Our data protection impact assessment (DPIA) summaries

What DPIA is

This is a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.

An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.

To determine if a DPIA is needed, a privacy screening template is completed using questions based on ICO published guidance. The responses are reviewed by the individual responsible for information governance and the information asset owner to determine if a DPIA is needed.

If there is no personal data involved or there are no high risks before any privacy controls are taken account of, then a DPIA will not normally be needed.

DPIA summaries

Summaries are shown in alphabetic order of the project or process name. Full DPIA's are available on request.

Data warehouse

This system will hold service user data in a production environment to provide routine reporting to funders and answer queries that do not require big data analytics.

Recommendation and conclusion

It’s been agreed that:

• data will be encrypted
• patient identifiable information will be anonymised using techniques and rules about disclosure

All exceptions to these rules are to be referred to information governance.

Electronic Staff Record

This system holds personal data for all staff employed within SCCCC.

This includes special category personal data relating to:

• pre-employment checks
• payroll
• absence

It may also relate to apprentices under the age of 18. 

Recommendation and conclusion

Minor outstanding risks are actively owned by the information asset owner.

Equality and diversity

Equality and diversity declarations are held on ESR are extracted and reported on to make sure equality and diversity legislation obligations are being met during recruitment and employment.

Recommendation and conclusion

Only minor risks identified and are being actively managed by the information asset owner.

Human resources (HR) corporate

A number of similar HR processes were grouped together, including:

• occupational health referrals
• absence management
• redundancies          
• disciplinary and grievances related information

Recommendation and conclusion

Only minor risks identified and actively managed by the information asset owner.

Recruitment

Our recruitment approach involves processing:

• equality and diversity declarations
• personal references
• occupational health referrals
• DBS checks

Recommendation and conclusion

Only minor risks identified and these are being actively managed by the information asset owner.

Service User Record (Hospital to Home and Good Neighbours Scheme)

This system will hold personal data relating to SCCCC Service Users.

This process can result in processing special categories of personal data including summary medical information which may be recorded against the person.

Recommendation and conclusion 

Information asset owner has taken active ownership of residual minor risks.