Shorter Reads

No Data Protection Impact Assessment (DPIA) undertaken for Test and Trace programme – but what is a DPIA, anyway?


Published 20 July 2020


Earlier today, the BBC reported the latest in an increasingly long line of problems to have plagued the UK’s COVID-19 ‘Test and Trace’ programme: it has not complied with the General Data Protection Regulation (GDPR).

Following a legal challenge from privacy campaigners, the Department of Health has admitted that the programme, which aims to trace contacts of those infected with COVID-19 in order to prevent further spreading of the virus, was launched without any Data Protection Impact Assessment (DPIA) having been undertaken.

But what exactly is a DPIA and when is one needed?

A DPIA is a process designed to assess whether a proposed activity that involves processing personal data is necessary and proportionate. It should be used to identify and manage any risks to the rights and freedoms of individuals that might result from that processing activity, and to determine how those risks will be addressed. DPIAs are key tools in demonstrating a business’s compliance with its accountability obligations under the GDPR.

The GDPR requires that DPIAs be carried out if any processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Guidance on the matter recommends considering the need for a DPIA if a business plans to:

  • process any ‘special category’ personal data on a large scale, as is the case with the ‘Test and Trace’ programme (health data constitutes ‘special category’ personal data);
  • implement any automatic decision making or profiling that significantly affects the person whose data is processed (for example, to provide or refuse a service to that person);
  • systematically monitor individuals (for example, via CCTV);
  • deploy innovative technology that uses personal data (for example, facial recognition software implemented at offices to enable access to certain areas); and/or
  • process personal data of vulnerable individuals (which might include employees) where there is an imbalance of power in the relationship and, consequently, those individuals have no genuine option to object.

DPIAs should be considered at the start of any new project that fits one or more of the above criteria, so that potential risks to the individuals whose personal data will be processed are identified and addressed before implementation (which is what the Department of Health failed to do in this case).

If your business has already undertaken a DPIA in respect of a processing activity, it will need to review that DPIA periodically (and ideally at least once every 2 to 3 years), particularly if there is any change in the context or nature of the processing.

Undertaking a DPIA will not only help your business demonstrate accountability and compliance with the GDPR, but will also build trust amongst those whose personal data is processed. Such trust is much easier to lose than it is to gain. The risk to the UK government posed by this latest development is that fewer UK citizens, having lost confidence in its handling of their personal data, may participate in the Test and Trace scheme. Without significant participation across the population, the country is unlikely to have an effective contact tracing system.

https://www.bbc.co.uk/news/technology-53466471
