Template Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) Policy was released by the Beaumont Hospital Data Protection Office on the 29th May 2018.

The Threshold Screening Questions were revised on the 14 September 2018.

The formatting in the Template DPIA was adjusted on the 14 September 2018.

Instructions for Submitting the DPIA were issued on the 14 September 2018.

A DPIA is required if at least two of these 10 criteria are reached:

  1. Evaluation or scoring - especially to do with someone's work performance or health, e.g. a biotechnology firm offering genetic testing to customers in order to predict disease/health risks;
  2. Automated decision-making with legal or similar effect - the processing may lead to discrimination or exclusion;
  3. Systematic monitoring - e.g. CCTV in a public space;
  4. Sensitive Data - e.g. health data, genetic data and all Article 9 special categories of data;
  5. Data Processing on a large scale;
  6. Datasets that have been matched or combined;
  7. Data concerning vulnerable data subjects - power imbalance between data controller and data subject, e.g. patients, children, the elderly, employees, persons with disabilities;
  8. Innovative use or applying technological or organisational solutions - e.g. fingerprint or facial recognition;
  9. Data transfer outside the EU;
  10. Where the processing itself prevents a data subject from accessing a service - e.g. credit screening by banks to decide whether to give someone a loan.

In terms of health research, criteria 4 & 7 nearly always apply, and sometimes 1, 5 & 9 also.