Data Protection Impact Assessments (DPIAs) PDF

Summary

This document provides an overview of Data Protection Impact Assessments (DPIAs). It details the key takeaways, background, and assessments involved in conducting a DPIA. The document is suitable for those interested in data protection and information technology.

Full Transcript


8. DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)

The ‘key takeaways’ from this chapter are about conducting a Data Protection Impact Assessment.

8.1 Background and purpose of a Data Protection Impact Assessment (DPIA)

8.1.1 A Data Protection Impact Assessment (DPIA) involves identifying, assessing and addressing personal data protection risks based on an organisation’s functions, needs and processes. In doing so, an organisation is better positioned to assess whether its handling of personal data complies with the PDPA or data protection best practices, and to implement appropriate technical or organisational measures to safeguard against data protection risks to individuals.

8.1.2 An organisation could conduct a DPIA:
(a) on its IT system(s), including public-facing websites, cloud storage platforms and customer relationship management (CRM) systems; and
(b) on its processes – for example, going through a health screening and receiving the medical report, or purchasing an item from an online portal and receiving the item from a courier.

8.1.3 Organisations should conduct a DPIA for:
(a) new IT systems or processes; or
(b) existing IT systems or processes that are undergoing changes.

8.2 Assessments under the PDPA

8.2.1 The new provisions on deemed consent by notification and the legitimate interests exception, in section 15A and paragraph 1 of Part 3 of the new First Schedule of the PDPA respectively, require organisations which seek to rely on those provisions to assess the impact of their processing of personal data under those provisions.

8.2.2 In particular, organisations are required to undertake the following (amongst other conditions):
(a) conduct an assessment which identifies any adverse effect that the proposed processing of personal data is likely to have on the individual; and
(b) identify and implement reasonable measures to eliminate the adverse effect, reduce the likelihood that it will occur, or mitigate the adverse effect.

8.2.3 In general, the PDPC considers adverse effect to include any physical harm, harassment, serious alarm or distress to the individual. There may be circumstances where individuals are affected by businesses’ decisions resulting from the use of personal data (e.g. differential pricing for customers with differing purchase histories or payment track records). While the collection, use or disclosure of an individual’s personal data could result in differentiated treatment of individuals, not all instances of differential charges (e.g. insurers charging persons with pre-existing health conditions a higher insurance premium) or refusal to provide services (e.g. rejecting a loan application from an individual with a poor credit rating) will be considered an “adverse effect”.

8.2.4 In determining the likely adverse effect on the individual, the organisation should consider the following:
(a) the impact of the collection, use or disclosure of the personal data on the individual;
(b) the nature and type of personal data, and whether the individuals belong to a vulnerable segment of the population;
(c) the extent of the collection, use or disclosure of personal data, and how the personal data will be processed and protected;
(d) the reasonableness of the purpose of collection, use or disclosure of personal data; and
(e) whether the predictions or decisions that may arise from the collection, use or disclosure of the personal data are likely to cause physical harm, harassment, serious alarm or distress to the individual.

8.2.5 As part of the assessment, organisations are also required to identify and put in place reasonable measures to eliminate, reduce the likelihood of, or mitigate any adverse effect to the individual. Examples of reasonable measures and safeguards include minimising the amount of personal data collected, encrypting personal data or deleting it immediately after use, functional separation, access controls, and other technical or organisational measures that lower the risk of personal data being used in ways that may adversely impact the individual.

8.2.6 Where it is assessed that there are likely residual adverse effects to the individual after implementing the measures, organisations will not be able to rely on deemed consent by notification to collect, use or disclose personal data for that purpose. For the legitimate interests exception, by contrast, organisations are required to conduct a balancing test as an additional step in the assessment, to determine whether the legitimate interests of the organisation or another person (including other organisations) outweigh any likely residual adverse effect on the individual. Organisations may rely on the legitimate interests exception only if the legitimate interests outweigh any likely residual adverse effect to the individual.
8.3 Overview of how to do a Data Protection Impact Assessment

8.3.1 The key tasks in a DPIA include:
(a) identifying the personal data collected, used, disclosed and stored by the IT system or process, and the reasons for doing so;
(b) identifying how the personal data flows through the IT system or process;
(c) identifying data protection risks by analysing the personal data collected, used, disclosed and stored, and its data flows, against PDPA requirements or personal data protection best practices;
(d) addressing the identified risks by: (i) amending the IT system or process design; or (ii) introducing new organisational personal data protection policies and practices / SOPs; and
(e) checking to ensure that identified risks are adequately addressed before the IT system or process takes effect or is implemented.

8.3.2 A DPIA involves the following life-cycle:
(a) phase 1 – assess the need for a DPIA
(b) phase 2 – plan the DPIA
(c) phase 3 – identify the personal data and personal data flows
(d) phase 4 – identify and assess data protection risks
(e) phase 5 – create an action plan
(f) phase 6 – implement the action plan and monitor its results

8.4 Phase 1 – assess the need for a DPIA

8.4.1 In assessing the need for a DPIA, the DPO or the PDPA Project Team of an organisation should determine whether the IT system or the process involves the collection, use, disclosure and storage of personal data. If it does not, there is no need (or context) for a DPIA.

8.4.2 When an organisation determines that an existing or proposed new IT system or process does involve the collection, use, disclosure and/or storage of personal data, it should conduct a DPIA if the IT system or process:
(a) is a new IT system or process that the organisation is introducing, developing or implementing, such as a new IT system or a new manual process for collecting, using, disclosing and storing personal data (for example, an IT system or a process for a receptionist collecting personal data from visitors, an IT system or a process for disposing of physical documents containing personal data, an IT system or process for submitting physical medical claims, etc.); or
(b) is an existing IT system or process that the organisation is reviewing or substantially redesigning for collecting, using, disclosing and storing personal data (for example, a redesign of an operational process workflow that involves different groups of users who collect, use, disclose and/or store personal data).

8.4.3 ‘Screening’ questions in connection with making a decision under 8.4.2 include, for example:
(a) will this new or changed IT system or process involve the organisation collecting new personal data?
(b) will the organisation disclose personal data to organisations or individuals that have not had access to that personal data previously?
(c) will the organisation be using personal data: (i) for a purpose for which the organisation does not use it currently; (ii) in a way that the organisation does not currently use it; or (iii) for a purpose to which the individual has not consented?
(d) does this new or changed IT system or process involve using new technology that may be intrusive from the perspective of the individual (for example, does it use facial recognition technology)?
(e) is the system/process collecting personal data that is more sensitive in nature (for example, where the personal data is, or includes, health records, criminal records or financial records) and therefore likely to raise concerns or expectations in the minds of the relevant individuals?

8.4.4 When an organisation determines that an IT system or process:
(a) does involve the collection, use, disclosure and/or storage of personal data, but
(b) does not satisfy any of the requirements in 8.4.2,
the organisation should ensure that the need for a DPIA is assessed again when there is a change in the risks associated with the collection, use, disclosure and/or storage of personal data in the IT system or the process.

8.5 Phase 2 – plan the DPIA – decide who should be involved

8.5.1 After an organisation has assessed the need for a DPIA and concluded that it should do one, the next step is to decide who should be involved in it and form a DPIA Project Team. The members of the DPIA Project Team typically include:
(a) a project manager;
(b) the organisation’s DPO;
(c) a DPIA steering committee; and
(d) other organisational functions or departments that have some level of involvement in the project, and external parties such as subject matter experts or even potentially affected individuals, where needed.

8.5.2 The table below lists the typical roles and responsibilities of the key parties involved in the DPIA (columns: Who is involved? / Who are they? / Role in DPIA?).

Project Manager
Who are they? The person in charge of the project; could be supported by a DPIA team.
Role in DPIA: DPIA lead, overall in charge of the DPIA.
- Assesses the need for a DPIA, plans the DPIA, and conducts the DPIA.
- Identifies and seeks input from relevant stakeholders, including the project team, on: potential data protection risks and challenges to the project from an implementation perspective; and how identified personal data protection risks should be addressed, and possible solutions.
- Documents the DPIA report (which includes proposing a detailed action plan) for management approval.
- Monitors DPIA outcomes; reviews the DPIA when there is a change in risks to personal data protection.

Data Protection Officer (DPO)
Who are they? The person responsible for creating and enforcing the data protection policies within the organisation, based on best practices adapted to the organisation’s needs and circumstances. May tap on DPO networks or associations for resources or advice from other DPOs to guide the DPIA lead on carrying out the DPIA.
Role in DPIA: Advises the DPIA lead throughout the DPIA process, including:
- identifying and mitigating identified data protection risks by providing support;
- defining and applying the risk assessment framework;
- ensuring that DPIAs are conducted according to the organisation’s policies, and recommending improvements to the DPIA methodology based on industry best practices; and
- reviewing the DPIA report prior to submission to management.
Develops the templates / DPIA questionnaire necessary to complete the DPIA. Assists in reviewing the DPIA when there is a change in risks to personal data protection.

Project Steering Committee
Who are they? The management of the organisation that approved the project.
Role in DPIA: Commissions the DPIA. Approves the risk assessment framework. Approves the DPIA plan and the proposed action plans and solutions arising from the DPIA.

Others
Who are they? Other organisational functions or departments that have some level of involvement in the project, and external parties such as subject matter experts or even potentially affected individuals, where needed.
Role in DPIA: Provide input on potential risks and challenges to the project with respect to their function. For example:
- Information Technology (IT): advising the DPIA lead on possible IT solutions and security risks in implementing measures to protect personal data. This may also include advising on potential challenges in system design and development.
- Customer Service or Communications: advising the DPIA lead on possible consumer impact (e.g. in terms of usability) if the DPIA outcomes warrant a change to consumer interaction or day-to-day operations.
- Human Resource or Staff Capability: advising on the appropriate training programmes or resources should the DPIA outcomes require staff to be able to carry out new data protection measures or activities.

8.6 Phase 2 – plan the DPIA – substantive considerations

8.6.1 Having assessed the need for a DPIA, concluded that it is needed and formed a DPIA Project Team (see 8.5.1), the next step is for the leader of the DPIA Project Team to plan the DPIA.
The elements in the plan for a DPIA are:
(a) project description: (i) provide an overview of the project (for example, its objective / background, the organisation departments / functions involved, and timeline); (ii) explain why a DPIA is needed; and (iii) set out the key considerations surrounding the DPIA, if any;
(b) scope of the DPIA: describe in detail the specific IT system or process on which the DPIA needs to be carried out;
(c) risk assessment framework and methodology: define these, including establishing the risk assessment criteria and the methods of calculating risk;
(d) parties involved: identify the relevant internal departments / functions or external stakeholders (for example, subject-matter experts, consultants, regulatory authorities and/or customers) whose inputs or views would have to be sought during consultation or interview sessions, and describe how their views would be sought; and
(e) DPIA timeline: provide an estimate of the time required for key tasks and the overall timeline for conducting the DPIA.

8.7 Phase 3 – identify the personal data and personal data flows

8.7.1 After planning the DPIA, the next step, phase 3, is for the DPIA Project Team to prepare for the identification of the personal data and personal data flows involved in the relevant IT system or process, which may be done by:
(a) collating and reviewing documentation related to the relevant IT system or process in order to determine how the organisation will collect, use, disclose and store personal data as part of the IT system or process – examples of documentation include the project plan, contracts with third parties, assessment reports and, if the DPIA is for an IT system, functional specifications;
(b) consulting with the organisation’s relevant departments and/or functions to ensure the comprehensiveness and accuracy of the information gathered about the personal data and personal data flows; and
(c) where possible, conducting an on-site inspection of the relevant IT system or process with ground personnel.

8.7.2 Next, the DPIA Project Team must identify the personal data and personal data flows in the new or changed IT system or process. They should include potential use and/or potential disclosure of the personal data (in addition to actual use and/or actual disclosure), even where it is not necessary at present. (See Chapter 4 for more on identifying personal data and personal data flows.)

8.7.3 As the DPIA Project Team maps the flow of personal data for the purpose of the DPIA, they may start noticing areas for improvement and/or gaps – for example:
(a) ensuring reasonable security measures are taken to protect an electronic database;
(b) training staff to ensure only necessary personal data is extracted from databases and sent to appointed third party service providers; and
(c) ensuring there is no unauthorised disclosure of personal data.
8.8 Phase 4 – identify and assess data protection risks

8.8.1 Phase 4 of a DPIA requires the DPIA Project Team to identify and assess personal data protection risks. The DPIA Project Team can do this in various ways, including by:
(a) creating a DPIA checklist/questionnaire and using it to assess the relevant IT system or process against the requirements in the PDPA and/or data protection best practice – the checklist/questionnaire might include questions similar to, for example: (i) is consent obtained from individuals for any collection, use and disclosure of their personal data? (ii) are the purposes for which personal data is collected, used and disclosed considered reasonable in the circumstances? (iii) are the purposes for the collection, use and disclosure of personal data documented? (iv) will the appointed third party service providers use the personal data disclosed to them by the organisation only in line with the purpose(s) intended by the organisation?
(b) identifying areas in the personal data flow that could lead to a failure to comply with the PDPA (for example, a loss of personal data) and areas that are gaps compared with industry best practice; and
(c) analysing the potential impact and likelihood of identified gaps and risks based on the pre-defined risk framework.

8.8.2 As the IT systems and processes that are subjected to a DPIA vary across types (such as automated systems and digital or manual processes) and across project stages (such as entirely new projects versus existing projects undergoing major changes), there is no ‘one-size-fits-all’ method to identify the data protection and related risks.

8.8.3 The DPIA Project Team also needs to consider the organisation’s specific circumstances in assessing its data protection risk, and may also have to retrace earlier steps or activities undertaken in earlier phases to obtain more information or to clarify certain data handling processes at various stages of the project for the relevant IT system or process.

8.9 Phase 5 – create an action plan

8.9.1 Next, the leader of the DPIA Project Team needs to create an action plan that proposes how the organisation should treat / manage the identified data protection risks. The action plan should:
(a) indicate the action owner(s) responsible for the implementation of specific recommendations (such as technical and organisational measures);
(b) provide a mechanism for monitoring the outcomes and timelines of the plan’s implementation; and
(c) as a good practice, provide a contact point for responding to queries regarding the DPIA process and/or the implementation of the action plan.

8.9.2 The approach to developing the action plan should be informed by the risk assessment conducted by the leader of the DPIA Project Team in phase 4, as well as by specific circumstances (for example, operational or resource constraints and legal or regulatory requirements). These will affect how the identified personal data protection risks are treated / managed.

8.9.3 Personal data protection risks may also be prioritised based on their likelihood and impact levels, rather than implementing all the recommendations at once, though all recommendations and their justifications should be documented for future reference.

8.10 Phase 6 – implement the action plan and monitor its results

8.10.1 The final phase of a DPIA is to implement the action plan and monitor its results.
The leader of the DPIA Project Team should document the entire DPIA process (that is, how the DPIA was scoped, planned and carried out, its findings, and the proposed action plan) in a DPIA report. This report should be reviewed by the organisation’s DPO to ensure that the proposed action plan is in line with the organisation’s policies and contains effective personal data protection practices.

8.10.2 Once a DPIA report has been reviewed by the organisation’s DPO, the leader of the DPIA Project Team should submit the report to the senior management of the organisation and seek approval for implementing the project plan.

8.10.3 When the senior management of the organisation has approved implementation of a project plan resulting from a DPIA, the respective action owners identified in the DPIA action plan can and should start to implement it. The DPO should monitor the outcomes of the action plan to ensure that the identified personal data protection risks are addressed as planned and that the organisation continues to manage risks to personal data responsibly.

8.10.4 If and when there is a change in the risks associated with the collection, use, disclosure and/or storage of personal data in an IT system or a process that has been the subject of a DPIA, the organisation should ensure that the DPIA – and, in particular, the outcomes in its action plan – is reviewed and updated where needed, so that the organisation addresses any new gaps or risks to personal data. Examples of where risks may change include:
(a) instances where there are changes to the IT system or process proposal after the senior management of the organisation has approved implementation of the action plan, such as changes to: (i) the purposes or context of the IT system or process; (ii) the type of personal data collected, used, disclosed and stored; and/or (iii) how the processing is conducted;
(b) technology or security developments, such as when an IT system may face new security vulnerabilities; and
(c) broader environmental changes, such as legislative amendments.

8.10.5 As a good practice, organisations should consider reviewing their DPIA processes regularly (including their DPIA questionnaire) to ensure they remain relevant, as part of business planning and performance management. Organisations should provide a redacted version of the DPIA report, or a summary of it, upon request, and/or consider publishing such a summary.

8.10.6 An organisation should consult with its internal and external stakeholders (i.e. employees, volunteers, third party service providers, etc.) throughout the DPIA process. This is to ensure that the organisation gets their buy-in and support, which is essential during the implementation of the action plan arising from the DPIA outcomes.

Resources for Chapter 8: Data Protection Impact Assessments (DPIAs)

For further information on the key principles and illustrations for conducting a DPIA, which is a process that identifies, assesses and addresses personal data protection risks, see PDPC’s Guide to Data Protection Impact Assessments (DPIA Guide): https://www.pdpc.gov.sg/og
