
Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a process which helps assess privacy risks to individuals in the collection, use and disclosure of personal information.

The DPIA template is a practical tool to help identify and address the data protection and privacy concerns at the design and development stage of a project, building data protection compliance in from the outset rather than bolting it on as an afterthought.

A DPIA should be carried out whenever there is a change that is likely to involve a new use of personal data or significantly change the way in which it is handled, for example a redesign of an existing process or service, a new process or information asset being introduced, or changes being made to a data sharing agreement.

Building into project plans

Completion of a DPIA should be built into the organisational business approval and procurement processes. Any systems which do not identify individuals in any way do not require a DPIA to be completed.

However, it's important to understand that what may appear to be 'anonymised' data could in fact be identifiable when used with other information, so anonymised data should be considered very carefully before any decision is made that it will not identify individuals.

Advice may be sought from our data protection officer (DPO) on whether a DPIA needs to be completed.

Responsibility for conducting a DPIA

Any department which is introducing a new or revised service or changes to a new system, process or information asset is responsible for ensuring the completion of a DPIA. The project manager will help with this process.

At the start of the design phase of any new service, process, or purchase or implementation of an information asset, for example, consideration should be given to the need and procedures for completing the DPIA.

Data Protection Impact Assessment outcomes should be routinely reported back to the organisation and issues raised through the project or programme board and included in the departmental risk register as appropriate.

Where significant risks are identified, these should be aired in the first instance with the DPO, who should discuss them with the Caldicott guardian or senior information risk owner as necessary.

To see our DPIA and find out more visit the Our Derbyshire website, or contact the relevant department data protection liaison officer: