Data Protection Impact Assessments (DPIAs)
14/04/2022
What is a DPIA?
A DPIA is a tool designed to identify the Data Protection risks of a project or process, and record how those risks have been addressed and mitigated. DPIAs help ensure that personal information is managed correctly, and assist the Council in adopting a culture of ‘data protection by design and by default’, as well as demonstrating compliance with Data Protection Legislation.
The Council is legally required to document our information processing activities, and a register is maintained of all DPIAs.
What is ‘Data Protection by design and by default’?
The Council must consider and integrate Data Protection (DP) requirements into processing activities throughout the lifecycle of a project or process. DPIAs should be completed and signed off at the start of a project or process, then kept up-to-date.
DPIAs are signed off by the Council’s Data Protection Officer (DPO), Alison Morris. However, departments are responsible for ensuring that DPIAs are completed in a timely manner, that caveats and mitigations are implemented, and that DPIAs are kept up-to-date.
When do I need to complete a DPIA?
DPIAs are required whenever personal information is to be collected, used or shared, for example if a service user is registering for a new process/course/event, or a school is considering a new online resource/learning platform.
Please ensure that no personal information is collected or shared on any new forms, websites or similar until a DPIA has been completed and agreed. For projects or processes that are already established, a DPIA should be undertaken as soon as feasible.
Please contact the Information Governance Team before completing a DPIA. The team can advise whether a DPIA is required, whether one has already been completed, and whether there are any other DP considerations. To get in touch, please email: dataprotection@moray.gov.uk
Where to find a DPIA?
A DPIA template is available on the Data Protection interchange page.
Schools have a slightly different process to follow and should contact LearnTech@moray.gov.uk before starting a DPIA. They should also look at their weekly bulletin for current information on the DPIA RAG list, links to scenario documents and other supportive documentation.
Additional guidance is also available on the Information Management interchange pages here: http://interchange.moray.gov.uk/int_standard/Page_132356.html. Mandatory DP training is on LearnPro (CLIVE).