Data Privacy Day takes place annually on the 28th of January to raise awareness and promote privacy and data protection best practices.
This year, Suzanne Crutchley, Head of Data Protection & Information Governance at MIAA, outlines how a Data Protection Impact Assessment (DPIA) works and why DPIAs are necessary for health and care organisations.
Suzanne explained: “A data protection impact assessment (DPIA) will ensure that you identify and mitigate potential data protection risks to an acceptable level before processing data that identifies individuals (personal data).”
A DPIA will also help you meet a number of data protection legal requirements including:
DPIAs are mandatory in certain circumstances, such as when using the health and care data of a large number of people. However, health and care organisations are strongly advised to complete a DPIA when using and sharing personal data in a new way or where there is a substantial change.
A DPIA involves a risk assessment. If a high level of risk remains after applying mitigations, you must consult the Information Commissioner’s Office (ICO) for further advice before starting to collect, use or share the data.
A DPIA is a live document – you must update it if there are any changes to:
MIAA are adopting a new NHSE template. The template is written so that it is easy to use without needing expertise in data protection.
It is the responsibility of the organisation that decides why and how the data is used and shared (known as the data Controller) to ensure that the DPIA is completed appropriately. In the case of research, this would be the sponsor. See HRA guidance on controllers and research.
A template DPIA is available from Suzanne, who can also help you with completion.
If you would like to discuss how MIAA can support your organisation, please contact our Digital Director, Tony Cobain.