
Get an overview of your obligations with the data checklist for adopters.

This is required guidance: it is legally required and it is an essential activity.

This guide covers:

  • England

From: Adopters - Complying with the UK GDPR Steps 1 - 7: an introduction

Step 2: Consider doing a DPIA

Reviewed: 13 January 2023

Reviewed by: Health and Care IG Panel

Before you start processing health and care data involving the use of new technology, including in the context of deploying a technology in a health or social care setting, you should consider doing a DPIA. This will help you identify and minimise any data protection problems early on, and fully consider the risks to patients and service users. It will also help you build public trust, because it will help you consider how to make your data processing transparent (such as through creating privacy notices).

You can use the standardised DPIA template developed by the Health and Care IG Panel. It will also help you carry out the assessments required in steps 3 and 4 below.

A DPIA is required by law before you carry out processing of special category data on a large scale by an innovative technology, because this constitutes a high risk (see ICO's examples of processing ‘likely to result in high risk’). Failure to carry one out when required could result in a fine, prosecution and damage to reputation.

You may need to modify the DPIA or create a new one at later stages of the technology adoption pathway if you change an existing processing activity, for example if you make significant changes to how or why personal data is processed, or to the type or amount of data being processed. In other words, a DPIA should be considered a ‘live’ document, started as early as possible and updated throughout the life of your project.

Learn how to do a DPIA and take a risk-based approach using ICO's guide to DPIAs, which includes an example template and practical checklists.

Also see the HRA’s guidance on DPIAs for research. DPIAs for the processing of personal data that is done for the purpose of research are the responsibility of the sponsor.

In the context of technology adoption, doing a DPIA would normally be the responsibility of the relevant NHS or social care organisations in England and Wales.
