Conduct a DPIA
Part 3 of the DPA18 states that where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must complete a DPIA prior to the processing beginning.
Processing that is likely to result in a high risk includes (but is not limited to):
- systematic and extensive processing activities, including profiling and where decisions that have legal effects, or similarly significant effects, on individuals;
- large scale processing of special categories of data (or ‘sensitive data’ when processing for a law enforcement purpose) or personal data relation to criminal convictions or offences;
- using new technologies (for example surveillance systems).
Therefore, if you are considering using data analytics, then you are required to carry out a DPIA.
A DPIA must contain:
- at least a general description of your processing operations and the purposes;
- an assessment of the risks to the rights and freedoms of individuals;
- the measures envisaged to address those risks;
- the safeguards, security measures and mechanisms in place to ensure you protect the personal data; and
- a demonstration of how you are complying with Part 3 of the Act, taking into account the rights and legitimate interests of the data subjects and any other people concerned.
There is no explicit definition of ‘risk’ in the DPA18, but the various provisions on DPIAs make clear that this is about the risks to individuals’ interests. The concept of potential harm or damage to individuals’ links to risk. Examples of risks are where processing may lead to physical, material or non-material damage, in particular; where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
Example
A police force is considering using a data analytics system in order to detect incidences of domestic abuse. The system will analyse police data and produce outputs, which predicts whether a person is a victim or perpetrator of domestic abuse. This prediction will be used to inform police decisions on intervening in situations where domestic abuse is suspected, and therefore could have a very significant impact on people’s lives.
If inaccurate data is fed into this system, a person could be erroneously marked as a perpetrator of domestic abuse, leading to unnecessary and potentially distressing intervention.
Similarly, erroneous or incomplete data could lead to the system failing to detect and safeguard victims of abuse with potentially life-threatening consequences.
Further risks can arise which are inherent to the use of an analytics system. Where human biases are present in the data used to train the system, the system may extrapolate these resulting in discrimination against certain groups.
It is therefore clear that the risks to the individuals affected by this processing activity are high, and a DPIA is required.
You must consider the nature, scope and context of the processing when assessing the risk to individuals’ rights and freedoms. In particular, you should consider that risks you have already identified may be heightened in the context of processing children’s personal data. Children will be less aware of their information rights and how they can exercise them. Additionally, some risks arising from the processing might disproportionately impact children.
Example
The same police force is considering using their data analytics system to identify children who are at risk of domestic violence. The risks differ from those outlined in our previous example; where a child is the victim, they are less able to speak out or seek help for themselves. If the data analytics system fails to identify them as possibly requiring intervention, there could be a serious risk of harm to that child.
The opposite is also true. If a child were incorrectly identified as a potential victim, they and their family could be subject to unnecessary intervention causing harm and distress.
Part of the role of the DPO is to provide advice on carrying out DPIAs. If you are unsure whether a DPIA is needed, you should seek input from your DPO.
Completing a DPIA is a good opportunity to evidence your accountability, and is a useful tool in implementing data protection by design and default.
We have published more information about how to conduct a DPIA. Our guidance on AI and data protection contains specific guidance on DPIAs in the context of AI.