Disclaimer: This document is provided for illustrative purposes only, based on our experience with customers. It does not constitute a complete DPIA and should not be relied upon as such. Completion and validation of this document should be undertaken in consultation with your Data Protection Officer (DPO).
Usage Guidance: Please review the whole document and amend accordingly. Sections denoted in yellow are specifically highlighting sections that need completing.
Download: Populated Word version of this document here
Data Protection Impact Assessment (DPIA)
Example Template:
Healthcare Customers
Version
1.0
Date:
11/09/2025
Document Revision History
| Version | Date | Author | Comment |
|---|---|---|---|
| 1.0 | 11/09/2025 | Simeon Drage | Document Creation |
Contents
Section A: Data Protection Impact Assessment
Section 1: Nature of the Processing
Section 2: Necessity and Proportionality
Section 3: Special Characteristics
Section 4: Lawfulness of Processing
Section 5: Secondary Uses of Personal Data
Section 6: The Rights of the Data Subject
Section 7: Accuracy and Currency of Personal Data as a Safeguard
Section 8: Third parties and Commercial Partners
Section 10: Retention of Personal Data
Section 11: International Transfers of Personal Data
Section 12: Consultation Process
Section B: Identification and Assessment of Risk
Section C: Identification of Measures to Mitigate Risks outlined in Section B
Section D: Risk Assessment Matrix
Screening Questions
Answering “Yes” to any of the following screening questions represents a potential Information Governance risk factor that will have to be further analysed to ensure those risks are identified, assessed and mitigated through a Data Protection Impact Assessment (DPIA) (For further guidance on the questions below, please click here):
| Question | Category | Screening Question | Yes | No |
|---|---|---|---|---|
| #1 | Systematic and Extensive Profiling with Significant Effects | Will the service/project use systematic and extensive profiling or automated decision-making to make significant decisions about people? | ☐ | ☒ |
| #2 | Large Scale Use of Sensitive Personal Data | Will the service/project process special category data or criminal offence data on a large scale? | ☐ | ☒ |
| #3 | Public Monitoring | Will the service/project systematically monitor a publicly accessible place on a large scale? | ☐ | ☒ |
| #4 | New Technologies | Will the service/project use new technologies? | ☒ | ☐ |
| #5 | Denial of Service | Will the service/project use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit? | ☐ | ☒ |
| #6 | Large-scale Profiling | Will the service/project carry out profiling on a large scale? | ☐ | ☒ |
| #7 | Biometrics | Will the service/project process biometric data? | ☐ | ☒ |
| #8 | Genetics | Will the service/project process genetic data? | ☒ | ☐ |
| #9 | Data Matching | Will the service/project combine, compare or match data from multiple sources? | ☐ | ☒ |
| #10 | Invisible Processing | Will the service/project process personal data without providing a privacy notice directly to the individual? | ☐ | ☒ |
| #11 | Tracking | Will the service/project process personal data in a way which involves tracking individuals’ online or offline location or behaviour? | ☐ | ☒ |
| #12 | Targeting of Children or Other Vulnerable Individuals | Will the service/project process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them? | ☐ | ☒ |
| #13 | Risk of Harm | Will the service/project process personal data which could result in a risk of harm in the event of a security breach? | ☒ | ☐ |
| #14 | Location of Processing | Will the processing of personal data take place in a country outside of the UK? | ☒ | ☐ |
| #14.1 | Location of Processing | If you have selected ‘Yes’ above, where? Video: Dublin, Ireland (Amazon Web Services). AI analysis of video transcripts (optional feature): Sweden (Microsoft Azure). | | |
Summarise why you identified the need for a full DPIA, or provide your reasons for not completing a full DPIA.
The organisation wishes to implement iConnect, a secure digital platform that enables trainee healthcare students, healthcare professionals, supervisors, and trainers to record, share, and review learning and practice-based activities through a role-based login system. Once uploaded, recordings, reflective notes, or case-based discussions can be selectively shared with supervisors, trainers, or peer groups within the organisation, or across partner institutions, subject to approval by Data Protection Officers. The platform provides tools that enable analysis of recorded practice, structured feedback, and reflective discussion in line with high-quality professional education and training standards. Trainees and professionals can use iConnect to reflect on their clinical practice, receive constructive input from supervisors, and access examples of best practice. Over time, the system supports healthcare professionals in refining their clinical and professional skills, strengthening both individual competence and the overall quality of care. This data processing has a number of risk considerations which must be taken into account:
The AI analysis tools within the iConnect system are supplementary and optional, but they can introduce new risks. The way iConnect is implemented, together with the guidance on how to use these tools, reduces the risks of such processing: the system does not support automated decision-making, profiling, or large-scale analysis of personal data. While digital video platforms are becoming mainstream for trainee professional development, the system is still relatively new to the sector and may therefore be considered an innovative organisational solution.
Whilst the processing of special category data, including genetic data, may only occur incidentally, through captured conversations with patients, it remains possible. A DPIA is therefore required, as this type of information is highly sensitive and, if misused or exposed, could cause significant harm such as discrimination, loss of privacy, or damage to an individual’s rights and freedoms.
Section A: Data Protection Impact Assessment
Section 1: Nature of the Processing
Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?
Data Collection: Video data is collected via the dedicated iConnect ‘Record’ mobile application, which encrypts the video locally and automatically uploads it to the user’s account on the iConnect servers. All data in transit is encrypted. Once the upload has completed, the video is automatically deleted from the local device. For further information about the Record app, see here.
Data is accessed via the iConnect platform. This is a closed system which operates role-based login and privacy by design. Once a video is uploaded, only the user who recorded it has full access to it. Further information about iConnect’s security measures and controls can be found here.
Further information about iConnect’s approach to downloading can be found here.
Sharing can only take place via the iConnect web platform between user accounts. If user A shares a video with user B, user B cannot share or download the video. Further information regarding sharing can be found here.
Subject access requests (SARs) can be managed through the automatic tagging of every video with its date and the user who recorded it. Users are recommended to add a title and further tags after recording so that recordings can be located more easily.
The following users will be set up as system administrators: 1) 2) 3)
Administrators have access to thumbnail images drawn from the uploaded videos, so that they can see a basic preview of the content and confirm that all uploaded video is appropriate. Further information regarding the roles and responsibilities of administrators can be found here.
Appropriateness is judged against the purpose of the data processing (users’ professional development) and against any safeguarding needs. Thumbnails give a general overview of a video and highlight any obviously inappropriate content. If, when reviewing thumbnails, an administrator has concerns about the content or appropriateness of a recording, they can request full access via the feature within the platform. The administrator can also delete any video from this interface.
Personal Data
Personal data captured within the iConnect system includes:
1) User account information: the user’s avatar (profile picture), email address/username, first name and second name.
2) Video data: recordings will include the faces and voices of anyone present in the room, although this can be minimised through camera placement, audio-only mode, anonymisation mode and the editing feature.
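The access rules stated above (the recorder has full access; a recipient of a share can view but not re-share or download; administrators see thumbnails, can request full access and can delete; export off-platform needs administrator approval; sharing across organisations needs DPO approval) are the kind of claim a DPIA reviewer should be able to test rather than take on trust. The following is an added example, not iConnect’s own code: it models those rules as a deny-by-default authorisation check and enumerates the resulting access matrix so each claim can be verified. The class and function names, the `export_approved` flag, the `grant_full_access` step and the sample users are assumptions made for illustration.

```python
"""Deny-by-default model of the iConnect access and sharing rules described above (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Action(str, Enum):
    VIEW = "view"            # play the full recording
    THUMBNAIL = "thumbnail"  # see preview frames only
    SHARE = "share"          # grant another account view access
    DOWNLOAD = "download"    # export outside the platform
    DELETE = "delete"


@dataclass(frozen=True)
class User:
    user_id: str
    org: str
    is_admin: bool = False


@dataclass
class Recording:
    recording_id: str
    owner: str                       # user_id of the person who recorded it
    org: str                         # organisation that holds the recording
    shared_with: set = field(default_factory=set)        # user_ids granted view access
    admin_full_access: set = field(default_factory=set)  # admins whose access request was granted
    export_approved: bool = False    # assumed flag: administrator-approved, vendor-enabled export


def is_allowed(user: User, action: Action, rec: Recording) -> bool:
    """Return True only for the combinations the DPIA text describes; anything else is denied."""
    if user.user_id == rec.owner:
        # The recorder has full access, but export off-platform is still gated.
        return rec.export_approved if action is Action.DOWNLOAD else True
    if user.is_admin and user.org == rec.org:
        if action in (Action.THUMBNAIL, Action.DELETE):
            return True
        if action is Action.VIEW:
            return user.user_id in rec.admin_full_access
        return False  # administrators neither share nor download
    if user.user_id in rec.shared_with:
        # A recipient may view only: no re-sharing, no downloading, no deletion.
        return action is Action.VIEW
    return False


def share(sharer: User, rec: Recording, recipient: User, dpo_approved: bool = False) -> bool:
    """Grant view access; sharing across organisations additionally needs DPO approval."""
    if not is_allowed(sharer, Action.SHARE, rec):
        return False
    if recipient.org != rec.org and not dpo_approved:
        return False
    rec.shared_with.add(recipient.user_id)
    return True


def grant_full_access(rec: Recording, admin: User) -> bool:
    """Record the outcome of an administrator's full-access request (assumed to be approved elsewhere)."""
    if not (admin.is_admin and admin.org == rec.org):
        return False
    rec.admin_full_access.add(admin.user_id)
    return True


def access_matrix(users, rec: Recording) -> dict:
    """Enumerate who can do what on one recording: evidence for the DPIA's access-control claims."""
    return {u.user_id: sorted(a.value for a in Action if is_allowed(u, a, rec)) for u in users}


def demo() -> dict:
    """Constructed sample scenario; returns the access matrix after each step."""
    alice = User("alice", "org-a")                 # recorder
    bob = User("bob", "org-a")                     # colleague in the same organisation
    carol = User("carol", "org-b")                 # supervisor at a partner institution
    admin = User("admin", "org-a", is_admin=True)
    everyone = [alice, bob, carol, admin]
    rec = Recording("rec-001", owner="alice", org="org-a")

    steps = {"initial": access_matrix(everyone, rec)}
    share(alice, rec, bob)                         # in-organisation share
    steps["shared_with_bob"] = access_matrix(everyone, rec)
    share(bob, rec, carol, dpo_approved=True)      # recipients cannot re-share, even with approval
    share(alice, rec, carol)                       # cross-org share without DPO approval is refused
    steps["carol_refused"] = access_matrix(everyone, rec)
    share(alice, rec, carol, dpo_approved=True)    # cross-org share with DPO approval
    grant_full_access(rec, admin)                  # admin reviewed thumbnails and requested full access
    steps["final"] = access_matrix(everyone, rec)
    return steps


if __name__ == "__main__":
    for name, matrix in demo().items():
        print(name, matrix)
```

Running the block prints the access matrix after each step; the useful property is that every permission not explicitly granted by the rules above is absent from the matrix, which is what a reviewer should confirm against the platform’s real configuration.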
| Is this a change to an existing process? | ||||||
| ☐ Yes | ☒ No | |||||
Describe the scope of the processing: Thinking about the proposed processing of personal data, describe the flows of personal data, i.e., where it is first collected, where it is used, how it is used, where it is shared, how it is stored and when it is deleted.
The nature of the data collection is video of patient consultations, with both real patients and role play. The video may be anonymised using the iConnect anonymisation feature. If the video is not anonymised, the participants’ appearance will be visible. The anonymisation feature is off by default; however, the organisation may decide to use it for particular needs, such as data subjects who require additional safeguarding, or when sharing data outside of the organisation. Additionally, if the user refers to the patient by name, the video may include both the name and the appearance of a data subject.
All organisation staff and all patients are potentially subject to data processing within iConnect. iConnect recordings will be restricted exclusively to learning environments on the organisation’s site. The devices used for video capture are mobile devices that record a section of a room (less than 180 degrees); however, dual-view recordings, with two devices used at the same time, may be used. The aim of the recording is to capture as much of the environment as possible. Both staff and patients will be recorded, so that the system can provide a high-quality professional development experience to the user. It is understood that the personal data of both staff and patients will be processed by the system.
Only a small proportion of this data is likely to be shared between users, and an even smaller fraction shared via inter-organisation collaboration.
Further information regarding sharing can be found here.
Data will be stored within the iConnect platform for the entirety of its lifecycle. Any requirement to export data outside of the platform must be approved by the administrator and enabled by iConnect.
Customer data is deleted by the user when it is no longer required, by the organisation in line with its data retention policy, or by iConnect in line with its own data retention policy.
The organisation will delete data when:
- it is no longer useful for the user’s professional development. This will be managed by the individual users, who will review their recordings as required by organisation policy; this requirement will be communicated to users via the DPO.
- the user leaves the organisation. This will be managed by the administrator.
| 1.2.1. | Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? | |||||
|
The data subjects are the healthcare professionals and the patients.
There has always been a degree of concern within society about the collection of video data; however, once the purpose, scope and security measures are explained, this tends to lead to very low levels of objection. Patients will be informed by our privacy notice and will have the right to opt out of being recorded. Recording of minors and vulnerable groups will not take place. [delete according to your usage plans] There are no known security flaws in the iConnect system, which has operated for over a decade without incident. iConnect is a mature platform which is well supported and has a high level of compliance with data security best practice.
|
Is what you are proposing to do part of a project? Please populate below according to your usage plans |
||||||
| ☐ No, this is separate from any project. | ||||||
| ☐ Yes, it is part of the [project name] project. | ||||||
| How many individuals’ personal data will be involved? | ||||||
|
Please populate according to your usage plans | ||||||
| 1.5. | How many people will have access, or already have access, to the personal data? (i.e., data subjects themselves, organisation staff, third party organisations etc.) | |||||
|
Please populate according to your usage plans | ||||||
| 1.6. | Where does the personal data come from, i.e., from data subjects themselves, multiple sources or other organisations? | |||||
| Data comes from data subjects | ||||||
|
Section 2: Necessity and Proportionality | ||||||
| 2.1. | Have you considered any other methods to achieve your purpose that are less privacy-intrusive? (For example, collecting fewer personal data items or using a different method entirely that perhaps doesn’t use personal data). | |||||
| ☒ Yes | ☐ No | |||||
| 2.1.1. | Explain your answer to 2.1. | |||||
|
The only alternative to video-based observation and professional development is in-person observation and monitoring. Its limitations in terms of time, effectiveness and scalability lead to video being deemed the only effective approach to professional development, in terms of both cost and results.
| 2.2. | Will all data items that you collect (see Section 3 below) serve a specific, justifiable purpose? | |||||
| ☒ Yes | ☐ No | |||||
| 2.2.1. | Explain your answer to 2.2. Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly? | |||||
|
Purpose, Intended Effects & Benefits
Significant educational and clinical research shows that the quality of healthcare professionals, and therefore the quality of their training and ongoing professional development, is the single largest controllable factor affecting patient outcomes and the safety of care. Consequently, there are multiple statutory and regulatory requirements for healthcare staff to engage in and promote continuous professional learning within and across healthcare organisations. Yet such obligations are often difficult to achieve given the barriers of time, distance, staffing pressures, and cost. These barriers can be overcome through the use of secure digital video and collaboration technology. By removing the practical obstacles to effective professional learning, we can engage more healthcare professionals more frequently in high-value development activities such as reflecting upon their practice, analysing and refining their impact on patient care, observing examples of best practice, and giving and receiving high-quality contextualised feedback from supervisors.
In educational settings, 95% of users using iConnect report improvements in their professional practice. Our objective is to achieve these same benefits in the healthcare context, supporting trainees, supervisors, and practising professionals to continually improve. In turn, this will lead to safer, higher-quality care and improved outcomes for patients, with significant and wide-reaching societal benefits.
Why is the use of video necessary to achieve these objectives?
There is now a substantial body of evidence demonstrating that the use of video enhances both healthcare professional self-reflection and clinical supervision and training, as it helps to address fundamental cognitive biases and flaws in recollection that arise during practice.
For trainees, video-based learning provides a powerful tool for structured training, enabling them to observe and reflect on their own performance, receive targeted feedback from supervisors, and access a wider range of examples of best practice. Video also supports a higher frequency of supervisory interactions, as well as broader access to training opportunities, than traditional in-person observation methods alone. We therefore deem it justifiable to collect the data items listed in this document.
| 2.3. | How will you intend to prevent or manage function creep? (For example, if it is established that additional personal data will be required, who will you report this to, how will you consider this?) | |||||
|
Function creep will be avoided through our commitment to using iConnect solely for training and professional development.
The iConnect system is for professional development, educational research and learning development; consequently, the organisation agrees: “4.4.1 To ensure that the use of the system is aligned with the stated purpose and that the system is not used for surveillance of staff or learners.” Users will be made aware of this during their iConnect training, and a communication will be sent to all staff from the DPO.
| 2.4. | How will you ensure that the data you collect is accurate and minimised to what is necessary? | |||||
|
Data Retention
Data will be minimised to what is necessary by ensuring that users only record and retain what is useful for their professional development. This will be managed by the individual users, who will review their recordings on a [enter time frame] basis. This will be communicated to the users via the DPO and added to the organisation’s data retention policy.
Additionally, data will be deleted when the trainee/GP leaves the training cohort or GP practice. This will be managed by the iConnect administrator.
Reporting
We will have a clear procedure for users to report inaccurate data, which will be communicated by the DPO.
Minimisation tools
iConnect has several tools that help users achieve data minimisation, such as editing and anonymisation. See these articles on data capture and data retention.
Quality of Video Data
iConnect ensures that the video data is of high quality and clearly captures the necessary details, sufficient to fulfil the purpose of the data processing. This involves good resolution, good-quality microphones and tripods to aid recording quality and avoid misinterpretation. Videos can be easily edited within the platform if any discrepancies are identified. Please see here for editing information.
Metadata Accuracy
Users will be instructed to ensure that the metadata associated with the video data, such as title, comments and tags, is accurate. These elements can be easily edited within the platform if any discrepancies are identified.
Data Storage and Handling
Using the iConnect system for storage ensures the data is robustly and securely stored to prevent data corruption or loss. Regular backups and data integrity checks are part of iConnect’s security measures and controls.
User Training
We will ensure that staff who use the iConnect system are trained in proper procedures to ensure consistency and accuracy in recording and processing the data.
| 2.5. | Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts? | |||||
|
We will operate a multi-faceted stakeholder engagement and consultation. We will actively inform patients, including of the purpose of the processing, and provide them with clear mechanisms to ask questions and object to processing. We will engage users from the healthcare profession in a programme of orientation and induction which makes clear the system’s privacy-by-design model, as well as their rights and obligations in using the system. We will clearly communicate that use of the system is on an opt-in basis. [delete if use is required for your users] We will engage our network manager in a review of the iConnect system to ensure that it is compatible with our network and does not present a security risk.
|
Section 3: Special Characteristics | ||||||
|
This section considers the special characteristics of the personal data that could be processed. The law establishes that certain types of personal data presents greater degrees of risk than others, and as a consequence has to be treated differently.
| ||||||
| Please identify whether the personal data will include any of the following categories: | ||||||
| 3.1. | Category: | Yes | No | |||
| 3.1.1. | Name (User only. Needed for the user account) | ☒ | ☐ | |||
| 3.1.2. | Address (home or business) | ☐ | ☒ | |||
| 3.1.3. | Identifying Number (WCCIS) | ☐ | ☒ | |||
| 3.1.4. | Email Address (User only. Needed for the user account) | ☒ | ☐ | |||
| 3.1.5. | Date of Birth | ☐ | ☒ | |||
| 3.1.6. | Employee Number | ☐ | ☒ | |||
| 3.1.7. | Driving Licences | ☐ | ☒ | |||
| 3.1.8. | IP Address | ☐ | ☒ | |||
| 3.1.9. | Financial Information | ☐ | ☒ | |||
| | If “Yes”, does this include credit card info? | ☐ | ☐ | |||
| | If “Yes” to 3.1.9., please provide additional details about all financial information collected/processed: | | | |||
| 3.2. | Special Category Data (sensitive personal data): | | | |||
| 3.2.1 | Information about the racial background of an individual(s) | ☐ | ☒ | |||
| | If “Yes”, please provide additional details about the personal data: Likely to be collected through video and audio recordings | | | |||
| 3.2.2 | Information about the ethnicity of an individual(s) | ☒ | ☐ | |||
| | If “Yes”, please provide additional details about the personal data: Likely to be collected through video and audio recordings | | | |||
| 3.2.3 | Information about the physical or mental health of an individual(s) | ☒ | ☐ | |||
| | If “Yes”, please provide additional details about the personal data: Likely to be collected through video and audio recordings | | | |||
| 3.2.4 | Information about the religion or philosophical beliefs of an individual(s) | ☒ | ☐ | |||
| | If “Yes”, please provide additional details about the personal data: Possibly collected through video and audio recordings | | | |||
| 3.2.5 | Information about the sexuality of an individual(s) | ☒ | ☐ | |||
| | If “Yes”, please provide additional details about the personal data: Likely to be collected through video and audio recordings | | | |||
| 3.2.6 | Information about the political views of an individual / individuals | ☐ | ☒ | |||
| | If “Yes”, please provide additional details about the personal data: | | | |||
| 3.2.7 | Information about the Trade Union membership of an individual / individuals | ☐ | ☒ | |||
| | If “Yes”, please provide additional details about the personal data: | | | |||
| 3.2.8 | Genetic information of an individual / individuals | ☒ | ☐ | |||
| | If “Yes”, please provide additional details about the personal data: Possibly collected through video and audio recordings | | | |||
| 3.2.9 | Biometric data of an individual / individuals | ☐ | ☒ | |||
| If “Yes”, please provide additional details about the personal data: | ||||||
| 3.2.10 | Information about the criminal offences or conviction(s) of an individual / individuals (including alleged offences or convictions). | ☐ | ☒ | |||
| If “Yes”, please provide additional details about the personal data: | ||||||
|
| ||||||
Section 4: Lawfulness of Processing | ||||||
|
In order to assess the level of risk associated with the personal data and its proposed use, it is necessary to look to the justification for processing.
| ||||||
|
On what basis will the personal data be processed? Tick all relevant conditions below.
| ||||||
| 4.1. | Processing is necessary for the performance of a contract between the organisation and the individual / individuals whose data is being processed. |
☐ |
||||
| 4.2. |
Processing is necessary for compliance with a legal obligation If so, what legislation places this obligation on the organisation? |
☐ |
||||
| 4.3. | Processing is necessary in order to protect the vital interests of the individual or individuals whose data is being processed. |
☐ |
||||
| 4.4. | Processing is necessary for the performance of a public task. |
☐ |
||||
|
What legislation supports the public task being carried out? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
Answer below: |
||||||
| 4.5. | Processing is necessary for legitimate interests. (Legitimate Interest Assessment required, seek DPO advice). |
☐ |
||||
| 4.6. | Processing is based on the consent of an individual(s). (Seek DPO advice) | ☒ | ||||
| 4.6.1. | If consent (4.6) has been selected, then please answer the following: Can an individual(s) withdraw their consent with ease and whenever they want to? * | Yes: ☒ | No: ☐ | |||
| 4.6.2. | If consent has been selected, please indicate the consequences of withdrawal and refusal of consent for both the individuals and the organisation. (For example, will the service to the individual be terminated?) | |||||
|
Lawful Basis for Processing
The lawful basis for processing video data in the context of healthcare professional development and training is consent.
Providing Consent
Patients will be asked, prior to recording, whether they consent to being recorded. Following a positive response, the user will start the recording and capture the patient’s consent on the video. At the end of the consultation, before stopping the recording, the user will ask the patient again whether they still consent, and will then save or delete the file accordingly. A note will be made on the patient’s file that the consultation was recorded, so that the recording can be located easily if consent is later withdrawn.
Withdrawing Consent
Patients can contact the organisation if they subsequently decide to withdraw their consent.
Is there another way to achieve your objectives?
User reflection, which is central to professional development, is virtually impossible to achieve meaningfully without the use of video. Providing users with the same frequency of high-impact professional learning interactions would be impossible for the organisation through other means. Experiencing high-quality practice and giving and receiving high-quality feedback, in the absence of video collaboration, would require in-person consultation observation. In-person observation is a subjective one-off experience, with no record for analysis and discussion after the event. This leads to lower-quality professional discussion with less impact on professional practice. Additionally, in-person observation requires another professional to be available to carry out the observation and debrief. In a busy organisation this entails significant additional cost, as we would have to employ more cover staff to free up the observer.
Providing high-quality examples of clinical practice is even more difficult to achieve through other means. It is difficult to know when such an example will occur, so there is little control over whether the observing user will get the experience they need from their observation. Furthermore, the organisation would like all staff to have a shared understanding of what high-quality practice looks like, and it is physically impossible to fit the entire staff into a single consultation room on the off chance that a particular strategy will be demonstrated with sufficient quality. Finally, inter-organisation collaboration would be very difficult through other means: it would have all of the drawbacks already identified, with the addition of significant travel and accommodation costs.
Function Creep
We will prevent function creep by making a clear declaration of purpose and maintaining an ongoing open-door policy so that staff can report any use of the system which is not aligned with the purpose.
Data quality and data minimisation
The iConnect system will collect high-quality video and audio, sufficient to fulfil the purpose. We will ensure that all analysis and data entry is as accurate as possible. We will have a clear procedure for users to report inaccurate data. Video data will not be kept for longer than its useful purpose, in line with the organisation’s data retention policy.
Information and rights
Organisation staff will be informed via our onboarding consultation and training process; the DPO will be responsible for ensuring that staff are aware of their rights and know how to exercise them. Patients will be informed via appropriate notices and will have a clear pathway to raise objections.
Compliance of Processors
We have engaged with iConnect to ensure their policies and procedures are compliant with the GDPR.
|
For the processing of special category data, you need to identify a legal basis (4.1 – 4.6) as well as at least one of the conditions below (4.7 – 4.16):

| Ref. | Condition | Selected |
|---|---|---|
| 4.7. | The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law | ☐ |
| 4.8. | The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent | ☐ |
| 4.9. | The processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects | ☐ |
| 4.10. | The processing relates to personal data which are manifestly made public by the data subject | ☐ |
| 4.11. | The processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. | ☐ |
| 4.12. | The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity | ☐ |
| 4.13. | The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law | ☒ |
| 4.14. | The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy | ☒ |
| 4.15. | The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. | ☐ |
| 4.16. | The data subject (or subjects) has given explicit consent. (Seek DPO advice) | ☐ |

| Ref. | Question | Yes | No |
|---|---|---|---|
| 4.16.1. | If consent (4.16) has been selected, then please answer the following: Can an individual(s) withdraw their consent with ease and whenever they want to? * | ☐ | ☐ |
| 4.16.2. | If consent has been selected, please indicate the consequences of withdrawal and refusal of consent for both the individuals and the organisation. (For example, will the service to the individual be terminated?) | | |

*Individuals should be able to withdraw consent at any time and at every step of the processing of their information, without detriment. It should be as easy to withdraw consent as it is to give it. Consent requires prior information and an explicit indication of the intent to consent, separate from other individual options (such as accepting terms and conditions).
Section 5: Secondary Uses of Personal Data

| Ref. | Question | Yes | No |
|---|---|---|---|
| 5.1. | Will the proposed processing involve the use of existing personal information for new purposes? (For example, a CRM system that will enable certain data about clients to be combined with other data and used in a new way.) | ☐ | ☒ |
| 5.1.1. | If yes, will the proposed processing be compatible with the original purposes for which the personal data were first collected? | ☐ | ☐ |
| 5.1.2. | Please explain your response to question 5.1.1. | | |
Section 6: The Rights of the Data Subject

This section examines whether the rights of individuals are protected and supported.

Individuals have the following rights in respect of the processing of information about them. They are:

You can find more information on these rights here.

| Ref. | Question | Yes | No |
|---|---|---|---|
| 6.1. | Will the proposed processing be communicated to the data subjects in a privacy notice? | ☒ | ☐ |
| 6.2. | Will the proposed processing enable the data subjects to exercise their rights of access? | ☒ | ☐ |
| 6.3. | Will the proposed processing enable personal data to be rectified? | ☒ | ☐ |
| 6.4. | Will the proposed processing enable personal data to be erased? *under certain circumstances | ☒ | ☐ |
| 6.5. | Will the proposed processing enable data subjects to exercise their right to restrict processing? *under certain circumstances | ☒ | ☐ |
| 6.6. | Will the right to data portability be supported by the proposed processing? *under certain circumstances | ☒ | ☐ |
| 6.7. | Will the right to object be supported by the proposed processing? *under certain circumstances | ☒ | ☐ |
| 6.8. | Will the proposed processing involve automated decision making or profiling? | ☐ | ☒ |
Section 7: Accuracy and Currency of Personal Data as a Safeguard

| Ref. | Question | Yes | No |
|---|---|---|---|
| 7.1. | Will the proposed processing be supported by checks on the accuracy of personal data? | ☒ | ☐ |

If ‘Yes’, explain how:

Quality of Video Data: iConnect ensures that the video data is of high quality and clearly captures the necessary details. This involves good resolution, good quality microphones and tripods, all of which aid the recording quality and help avoid misinterpretation. Videos can be easily edited within the platform if any discrepancies are identified. Please see here for editing information.

Metadata Accuracy: Users will be instructed to ensure that the metadata associated with the video data, such as title, comments and tags, is accurate. These elements can be easily edited within the platform if any discrepancies are identified.

Data Storage and Handling: Using the iConnect system for storage will ensure the data is robustly and securely stored to prevent data corruption or loss. Regular backups and data integrity checks are part of their security measures and controls.

User Training: We will ensure that staff who will use the iConnect system are trained in the proper procedures, to ensure consistency and accuracy in recording and processing the data.

7.1.2. Describe the possible impact on an individual, considering the possible consequences of processing outdated information for the individuals concerned. For instance, in some cases an incorrect date of birth for an individual could be a LOW impact, whereas in other contexts an incorrect address for an individual could have a HIGH impact; the converse could be true in other circumstances:

| Impact | Selected |
|---|---|
| Mostly HIGH | ☐ |
| Mostly MEDIUM | ☐ |
| Mostly LOW | ☒ |

Low has been selected here due to the purpose of the data collection on iConnect. The data is being used solely for professional development. Therefore, if video data or user account data that is being processed and stored within iConnect is not accurate or up to date, there is limited impact on that professional development process or any secondary impacts.
Section 8: Third parties and Commercial Partners

| Ref. | Question | Yes | No |
|---|---|---|---|
| 8.1. | Is it likely that the proposed processing will involve third parties or require a contract or other written agreement (Data Processing Agreement)? | ☒ | ☐ (If selected, please proceed to the next Section.) |
| 8.1.1. | If Yes to 8.1., please list the organisations that will require a contract: | | |
| | iConnect and the organisation will enter into a Data Processing Agreement, a copy of which can be found here. | | |
| 8.1.2. | Is it likely that the organisation will engage with sub-contractors (known as sub-processors)? These are listed within Appendix B of the DPA. | ☒ | ☐ |

8.2. There are a number of different terms used in data protection legislation to describe the roles taken by organisations in their dealings with third parties. Consider the following definitions, and select the position that best describes the organisation’s role in the proposed processing:

| Role | Definition | Selected |
|---|---|---|
| A CONTROLLER | A natural or legal person or organisation which determines the purposes and means of processing personal data. | ☒ |
| A PROCESSOR | A natural or legal person or organisation which processes personal data on behalf of a controller. The organisation’s contractors and suppliers are usually processors if they process personal data solely on its behalf. | ☐ |
| A JOINT CONTROLLER (Controller in common) | A natural or legal person or organisation which, with another Controller or Controllers, jointly determines the purposes and means of processing personal data. | ☐ |
Section 9: Security Measures

| Ref. | Question | Yes | No |
|---|---|---|---|
| 9.1. | What technical and organisational security measures are in place for the proposed processing? (Please list the proposed security measures, for example locks, passwords, device encryption etc.) | | |
| | The iConnect system is a closed system that requires user authentication to record and access uploaded data. Taking into account the existing policies that are in place with regard to cyber security and passwords, no additional measures are required. | | |
| 9.2. | Will staff involved in the proposed processing require additional and specific data protection training? | ☒ | ☐ |
| 9.3. | (For ICT System procurement) Have you sought advice surrounding the system’s security from the ICT Cyber Security Manager? | ☐ | No ☒ / N/A ☐ |
| 9.3.1. | Please detail the advice given, or why you do not need to seek advice from the Cyber Security Manager, including any identified risks: | | |
| | iConnect is used by thousands of organisations internationally. They have very high security standards, have achieved Cyber Essentials Plus and conform to NIST standards. All data covered under this DPIA will be processed and stored by iConnect. | | |
| 9.4. | Will the proposed processing involve storage or transfer via the cloud? | ☒ | ☐ |
Section 10: Retention of Personal Data

| Ref. | Question | Selected |
|---|---|---|
| 10.1. | How long is it intended to keep the personal data for as part of the proposed processing? (Tick which apply) | |
| 10.1.1. | The personal data will be destroyed after the completion of the proposed processing. | ☐ |
| 10.1.2. | Information is to be retained for a specific period after the completion of the proposed processing. | ☒ |

For how long?

As long as the user remains an employee of the organisation or until the data is no longer useful for the user’s professional development. Users will review their recordings [enter time period].
Section 11: International Transfers of Personal Data

This presents a risk as not all countries ensure the same level of protection for personal data.

| Ref. | Question | Yes | No |
|---|---|---|---|
| 11.1. | Will the proposed processing involve transferring, storing and/or disclosing personal data to a country or territory outside of the European Economic Area (EEA)? The EEA consists of the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. | ☐ | ☒ (If selected, please proceed to the next Section.) The data is processed in Dublin, Ireland. |
| 11.1.1. | If yes is selected in 11.1., are measures in place to ensure an adequate level of security if personal data are transferred outside the EEA? | ☐ | ☐ |

11.2. If personal data is transferred outside of the EEA, how will the safeguards be set out? (Tick which apply)

| Ref. | Safeguard | Selected |
|---|---|---|
| 11.2.1. | Standard Contractual Clauses (SCCs) | ☐ |
| 11.2.2. | Binding Corporate Rules | ☐ |
| 11.2.3. | Other | ☐ |
| 11.2.4. | If any of the above have been selected, please provide an explanation. | |
Section 12: Consultation Process

This section describes when and how individuals’ views will be sought, or details why it is not appropriate to do so.

| Ref. | Question | Yes | No |
|---|---|---|---|
| 12.1. | Do you need to consult with relevant experts, e.g. Equality Officer or the Legal Department? | ☐ | ☒ |
| 12.2. | Do you need to consult with relevant data subject groups? | ☐ | ☒ |
| 12.2.1. | If you have already consulted with data subject groups, please provide further details. | | |
| | It was deemed not necessary to consult with either the users or patients due to the requirement of Public Task to provide user professional development. The data subjects will however be able to raise any questions or concerns with the organisation, which will deal with these on a case by case basis. | | |
| 12.3. | Do data processors need to have an input to this assessment? | ☐ | ☒ |

Section 13: Documentation

Please provide a copy of, or a link to, any supporting data protection documentation, such as a privacy notice (either produced by the service or a third party), sharing agreements or contracts etc.

iConnect Data Processing Agreement
Organisation Privacy Notice [Link]
Section B: Identification and Assessment of Risk:

The following grid is to be completed using the organisation’s Risk Assessment Matrix included in Section D below. A type of risk might include individuals trying to attack or access a new ICT system/application.

| Risk Number | Describe the source of risk and nature of potential impact on individuals (Include associated compliance and corporate risks as necessary) | Probability of Harm (1 – 5) | Impact of Harm (1 – 5) | Overall Risk (1 – 25) |
|---|---|---|---|---|
| #01 | Data breach | 2 | 2 | 4 |
| #02 | Subjects not expecting their data to be processed in this way | 2 | 1 | 2 |
| #03 | The system not being used for the intended purpose | 2 | 1 | 2 |
| #04 | Individual patients withdrawing consent on an ad hoc basis | 3 | 1 | 3 |
Section C: Identification of Measures to Mitigate Risks outlined in Section B:

The following grid should encompass all risks identified in Section B. Measures to mitigate risks can include, for example, two-factor authentication (to reduce the risk of an individual’s attempts to access a new ICT system/application inappropriately).

| Risk Number | Option to Reduce or Eliminate Risk | Effect on Risk (Eliminated, reduced or accepted) | Residual Risk (1 – 25) | Measure Approved (Yes/No) |
|---|---|---|---|---|
| #01 | The iConnect system adheres to the highest standards of data protection and security. Further information about the iConnect security measures and controls can be found here. Password policy strictly enforced throughout the organisation. | Reduced | 1 | Yes |
| #02 | Clear privacy notices; patients, staff and trainees engaged and informed. Home organisation agreement aligned with use and clear pathways to opt out open to all parties. | Reduced | 1 | Yes |
| #03 | A clear organisation-wide statement of purpose and an open door policy for users to report instances of the system being used in a way which is not aligned with purpose. Training provided to all users. | Reduced | 1 | Yes |
| #04 | Use of data minimisation strategies to not capture certain data subjects: anonymisation/editing/camera positioning, or not recording some consultations if patients have opted out. | Reduced | 1 | Yes |

Risk assessment completed by:
Date:
Date considered by Data Protection Officer:
Section D: Risk Assessment Matrix:

Each risk should be assessed against the likelihood of an incident occurring and the severity of the consequences should one arise.

| Likelihood | Description |
|---|---|
| Almost Certain | Could happen at any moment |
| Very likely | Repeatedly encountered |
| Likely | Likely to occur several times |
| Unlikely | Unlikely to occur |
| Improbable | Remote likelihood of occurring |

| Impact | Description |
|---|---|
| Catastrophic | May result in the highly costly loss of major tangible assets or resources; or may significantly violate, harm or impede an organization’s reputation, or interest; or may result in human death or serious injury. |
| Major | Loss of face, costly to remediate, could be combined with other factors to elevate the impact |
| Moderate | Chance of service or information loss combined with inconvenience to business. |
| Minor | No loss of information, temporary loss of service |
| Insignificant | Cannot be exploited or information safe. |

Overall risk score (likelihood × impact):

| Likelihood \ Impact | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | 5 | 10 | 15 | 20 | 25 |
| Likely | 4 | 8 | 12 | 16 | 20 |
| Possible | 3 | 6 | 9 | 12 | 15 |
| Unlikely | 2 | 4 | 6 | 8 | 10 |
| Rare | 1 | 2 | 3 | 4 | 5 |