No Data Protection Impact Assessment Conducted on Coronavirus Test and Trace
The Open Rights Group (ORG) has filed a complaint with the Information Commissioner's Office about the NHS test and trace service. The complaint relates to the fact that a Data Protection Impact Assessment (DPIA) has not been carried out.
Whilst this might seem like a very specific circumstance, in our experience the failure to carry out a DPIA when required is relatively common. In addition, organisations often overlook the benefits that can flow from voluntarily carrying out a DPIA.
What Is a DPIA?
A DPIA is a documented process to identify and minimise the data protection risks associated with a project or plan. There are certain points that a DPIA must cover, for example:
- the purposes for which personal data will be used
- an assessment of the data protection risks
- the measures envisaged to address the risks
However, DPIAs do not have to be long and detailed. Depending on the risks associated with a project, a more light touch approach may be appropriate.
DPIAs are a core part of the GDPR requirement to demonstrate your organisation's compliance. They are not a one-off exercise and a DPIA should be updated as new information comes to light. Nor are they a tick box exercise because each DPIA should be tailored to the specifics of the project.
When Is a DPIA Required?
Under the GDPR, a DPIA must be carried out before starting to process personal data in a way that is likely to result in a high risk to individuals.
The ICO has published a non-exhaustive list setting out ten types of processing for which a DPIA will always be required. This list includes certain processing that involves genetic and biometric data. In addition, the European Data Protection Board has set out criteria that may be applicable.
Why Carry out a DPIA?
There are many benefits of carrying out a DPIA which means that it can be worth doing one even if it is not strictly required. For example:
- Identifying and assessing risks before starting to use personal data means that you can fix problems earlier and mitigate the risks. This could save you a considerable amount of time and money in the long run.
- A DPIA can help to build trust between you and your employees, customers and other stakeholders. Individuals are increasingly aware of their data protection rights, so giving them the reassurance that you treat their personal data with care could minimise complaints and even reduce the number of individuals exercising their data protection rights. Certain rights, such as subject access requests, can be very time consuming to deal with.
- The process of carrying out a DPIA can help to foster a culture of data protection compliance within your organisation. Staff from around your organisation may need to feed into the DPIA and this increases awareness of how data protection is relevant to your organisation's functions. We've noticed that organisations with such a culture are less likely to experience data protection issues.
DPIAs have been one of the cornerstones of data protection compliance since the GDPR started to apply and are only likely to increase in importance as organisations use personal data in ever more complex and innovative ways.