What is a Data Protection Impact Assessment, and why might your organisation need one?


Data Privacy Day takes place annually on the 28th of January to raise awareness and promote privacy and data protection best practices.

This year, Suzanne Crutchley, Head of Data Protection & Information Governance at MIAA, outlines how Data Protection Impact Assessments (DPIAs) work and why they are necessary for health and care organisations.

Suzanne explained: “A data protection impact assessment (DPIA) will ensure that you identify and mitigate potential data protection risks to an acceptable level before processing data that identifies individuals (personal data).”

A DPIA will also help you meet a number of data protection legal requirements, including:

  • Data protection by design – Privacy and data protection issues must be considered at the start, in the design phase of a new system, product or process, and kept under review for as long as it exists.
  • Accountability – Your organisation is responsible for demonstrating how it complies with data protection law.
  • Transparency – Personal data must be used and shared in a transparent way.
  • Security – Adequate measures must be in place to protect the data. These range from policies and procedures to technical security measures, such as encryption of data.

DPIAs are mandatory in certain circumstances, such as large-scale processing of the health and care data of a large number of people. Beyond those cases, health and care organisations are strongly advised to complete a DPIA whenever personal data is to be used or shared in a new way, or where there is a substantial change to existing processing.

A DPIA involves a risk assessment. If a high risk remains after mitigations have been applied, you must consult the Information Commissioner’s Office (ICO) for further advice before you start to collect, use or share the data.

A DPIA is a live document: you must update it if there are any changes to:

  • the purpose – why you are proposing to use or share personal data
  • the manner – how you will use or share the data
  • who is involved – the organisations using and sharing personal data

MIAA is adopting a new NHSE template. The template is written so that it can be completed without expertise in data protection.

It is the responsibility of the organisation that decides why and how the data is used and shared (known as the data controller) to ensure that the DPIA is completed appropriately. In the case of research, this is the sponsor. See HRA guidance on controllers and research.

A template DPIA is available from Suzanne, who can also help you with completion.

If you would like to discuss how MIAA can support your organisation, please contact our Digital Director, Tony Cobain.

