Data Protection Impact Assessment (DPIA) Template

Transcription

Appendix 3: Data Protection Impact Assessment
DPIA Name: Award Skills Three-year Zero value Contracts 53813
Ref No:

STAGE 1: Data Protection Impact Assessment screening questions for proposed changes

Please read the DPIA Guidance document before completing this form.

Screening questions (answer Yes or No):

1. Will the project involve the processing of information about individuals? Please note this does include pseudonymised data.*
2. Will information about individuals be disclosed or shared with organisations or people who have not previously had routine access to the information?
3. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
4. Does the project involve you using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
5. Does any phase of the project utilise automated decision making based on the information provided/shared?
6. Will the project require you to contact individuals in ways which they may find intrusive? e.g. marketing.

* If the answer is "yes" to any of the questions above then a DPIA must be carried out.

Please ensure that this has been sent to the following: Information Management & Governance, Subject matter experts including Business Partners, ICT, CYBER.

Page 1 of 9

Stage 2: Data Protection Impact Assessment

Version Control
Version | Status | DPIA Approved by Information Asset Owner | Revision Date | Summary of Changes
Author Name:
Date:

Section A: New/Change of System/Project General Details

Name: (of the project or change to be delivered)
Background/Objectives: (why is the new system/change required?)
Information flow diagram:* (please see examples in guidance, section 3)
State who is the Data Controller:*

Benefits: (explain what the project aims to achieve, what benefits to the organisation, to individuals and to other parties)
Consultation: (if required, detail here any consultation undertaken with the public, partners, internal or external stakeholders)
Implementation date: (for example, the timescales required for completion, implementation date)
Relationships/Partnerships: (e.g. with NHS, or private organisation, stakeholders; please also, if possible, state whether they are designated as data controllers or data processors)

Project Manager:
Name:
Job Title:
Service:
Telephone:
Email:

Information Asset Owner(s): (All information assets must have an information asset owner (IAO). IAOs are usually Heads of Service or Chief Officers.)
Name:
Job Title:
Service:
Telephone:
Email:

System Administrator (if applicable):
Name:
Job Title:
Service:
Telephone:
Email:

Section B: Data Protection Impact Assessment (please complete all questions as fully as possible)

1. Please state the purpose for the processing of the data/information: (for example, service provision, research, audit, employee administration)

2. Please tick the data items/information that will be processed:
[ ] Name [ ] Address/Postcode [ ] Date of Birth [ ] Telephone no/email [ ] Next of Kin [ ] National Insurance Number [ ] NHS Number [ ] Gender [ ] GP/Consultant [ ] Pseudonymised

2b. Special categories and criminal data:
[ ] Sexual Orientation [ ] Political opinions/trade union membership [ ] Religion [ ] Physical health [ ] Mental health [ ] Medical history [ ] Ethnic Origin [ ] Sexual life [ ] Criminal convictions

2c. Other (please specify):

3a. What is the legal basis you are relying on for the processing of the data/information? (please see guidance section 4 for all of question 3)

3b. If you are relying only on consent, did you consider any other legal basis? [ ] Yes [ ] No

3c. If using consent, how will that consent be obtained and recorded, and withdrawn if requested? (please state)

4. Will personal data items be collected which have not been collected before? [ ] Yes [ ] No

5. The data of approximately how many individuals will be affected?
[ ] 1-10 [ ] 10-100 [ ] 100-1000 [ ] 1000-10,000 [ ] 10,000+ individuals

6. How is the personal data obtained?
[ ] From Client/Service User [ ] From partner agencies [ ] From 3rd Party/Another [ ] For employment purposes [ ] Internal services [ ] Other

7. Have the individuals been informed of this processing?
[ ] Yes (explicit) [ ] Yes (implicit, i.e. through privacy notice, website, leaflet etc.) [ ] No
If no, please record as a risk in section C.

8. Does the information involve new linkage/matching of personal data with data in other collections, or is there significant change in data linkages/matching? [ ] Yes [ ] No
If yes, please record as a risk in section C.

9. Does this project involve utilising data for the purposes of automated decision making/profiling? If so, add details. (please see guidance section 4) [ ] Yes [ ] No
Please see guidance.

Records Management

10. Does this project create a new Information Asset? [ ] Yes [ ] No

10a. How will the information be kept up to date and checked for accuracy and completeness?

10b. What processes are in place for data quality checking?
If there are no documented procedures to evidence this answer, please record as a risk in section C.

11. If this project involves a new system, does it have the ability to quarantine information/restrict processing? (See guidance for details.)

11a. Does the system have the ability to amend or add notes to data/information at a single data field level? Please see guidance.

12. What checks have been made regarding the adequacy, relevance and necessity for the collection of data?
If no checks have been made, please record this as a risk in section C.

13. Where will the information be stored/accessed? (please see guidance section 4 for further information about cloud storage)
[ ] LCC System/Application [ ] Sharepoint [ ] LCC email system [ ] Paper filing system [ ] LCC File-Shares (e.g. Network Drives) [ ] Removable media [ ] External to LCC (cloud, web hosted) [ ] Other

14. What are the retention periods?
If there are no documented retention periods, please record as a risk in section C.

15. How will the information be destroyed when it is no longer required?

15a. If held electronically, can the destruction be certified? [ ] Yes [ ] No

15b. Can the information be deleted at a singular data field level? Please see guidance.

Security

16. Who will access the information? (i.e. services, roles, organisations)

17. Is there an Access Control Policy in place? (Please see guidance section 6 for further information) [ ] Yes [ ] No

18. Is there an ability to audit access to the information? (Please see guidance section 6 for further information) [ ] Yes [ ] No

19. Detail what security measures have been implemented to secure access and limit the use of personal information.

20. Does this project involve privacy invasive technologies? (Please see the guidance) [ ] Yes [ ] No
If yes, please detail.

21. Is there a business continuity and a disaster recovery plan in place? [ ] Yes [ ] No
If no, please record as a risk in section C.

22. Where external parties are accessing LCC information, has it been identified that they require IG training? [ ] Yes [ ] No
If no, please record as a risk in section C.

Sharing

23. Will any of the information be shared with other organisations or LCC services? [ ] Yes [ ] No
If yes, please record as a risk in section C.

23a. Please list all organisations/LCC services involved with sharing.

23b. What is the legal basis for sharing?
Please note that your legal basis for processing may be different from your legal basis for sharing. Please refer to guidance.

24. Will there be signed information sharing agreements in place? [ ] Yes [ ] No
If no, please record as a risk in section C.

25. Which method will be used to transport information if it is going off site?
[ ] Standard email [ ] Secure email (e.g. GCSx) [ ] Website [ ] Via courier [ ] By hand [ ] Via external post [ ] Via telephone [ ] Removable Media [ ] Secure file transfer protocol (e.g. Mail Express) [ ] Other file transferring applications (Dropbox) [ ] Social Media [ ] Providing access via LCC systems [ ] Other (please give details)

26. Are you transferring any personal identifiable data/information to a country outside the United Kingdom? [ ] Yes [ ] No
If yes, please record as a risk in section C.

Section C: Identify the Information, Privacy and related risks

Identify the key risks. All risks identified from the questionnaire in section B should be included, plus any others of relevance. Describe the actions you could take to reduce the risks and any future steps which would be necessary (e.g. the production of new procedures or future security elements for systems).

Please note: if your project has a large number of risks there is an alternative spreadsheet you can use (please ask your IG officer), or simply continue onto a separate sheet.

Risk | Solution | Result: is the risk eliminated, reduced, or accepted? | Evaluation: is the final impact on individuals after implementing each solution a justified, compliant and proportionate response to the aims of the project?
