Wikier

Data protection impact assessment

Norsk versjon: Vurdere personvernkonsekvenser

This page explains how to carry out a data protection impact assessment (DPIA). It also includes a DPIA template.

Theme page on information security | Pages tagged with Privacy

Why is a DPIA necessary?

The aim of a data protection impact assessment (DPIA) is to ensure that the system protects the privacy of data subjects – the people whose personal data will be collected, held or processed. Examples of data subjects include students, employees, and research participants. Article 35 in the General Data Protection Regulation (GDPR) defines when a DPIA is necessary, what it must include and who should conduct it.

NTNU has drawn up a set of guidelines about when a DPIA must be conducted and how this should be done. The procedure, which applies to the whole of NTNU, is based on the guide from WP29 (the Article 29 Data Protection Working Party at EU level), the guide from the Norwegian Data Inspectorate (Datatilsynet), as well as various other policies and guidelines from the sector about DPIA.

Principles for processing personal data

Important: all processing of personal data must comply with the basic principles for such processing (GDPR Article 5):

Lawful, fair and transparent: Processing of personal data must have a lawful basis. Processing of personal data must respect the interests and reasonable expectations of the data subjects. The processing must be transparent and predictable for the individual data subject.

Purpose limitations: The purpose(s) must be specific, explicit and legitimate.

Data minimization: Personal data must be adequate, relevant and limited to what is necessary for the purposes.

Accuracy: Personal data must be correct and up to date.

Storage limitations: Personal data must be deleted or anonymized when their purpose has been achieved.

Integrity and confidentiality: Personal data must be processed in a way that protects the integrity, confidentiality and availability of the data.

Accountability: This principle emphasizes responsibility for compliance with the principles for processing personal data and protecting the rights and freedoms of data subjects. We must be able to document compliance.

When must a DPIA be conducted?

A DPIA is mandatory when processing of personal data will involve a high risk to the rights and freedoms of natural persons (such as students, employees, external contacts, research participants).

Article 35(1) of the General Data Protection Regulation states: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

In addition, “the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.” (Article 35(11)).

Template for data protection impact assessment (DPIA) (Word document)

Routines at the Faculty of Medicine and Health Sciences (MH)

The Faculty of Medicine and Health Sciences (MH) has a DPIA template for health research projects:

The Head of Department must approve and sign the data protection impact assessment. Submit the completed data protection impact assessment to the administration at your unit/department for archival in ePhorte (Case number 2021/1374).

Example of completed and quality assured DPIA (Word document).

The Data Protection Officer at St. Olav’s Hospital approves and assesses the data protection impact assessment that has been filled out in the template from the Faculty of Medicine and Health Sciences (MH).

Projects that process personal data, but that fall outside the scope of the Health Research Act, must be reported to the Norwegian Social Science Data Services (NSD).

Checklist for health researchers

Are you a health researcher who would like to check whether you need to do a data protection impact assessment? The Faculty of Medicine and Health Sciences has developed a checklist for health researchers.

Processing of personal data with high risk

Article 35(3)) of the GDPR provides some examples of when processing is likely to involve a high risk. At NTNU, in the processing operations mentioned in these examples, a DPIA must be conducted:

  1. a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  2. b) processing on a large scale of special categories of data [sensitive personal data] referred to referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  3. c) a systematic monitoring of a publicly accessible area on a large scale.

Criteria for whether a DPIA must be conducted

High risk may also be involved in other processing operations that are not covered by the examples above. To help identify other high-risk processing operations for which a DPIA must be conducted at NTNU, the following nine criteria related to processing personal data must be considered.

A DPIA must be conducted if at least two of the criteria are met. If only one of the criteria is met, an assessment in more detail is necessary. In these cases, the project manager should consult a legal adviser in the Division for Governance and Management Systems and/or the Data Protection Officer.

The criteria are:

  1. Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements”
  2. Automated decision-making with legal or similar significant effect.Processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person”
  3. Systematic monitoring.Processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area” on a large scale.
  4. Special categories of personal data or data of a highly personal nature. This includes special categories  of personal data (previously called sensitive personal data) as defined in Article 9 (for example health data and information about individuals’ political opinions).
  5. Personal data processed on a large scale.What is meant by “large scale” is not clear. The WP 29 guidelines recommend considering the following factors in particular when determining whether the processing is carried out on a large scale:

a. The number of data subjects concerned, either as a specific number or as a proportion of the relevant population.

b. The volume of data and/or the range of different data items being processed.

c. The duration, or permanence, of the data-processing activity.

d. The geographical extent of the processing activity.

  1. Matching or combining datasets , for example originating from two more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
  2. Data concerning vulnerable data subjects. The processing of this type of personal data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the individual may be unable to consent to, or oppose, the processing of their personal data, or exercise their rights, in a simple way.Vulnerable data subjects may include children (they can be regarded as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees, more vulnerable population groups who need social protection (such as people with mental illnesses, people seeking asylum, older people, patients), or in these situations where there is an imbalance in the relationship between the data subject and the controller.
  3. Innovative use or applying new technological or organizational solutions, such as a combination of fingerprint and face recognition for improved physical access control. It is clear from the GDPR (Article 35(1) and recitals 89 and 91) that use of new technology as defined “in accordance with the achieved state of technical knowledge” may result in a need to conduct a DPIA.This is because applying new technology may involve novel forms of collection and use of personal data, possibly with a high risk to the individual’s rights and freedoms. The personal and social consequences of using new technology may be unknown. A DPIA helps the controller to understand and handle such risks. For example, some “Internet of Things” applications may have a significant impact on individuals’ everyday lives and privacy, and may therefore require a DPIA.
  4. When the processing “prevents data subjects from exercising a right or using a service or a contract”.This includes processing operations intended to allow, modify or refuse data subjects’ access to a service or entry into a contract.The more of the above criteria that the processing will meet, the greater the likelihood of a high risk, so that a DPIA will be needed.

Examples of using the criteria

Here are some examples that illustrate how the criteria should be used to assess whether a DPIA is needed for a specific processing operation.

Examples of processing where a DPIA is probably required:

A hospital processes its patients’ genetic and health data (hospital information system). Possible relevant criteria:

  • Special categories of personal data (sensitive or highly personal)
  • Data concerning vulnerable data subjects.
  • Data processed on a large scale

Use of a camera system to monitor driving behaviour on highways. The controller wants to use an intelligent video analysis system to identify individual cars and automatically recognize licence plates Possible relevant criteria:

  • Systematic monitoring
  • Innovative use or application of new technological or organizational solutions.

Storage of pseudonymized special categories of personal data about vulnerable data subjects for research projects or clinical trials (archival purposes). Possible relevant criteria:

  • Special categories of personal data (sensitive or highly personal)
  • Data concerning vulnerable data subjects.
  • Preventing data subjects from exercising a right or using a service or contract

Gathering public social media data to generate profiles. Possible relevant criteria:

  • Evaluation or scoring
  • Personal data processed on a large scale
  • Matching or combining of datasets
  • Special categories of personal data (sensitive or highly personal

Examples of processing operations where a DPIA is probably not required:

Processing of “personal data from patients or clients by an individual physician, other healthcare professional or lawyer”. Possible relevant criteria:

  • Special categories of personal data (sensitive or highly personal)
  • Personal data concerning vulnerable data subjects

An online magazine using a mailing list to send its subscribers a daily digest. Possible relevant criterion:

  • Personal data processed on a large scale

An e-commerce website displays advertisements for a specific product, based on items that have been viewed or purchased on its website (limited profiling) Possible relevant criterion:

  • Evaluation or scoring

A controller must still assess whether a processing operation corresponding to one of the examples above is not “likely to result in a high risk”. In such cases, the controller should justify and document the reasons for not conducting a DPIA, and include the views of the data protection officer.

When is a DPIA not necessary?

  • When it is unlikely that the processing operation will result in high risk for the rights and freedoms of natural persons; see Article 35(1) interpreted by negative implication;
  • When the scope, context and purpose of the processing operation is very similar to a processing operation for which a DPIA has already been done. In such cases, the results of the DPIA from the similar processing operation can be used – see the last sentence of Article 35(1);
  • When the processing has been approved by the Norwegian Data Inspectorate under Directive 95/46/EF before May 2018, and the specific circumstances have not changed – see recital 171;
  • Where a processing operation has a legal basis under Article 6(1) letter c or e, where the law regulates the specific processing operation and where a DPIA has already been done as part of establishing the legal basis, except if legislators have stated that it is necessary to carry out a DPIA before the processing activities – see Article 35(10);
  • Where the processing is included in the list (prepared by the Norwegian Data Inspectorate) of processing operations for which no DPIA is required – see Article 35(5). In such cases, no DPIA is needed, but this only applies if the processing is strictly within the scope of the relevant procedure mentioned in the list and still complies fully with all the relevant requirements of the GDPR.

Contact

If you have any questions about data protection impact assessment, you can contact NTNU’s data protection officer.