Data protection impact assessments ensure that data protection principles are integral to the design of processes by helping to identify, assess and mitigate risks.
Data protection legislation requires that a DPIA is undertaken before processing when:
you are using new data processing technologies
for example, if you introduce a new initiative to issue canvassers with tablets, you need to undertake a DPIA first.
A DPIA is not required where a processing operation has a lawful basis that regulates the processing and a DPIA has already been undertaken. For example, if your canvassers are already using tablets and processing is underway you are not required to conduct a retrospective DPIA. However, you should ensure that data protection principles are integral to your existing processing operations, and a DPIA can help evidence this.
When you undertake any new process, you should undertake DPIAs as a matter of good practice. This will enable you to demonstrate that data protection is integral to your processes and support the principle of accountability.
We have produced the following template DPIA which is used by the Electoral Commission.
The template relates to our activities, so you will need to adapt it to make it relevant, but it may support you in undertaking your own DPIAs. You should speak to your council’s Data Protection Officer/Information Officer before undertaking a DPIA.
DPIAs and anonymous registration applications
Applications for anonymous registration contain data relating to anonymous electors’ or applicants’ personal safety. The lawful basis for processing this data is set out in legislation but the processing is high risk due to the nature of the data.
You should have a DPIA in place for processing anonymous registration applications, and if you don’t you should undertake one.