Data Protection Impact Assessment

This document is a ‘Screening Questionnaire’ to decide if a full Data Protection Impact Assessment (DPIA) is necessary.

Staff Procedure on Data Protection Impact Assessment (DPIA)

Step 1: Carry out a screening questionnaire to decide if a full Data Protection Impact Assessment (DPIA) is necessary. A DPIA is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of individuals”.

Step 2: Complete the data items table (Appendix I). If the answer for any of the data items is “Yes” then personal data is being processed and the following nine questions need to be answered.

If all the answers are “No” then you do not need to answer the nine questions and the DPIA screening questionnaire is complete.

Step 3: If personal data is being processed, use the questionnaire in Appendix I to determine whether a full DPIA is necessary.

Step 4: Discuss this with the person responsible for Data Security to assess whether they agree with the risk rating.

Should the answer to any screening question be “Yes” but the responsible person believes the processing is not “likely to result in a high risk”, NHS Digital must justify and document the reasons for not carrying out a DPIA and record the views of the Data Protection Officer.