Unit.
Humberside Police will consider carrying out a DPIA if the below criteria apply:
Advice regarding the DPIA process will be sought from the Data Protection Officer who will provide advice on:
Advice provided by the Data Protection Officer will be recorded within the DPIA and:
When a new project/initiative involving the processing of personal information is being considered the IAO or Project Manager will contact the Information Governance Unit to arrange a meeting with relevant parties to discuss the proposal. This will include the Data Protection Officer.
Upon completion of the DPIA template the Project Manager and IAO will review, sign off and send a copy to the Information Governance Unit. The Information Governance Unit will seek the views of the Data Protection Officer, the Information Security Officer and other subject matter experts. The DPIA will then be considered and signed off by the Senior Information Risk Owner (SIRO) where necessary. The Data Protection Officer and Information Governance Unit can be contacted for advice at any time during the process.
The outcomes of the DPIA will be integrated into the project plan (or initiative/process). The IAO/Project Manager will ensure that the steps recommended by the DPIA are implemented. The DPIA will continue to be used throughout the lifecycle of the project or initiative when appropriate. The implementation of privacy solutions will be carried out and recorded. The DPIA will be referred to if the project or initiative is reviewed or expanded in the future.
2.16 Consultation will take place with the ICO if any high risks identified as part of the DPIA process cannot be mitigated (this is a legal requirement under UK GDPR). The consultation process will be undertaken by the Information Governance Unit.
3.1 This policy will undergo regular reviews to assess its effectiveness and applicability; this will be planned at least on an annual basis and may be prompted between planned reviews by any significant changes to legislation or national guidance (APP).
4.1 This policy is owned by the Information Governance Unit. The review process will be conducted by the Head of Information Governance prompted through a standing agenda item through the Information Management Board (IMB).
Introduction
A DPIA (Article 35 of the UK GDPR) is a process designed to describe the processing, assess its necessity and proportionality and help manage the risk to the rights and freedoms of a natural person resulting from the processing of personal data by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the UK GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with Regulations.
The responsibility for conducting a Data Protection Impact Assessment (DPIA) lies with the Information Asset Owner (IAO) for a project and is produced as part of the project proposal; however, this activity can be delegated to an appropriate person such as the Project Manager/Lead. When a new project/initiative/system involving the processing of personal information is being considered the IAO or Project Manager will contact the Information Governance Unit to arrange a meeting with relevant parties to discuss the proposal. At this stage it may be identified that it is necessary to undertake an information security assessment in conjunction with the Force Information Security Officer.
Information Governance will create a file/reference number.
A project proposal can be an ideal base for a DPIA. The project proposal should explain how the project will benefit the organisation and link to the Police and Crime Delivery Plan.
The consideration of whether a DPIA is required is particularly important when a new business process or technology initiative involves the collection, recording, sharing or retention of personal information. This will be discussed at the initial meeting and the IAO/Project Manager will be required to undertake a DPIA Screening which will identify whether a DPIA is necessary or not.
Please read the guidance section of this document fully first, before completing the DPIA template form (link below) as this will assist you.
Upon completion of the DPIA Template the Project Manager and Information Asset Owner (IAO) will review, sign off and send a copy to the Information Governance Unit. The Information Governance team will seek approval from the Data Protection Officer and the Information Security Officer. The DPIA will then be considered and if agreed signed off by the Senior Information Risk Owner (SIRO) where necessary.
A DPIA (Article 35 of the UK GDPR) is a process which enables Humberside Police to identify and address the likely privacy impact of a new initiative or project. It enables privacy considerations to be made in the early stages of a project where any identified problems can be easier to resolve rather than late or retrospective consideration where solutions can be more costly or delay implementation. It can also identify, following completion of the DPIA, whether the project should be continued when balanced with the rights of persons affected.
What is Privacy?
Purpose of a DPIA
The purpose of a DPIA is to identify where an individual’s privacy will be impacted by a new business or technological initiative. The aim of the DPIA is to focus attention on privacy issues by internal stakeholders.
Ownership of the DPIA
The IAO from the business will own any residual ‘information risks’ upon project closure. It is imperative that the IAO is identified at this early stage as they will need to have an overview of or involvement in the DPIA Report.
The consideration of whether a DPIA is required is particularly important when a new business process or technology initiative involves the collection, recording, sharing or retention of personal information.
The DPIA process is most valuable when used in the early stages of a project as any identified privacy issues that require solutions can be easier to resolve. Where possible the DPIA should be completed in line with the following timescales.
It should be noted that sufficient time should be allowed for the DPIA process due to consultation and sign off requirements.
DPIA - Step by step
The DPIA should be started as early as is practicable in the design of the processing operations even if some of the processing operations are still unknown.
Information Security Risk Assessment
Prior to undertaking the DPIA process, consideration must be given to undertaking an Information Security Assessment. This will be discussed at the initial meeting referred to above. (Article 35(1), (3) and (4): new technology being introduced.)
Screening Questions
Answering ‘yes’ to any of the screening questions indicates that a DPIA is required. If you have answered ‘yes’ please complete the remainder of the document.
Step 1 – Identify the need for a DPIA
Explain broadly what the project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.
Step 2 – Describe the processing
Describe the nature of the processing
How will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or another way of describing data flows. What types of processing identified as likely high risk are involved?
Describe the scope of the processing
What is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
Describe the context of the processing:
What is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
Examples
Describe the purposes of the processing:
What do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing for you, and more broadly?
Step 3: Consultation process
Consider how to consult with relevant stakeholders:
Describe when and how you will seek individuals’ views, or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your data processors to assist? Do you plan to consult information security experts, or any other experts?
Examples of stakeholders are as follows:

Internal Stakeholders:
Project Board
Data Protection Officer
Project management team
ICT
Procurement
Corporate Communications
Frontline Staff / Officers
Corporate Governance
Senior Management
Engineers, developers and designers
Customer facing roles
Business Improvement
Legal Services
Senior Management

External Stakeholders:
End Users
Data Subjects
Representative Groups
Interest Groups
General Public
Regulators
Potential suppliers and data processors
Engineers, developers and designers
Information Commissioner’s Office
Staff (e.g. staff who may be affected by a new HR system)
Data Processors (if used)
Information Governance can provide specialist knowledge on privacy issues and information security issues.
IT can also advise on security risks that may affect the project or initiative.
Consultation is an important part of the DPIA process and should be meaningful, i.e. it should be designed so that stakeholders can have a meaningful impact on the project or initiative. It allows stakeholders to highlight privacy risks based on their own area of interest and expertise. It also provides an opportunity for them to suggest measures to reduce the risks. It will allow the Force to understand the concerns of those who will potentially be affected and will also improve transparency by making people aware of how information about them is being used. The timing and nature of consultation can be of particular importance if a project or initiative is sensitive – the Force may not want to reveal its plans to the outside world for reasons of security or commercial sensitivity. If this is the case, the rationale for not undertaking the consultation process should be recorded within the DPIA.
Effective external consultation should be:
Step 4 – Assess necessity and proportionality
Describe compliance and proportionality measures, in particular:
What is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep[1]? How will you ensure data quality and data minimisation[2]? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
Step 5: Identify and assess risks
Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.
See the Force Risk Management section on the Intranet for further information regarding risk management.
Step 6: Identify measures to reduce risk
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in Step 5.
Consultation will take place with the Information Commissioner’s Office if any high risks identified as part of this process cannot be mitigated. This consultation will be undertaken by the Information Compliance Unit.
Step 7: Sign off and record outcomes
Information Governance staff will ensure that this section is fully completed.
Step 8 – Conclusions
Please provide a summary of the conclusions that have been reached in relation to this project’s overall compliance with the DPA. Include references to any changes that were introduced as a result of the DPIA process.
Sign off authority
Information Governance staff will ensure that this section is fully completed.
Additional Information
Data Protection Officer: Under the UK General Data Protection Regulation (UK GDPR) there is a requirement to seek the advice of the Data Protection Officer as part of the DPIA process. The DPIA policy identifies the categories of advice upon which the Data Protection Officer can advise.
Information Asset Owner: Information Asset Owners (IAOs) must be senior/responsible individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process. For further guidance please see the Cabinet Office Guidance on the IAO Role.
SIRO: The role of Senior Information Risk Owner sits with the Deputy Chief Constable of Humberside Police. The SIRO is responsible for determining and setting their force risk appetite for their information assets that are not contained within or connected to national systems. The SIRO must be aware of the need to act as a community of interest and of the need to manage risk collectively, considering the wider impact of any local decisions on national information.
Special category data: special category data includes, for example:
Personal data relating to criminal convictions and offences:
Data Protection Act 2018 Section 11 – “Special categories of personal data etc: supplementary”
(2) In Article 10 of the UK GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—
(a) the alleged commission of offences by the data subject, or
(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.
Please note:
Please note that there will be a need to allow sufficient time for these requirements to be set in place. Information Governance staff can advise on these requirements and assist the process.
A generic view of the process for carrying out a DPIA is shown below.