Purpose
The purpose of this policy is to provide a template privacy impact assessment (“PIA”) to be used by Dr Thuha Jabbar on an ongoing basis, as necessary. This policy also explains when to conduct a PIA.
Dr Thuha Jabbar will determine when a PIA is required and will complete the PIA, with input as necessary from colleagues and teams.
To meet the legal requirements of the regulated activities that Dr Thuha Jabbar is registered to provide:
- General Data Protection Regulation 2016
- Data Protection Act 2018
Scope
The following roles may be affected by this policy:
The following people may be affected by this policy:
The following stakeholders may be affected by this policy:
- Family
- Advocates
- Representatives
- Commissioners
- External health professionals
- Local Authority
- NHS
Objectives
- The objective of this policy is to ensure Dr Thuha Jabbar considers the potential data protection and GDPR implications of any new processes or systems it introduces, or of any changes that impact on its processing of personal data.
- By reviewing and utilizing the form set out in this policy Dr Thuha Jabbar will be able to provide evidence of the decisions it has taken and changes it has made that may impact on the processing it carries out.
Policy
- Dr Thuha Jabbar understands that a PIA will enable it to identify and minimize the risks of any project it wishes to carry out.
- Dr Thuha Jabbar understands that PIAs must be conducted for specified types of processing (listed in the Procedure section below) as well as for processing that may result in a high risk for affected individuals.
- Dr Thuha Jabbar understands that a PIA should:
- Describe the processing nature, scope, context and purpose;
- Assess whether the processing is necessary and proportionate and in compliance with GDPR;
- Identify and assess risks to affected Data Subjects; and
- Dr Thuha Jabbar understands that if a PIA identifies that processing may be high risk and it is unable to take steps to mitigate those risks, it should notify the ICO and seek advice from the ICO as to whether it should carry out the
Procedure
- Dr Thuha Jabbar will implement a process for deciding whether a PIA is necessary and, if so, the steps that it will take to conduct the PIA. Dr Thuha Jabbar will use the form attached to this policy when conducting a PIA.
- Dr Thuha Jabbar will provide training to its employees about when a PIA is necessary and how to conduct a PIA.
- Dr Thuha Jabbar will conduct PIAs in the following scenarios:
- Where Dr Thuha Jabbar intends to use systematic and extensive profiling or automated decision-making to make significant decisions about Data Subjects
- Where personal data relating to children will be processed for profiling or automated decision making, for marketing purposes, or to offer online services directly to them
- Where Dr Thuha Jabbar will process special categories of data or criminal offence data on a large scale
- Where Dr Thuha Jabbar intends to monitor a publicly accessible place on a large scale
- Where new technologies are introduced by Dr Thuha Jabbar that may impact on its processing activities
- Where Dr Thuha Jabbar intends to process biometric or genetic data
- Where Dr Thuha Jabbar intends to combine, compare or match personal data from multiple sources
- Where Dr Thuha Jabbar processes personal data without providing a privacy policy directly to the affected Data Subject
- Where the processing will involve tracking individuals’ behavior (whether online or offline)
- Where the processing could result in a physical harm if there is a breach of security
- Dr Thuha Jabbar will consider carrying out PIAs in the following circumstances, as well as in any other circumstances which Dr Thuha Jabbar considers to be potentially high risk:
- Where Dr Thuha Jabbar processes special categories of data or personal data of a highly personal nature
- Where Dr Thuha Jabbar conducts large-scale processing; and
- Where the processing concerns vulnerable Data Subjects
- Dr Thuha Jabbar acknowledges that because of the types of services it provides, it may need to conduct PIAs on a regular basis to ensure that Data Subjects, including Patients, are protected.
- Dr Thuha Jabbar will also conduct a PIA if the nature or purpose of the processing it carries out changes.
- Dr Thuha Jabbar will document the steps taken as part of the PIA and the outcomes in line with the form attached to this policy.
- Dr Thuha Jabbar will take any steps it identifies as being necessary to mitigate risks associated with the processing and will document the steps taken and the outcome of those steps.
Definitions
Data Subject
The individual about whom Dr Thuha Jabbar has collected personal data.
Data Protection Act 2018
The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It supplements the General Data Protection Regulation and implements the EU Law Enforcement Directive.
GDPR
General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and, after a two-year transition period, became enforceable on 25 May 2018.
ICO
The Information Commissioner’s Office
Personal Data
Any information about a living person, including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below.
PIA
A Privacy Impact Assessment, also known as a Data Protection Impact Assessment.
Process or Processing
Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data: at the point you collect it, you are processing it.
Special Categories of Data
Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views.
Key Facts – Professionals
Professionals providing this service should be aware of the following:
- All staff should be made aware of how GDPR impacts on their role and ensure that they know who in the Dr Thuha Jabbar organization has overall responsibility for data protection
- A PIA is essentially a risk assessment of proposed processing of personal data. If Dr Thuha Jabbar is processing personal data that is likely to result in a high risk to the Data Subject’s rights, a PIA must be carried out prior to commencing that processing.
- A six-step process maps the lifecycle of the personal data in order to establish: the provenance of the data, the manner of the processing involved, the location of the processing, the relevant stakeholders and the deletion/anonymization process.
Key Facts – People Affected by The Service
People affected by this service should be aware of the following:
- PIAs will be conducted by Dr Thuha Jabbar to ensure that if its processing of personal data changes, any associated risks will be understood and acted upon.
Further Reading
There is no further reading for this policy, but we recommend the ‘Underpinning Knowledge’ section of the review sheet to increase your knowledge and understanding.
Outstanding Practice
To be ‘Outstanding’ in this policy area you could provide evidence that:
- You have implemented a PIA policy and all staff are aware of the potential need to conduct a PIA