what is a dpia?
a dpia is a process designed to help organisations identify and minimise the data protection risks of a project. where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to individuals, a dpia needs to be completed. for more information, read data protection impact assessments.
lawful basis for processing
organisations will only be able to process personal data collected if at least one of the following six grounds has been met:
-
consent - the data subject (ie the individual whose data is being processed) has given clear consent for the processing of their personal data for a specific purpose.
-
performance of a contract - the processing is necessary for contract performance or to ‘take steps’ at the request of the data subject before entering into a contract.
-
necessary for compliance - the processing is necessary to comply with the law (not including contractual obligations).
-
protection of vital interests - the processing is necessary to protect someone’s life.
-
public interest - the processing is necessary for the performance of a task in the public interest or for the organisation’s official functions, and the task or function has a clear basis in law.
-
legitimate interest - the processing is necessary for the organisation’s or a third party’s legitimate interests unless there is good reason to protect the personal data which overrides those legitimate interests. where this is the case, a legitimate interest assessment will need to be carried out.
the dpia should set out which of these legal grounds for processing applies.
for more information, read processing personal data.
processing special category personal data
special category personal data includes information about racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, biometrics (eg fingerprint data/facial images) and genetics. due to the sensitive nature of this data, it is given greater protection than other types of personal data (eg names and addresses). this means that, when processing special category sensitive data, further conditions for processing (see below) need to be met and recorded in a dpia.
most of these further conditions revolve around the processing being necessary. being ‘necessary’ doesn’t mean that the processing has to be absolutely essential, but it must be more than useful or habitual. it must also be a reasonable and proportionate way of achieving the purpose, and the organisation must not use more data than they need to achieve their purpose. see the information commissioner’s office (ico) guidance for more information.
explicit consent
where the data subject explicitly consented to the data processing. this means that consent must be freely given, specific, affirmative (opt-in), unambiguous, and able to be withdrawn at any time. generally, for consent to be ‘explicit’, it:
-
must be confirmed in a clear (verbal or written) statement (and not by another type of affirmative action)
-
must specify the nature of the special category data
-
should be separate from any other consent sought by the organisation
read consent under gdpr for more information. this condition applies to a wide range of circumstances, however, when relied upon, people need to be given a genuine choice over whether and how their data is used.
employment, social security and social protection
the processing is necessary for the organisation to carry out its obligations and exercise specific rights in the field of employment and social security and social protection law in so far as authorised by the law. this condition is likely relevant for employers (eg to ensure the health and safety of staff).
associated conditions
for an organisation to be able to rely on this condition to process special category sensitive data, the following ‘associated conditions’ need to be met:
the processing is necessary for the purposes of performing/exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and |
this special condition can only be relied on if organisations can prove that they have a legal obligation or right to process the data. this can be done by referencing the specific legal provision or by pointing to an appropriate source of advice/guidance. for example, organisations may refer to government or industry guidance setting out relevant employment obligations/rights. |
the organisation needs to have an appropriate policy document (apd) in place. |
this is a short document outlining the organisation’s compliance measures and retention policies for special category data. for more information, read appropriate policy documents. |
vital interests
the processing is necessary to protect the vital interest of a data subject or another person where the data subject is physically or legally incapable of giving consent. this means that organisations should, where possible, ask for explicit consent. if a data subject refuses to give consent, this condition cannot be used as a fallback condition unless the data subject is physically/legally incapable of giving consent.
this condition generally only applies to matters of life and death and is likely relevant for emergency medical care (eg where personal data needs to be processed for medical purposes, but the individual is unconscious).
not-for-profit bodies
organisations can only rely on this condition if they:
-
are a not-for-profit body (eg charities, trade unions, churches other associations if they have a political, philosophical, or religious aim).
-
are processing special category data as part of their legitimate activities. this covers most conduct provided it does not stray outside the purposes and powers set out in the body’s constitution or governing documents.
-
are only processing the data of members, former members, or other individuals in regular contact with them ‘in connection with their purposes’ (eg partners, supporters or beneficiaries). this means that the condition doesn’t apply to employee data or prospective member data.
-
have appropriate safeguards in place (eg restricting data access, applying shorter retention periods, or providing individuals with an opt-out).
-
don’t disclose this data to third parties without the data subject’s (explicit) consent.
made public by the data subject
the processing relates to personal data that has been made public by the person to whom it relates. this condition doesn’t cover all special category data made public - it only covers personal data that the individual themselves has made public. organisations need to be confident that individuals themselves actively chose to make their special category data public and that this was unmistakably a deliberate act on their part (eg blogging about a health condition).
further, the data must be ‘manifestly made public’. this means that it must realistically be accessible to the public. organisations should ask themselves whether any hypothetical interested member of the public could access this information (not whether it is theoretically available to the public, such as being mentioned in court).
when relying on this condition, organisations should keep a record of the data source, to help demonstrate that it was manifestly made public by the individual.
legal claims or judicial acts
for legal claims, organisations must show that the purpose for processing is to establish, exercise or defend legal claims. legal claims are not limited to current legal proceedings, but include processing necessary for:
-
actual or prospective court proceedings
-
accessing legal advice
-
establishing, exercising or defending legal rights in any other way
judicial acts apply where a court or tribunal is acting in its judicial capacity. courts can apply this condition whether they are processing special category data in their judicial capacity. where the processing is not part of their judicial capacity this condition doesn’t apply and a different condition is required.
substantial public interest
the processing is necessary for reasons of substantial public interest. being of ‘substantial public interest’ means the public interest needs to be real and of substance. due to the inherent risk of special category personal data, organisations cannot say that the processing is in the public interest for vague or generic reasons. instead, organisations need to be able to make a specific argument about the concrete wider benefits of the processing. for example, organisations may wish to consider how the processing of sensitive personal data would benefit the public including:
-
the amount of benefit experienced from the processing (even if only experienced by a small number of people)
-
the number of people who would benefit from the processing
organisations should focus on demonstrating that their overall processing purpose has substantial public interest benefits. each time the organisation undertakes the processing they do not typically need to make a new public interest argument to demonstrate the specific benefits of processing, provided that the overall purpose for processing is of substantial public interest (as demonstrated initially).
associated conditions
for an organisation to be able to rely on this condition, certain ‘associated conditions’ need to be met. for the substantial public interest condition, at least one of the 23 substantial public interest conditions set out in the data protection act 2018 (dpa) need to be met. in most cases, the organisation will also need to have in place an apd. for more information on these associated conditions, read substantial public interest for dpias.
health or social care
the processing is necessary for health or social care purposes (eg the provision of medical diagnosis and the provision of social care, such as social work).
associated conditions
for an organisation to be able to rely on this condition, the following ‘associated conditions’ need to be met:
the processing is necessary for health or social care purposes, and |
this condition covers the following purposes:
|
the processing is carried out by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. |
this means that the processing must be carried out:
for more information, read the ico’s guidance. |
public health
the processing is necessary due to public interest in public health. this condition may be relevant to public vaccination programmes, clinical trials and public health monitoring.
associated conditions
for an organisation to be able to rely on this condition, the following ‘associated conditions’ need to be met:
the processing is necessary for reasons of public interest in the area of public health, and |
to demonstrate a ‘public interest’, organisations will need to demonstrate that the processing has a benefit for the wider public or society as a whole (rather than their own interest or the interest of a particular individual). further, the processing should not enable processing for other purposes by employers, insurers or banks. the gdpr defines public health as all elements related to health, namely:
|
the processing is carried out by (or under the responsibility of) a health professional, or by another person who in the circumstances owes a duty of confidentiality under the law. |
this means that the processing must be carried out:
for more information, read the ico’s guidance. |
archiving, research and statistics
the processing is necessary for statistical or archiving purposes, scientific or historical research purposes and is in the public interest. this means that not all research is covered by this condition - only scientific or historical research that is in the public interest is covered.
associated conditions
for an organisation to be able to rely on this condition, certain ‘associated conditions’ need to be met. to rely on this condition, the organisation must demonstrate that:
the processing is necessary for archiving, research or statistical purposes, and |
the processing of the data must be a reasonable and proportionate way of achieving either archiving, statistical or research (scientific or historic) purposes, without the organisation having more data than needed. |
they comply with the safeguards and restrictions set out in article 89(1) of the gdpr and section 19 of the dpa, and |
this means that appropriate safeguards must be in place to protect individuals. this means that organisations must:
|
the processing is in the public interest. |
organisations will need to demonstrate that the processing has a benefit for the wider public or society as a whole (rather than their own interest or the interest of a particular individual). |
for more information on the conditions for processing special category personal data, see the ico guidance.
processing criminal offence data
criminal offence data is personal data that relates to criminal convictions and offences or related security measures. any information about criminal offences is treated separately to personal data and special category special data and is subject to even tighter controls that need to be recorded in a dpia.
organisations must have a lawful basis for processing, be fair and transparent about the processing and comply with the data protection principles and requirements of the uk gdpr. further, criminal offence data can only be processed under the control of official authority or where authorised by domestic law (the dpa sets out 28 conditions for processing criminal offence data). organisations will need to determine whether they can process criminal offence data. for more information, read criminal offence data for dpias.
if you have any questions about carrying out a dpia or require assistance, ask a lawyer.