Did you receive a text recently, apparently from the NHS, telling you that all adults need to receive the Covid booster? You might assume all the data related issues were worked through before the text was sent, perhaps in a Data Protection Impact Assessment (DPIA). In this article I’m considering the question “what is a DPIA?” As well as what a DPIA shouldn’t be.

Data Protection experts discussed the legality of the recent Covid booster text on Twitter, with many people arguing that the text was necessary and justified under any one of a variety of legal bases.

Never one to go with the flow though, I wasn’t easily convinced; the very fact that people on the Internet had to guess what the sender’s legal basis was, means the sending of the text fell at the first fence of Transparency. (It didn’t help, to my mind, that the sender was actually the network providers, at the request of the Government, rather than the NHS as it showed up as.)

One well known privacy and data protection lawyer tweeted a “mini-data protection impact assessment” to support his stance that the text was lawful.

One thing that struck me though, from that mini-DPIA and the other tweets, was the lack of focus on two things…Impact – the “I” in DPIA – and demonstrating compliance.

 

Legal definition of a DPIA

The (UK)GDPR Article 35 states (with my own emphasis):

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Leaving aside the difficulty of identifying when processing “is likely to result in a high risk to the rights and freedoms of natural persons” without carrying out an impact assessment, or at least a pre-assessment assessment (I’ll write about that soon), let’s look at what a DPIA should cover.

There is no set format or template for a DPIA, but coming back to the (UK)GDPR, with my emphasis again:

“The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”

 

DPIAs in practice

At CP Data Protection, we start by trying to get clarity on what the processing is designed to achieve, and just as importantly, whether the processing is even likely to achieve that outcome.

Then we consider all the ways the processing could impact on the data subjects; including both positive and negative effects, and including if things go to plan, or if the data is breached somehow. (I’ve discussed how to brainstorm the potential ways things could go wrong in previous articles and I’ll touch on it again in the next one. Please see the links below.)

These actions cover points a, b and c above, which brings us to (d) “the measures envisaged to address the risks…” This is where we think about what needs to be done in order to protect the personal data of course, but also “to demonstrate compliance with this Regulation.”

Much like the ‘Accountability Principle’ (Article 5(2)), this means that we should be doing more than protecting data from security breaches.

We should be ensuring, for starters, that we’re complying with the rest of Article 5(1): data processing that is fair, lawful and transparent; processing is for limited purposes; data minimisation; accuracy; and storage limitation.

Then there’s upholding the rights of data subjects, working with processors if relevant, and dealing effectively with any breaches.

AND we should be able to show we’ve considered all these things, and taken steps to achieve them.

In conclusion, to answer the question, “what is a DPIA”, it’s safe to say a DPIA is not a simple task; a DPIA is a process to help identify, and manage, the potential impacts of data processing and to help ensure the processing complies with data protection law.

It’s helpful to use a template as a starting point for a DPIA, that includes sections for all the questions we’ve discussed in this article, but be sure to add a little imagination too. It’s important to keep an open mind about the processing and especially:

1) the purpose and necessity of the processing, which should be weighed against;

2) the potential negative effects on data subjects.

The Covid booster text

To finish off by considering the Covid booster text again, despite many guesses as to the legal basis relied on for sending it, some of them sensible and one of them pretty convincing, they remained just that – guesses – because the Government failed to clearly communicate the legal basis. So as I said, I believe it’s clear that the sending of the text failed at transparent processing. It’s anyone’s guess if the Government considered the necessity of sending the text, and whether it was likely to have the desired effect, or if it could confuse or upset any of the recipients.

In the Twitter discussions I got the distinct impression that many of the commentators felt that being anti the text equalled being anti-vaxx, and that no harm could come from a simple text message. You won’t be surprised to hear that I strongly disagree with both of those positions!

For what it’s worth, I had my booster the same day as I joined in the Twitter debate, and I know people who were confused by receiving the text and it’s not a long jump to imagine people being upset or suspicious about it.

What’s next?

In our next DPIA article I’ll discuss some tips for keeping an open mind when carrying out a DPIA. To find out when it’s published, and see it first, sign up to receive emails here:

Any questions?

If you have any questions about data protection, either about DPIAs or anything else related to personal data, book a free 15 mins call!

Image of Clare Paterson - Caucasian female with long brown hair and wearing glasses

Author: Clare Paterson, CP Data Protection director

Clare draws on over 20 years of experience in risk management and quality assurance, including ten years in data protection, to provide clear and practical advice and training.

Don’t tell everyone (shh!) but Clare’s favourite sector is social housing, having worked in a large housing association for 12 years, although she loves to support all values-led organisations.

When EDI meets privacy

With National Inclusion Week 2022 coming to a close, what will your organisation continue to do to support inclusion in the workplace? Thoughts often turn to workshops, diversity champions, EDI statistics (Equality, Diversity & Inclusion), and so on. These require...

Social Housing Providers: Are you ready for the RSH TSM data collection?

The Regulator of Social Housing (RSH) recently published the final list of Tenant Satisfaction Measures (TSM) questions, that social housing providers have until April 2023 to get ready to start collecting data for - just over 6 months. I can imagine the stress and/or...

Why Data Purpose is Crucial – guest slot on “Get Data Done” on YouTube

Our Director & Consultant, Clare Paterson, was thrilled recently to be asked to join Phil Husbands of Truly Intelligent Business on their YouTube channel, Let's Get Data Done, to talk about why data purpose is crucial. After talking about why it's crucial for...

Customer insight in social housing: How to repurpose data safely & lawfully.

Customer insight Customer insight in the social housing sector is a key aim amongst many housing associations; we want to better understand our customers and better serve them. However, in a recent discussion about repurposing and combining data in the social housing...

Domestic CCTV and social housing tenants

There is (understandably!) a lot of confusion around the use of domestic CCTV, including the cameras fitted in 'Ring' doorbells and similar systems, especially when those cameras are used by social landlord tenants, which can be compounded when the footage is used as...

Data Quality; how to ensure your data is good quality (1 min. video)

In under 60 secs we identify the 3 pillars of good quality data, to support your decision making and help you fulfil your organisation's purpose.

How to respond to SARs (& make SARs less stressful)

If you're anything like me, when I was working in-house doing Data Protection at a large Housing Association, you let out a sigh whenever a Subject Access Request (or SAR) hits your desk. Especially if it's taken a number of days, or even weeks, to get to you, leaving...

How to identify process-based risks in your DPIA; a checklist

In the last article about Data Protection Impact Assessments (DPIAs), we explored three techniques to help identify the ways people could be impacted by your planned processing, as part of the risk assessment part of a DPIA. In this article we'll look at the...

How to identify data related risks using your imagination

In the last article about Data Protection Impact Assessments (DPIAs), we explored what a DPIA should include, based on the requirements laid down in the (UK)GDPR. Here we'll discuss how to identify data related risks using your imagination. In brief, a DPIA should...

Data Protection Day – what’s it all about?

So every 28th January is Data Protection Day...but you would be forgiven for thinking "So what?" "What is 'Data Protection Day'?" Or "What is 'Privacy Day'?" as it's sometimes known. And "why is it important?" If you don't consider yourself as being in the data...