Data Protection by Design and Data Protection Impact Assessments (DPIAs)
University Hospitals of Northamptonshire (UHN) takes the security and appropriate use of personal data seriously. One of the tools that we use to ensure that any processing of data is compliant with the UK General Data Protection Regulation (UK GDPR) is a Data Protection Impact Assessment (DPIA).
What is a DPIA?
A DPIA is a process which helps UHN to identify and minimise the data protection risks of a project or process where personal data will be processed.
Whilst GDPR mandates the completion of a DPIA where processing of personal data is likely to result in high risk to the rights and freedoms of individuals, it is good practice to carry out a DPIA where any personal data will be processed.
Data Protection by Design
The UK GDPR and the Data Protection Act 2018 require organisations to be able to demonstrate that data protection has been considered and integrated into data processing activities and business practices from the design stage and throughout the lifecycle of the activity.
The concept was previously known as ‘privacy by design’ and formed part of data protection law; however, the UK GDPR made this a legal requirement.
This proactive approach allows privacy concerns and risks to be identified and addressed at the earliest opportunity.
A DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
The DPIA Process
The need for a DPIA is assessed at the start of a project. Where a DPIA is needed, relevant staff will be engaged to complete it. Generally, this will include the project manager, product specialists (including suppliers) and the Data Security and Protection Team.
DPIAs are reviewed and approved by the Data Protection Officer.
In the event that there are data protection risks that cannot be mitigated, these shall be reported to the UHN Senior Information Risk Owner (SIRO), and where the processing relates to patient data, the Caldicott Guardian.
In the unlikely event that the DPIA highlights high level risks which cannot be mitigated, UHN shall consult with the Information Commissioner’s Office prior to starting the processing.
Further Information
If you would like more information about our process, please contact: ngh-tr.dpo@nhs.net.