Data Protection Impact Assessment (DPIA) - Example for practices

Last Updated: June 25th, 2024


This example template provides the information you may want to include when you record your DPIA of DAN. It follows the process set out by the ICO1. It is written from your perspective, so the term “we” means “your practice name”, and not Dental Audio Notes.

DAN provide this information to support the responsibilities you already comply with in your day-to-day operations as much as we possibly can. We are not data protection advisors and you should seek advice from your Data Protection Officer, or equivalent, to implement your DPIA.


Data Protection Impact Assessment (DPIA)

Submitting controller details

These are your details

Name of controller
Subject/title of DPO
Name of controller contact /DPO

Step 1: Identify the need for a DPIA

Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.

Clinical records are required to be Complete, Accurate and Contemporaneous. We strive for excellence in our clinical record keeping and audio recording of our consultations is the most effective way of ensuring that we have complete, accurate and contemporaneous records.

Due to the nature of being a healthcare provider, implementing audio recording will, or likely will:

Therefore we have followed our DPIA process to assess the use of Dental Audio Notes (DAN) for audio record keeping.

For full screening questions, please see appendix 1.

Step 2: Describe the processing

Nature of the processing

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?

Scope of the processing

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

Context of the processing

Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

Purpose of the processing

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?

Step 3: Consultation process

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

You should describe your consultation process here. Stakeholders may include

Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

Step 5: Identify and assess risks

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Risk # Description of risk Likelihood Severity Overall
1 Master user credentials (username & password) compromised Low Medium Medium
2 Non-master user credentials (username & password) compromised Low Low Low

Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5

Risk # Options to reduce or eliminate risk Effect on risk Residual risk
1 Use only strong passwords Reduce likelihood Medium
1 Do not use master user credentials for day-to-day use of Dental Audio Notes Reduce likelihood Medium
2 Use only strong passwords Reduce likelihood Low
2 Assign users only the access they require to carry out their role Reduce severity Low

Step 7: Sign off and record outcomes

These are your details

Item Name/position/date Notes
Measures approved by: Integrate actions back into project plan, with date and responsibility for completion
Residual risks approved by: If accepting any residual high risk, consult the ICO before going ahead
DPO advice provided: DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice:
DPO advice accepted or overruled by: If overruled, you must explain your reasons
Comments:
Consultation responses reviewed by: If your decision departs from individuals’ views, you must explain your reasons
Comments:
This DPIA will kept under review by: The DPO should also review ongoing compliance with DPIA


Appendices

Appendix 1 - DPIA Screening Questions

Complete this section to help determine whether the processing is likely to result in a risk to the rights and freedoms of data subjects.

Will the processing activities… Yes / No
Involve the collection or creation of new information about individuals? No
Significantly change the way in which personal and/or business sensitive data is handled? Yes
Significantly change handling of personal data about a large number of individuals? No
Involve sensitive information e.g. medical, health disability, criminal convictions/offences, children, vulnerable individuals, sexual orientation, ethnicity, religion, trade union association, political opinion, sexual orientation or financial information? Yes
Compel individuals to provide information about themselves? No
Involve information about individuals being disclosed to organisations or people who have not previously had routine access to the information? No
Use information about individuals for a purpose it is not currently used for, or in a way it is not currently used? No
Involve the processing of personal data that has not been obtained directly from the data subject and where you do not plan to provide a Privacy Notice for the data subjects or inform them about the processing, as it would prove impossible or involve disproportionate effort. No
Involve processing childrens’ personal data or personal data relating to vulnerable people? Yes
Does the project involve the advertising, promoting, collecting of charitable donations or selling products or services? No
Involve the use of technologies, digital solutions or Internet of Things (IoT) to process or store information? “Innovative technologies” are new developments to the state of technological knowledge in the world at large such as artificial intelligence, machine learning, rather than technology which is simply new to the organisation. Yes
Involve using new technology which might be perceived as being privacy intrusive? For example the using of biometrics or facial recognition. No
Involve processing biometric information? e.g. fingerprint No
Involve or require you to contact individuals in ways which they may find intrusive?.eg emails, unsolicited telephone calls No
Involve the use of profiling? e.g segmenting customers, categorising them or putting them in certain groups by age/sex or gender etc. No
Involve automated decision making i.e. systems automatically making decisions about people without any human intervention? e.g. a technical machine or algorithm is determining an outcome rather than a human intervention such as credit checks, fraud prevention, job screening. No
Involve collecting information about individual’s geographical location? e.g. through GPS, WiFI hotspots, mobile phone cells, RFID etc.. No
Involve monitoring individuals e.g. through collecting information online about people’s behaviour or preferences. No
Involve the use of CCTV or other video monitoring of publicly accessible spaces? No
Involve comparing, matching, consolidation, inter-linking, or cross-referencing of personal and/or business sensitive data from multiple sources? e.g. using Facebook lookalike audiences, data matching, data augmentation etc. No
Involve making predictions about individuals in general, their performance, movement, behaviour or location? No
Involve the use of information about individuals of a kind particularly likely to raise privacy concerns? For example, health records, criminal records or other information that people would consider to be particularly private. Yes
Involve any cross-border processing or transfers of personal data out of the U.K? No
Involve personal data which could result in a risk of physical harm to data subjects in the event of a security breach? e.g. processing data concerning sex offenders. No
Involve any data processing which is exempt from the statutory privacy protections provided in the GDPR? No
Involve multiple organisations, whether they are public sector agencies i.e. joined up government initiatives or private sector organisations e.g. outsourced service providers or business partners? No
Involve systematic disclosure of personal data to, or access by, third parties (third parties would include all cloud based services)? No
Expose personal data to elevated levels of security risks ? No
Are the processing activities based on justifications which include significant contributions to public security or public interest measures? No
Will you be monitoring or collecting information online (website) or other digital means? e.g. example, cookies or other online technical mechanisms. No
Will you be carrying out processing on a large scale? No

If you answered “no” to all the questions above, then a full DPIA is not needed.

If you have answered “yes” to any of the questions above, then you must complete a DPIA.

These are your details

Name:

Signed:

Date:

Notes


  1. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/how-do-we-do-a-dpia/