Data Protection Impact Assessment (DPIA) - Procedure

Version: 1.0
Owner: [SIRO Name] (DPO)

1. When to Conduct a DPIA

A DPIA is mandatory at CheckTick for any project or feature that:

  • Involves the processing of health data (Special Category).
  • Introduces new technology (e.g., integrating a new AI/LLM component).
  • Involves large-scale processing or profiling.
  • Matches any of the ICO's "High Risk" criteria.

2. The Step-by-Step Process (ICO Aligned)

  1. Screening: Use the ICO Screening Checklist to determine if a full DPIA is required.
  2. Description: Document the nature, scope, context, and purpose of the processing.
  3. Consultation: Consult with [DPO Name] (CTO) on technical risks and, where appropriate, data subjects or clinical partners.
  4. Necessity & Proportionality: Verify that the processing is necessary for the goal and that no less intrusive method exists.
  5. Risk Identification: Identify risks to individuals, including the likelihood and severity of impact.
  6. Mitigation: Identify measures to reduce risk (e.g., encryption, data minimization).
  7. Sign-off: The SIRO/DPO must approve the residual risk.

3. Integration with Risk Management

Any risks identified in a DPIA that cannot be fully mitigated are transferred to the Data Security & Protection Risk Register for ongoing monitoring at board level.

4. Review

DPIAs are live documents and must be reviewed:

  • Every 12 months.
  • Whenever a significant change is made to the data flow or technology stack.