Privacy Impact Assessments
A Privacy Impact Assessment is a risk assessment conducted for any processing (manual or electronic) of personal data. It identifies where privacy risks are present and puts measures in place to mitigate them, thereby reducing the likelihood of data breaches.
Privacy Impact Assessments are required in the following circumstances:
1) New projects or proposed processing (manual and/or electronic) which will result in a system that processes personal data
2) Reviews, changes or updates to any "systems" or procedures (manual or electronic) where personal data is being processed
3) Existing processes which haven't had a privacy impact assessment conducted
Any procedure (task or activity) or system which processes personal data should already have written instructions that include a privacy risk assessment, or should have been subject to a data protection audit. These must be regularly reviewed to ensure they remain operationally correct.
If in doubt, please contact Governance Services at dataprotection@napier.ac.uk
To paraphrase Article 25: the nature, scope, context and purposes of the personal data processing, along with the risks of a data breach occurring, must be considered both before processing begins (ideally during system design) and during processing, i.e. for processes and systems already in place.
Article 35 sets out the detail of the requirements for a Privacy Impact Assessment.
Guidance on Privacy Impact Assessments
When University staff are considering adopting new administrative systems or other processes with possible privacy implications, or updating existing systems or processes, they are required by law to undertake a Privacy Impact Assessment (PIA) in the early stages of a project to identify any potential privacy issues and risks, and to seek ways to avoid, minimise or at least reduce those privacy concerns.
When must you undertake a PIA?
- If starting a new project which will result in a system or process (manual, electronic or both) which processes personal data
- If making substantial changes to a system (manual, electronic or both) which processes personal data and there is no existing PIA for the process/system (if a PIA already exists it can be updated rather than a new one initiated)
Examples where PIAs have been done include:
- Student Learning Profile process: Information about students who require adjustments to learning/teaching materials/delivery, exams, etc. is passed from the Student Wellbeing and Inclusion team to appropriate contacts within the Schools
- Panopto Lecture Capture software for recording lectures
- Graduate Apprenticeship data sharing with other organisations involved in the course provision
- Childcare and discretionary funding procedures
- External examiner appointment and procedures for marking and mark collection/dissemination
Guidance on privacy impact assessments, which includes advice on when a PIA should be carried out, who should be involved and what form the process might take, is available in Section 10 of the Data Protection Code of Practice.
For assistance and guidance on conducting a PIA and for us to provide you with the appropriate template for your specific processing or project please contact the University's Information Governance team at dataprotection@napier.ac.uk
Page last reviewed 22 June 2021