10. Privacy Impact Assessments
Where University staff are considering adopting new administrative systems and other processes with possible privacy implications, or updating existing systems or processes (such as student record systems, virtual learning environments (VLEs), ePortfolio systems and distance learning programmes) they should consider undertaking a Privacy Impact Assessment (PIA) in the early stages of project or process design, well before roll-out/implementation.
Privacy Impact Assessment is defined as a process whereby a project's potential privacy issues and risks are identified and examined from the perspectives of all stakeholders and a constructive search is undertaken for ways to avoid, minimise or at least improve privacy concerns. PIAs are most effective when they are:
- Applied to initiatives under development, at a time when the personal information aspects are known, but before key development, system design, and operational decisions are set in stone and become costly to change
- Part of a system of incentives, sanctions and review, and/or where they are embedded in project workflows or quality assurance processes, as is common with other forms of threat/risk assessment.
The University PIA template and guidance are available on the Privacy Impact Assessment page.
The UK Information Commissioner publishes guidance to which staff should refer. The guidance has related annexes to help staff decide whether a Privacy Impact Assessment is necessary, provide an assessment template and link this to compliance with the data protection principles.
At the start of any project referred to in 10.1 above, staff are advised to do this assessment collaboratively with e.g. the project team and involve other key stakeholders as necessary in determining and addressing the privacy risks. Please note that Governance Services can assist with this process but will not have the necessary operational knowledge to conduct the assessment.