The PIA template is a practical tool to help identify and address the data protection and privacy concerns at the design and development stage of a project, building data protection compliance in from the outset rather than bolting it on as an afterthought.
The documents attached to this page detail the process for conducting a Privacy Impact Assessment (PIA) through a project lifecycle to ensure that, where necessary, personal and sensitive information requirements are complied with and risks are identified and mitigated.
A PIA should be carried out whenever there is a change that is likely to involve a new use of personal data or to significantly change the way in which personal data is handled, for example a redesign of an existing process or service, the introduction of a new process or information asset, or changes to a data sharing agreement.
Building into project plans
Completion of a PIA should be built into the organisational business approval and procurement processes. Any systems which do not identify individuals in any way do not require a PIA to be completed. However, it's important to understand that data which appears to be 'anonymised' could in fact be identifiable when used with other information, so anonymised data should be considered very carefully before any decision is made that it will not identify individuals.
Advice may be sought from our data protection officer (DPO) as to whether a PIA needs to be completed.
Responsibility for conducting a PIA
Any department which is introducing a new or revised service or changes to a new system, process or information asset is responsible for ensuring the completion of a PIA. The project manager will help with this process.
At the start of the design phase of, for example, any new service, process, or purchase or implementation of an information asset, consideration should be given to the need for a PIA and the procedures for completing it.
Privacy Impact Assessment outcomes should be routinely reported back to the organisation and issues raised through the project or programme board and included in the departmental risk register as appropriate.
Where significant risks are identified, these should be aired in the first instance with the DPO, who should discuss them with the Caldicott guardian or senior information risk owner as necessary.