Data Protection Impact Assessments 

The UK General Data Protection Regulation (UK GDPR) includes a legislative requirement to undertake a Data Protection Impact Assessment (DPIA) before carrying out ‘processing likely to result in a high risk to individuals’ interests’.

This page contains information to help you to decide whether a DPIA is needed, and to guide you through the process.

If you have any further questions, please email dataprotection@york.ac.uk.  

Use our online DPIA screening tool

1. What is a DPIA?

A DPIA is a risk assessment for data protection related risks. 

It systematically analyses proposed data processing activities, and helps identify and minimise data protection risks arising.

As a minimum, it must: 

  • describe the proposed processing and its purpose; 
  • evidence the necessity of the proposed processing and its proportionality; 
  • identify and assess risks to individuals arising from the proposed processing; 
  • identify any measures that could be put in place to mitigate those risks and protect personal data. 

The DPIA does not have to eradicate risk but should minimise it and bring it within acceptable levels. 

2. When should a DPIA be carried out?

A DPIA must be carried out when processing likely to be high risk is planned. It can optionally be carried out for lower risk processing. 

It must be carried out before the processing begins, as its purpose is to identify and mitigate data protection risks. It is important to allow enough time to fully consider a DPIA when planning a new project or activity which will use personal data. 

The University uses the Information Commissioner's Office (ICO) template checklist to help assess whether proposed processing is high risk.

This screening checklist has two sections: 

  • Section 1 lists 12 very high risk processing types. If any of these types of processing are intended, then a DPIA must be carried out.
  • Section 2 lists 8 high risk processing types. If any of these types of processing are intended, then a DPIA should be considered, and carried out if deemed appropriate.

The decision about whether a DPIA is required is made by the individual or team responsible for the proposed processing. 

It should be noted that there are broader reputational, financial and ethical benefits to be had from undertaking DPIAs. They can help demonstrate University commitment to privacy by default and design, accountability and transparency. They can also help build trust and engagement with our stakeholders. To that end, the activities listed in the screening checklist should not be considered exhaustive and a DPIA should be undertaken whenever it would be useful. 

3. Is there guidance to help determine if a DPIA is needed?

Yes. The online DPIA screening tool includes guidance notes within the form to assist you when completing the screening process. 

You can also download the guidance notes to refer to separately: DPIA Screening Guidance Notes (MS Word, 13KB)

4. Does the University have a template DPIA?

The University has adopted the template DPIA produced by the ICO. 

Using the online DPIA screening checklist will identify and record whether you need to undertake a DPIA.

If a DPIA is required, you will be sent a copy of the University DPIA template to complete. Please ensure that you use this copy of the document, as it is personalised to your project or activity. It will form the central record of your DPIA. 

If you require a blank copy of the template for reference, and are not currently undertaking a DPIA, please email dataprotection@york.ac.uk to request one.

5. Who is responsible for completing the DPIA?

For research projects, the DPIA should be completed by the Chief Investigator, Principal Investigator or Supervisor.

For all other projects, the DPIA should be undertaken by the project owner/lead. 

6. Who is responsible for DPIA sign-off?

Once the DPIA has been completed, forward it to the Data Protection Officer (DPO) (dataprotection@york.ac.uk) for approval.

The DPO may require further information from you as part of that review. The DPO may also advise on additional steps to be taken to bring identified risk within acceptable levels.

Once this has been completed, the DPIA will be signed off by the DPO, and you will be notified that your project or activity can go ahead.

Where the DPO feels risk is high and no remedial action can be taken to mitigate it, the proposed processing activity will need to be referred to the Information Commissioner's Office for review. The DPO will complete the Regulator's online form and submit a copy of the DPIA for consideration. Once received, the ICO will aim to respond within eight weeks but may extend the timeframe by a further six weeks where cases are complex. 

7. How do we carry out a DPIA?

  1. Identify whether a DPIA is needed using the online DPIA screening checklist
  2. If a DPIA is required, you will receive a copy of the DPIA form to complete:
    • Complete the form, with as much detail as you are able
    • Describe the proposed processing (e.g. explain the nature, scope, context and purpose of the proposed project) 
    • Consult widely - talk to data subjects, third-party data processors, the University's Data Protection Officer and other relevant contacts (e.g. the University's Records Manager, IT Security team)
    • Assess the necessity and proportionality of the proposed activity 
    • Identify and assess the severity of data protection risks arising from the proposed activity (e.g. possible data loss, risk of inadvertent disclosure, fairness of activity etc.)
    • Identify measures to eliminate or mitigate risk (e.g. documented security arrangements, handling procedures, use of robust contractual clauses etc.)
  3. Submit completed DPIA to the University's Data Protection Officer (dataprotection@york.ac.uk) for sign-off 
  4. Record the outcome of the DPIA, including differences of opinion with the Data Protection Officer or consulted individuals. 
  5. Integrate agreed mitigations into project plan
  6. Keep DPIA under review and revisit as necessary

8. What should we do if we decide not to undertake a DPIA?

Where you decide not to undertake a DPIA, you will need to keep a record of your decision.

When you use the online screening checklist your responses will be centrally recorded and a copy emailed to you to keep with your project/activity records.