Shortly after we did our first Data Protection Impact Assessments, on the Janet Security Operations Centre and the Jisc Learning Analytics Service, the ICO published its DPIA guidance. This contained a few minor additions, which have been added to this new version of our information-gathering cribsheet:
- In section (a) the nature of processing should mention any new technologies or novel processing, and retention periods for data. There’s also specific information about the context: how many data subjects there are, where they are located, what our relationship is with them and what expectations they are likely to have of us and our processing.
- In section (c) the harms considered should include discrimination, fraud, financial loss, reputational damage, physical harm, loss of confidentiality, reidentification, and other significant economic or social disadvantage.
- In section (d) measures and safeguards include training, documentation, pseudonymisation, and reduced retention.
We’ll be using this revised cribsheet for future DPIAs, including when we revisit the existing ones.
You can find it at: DPIA collection cribsheet v2.0