Data Protection Impact Assessment Template

Use the Data Protection Impact Assessment Template to evaluate data processing activities and data sharing processes, to support international transfers, and for similar assessments.

1.1 Proposal/Project/Activity Title

1. Is the access and use of the MACP portal for Migrant Help under the Advice, Issue, Reporting and Eligibility (AIRE) contract?

1.2 Information Asset Title(s) (if Applicable)

1. Are there any information asset titles available?

1.3 Information Asset Owner(s) (IAO)

1. What is the email address?

2. What is the name?

3. What is the telephone number?

4. What is the information asset title?

1.4 Person Completing DPIA On Behalf Of The IAO (Named At 1.3 Above)

1. What is the email address?

2. What is their name?

3. What is their telephone number?

4. What is their Business Unit/Team?

1.5 DPIA Commencing Date

1. When did the DPIA commence?

1.6 Date Processing Activity To Commence (if Known):

1. What is the data processing activity commence date (if known)?

1.7 Information Asset Register Reference (if Applicable):

1. What is the information asset register reference (if applicable)?

1.8 DPIA Version

1. What is the DPIA version?

1.9 Linked DPIAs

1. What are the linked DPIAs?

1.10 DPIA Proposed Publication Date (where Applicable, And If Known)

1. What is the DPIA proposed publication date (where applicable, and if known)?

Section 2: Personal Data

1. 2.1 What Personal Data is Being Processed?

2. 2.2.a Is the general processing regime (UK GDPR/Part 2 DPA) applied?

3. 2.2.b Is the law enforcement processing regime (Part 3 DPA) applied?

4. 2.3 Does the processing include any of the following special categories or criminal conviction data?

5. 2.4 Does it include the processing of data relating to an individual aged 13 years or younger?

6. 2.5 If yes, what additional safeguards are necessary for this processing activity?

7. 2.6 Will data subjects be informed of the processing? If ‘no’, why?

8. 2.7 If yes, how will they be informed/ notified?

9. 2.8 Which HO staff and/or external persons will have access to the data?

10. 2.8a How will access be controlled?

11. 2.9 Where will the data be stored?

12. 2.10 If the data is being stored electronically, does the storage system have the capacity to meet data subject rights (e.g. erasure, portability, suspension, rectification, etc)? If ‘no’, why?

13. 2.11 If ‘Yes’ how are these requirements met?

14. 2.12 (For law enforcement processing only) If the data is being stored electronically, does the system have logging capability (as per s.62 DPA)?

15. If ‘no’, what action is being taken to ensure compliance with the logging requirement?

16. 2.13 (For law enforcement processing only) Will it be possible to easily distinguish between different categories of individuals (e.g. persons suspected of having committed an offense, victims, witnesses, etc.) as well as between factual and non-factual information (as per s.38 DPA)?

17. If ‘no’, what action is being taken to ensure compliance with s.38 DPA?

18. 2.14 What is the retention period for the data?

19. 2.15 How will data be deleted in line with the retention period and how will the deletion be monitored?

20. 2.16 If physically moving/sharing/transferring data outside the Home Office, how will it be moved/shared?

21. 2.17 What security measures will be put in place to ensure the transfer is secure?

22. 2.18 Is there any new/additional personal data being processed? If yes, what are they?

23. 2.19 What is the Government Security Classification marking for the data?

24. 2.20 Will your processing include the use of cookies? If ‘no’ go to section 3.

25. If ‘yes’, what sort of Cookies will be used?

26. 2.20a If cookies fall into categories 2) & 3) how will you ensure data subjects are aware and can give active consent to the use of cookies?

Section 3: Purpose Of The Processing

1. 3.1 What is the purpose of the processing?

2. 3.1a.1 Is the General processing regime (UK GDPR/Part 2 DPA) applied?

3. 3.1a.2 Is the Law enforcement processing regime (Part 3 DPA) applied?

4. 3.2a (General processing only) What is the (UK GDPR Article 6) lawful basis for the processing?

5. 3.2b (Law enforcement processing only) What is the (Part 3 DPA) lawful basis for the processing?

6. 3.3 If you have selected ‘legal obligation’ or ‘performance of a public task’ for general processing (for Q3.2.a), OR if the processing is for a law enforcement purpose, indicate below the legal basis and relevant legislation authorizing the processing of the data:

7. 3.4a (General processing only) If processing special category data or criminal convictions data, what is the (UK GDPR Article 9) condition for processing the special category data?

8. 3.4b (Law enforcement processing only) If processing sensitive data for a law enforcement purpose, what is the (DPA Schedule 8) condition for the processing?

9. 3.5 Is the purpose for processing the information described in 3.1 above the same as the original purpose for which it was obtained by the Department?

10. If ‘no’, what was the original purpose and lawful basis?

Section 4: Processing Activity

1. 4.1 Is the processing replacing or enhancing an existing activity or system? If 'yes', specify the details.

2. 4.2 If no, is the processing a new activity? Specify the details.

3. 4.3 Is this a one-off activity, or will it be frequent and/or regular?

4. 4.4 Does the processing directly relate to the processing of personal data that includes new legislative measures, or of a regulatory measure based on such legislative measures?

5. 4.5 If the answer is yes, please explain what that processing activity is, including whether or not the HO will be accountable for the processing of personal data.

6. 4.6 Does the processing activity involve another party?

7. 4.6.a In what capacity is the other party acting?

8. 4.7 Will any personal data be transferred outside the country?

9. 4.8 Does the proposal involve profiling that could result in an outcome that produces legal effects or similarly significant effects on the individual?

10. 4.9 Does the proposal involve automated decision-making?

11. 4.10 Does the processing involve the use of new technology?

12. 4.11 If ‘yes’, describe the new technology, including details of the supplier and technical support.

13. 4.12 Are the views of impacted data subjects and/or their representatives being sought directly in relation to this processing activity?

Section 5: Risks Of The Processing

1. 5.1 Are there any other known or anticipated risks associated with the processing of personal data that have been identified by the project/program/initiative owner and have not been captured in this document?

2. 5.2 What steps have been taken to mitigate these risks?

3. 5.3 Can you demonstrate that the risks to the individuals are sufficiently balanced by the perceived public protection benefits?

4. 5.4 Are these risks included within a risk register?

6.1 External Contact Details For Data Exchange/ Processing

1. What is their name?

2. What is their grade?

3. What is their organization?

4. What is their Business Unit/Team?

5. What is the email address?

6. What is their telephone number?

7. 6.2 What is the legal basis/power/statutory gateway for the processing activity?

8. 6.3 How long will the data be retained by the receiving organization or processor for the purpose for which it is received?

9. 6.4 How will it be destroyed by the receiving/ processing organization once it is no longer required for the purpose for which it has been received?

10. 6.5 Is the data sharing process underpinned by a non-binding arrangement (Memorandum of Understanding (MoU) or equivalent) or binding agreement (Treaty or contract)?

11. 6.6 Provide details of the proposed HO MoU/Contract signatory and confirm they have agreed to be responsible for the data sharing/processing arrangement detailed in this document.

12. 6.7 Will the other party share any HO data with a third party including any ‘processors’ they may use?

Technical Impact And Viability

1. 6.8 Which of the following reflects the data processing?

2. 6.9 Has any analysis or feasibility testing been carried out?

3. Is development work required to ensure that systems are DP-compliant?

Security

1. 6.11 Given the security classification of the data, are you satisfied with the proposed security of the data processing/transfer arrangements detailed in 2.16 and 2.17 above?

2. 6.12 Have you read the associated guidance and, if necessary, consulted with HO Security and the relevant DDaT teams, including Home Office Cyber Security (HOCS)?

3. 6.13 If the answer is ‘no’: What needs to happen to ensure that adequate security arrangements are achieved?

4. 6.14 Will the data be stored and be accessible off-site?

5. 6.15 If ‘yes’, have you considered the security arrangements that need to be in place to prevent the data from being accidentally or deliberately compromised?

Section 7: International Transfers

1. 7.1 Does the activity involve transferring data to a country outside of the UK (including Crown Dependencies, Overseas Territories, and Sovereign Base Areas)?

2. 7.2 Does the country have a positive adequacy decision?

3. If ‘no’, under what legal basis do you propose to transfer the data? (General processing only / Law enforcement processing only)

4. 7.3 Does the HO already have a binding or non-binding data-sharing arrangement with this country? (If no, skip 7.4 a)

5. 7.4 a) If ‘yes’, does the arrangement cover the purpose(s) for which you need to share data? Does the arrangement recognize the rights of data subjects? Does it include effective legal remedies for data subjects’ rights; set out important reasons of public interest and how those reasons are legally founded; or set out why the transfer is necessary in individual cases for a law enforcement purpose? (If yes, go to Section 8)

6. If ‘no’, how do you propose to document the terms of the understanding with the other country?

8.1 Referral To The ODPO

1. What is the date referred to the ODPO?

2. What date is it reviewed?

3. What date is it returned to the author?

4. Are there any comments/recommendations?

8.2 ODPO Review Complete

1. What is the date referred to the ODPO?

2. What date is it reviewed?

3. What date is it returned to the author?

4. Are there any comments/recommendations?

8.3 IAO Sign-Off

1. What is the date referred to the IAO?

2. What is the name of the IAO, or of the person signing on their behalf?

3. What date is it returned to the author?

4. Are there any comments?

9.1 Criteria For Referral To The HO Data Board:

1. Has the ODPO identified a risk that, in its opinion, requires escalation to the ICO (regardless of risk severity)? Is guidance produced in due course once examples indicate how this might be revealed? Will the view of the Chair of the Data Board be sought in advance of any such escalation?

2. Is there an ODPO reason for referral if not one listed below? If 'no', why?

3. Is there an instance where the proposal will not meet the Home Office’s obligations to meet the individual rights and protections of data subjects as defined in UK GDPR and DPA18?

4. Is there an instance where the proposal is likely to result in any person’s individual privacy/data protection rights being compromised?

5. Is a particular concern identified with regard to the purpose, method of processing, and location of processing that, in combination, warrants further escalation or consideration?

6. Is the nature of the personal data itself so sensitive that, despite the rest of the risks around processing being low, the board might need to scrutinize it, or could the Board determine that scrutiny is not necessary?

7. Is it not possible to implement all recommended controls/mitigations? (If controls and mitigations have been identified but result in a short period of heightened risk, does this still warrant escalation?)

8. Is there a high likelihood of a challenge or regulatory enforcement being brought, or a high likelihood of such a challenge or action being successful against the Home Office?

9. If a proposal resulted in advice that the processing would be unlawful, and the project has since revised the proposal, should this be referred to the Board?

Specific Referral Circumstances

1. Has data processing been promised by a Minister/the Cabinet, but are there questions as to whether there is a sufficient legislative/technical/administrative framework in place to enable this?

2. Has a decision been made to prefer specific safeguards over others or a riskier approach?

3. Has a business-critical issue emerged, such as essential work to a business-critical system, that may mean data subjects' rights might not be met?

4. Is the processing likely to attract significant controversy?

9.2 Referred To The HO Data Board Secretariat

1. What is the date referred to the Secretariat?

2. Is it referred to the HO Data Board?

3. What is the date of the Data Board?

4. What is the date returned to the author?

9.3 Action Taken By The Respective IAO(s)

1. What is the effective date?

2. What is the last review date?

3. What is the next review date?

4. Who is the owner?

5. Whom is it approved by?

6. Who is the audience?

Summary Of The Processing

1. Does the proposal/project/activity involve the processing of personal data, or is new legislation that relates to the processing of personal data being considered? (If the answer to this question is ‘No’, then the rest of the form does not need to be completed. If the answer is ‘Yes’, please continue.)

2. Does the proposal/project/activity involve a new way of processing personal data?

3. Does the proposal/project/activity involve the use of a new form of technology for a new or existing process?

4. Does the proposal/project/activity involve new legislation that relates to the processing of personal data being considered?

5. Does the proposal/project/activity involve substantial changes to an existing project/program/process involving personal data, which would include a significant increase in the volume or type (category) of data being processed?

6. What is the purpose of the processing?

Screening Questions

1. Does the processing activity include evaluation or scoring, including profiling and predicting, especially of aspects concerning the data subject's performance at work?

2. Does the processing activity include the evaluation or scoring of the data subject's economic situation?

3. Does the processing activity include the evaluation or scoring of the data subject's health?

4. Does the processing activity include the evaluation or scoring of the data subject's personal preferences or interests?

5. Does the processing activity include the evaluation or scoring of the data subject's reliability or behavior?

6. Does the processing activity include the evaluation or scoring of the data subject's location or movements?

7. Does the processing activity include automated decision-making with legal or similarly significant effects, i.e. processing that is intended to make decisions about data subjects that will produce “legal effects concerning the natural person” or which could “significantly affect the natural person”?

8. Does the processing activity involve systematic monitoring, i.e. processing used to observe, monitor, or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area” (e.g. CCTV)?

9. Does the processing activity involve mostly sensitive personal data? (This includes special categories of personal data, data about criminal convictions or offenses, or personal data with the security marking of Secret or Top Secret.)

10. Does the processing activity involve data processed on a large scale? (If sharing with a third party external to the Home Office, large scale is defined as 1,000 plus pieces of personal data in a single transaction or in multiple transactions over a cumulative 12-month period.)

11. Does the processing activity involve matching or combining datasets that are being processed for different purposes?

12. Does the processing activity involve mostly data concerning vulnerable data subjects or children?

13. Does the processing activity involve the innovative use or application of new technological or organizational solutions?

14. Will the processing activity in itself prevent data subjects from exercising a right (under Data Protection Legislation and the UK GDPR) or using a service (provided by) or a contract (with) the Department?

15. Is the introduction of new legislation or a legal regulatory measure that relates to the processing of personal data being considered? (If you have answered ‘yes’ to more than one of the above screening questions (Q 3 to 12), a DPIA must be completed. If you have answered ‘no’ to each of the screening questions but feel the planned policy/process/activity is significant, or carries reputational or political risk, you should complete the full DPIA.)

Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.