The Information Commissioner's Office (the UK data protection supervisory authority) has this week published guidance on the completion of data protection impact assessments (DPIAs). The guidance is nothing new: it summarises the Article 29 Working Party Guidelines on DPIAs, adopted on 4th October 2017, and gives examples of where processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the GDPR). 9ine have been working with our clients on DPIAs since the Working Party guidance was issued in October, and many of those attending our GDPR training days have undertaken an exercise on it.
This article explores and summarises the implications and how you can use 9ine’s tools to put policy into action.
DPIA. What is it and what do organisations need to do?
The DPIA is a business analysis, data workflow and transfer risk assessment. It requires you to document and assess how data and information flows in both hard and digital format throughout your organisation. This is not an assessment that a robot, computer or software programme can do. It requires an individual to document the data being processed, who receives it, how they process it, where they store it, who it is shared with, how it is shared and the protections that are in place at all stages.
The role of the Data Protection Officer (DPO), or Data Protection Lead (DPL), is to support the ‘data owner’ (a mini data controller) in analysing the processing activity and to provide an objective and independent assessment of the risks created by that processing activity. It is the DPO’s responsibility to decide whether those risks are acceptable to the organisation. To do this, the DPO has to have a granular understanding of the data and information workflow, understand the risk tolerance of the organisation and be able to call on the necessary resources of the organisation to mitigate the risks. This is one of the reasons why you should not outsource the DPO in name only: unless they will be based in your school for more than two days a week, they cannot acquire that understanding. Importantly, if you outsource the DPO, they are fully within their rights to call on your financial resources to mitigate the risks they identify. As an organisation, you will need to document that you are comfortable with a third party instructing you on how your budget should be spent.
Mrs Smith is responsible for school admissions. Admissions documents are received in hard copy by post, through the website and sometimes delivered in person by a parent. Mrs Smith opens the posted or hand-delivered copy and prints off the website application from an automated email she receives in her school inbox. The individual or company managing the website also gets a notification that an application has been submitted and has access to the admissions application. The admissions application often includes a mix of personal data, special category data and other data such as:
- Name and contact details of the parents
- Name of child/children
- Date of birth
- Current school
- Medical information
- Special Educational Needs
- Passport details for the parents and pupils
- Educational Psychological Evaluation
Digital copies are stored on a central file server managed by an in-house IT technician, with hard copies printed out and kept in a ring binder folder on Mrs Smith’s desk. When considering applications, staff involved will generally print off their own copies from the file server as there are no restrictions in accessing the information.
What does this example tell us?
Firstly, every school has an admissions process and every school will generally have a version of Mrs Smith managing it. The process and procedure in every school will generally vary. The security protections afforded to hard copy documents and server / cloud based documents will also vary.
We can tell immediately that the protections of the personal data within this process are weak: the data is copied multiple times; there are no obvious controls on the handling of the hard copy data; access is open both on the file server and through the ring binder; and a third party (the website manager) has access to the applications. In short, there are not sufficient controls in place to manage access to the personal data.
The admissions process is something that a school has to carry out, either because it has a legal duty to do so or because the processing is necessary in order to enter into a contract for services. A DPIA is required where the processing is likely to result in a ‘high risk’ to the rights and freedoms of individuals. To evaluate whether that is the case, the organisation needs to do an initial screening of the processing activity and workflow against a set of criteria. The Working Party guidance sets out ten criteria, and a processing activity that meets two or more of them will generally require a full DPIA.
Does Mrs Smith need to complete a full DPIA given the 10 criteria?
Q1. Does the data processing involve or contribute towards evaluation or scoring of the data subject?
Yes. The school is a faith-based school and ranks student applications based on their faith.
Q2. Does the data processing involve automated decision-making?
No. Applications are assessed by staff.
Q3. Does the data processing involve systematic monitoring?
No.
Q4. Does the data processing involve sensitive data?
Yes. The application includes medical information, Special Educational Needs information and religious belief, all of which are special category data.
Q5. Does the data processing involve processing on a large scale?
No. The processing is limited to applicants to a single school.
Q6. Does the data processing involve matched or combined data?
No.
Q7. Does the data processing involve or relate to vulnerable data subjects?
Yes. The data subjects are children.
Q8. Does the data processing involve the use, implementation or installation of new technological or organisational solutions?
No.
Q9. Does the data processing transfer data across borders outside the EU?
No. Nothing in the example indicates a transfer outside the EU.
Q10. Does the data processing prevent data subjects from exercising a right (under the GDPR)?
No.
In addition to the security concerns identified in the workflow, three of the ten criteria are met, which (given the threshold is two) results in the requirement for a full DPIA. In short, Mrs Smith, and every other individual responsible for that process in a school, is more likely than not required to complete a DPIA for the admissions process and procedure.
For organisations that aren’t schools there are similar examples.
How much work, business analysis and assessment is this?
Following the guidance from the ICO, by completing the above you will have completed Step 1 of the ICO DPIA checklist. Steps 2 to 9 still need completing, although some of Step 2 will already be documented from the screening:
Step 1: identify the need for a DPIA
Step 2: describe the processing
Step 3: consider consultation
Step 4: assess necessity and proportionality
Step 5: identify and assess risks
Step 6: identify measures to mitigate the risks
Step 7: sign off and record outcomes
Step 8: integrate outcomes into project plan
Step 9: keep your DPIA under review
We are seeing that smaller schools have between 20 and 50 DPIAs, and larger schools up to 200. Each one requires a full assessment by the Data Protection Officer or Data Protection Lead in accordance with the regulation, and each will take around an hour to complete. If you are outsourcing, have you scheduled a minimum of 20 hours of involvement from your DPO? Thankfully, if you’re working with 9ine, this process will be much easier and quicker.
What resources do we need to assess the need for and to complete DPIAs?
You need a structured approach with examples for your type of organisation. You also need to have your Data Protection Officer, or DPL, involved throughout the process. The DPO is responsible for guiding your ‘data owners’ through the process. 9ine’s DPO Essentials service provides your organisation with the full DPIA structure, a GDPR Readiness Toolkit, and examples of processing activities. For schools we have examples in all areas including:
- Academic management
Also included are practical policies, processes and procedures (with procedures being the most important for the principle of accountability) such as:
- Data Protection Safe Handling Policy (Defines working practice for handling of all documents)
- Data Protection Policy
- Information Rights Policy / Procedure
- Breach Management Rights / Procedure
- CCTV Operations Policy and Procedure
Working with 9ine on DPO Essentials will save a lot of time, resource and cost, and provide greater confidence that you are assessing your processing activities in line with your legal obligations. The service starts at £995.00 excluding relevant taxes.