Our data protection impact assessment (DPIA) summaries
What a DPIA is
This is a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.
To determine if a DPIA is needed, a privacy screening template is completed using questions based on ICO published guidance. The responses are reviewed by the individual responsible for information governance and the information asset owner to determine if a DPIA is needed.
If there is no personal data involved or there are no high risks before any privacy controls are taken into account, then a DPIA will not normally be needed.
DPIA summaries
Summaries are shown in alphabetical order of the project or process name. Full DPIAs are available on request.
Data warehouse
This system will hold service user data in a production environment to provide routine reporting to funders and answer queries that do not require big data analytics.
Recommendation and conclusion
It’s been agreed that:
- data will be encrypted
- patient identifiable information will be anonymised using techniques and rules about disclosure
All exceptions to these rules are to be referred to information governance.
Electronic Staff Record
This system holds personal data for all staff employed within SCCCC.
This includes special category personal data relating to:
- pre-employment checks
- payroll
- absence
It may also relate to apprentices under the age of 18.
Recommendation and conclusion
Minor outstanding risks are actively owned by the information asset owner.
Equality and diversity
Equality and diversity declarations held on ESR are extracted and reported on to make sure equality and diversity legislation obligations are being met during recruitment and employment.
Recommendation and conclusion
Only minor risks were identified and these are being actively managed by the information asset owner.
Human resources (HR) corporate
A number of similar HR processes were grouped together, including:
- occupational health referrals
- absence management
- redundancies
- disciplinary and grievances related information
Recommendation and conclusion
Only minor risks were identified and these are actively managed by the information asset owner.
Recruitment
Our recruitment approach involves processing:
- equality and diversity declarations
- personal references
- occupational health referrals
- DBS checks
Recommendation and conclusion
Only minor risks were identified and these are being actively managed by the information asset owner.
Service User Record (Hospital to Home and Good Neighbours Scheme)
This system will hold personal data relating to SCCCC Service Users.
This process can result in processing special categories of personal data including summary medical information which may be recorded against the person.
Recommendation and conclusion
The information asset owner has taken active ownership of residual minor risks.