Skip to Content

Data Privacy Impact Assessment

  • What is a Data Privacy Impact Assessment (DPIA)?

    A Data Privacy Impact Assessment (DPIA) is a process which helps assess privacy risks to individuals during the collection, use and disclosure of personal information. A DPIA is a legal requirement for certain types of processing.

    Under the General Data Protection Regulation (GDPR), the Privacy by Design principle has been strengthened, and DPIAs should be used to evaluate risks to the rights and freedoms of data subjects resulting from data processing. Click here to view the QUB Student Privacy Notice.

    Whilst a DPIA does not eradicate all risk, it should help determine an acceptable level of risk depending on the benefit of the outcomes of the data processing. The conclusions of the DPIA should be integrated back into the plan, and maintained under review for the duration of the processing.

    Please be aware, failure to carry out a DPIA when legally required may leave the University open to enforcement action, including large monetary penalties.

  • Do I need to conduct a DPIA?

    The Information Commissioner’s Office provides guidelines on when a DPIA is required. These instances include:

    • Use of new technologies
    • Profiling individuals on a large scale
    • Processing biometric or genetic data

    As such, if you are processing Qsis data on a large scale or if new Qsis functionality is being introduced whereby the privacy of the individual needs to be considered, a DPIA may be a requirement.

    The DPIA procedure should be considered in the following circumstances:

    • Introduction of any new paper or electronic information system which will collect and hold personal data fed to or from Qsis
    • Updates to Qsis which alter the way in which the organisation uses, monitors or reports on personal information, e.g. new functionality
    • Changes to Qsis whereby additional personal data will be collected e.g. due to changes in statutory reporting requirements requiring new Qsis fields to be included
    • Collecting personal data in Qsis for a new purpose or activity
    • Plans to outsource business processes involving the storing and processing of personal data from Qsis

    This list is not exhaustive.

    A DPIA is not required for systems which do not identify individuals in any way. For further advice, contact us directly.

  • Is there a DPIA template?

    A pre-screening questionnaire can be downloaded below. If you answer "Yes" to any of the questions, a full assessment should be undertaken. 

    QSIS DPIA Screening Checklist.

    A Data Privacy Impact Assessment template can be downloaded below:

    QSIS Full DPIA Template.

Back to Homepage
Qsis Governance