Planning, Governance and Compliance

Data Protection Impact Assessments

A Data Protection Impact Assessment (‘DPIA’) is a process to help the University, as a Data Controller, to identify and minimise the data protection risks of a project or particular area of work.

Under the General Data Protection Regulation (GDPR), we are required to do a DPIA if we intend to process personal data in a way that is likely to result in a high risk to individuals. You should always complete a DPIA in the following circumstances:

  • If you plan to use systematic and extensive profiling with significant effect on individuals;
  • If you process special category or criminal offence data on a large scale;
  • If you use profiling or special category data to decide on access to services;
  • If you use new technologies; and
  • When processing biometric data or genetic data.

It is also good practice to do a DPIA for any major project which requires the processing of personal data.

To help you decide if a DPIA is necessary, you should complete the ‘Data Protection Impact Assessment Screening Questions’ below. If you answer ‘yes’ to any of the questions, it is likely that a DPIA will be needed. You should also seek advice from the University’s Data Protection Officer, Alexandra Elliott, at dpo@sussex.ac.uk.

Where a DPIA is needed, it must describe the nature, scope, context and purpose of the processing and identify and assess risks to individuals, as well as any measures that can be put in place to mitigate those risks. The University has a template for DPIAs which should be completed and this can be obtained from the Data Protection Officer. There may also be other areas of the University and third parties that need to be consulted as part of the assessment process.

Data Protection Impact Assessment Screening Questions

Answer ‘Yes’ or ‘No’ to each of the following questions to determine whether a DPIA is needed:

1. Will the project / piece of work that is planned involve the collection of new information about individuals?
2. Will the project / piece of work compel individuals to provide information about themselves?
3. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
4. Will the project / piece of work use information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
5. Does the project / piece of work involve you using new technology which might be perceived as being privacy intrusive?
6. Will the project result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
7. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private.
8. Will the project / piece of work require you to contact individuals in ways which they may find intrusive?
9. Will the project / piece of work use personal data obtained from live or operational systems for testing purposes?
10. Will the project / piece of work use personal data which will be accessed or transferred outside the European Economic Area?