Data Protection Impact Assessment Policy and Procedures

Last updated

July 10th 2018


“Data Protection Impact Assessment” is a process developed by the Information Commissioner’s Office (ICO) that will assist an organisation to ensure that privacy concerns and safeguards are addressed and built in as a project or plan develops. This policy and procedure covers conducting Data Protection Impact Assessments for new projects and modifications to existing systems (information assets).

The scope of this document is to outline MSKnote’s approach and methodology for Data Protection Impact Assessments for new and existing systems and processes. A process tool can be found in Appendix 1.

The Government’s Data Handling Review report contains a number of recommendations that are mandatory to the wider public sector. Part of the solution to reducing risk lies in ongoing culture change to ensure that information risk management is high on the agenda and the process of Data Protection Impact Assessments (DPIA) is advocated as a means of achieving this.

This DPIA guidance is effectively applicable to any member of staff who is responsible for project managing a new “project” or “plan” to modify any system (information asset).

This is an important aspect of the role of Information Asset Owners. This document is also of benefit to those involved in the proposed change to the organisation’s processes and systems.


Projects that involve personal information or intrusive technologies give rise to privacy issues and concerns. As an overarching principle, this policy advocates that respect for patient privacy and dignity should be considered from the outset of any project and, in so doing, that the values of confidentiality and consent are embraced.

To enable an organisation to address privacy concerns and risks, a technique referred to as a Data Protection Impact Assessment (DPIA), as advocated by the Information Commissioner, must be used.

It is recommended that specialist advice, i.e. that of the Information Governance Function / Information Security Manager, should be obtained at appropriate points during the process.


Compliance with confidentiality and data protection must be taken into account and there must also be a comprehensive consideration of potential impacts on information quality at the design phase of any new process or information assets. Some of the considerations that must be taken into account are whether a new (or modified) project/process or information asset



Data Protection Impact Assessment

A risk technique advocated by the Information Commissioner’s Office to enable organisations to address privacy concerns and ensure appropriate safeguards are addressed and built in as projects or plans to develop existing information assets progress.

Projects / plans to develop

Data Protection impact assessments are required when new projects occur (for example introduction of a new electronic patient record) or where plans are proposed to develop an existing information asset. These can be both paper and electronic.

Sensitive data

Under the Data Protection Legislation 2018 this is data such as, for example, patient diagnosis, medical history, ethnicity, sex and religion.

Personal data

Data which is capable of identifying an individual, but isn’t classified as sensitive data, for example, name, postcode, GP, next of kin, address, date of birth and so on.


Senior Management

Senior Management at MSKnote owns the information risk and its implementation.

Senior Information Risk Owner (SIRO)

The SIRO is responsible for ensuring an Information Risk Policy is developed, implemented, reviewed and its effect monitored. Privacy Impact Assessment is one element of the management of information risk. Information risks need to be handled in a similar manner to other major risks such as financial, legal and reputational risks.

The SIRO will:

The SIRO is the key role for ensuring the management and identification of information risks within MSKnote.

Information Asset Owners

Information Asset Owners (IAO) are senior individuals involved in running the relevant business. Their roles include:

As a result, they are able to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security, confidentiality, integrity and use of the assets.

Information Asset Administrators

Information Asset Administrators (IAA) support the IAO by ensuring:

These roles would normally be undertaken by an operational member of staff who is responsible for one or more information assets and reports to their IAO; this is often the “System Manager”.

Specialist Advice

Specialist advice can be provided via a number of individuals, i.e. Information Governance Function, Information Security Manager, Caldicott Guardian and SIRO depending on the issue identified as an outcome of completing a Data Protection Impact Assessment. The Information Governance Function is available to provide the expert knowledge and guidance around the legal framework.

General Staff Responsibilities

All staff employed by MSKnote must follow the requirements of this and related policies, particularly those relating to Information Governance. All health professionals must also meet their own professional codes of conduct in relation to confidentiality. Breaches of confidentiality, security alerts, etc. relating to an information system should be assessed using this privacy impact assessment process to provide assurance that information risk is being managed.


Data Protection Impact Assessments need to be completed at an early stage of the project or planned modification to an existing process or information asset. A key aim is to ensure that full compliance with the checklists will be achieved as business processes and rules are specified during the course of the project. The appointed Information Asset Owner is responsible for ensuring that this is carried out with support and guidance from other individuals as relevant, i.e. Information Governance Function, Information Security or super users of the system.

All Data Protection Impact Assessments that require completion should be notified to the Information Governance Function in order that the correct level of expertise / support can be provided to the process. The Information Governance Function will ensure that the information system is recorded on MSKnote’s systems register. As a result of a completed Data Protection Impact Assessment, an action plan must be devised and written up for initial approval, and for subsequent auditing and monitoring by the Information Governance Lead or Data Protection Officer. This ensures that information risks are recorded with mitigation put in place, and an annual review will also ensure ongoing compliance with confidentiality, data protection and security.


Information Asset Owner and Information Asset Administrator training sessions are held in accordance with the IG Training Toolkit requirements.


Aspect of compliance or effectiveness being monitored: Annual risk assessment of information assets and introduction of DPIAs following the introduction of new systems.

Monitoring method: Risk Assessment

Individual responsible for the monitoring: Information Governance Manager – Data Protection Officer

Frequency of the monitoring activity:

Group / committee which will receive the findings / monitoring report: Senior Management

Group / committee / individual responsible for ensuring that the actions are completed:



Available on the MSKnote website - https://mskassist.msknote.com/ig-gdpr/



All new IT systems, databases or on-line data submission systems introduced to MSKnote containing person identifiable data (PID), whether patient or staff, must be approved by the MSKnote Caldicott Guardian to ensure they comply with current technical and information governance requirements.

This checklist is to be used by MSKnote to ensure that new processes, software and hardware involving the processing of person identifiable data (PID) comply with the Data Protection Legislation 2018. All processes, electronic or manual, software or hardware incorporating the processing of PID must be tested for DPIA/confidentiality compliance and approved prior to implementation/commencement.

The senior management of MSKnote will periodically carry out data protection compliance checks on existing processes and a report will be made to the MSKnote Caldicott Guardian detailing findings and recommendations if compliance is not met.

Please complete this form as part of your project initiation documentation and submit to the Head of Information Governance / DPO at MSKnote.



Complete all boxes

System name

What is the system commonly known as?

Who is the Supplier?

Give full contact details including address, telephone number and name of person responsible for support.

Which department is introducing the new system/database?


Please state system sponsor.


When is it anticipated the system will be implemented?

Will the system integrate with any other systems?

State anticipated ‘go-live’ date. Give brief outline of testing procedures, if applicable.

State whether the system will pull information such as demographics from any other system in use.

Is personal data being processed?

Can we legitimise processing of personal data in accordance with the terms of Schedule 2 of the DPA?


The Data Protection Legislation 2018 defines personal data as any information held in any format that can identify a living individual. However, a duty of confidentiality still applies to the deceased, so this form should still be completed for systems/processes involving the use of personal data of the deceased.

If yes - legitimate process (Please tick – at least one of the terms below MUST apply)



Legitimate interest

Justice/ enactment

Legal obligation

Vital interests

Is sensitive personal data being processed?

Sensitive personal data is personal data relating to a person’s political beliefs, trade union membership, sexual life, physical and mental health, criminal record, ethnic origin, religious beliefs.

Can we legitimise processing of sensitive personal data in accordance with the terms of Schedule 3 of the DPA?

If yes – legitimate process, Schedule 2 and 3 terms need to be satisfied (Please tick all that apply)

Explicit consent


Justice/ enactment

Political org. etc.

Made public by DS

Medical Purposes

Vital interests

Legal proceedings

Purposes of equality

Order of the Secretary of State

Is the system capable of capturing and storing the NHS number?

This is now a requirement of all new systems. Steps must be taken to ensure the NHS number is captured and stored.

If the answer is yes, how is the NHS number verified?
If the answer is no, what steps are being taken to ensure this requirement is met?

Does the system have a reporting facility?

Is the system able to produce a printout of all personal data to satisfy the subject access provision of the 1998 Data Protection Act?

Briefly summarise the standard reporting facility of the system. The system should have the facility to produce a printout of all personal data held.


Briefly describe the purpose of the system.

Who is the Information Asset Owner? (The person responsible for the process/system?)


The word ‘system’ is used to mean new software/hardware.

An internal named lead must be the system owner and be responsible for the system management.

What steps have been taken to ensure the data processor complies with data protection?

How have you assessed the system security measures?
Is there an ongoing procedure in place to monitor compliance with these measures?

If maintenance/support is provided by an external company, is there a robust contract in place covering security of information transferred, external staff accessing data, etc.?

Will the data be used for the purpose of direct care?

Will the data be used for HR/staff records?



If consent is identified as the reason to legitimise processing what happens when consent is withdrawn?

Are individuals offered the opportunity to restrict processing of their personal data?

If so when is that opportunity offered?

Are procedures in place for maintaining an up-to-date record of the use of personal data? If so, how often and by whom?

Describe the process and what will happen to the data if consent is withdrawn.

If consent is withdrawn can vital interests/legitimate interest still be cited for continuing use of the system?

Data set/programme supported.


If this is a nationally recognised data set, programme or initiative please give title or outline description


Who is the Information Asset Administrator who will be responsible for the data quality (accuracy) of the information in the process/system?

How will the data be checked for relevancy, accuracy and validity?

How often will the data be checked and validated?

An internal member of staff must be named as the responsible person for maintaining the system/database and who will carry out data validation checks.

Workplace procedures must be provided and appended to this application. List the relevant procedures.


Who will have access to the system and how will that access be controlled?

Will training on use of the system be provided and a list of trained personnel maintained?

Is there a process in place to ensure all users have attended CCG mandatory data protection training?


Give description of potential users and authorisation process. Include process used when users leave employment and how the account will be disabled.

Evidence mandatory training.
Maintain list of users trained on the system.

Is identifiable data shared with other organisations via the system?

If yes, please give brief details

If the PID is to be transmitted electronically does the method of transfer comply with data encryption/removable media policies?


Is anonymised or aggregate data shared with other organisations?


For example, the system collects clinical data that is used by another provider/Hospital when the patient is in contact with them. (Please list organisations data will be shared with).

Detail how the data will be moved (e.g. online, encrypted media, hard copies, etc.).

What will happen to the personal data when it is no longer required?

Who will take responsibility for ensuring disposal of data in accordance with national and local retention and disposal policy timescales?

E.g. Data will be archived and subsequently destroyed securely. Workplace procedure will need to be in place outlining the process.

Does the process/system have an adequate level of security to ensure that PID is protected from unlawful or unauthorised access and from accidental loss, destruction or damage?

Confirmation of security and backup arrangements required.

Does the process/system enable timely location and retrieval of personal data to meet Subject Access requests?

Describe retrieval process. If the process refers to another paper or electronic system then this process is also required, e.g. tracing of paper case notes by an electronic system.


Is PID being sent outside the UK?


If yes, seek further guidance from the Information Governance Manager.

Is the purpose of processing the personal data listed in the CCG’s Notification to the Information Commissioner?

The IG Team will ensure that the purpose for processing is listed in the current Notification and Fair Processing Notice.

Approval for new system granted?

If no, reason for refusal:

Signed ___________________________________________________

Print Name



On behalf of the Director and SIRO ___________________________________________________