
Privacy Impact Assessment Questionnaire

The following questionnaire has been designed to assist the privacy impact assessment
facilitator. A Privacy Impact Assessment (PIA) is a valuable method for identifying privacy risks
and preparing mitigation strategies. If your organization collects personally identifiable
information (PII), it should complete one PIA for each unique PII data set to ensure compliance and
identify unmitigated risks.

What is personally identifiable information?

As defined by the Canadian Institute of Chartered Accountants (CICA) and the American Institute
of Certified Public Accountants (AICPA), Personally Identifiable Information is any information
relating to an identified or identifiable individual, broken into the following two categories:

(a) 'Private Information' (PI): a customer's name, address, telephone number, social
security/insurance number, other government identification numbers, employer, credit card numbers,
personal or family financial information, personal or family medical information, employment
history, history of purchases or other transactions, credit records and similar information.

(b) 'Sensitive Private Information': medical or health conditions, racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership, sexual preferences.

Privacy Principles

 # 1 – Organizational Responsibility for Personal Information
 # 2 – Identifying the Purpose for Personal Information
 # 3 – Limiting Data Collection to Business Objectives
 # 4 – Required Consent
 # 5 – Limitations on the Retention of Personal Information
 # 6 – Accuracy of Data
 # 7 – Data Security
 # 8 – Training and Communication

************

Principle 1 – Organizational Responsibility for Personal Information

 1.1. Has responsibility for Organizational privacy oversight been assigned to a specific individual? Y/N
 1.2. Are the roles, responsibilities and reporting structure of that person documented? Y/N
 1.3. Have performance requirements been specified in a measurable way, and are they subject to management review? Y/N
 1.4. Are independent third-party audits facilitated to review privacy practices? Y/N
 1.5. Has Organizational retained the legal right to collect, use, disclose, archive and dispose of personally identifiable information under its custody? Y/N
 1.6. Has Organizational retained the legal right to audit and enforce data protection principles with the organization's external service providers? Y/N

Principle 2 – Identifying the Purpose for Personal Information

 2.1. Is the business purpose for the collection, use, retention and disclosure documented? Y/N
 2.2. Has the purpose for collection been mapped to the business purpose? Y/N
 2.3. Has the purpose for collection been mapped to a specific statute or regulation? Y/N
 2.4. Is the purpose for collection based on an exception due to debt collection, investigations or media? Y/N
 2.5. Have Organizational customers been formally notified of the purpose for the collection? Y/N

Principle 3 – Limiting Data Collection to Business Objectives

 3.1. Can the requirements for information collection be limited or reduced? Y/N
 3.2. Is personally identifiable information collected directly from the individual? Y/N
 3.3. Is personally identifiable information collected indirectly through other programs? Y/N
 3.4. Is personally identifiable information collected indirectly through external parties? Y/N
 3.5. Will the customers' online activity be monitored and related information collected? Y/N
 3.6. Is the information collected for planning, forecasting, or evaluation purposes? Y/N
 3.7. Can the information collected be made anonymous and still meet the business purpose? Y/N

Principle 4 – Required Consent

 4.1. Was the consent clearly linked to the purpose for collection and usage? Y/N
 4.2. Did the consent clearly and unambiguously specify that personally identifiable information can be collected, used and disclosed? Y/N
 4.3. Did the individual explicitly consent to the collection of their personally identifiable information? Y/N
 4.4. Was the consent to collect personally identifiable information implied? Y/N
 4.5. Was consent gathered based on the individual's option to 'opt-in'? Y/N
 4.6. Was consent gathered based on the individual's option to 'opt-out'? Y/N
 4.7. Was personally identifiable information collected indirectly from external third parties? Y/N
 4.8. Does consent allow for secondary uses such as service improvements? Y/N
 4.9. Have procedures been created to obtain further consent for usage not previously identified? Y/N

Principle 5 – Limitations on the Retention of Personal Information


 5.1. Are there specific statutory or regulatory obligations for retaining personally identifiable information? Y/N
 5.2. Has the reconciliation of cross-jurisdictional retention obligations been completed? Y/N
 5.3. Have practices and/or standards been documented with respect to the retention of personal information? Y/N
 5.4. Do these standards include a minimum and maximum retention period? Y/N
 5.5. Is there a method to log and report on the duration for which personal information has been retained? Y/N
 5.6. Are there documented practices and standards outlining the appropriate methods of destruction, erasure or anonymization of personal information? Y/N
 5.7. Are disposal/destruction records maintained for personal information? Y/N

Principle 6 – Accuracy of Data

 6.1. Are updates to customer records recorded, including date, time stamp and user account? Y/N
 6.2. Have procedures been documented and communicated to customers regarding access to and correction of inaccurate records? Y/N
 6.3. Are records kept regarding requests for access to records? Y/N
 6.4. Can customers access their personal information without disrupting regular operations? Y/N
 6.5. Has field-level validation been implemented for interactive updates to records? Y/N
 6.6. Has exception reporting been implemented for batch file processing? Y/N
 6.7. Are errors in information processing monitored and investigated? Y/N
 6.8. Are external parties notified of corrections? Y/N

Principle 7 – Data Security

 7.1. Has a risk assessment been facilitated for the information asset? Y/N
 7.2. Are regular user account access rights and privileged access rights authorized and recorded? Y/N
 7.3. Have the roles and responsibilities for asset owners and custodians been documented and communicated? Y/N
 7.4. Has an information handling practice and standard been documented for the collection, transmission, storage and disposal of personal information? Y/N
 7.5. Has a breach protocol been documented and communicated to all stakeholders? Y/N
 7.6. Have Organizational employees been trained on the requirements for protecting personal information? Y/N
 7.7. Has a process been documented for granting users access to the maintenance application to add, change or delete personal information? Y/N
 7.8. Does the business system include audit logging of access to personal information, including date and time stamping and user account? Y/N

Principle 8 – Training and Communication


 8.1. Has training and awareness been developed for Organizational employees? Y/N
 8.2. Does the training include an overview of statutory, regulatory and contractual obligations for data protection? Y/N
 8.3. Does training include an overview of Organizational policies, practices and standards relating to the handling of personal information? Y/N
 8.4. Does training include instructions concerning the reporting of suspected breaches in security? Y/N
 8.5. Does training include instructions regarding the "whistleblower" policy? Y/N
 8.6. Are there documented plans for training on how to facilitate a privacy impact assessment? Y/N
 8.7. Are new hires required to attend information handling training and awareness before access to personal information is granted? Y/N
 8.8. Have all Organizational employees accessing personal information attended training and awareness? Y/N
 8.9. Has an annual training and awareness program and schedule been created and communicated? Y/N
 8.10. Are records of Organizational employee and contractor attendance, including post-session evaluations and sign-in sheets, maintained? Y/N

Data Protection Impact Assessments


A Data Protection Impact Assessment (DPIA) is a key component of a 'Privacy by design'
approach to a project or other personal data processing activity (hereafter referred to as an
'initiative'). 'Privacy by design' is an essential tool in minimising privacy risks and building
trust. The Information Commissioner's Office (ICO) encourages organisations to ensure that
privacy and data protection are a key consideration in the early stages of any initiative, and then
throughout its lifecycle.

This guidance explains how to carry out a Data Protection Impact Assessment (DPIA). It builds
on the more general guidance on Privacy Impact Assessments issued by the Information
Commissioner's Office.

What is a Data Protection Impact Assessment (DPIA)?


A DPIA is a structured approach to identifying the privacy risks associated with the processing
of personal data and to implementing appropriate controls to manage those risks. The process
comprises the following six distinct steps and a parallel stream of consultation:

1. Identify the need for a DPIA
2. Describe the information flows
3. Identify and assess the privacy risks
4. Identify and approve controls
5. Assign responsibility for implementing controls
6. Re-assess and accept the risks.

Why conduct a DPIA?


Key benefits of conducting a DPIA are:

• Fulfilling the University's legislative, statutory and contractual obligations, particularly
those under data protection legislation in relation to data processing activities
• Contributing towards effective risk management and increased privacy and data
protection awareness across the institution
• Giving individuals confidence that the University is taking steps to safeguard their
privacy, and a better understanding of the ways in which their personal data are being
used
• Taking actions which are less likely to be privacy intrusive and have a negative impact on
individuals
• Increasing the likelihood that the initiative is more successful because privacy risks are
identified early, allowing controls to be designed in at less cost and with less impact on
delivery.

Is a DPIA required?

A DPIA should be completed for any initiative that involves the processing of personal data or
any other activity that could impact the privacy of individuals. Examples are:

• Building a new IT system for storing or accessing staff personal data
• Implementing surveillance technology in a building, such as a CCTV system
• Using a cloud service for the storage of research data
• Developing policies or strategies that have privacy implications.

A DPIA should be completed for new initiatives or for changes to existing systems or processes.
It may also be a recommended outcome from a formal investigation into an information security
incident or weakness at the University.

The first step in conducting a DPIA is a screening process to decide whether the detailed work in
the subsequent steps will be required.

A DPIA must be completed for all research projects that may impact the privacy of individuals
and/or involve the use of personal data.

When should a DPIA be undertaken?

Ideally, a DPIA should be undertaken in the early stages of an initiative. The earlier a DPIA is
completed, the easier it is likely to be to address any privacy risks identified.

Who should conduct a DPIA?

The University Data Protection Officer has overall accountability for ensuring that DPIAs are
completed for high risk personal data processing initiatives.

Responsibility for ensuring that a specific DPIA is completed lies with the individual responsible
for the initiative, such as:

• The project sponsor
• The information asset owner
• The lead for a research project.

Who should hold the completed DPIA?


The individual responsible for the initiative should retain the master copy of the completed DPIA
for audit purposes and to be able to demonstrate compliance with legislative requirements should
a query be raised. The University's Data Protection Officer or Information Governance Unit may
request copies of DPIAs for monitoring and reporting purposes.

The University's DPIA template


Please use the University's standard Data Protection Impact Assessment Template (see
Resources section at the bottom of this page).

Please note that in the case of research projects, the DPIA template is not mandatory; the
assessment can be recorded in the project's Data Management Plan instead.

Conducting a DPIA

Step One - Identify the need for a DPIA

Complete the DPIA screening questions in the DPIA template. If the answer to any of the
screening questions is 'Yes', a DPIA is required. Below are the screening questions, with some
additional context and examples to help determine answers.

Each screening question is listed below with its context and an example.

1. Question: Does the initiative involve evaluating or scoring individuals (including profiling
and predicting)?
Context: This is particularly important when personal data processing relates to an
individual's performance, economic situation, health, personal preferences or interests,
reliability or behaviour, location or movements.
Example: Building behavioural or marketing profiles of individuals based on their web activity.

2. Question: Does the initiative involve automated decision-making that may have a significant
effect on an individual?
Context: This is personal data processing that aims to make automated decisions about
individuals that produce legal effects or similarly significant effects upon the individual.
Example: Asking an individual to submit personal data that is then analysed by a computer
system, with the result that the individual's request to use a service is either accepted or
refused.

3. Question: Does the initiative involve systematic monitoring?
Context: This is personal data processing used to observe, monitor or control individuals.
Example: Installing a CCTV system on University premises.

4. Question: Does the initiative involve the processing of 'sensitive personal data'?
Context: Sensitive personal data is a particular set of personal data, as defined by data
protection legislation (see the Information Governance Glossary).
Example: Processing the health data of research participants in a research project.

5. Question: Does the initiative involve processing personal data on a large scale?
Context: There is no specific definition of 'large scale' but the following should be
considered:
• The number of individuals affected
• The volume of personal data
• The range of personal data
• The duration or permanence of the processing activity
• The geographical extent of the processing activity.
Example: Implementing a new student record system.

6. Question: Does the initiative involve datasets that have been matched or combined?
Context: This relates to combining personal data originating from two or more personal data
processing operations performed for different purposes or by different data controllers in a
way that would exceed the reasonable expectations of the individual.
Example: Matching alumni and supporters' personal data against personal data held by a
third party for profiling purposes.

7. Question: Does the initiative involve the personal data of vulnerable people?
Context: This relates to the processing of personal data where there is an imbalance of
power between the individual and the University, or the processing involves a vulnerable
section of society.
Example: Processing children's personal data as part of a 'widening participation' activity
in the University.

8. Question: Does the initiative involve the use or application of innovative technological or
organisational solutions?
Context: New technology can often involve novel ways of collecting and using personal data
that individuals may not reasonably expect.
Example: Using fingerprint recognition technology to control access to a building.

9. Question: Does the initiative involve the transfer of personal data outside of the European
Union?
Context: This relates to sending personal data to countries outside of the European Union.
Example: Storing personal data in a cloud service hosted in the USA.

10. Question: Does the initiative prevent individuals from exercising a right or using a service
or contract?
Context: This includes personal data processing that takes place in a public area that
passers-by cannot avoid, or processing that aims to allow or refuse an individual's access to
a service.
Example: Screening applicants before allowing them to use a web service.

Step Two - Describe the information flows

Record the following in the DPIA template:

• How personal data will be obtained
• How personal data will be processed (including potential future uses)
• How personal data will be stored
• To whom personal data will be disclosed (individuals or organisations, if any).

Consultation should begin during this step (see Consultation section beneath Step 6 below).

Step Three - Identify and assess the privacy risks

Record the identified risks in the DPIA template. This forms the core of the DPIA process. The
aim is to compile a comprehensive list of all of the privacy risks associated with the initiative,
whether or not the risks require action.

For each privacy risk identified, the following should be recorded:

• A unique identifier
• A description of the risk
• An assessment of the impact of the risk (severe, major, moderate, minor, insignificant)
• An assessment of the likelihood of the risk (very likely, likely, neither likely nor unlikely,
unlikely, very unlikely).

Step Four - Identify and approve the controls

Identify controls to mitigate the risks and record them in the DPIA template. The aim is to
identify sufficient controls to eliminate each of the risks identified in Step Three, or to reduce
them to a level which is acceptable to the University. For some identified risks, no controls may
be required because the likelihood is so low and/or the impact so small that the risks are
acceptable to the University.

Controls may take many forms, such as:

• Additional terms and conditions in a contract
• A privacy notice
• Documented operational procedures
• Disabling certain product features
• User training
• Technical controls, such as encryption.

Once a control is identified, the expected result of its implementation should be recorded, i.e.
whether it is likely to:

• Eliminate the risk
• Reduce the risk to an acceptable level
• Require acceptance as there is no reasonable control to eliminate or reduce it.

Proposed controls should then be approved by an appropriate individual. Normally this should be
the information asset owner or their nominated delegate, but it could also be:

• The project sponsor
• The chair of a relevant committee.

Step Five - Assign responsibility for implementing controls

Allocate the controls to appropriate individuals and record an agreed deadline for
implementation.

In the case of formal University projects, the implementation of many of the controls will fall
within the scope of the project, so should be managed in the same way as any other project task.
However, the implementation of some controls will be beyond the scope of the project (such as a
change to University policy) so related tasks should be assigned through the University's normal
management processes and added to the list of project dependencies. Where initiatives are being
run informally, or as 'business as usual' activities, the University's normal management processes
should be used to identify who will implement the controls and agree an appropriate deadline. In
all cases, a named individual and deadline for completion should be assigned and recorded.

In the absence of formal project management documentation, the DPIA should be used to record
when controls are implemented.

Step Six - Re-assess and accept the risks

After the controls have been implemented, re-assess the risks and record the outcome in the
DPIA template. The risks then need to be accepted by an appropriate individual. Normally this
should be the information asset owner or their nominated delegate, but it could also be:

• The project sponsor
• The chair of a relevant committee.

The individual who signs off the risks should have a clear understanding of the initiative,
particularly the privacy risks and how the controls address them. If any risk has not been reduced
to an acceptable level after implementation of the controls identified in Step Four, additional
controls will need to be identified and Step Five and Step Six will need to be repeated.
