Data Protection Impact Assessment (DPIA) - Example for practices

Last Updated: May 18th, 2021


This example template provides the information you may want to include when you record your DPIA of DAN. It follows the process set out by the ICO [1]. It is written from your perspective, so the term “we” means “your practice name”, and not Dental Audio Notes.

DAN provides this information to support, as much as we possibly can, the responsibilities you already comply with in your day-to-day operations. We are not data protection advisors and you should seek advice from your Data Protection Officer, or equivalent, to implement your DPIA.


Data Protection Impact Assessment (DPIA)

Submitting controller details

These are your details

Name of controller
Subject/title of DPO
Name of controller contact /DPO

Step 1: Identify the need for a DPIA

Explain broadly what the project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.

Clinical records are required to be Complete, Accurate and Contemporaneous. We strive for excellence in our clinical record keeping and audio recording of our consultations is the most effective way of ensuring that we have complete, accurate and contemporaneous records.

Due to the nature of being a healthcare provider, implementing audio recording will, or likely will:

Therefore, we have followed our DPIA process to assess the use of Dental Audio Notes (DAN) for audio record keeping.

For full screening questions, please see appendix 1.

Step 2: Describe the processing

Nature of the processing

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?

Scope of the processing

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

Context of the processing

Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

Purpose of the processing

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?

Step 3: Consultation process

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

You should describe your consultation process here. Stakeholders may include

Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

Step 5: Identify and assess risks

Describe the source of risk and the nature of the potential impact on individuals. Include associated compliance and corporate risks as necessary.

Risk # | Description of risk | Likelihood | Severity | Overall
1 | Master user credentials (username & password) compromised | Low | Medium | Medium
2 | Non-master user credentials (username & password) compromised | Low | Low | Low

Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5.

Risk # | Options to reduce or eliminate risk | Effect on risk | Residual risk
1 | Use only strong passwords | Reduce likelihood | Medium
1 | Do not use master user credentials for day-to-day use of Dental Audio Notes | Reduce likelihood | Medium
2 | Use only strong passwords | Reduce likelihood | Low
2 | Assign users only the access they require to carry out their role | Reduce severity | Low

Step 7: Sign off and record outcomes

These are your details

Item | Name/position/date | Notes
Measures approved by: | | Integrate actions back into project plan, with date and responsibility for completion
Residual risks approved by: | | If accepting any residual high risk, consult the ICO before going ahead
DPO advice provided: | | DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice: | |
DPO advice accepted or overruled by: | | If overruled, you must explain your reasons
Comments: | |
Consultation responses reviewed by: | | If your decision departs from individuals’ views, you must explain your reasons
Comments: | |
This DPIA will be kept under review by: | | The DPO should also review ongoing compliance with the DPIA


Appendices

Appendix 1 - DPIA Screening Questions

Complete this section to help determine whether the processing is likely to result in a risk to the rights and freedoms of data subjects.

Will the processing activities… Yes / No
Involve the collection or creation of new information about individuals? No
Significantly change the way in which personal and/or business sensitive data is handled? Yes
Significantly change handling of personal data about a large number of individuals? No
Involve sensitive information, e.g. medical, health, disability, criminal convictions/offences, children, vulnerable individuals, sexual orientation, ethnicity, religion, trade union association, political opinion or financial information? Yes
Compel individuals to provide information about themselves? No
Involve information about individuals being disclosed to organisations or people who have not previously had routine access to the information? No
Use information about individuals for a purpose it is not currently used for, or in a way it is not currently used? No
Involve the processing of personal data that has not been obtained directly from the data subject and where you do not plan to provide a Privacy Notice for the data subjects or inform them about the processing, as it would prove impossible or involve disproportionate effort? No
Involve processing children’s personal data or personal data relating to vulnerable people? Yes
Does the project involve the advertising, promoting, collecting of charitable donations or selling products or services? No
Involve the use of innovative technologies, digital solutions or Internet of Things (IoT) to process or store information? “Innovative technologies” are new developments to the state of technological knowledge in the world at large, such as artificial intelligence and machine learning, rather than technology which is simply new to the organisation. No
Involve using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition. No
Involve processing biometric information, e.g. fingerprints? No
Involve or require you to contact individuals in ways which they may find intrusive, e.g. emails or unsolicited telephone calls? No
Involve the use of profiling, e.g. segmenting customers, categorising them or putting them in certain groups by age/sex or gender, etc.? No
Involve automated decision making, i.e. systems automatically making decisions about people without any human intervention? For example, a technical machine or algorithm determining an outcome rather than a human, such as in credit checks, fraud prevention or job screening. No
Involve collecting information about individuals’ geographical location, e.g. through GPS, Wi-Fi hotspots, mobile phone cells, RFID, etc.? No
Involve monitoring individuals, e.g. through collecting information online about people’s behaviour or preferences? No
Involve the use of CCTV or other video monitoring of publicly accessible spaces? No
Involve comparing, matching, consolidation, inter-linking, or cross-referencing of personal and/or business sensitive data from multiple sources, e.g. using Facebook lookalike audiences, data matching, data augmentation, etc.? No
Involve making predictions about individuals in general, their performance, movement, behaviour or location? No
Involve the use of information about individuals of a kind particularly likely to raise privacy concerns? For example, health records, criminal records or other information that people would consider to be particularly private. No
Involve any cross-border processing or transfers of personal data out of the UK? No
Involve personal data which could result in a risk of physical harm to data subjects in the event of a security breach, e.g. processing data concerning sex offenders? No
Involve any data processing which is exempt from the statutory privacy protections provided in the GDPR? No
Involve multiple organisations, whether they are public sector agencies (i.e. joined-up government initiatives) or private sector organisations (e.g. outsourced service providers or business partners)? No
Involve systematic disclosure of personal data to, or access by, third parties (third parties would include all cloud based services)? No
Expose personal data to elevated levels of security risk? No
Are the processing activities based on justifications which include significant contributions to public security or public interest measures? No
Will you be monitoring or collecting information online (website) or by other digital means, e.g. cookies or other online technical mechanisms? No
Will you be carrying out processing on a large scale? No

If you answered “no” to all the questions above, then a full DPIA is not needed.

If you have answered “yes” to any of the questions above, then you must complete a DPIA.

These are your details

Name:

Signed:

Date:

Notes


  1. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/how-do-we-do-a-dpia/