OFFICIAL
Data Protection Impact Assessment (DPIA)
Title: CFS - Accessing Social Media
Version: 1.0
Document Reference: CFS/ASM/01-19
<Report Name>
OFFICIAL
Document Control
Status:
Live
Document Version History
Date
Version
Author
Comments
30/05/18
v1.0
Baseline template
05/06/18
v1.1
Minor updates from cascade feedback:
Fix numbering issue
Update tracker table
Add 3rd party question (section 4.3)
Add related documents (section 4.7)
Review and Approval Register
Note: RACI = R- Responsible, A- Accountable, C-Consulted, I-Informed
Name
Position
RACI Role
Fiona Innes
Head of Counter Fraud Services
A
DPO
DPO
C
Information Governance Officer (GDPR)
C
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 2 of 21
The Student Loans Company Ltd
1. DPIA Status
1.1 Current DPIA Status:
The following DPIA statement should be completed for any change at SLC to the processing of Personal
Information (This includes operational, procedural, project driven change and changes in the relationships with 3rd
Party processors etc.)
DPIA Statement: As at 17/12/2018 a Full DPIA screening has been conducted.
The Result of DPIA Screening Questions (section 3) is:
A low level of risk has been identified and will be treated by existing CFS processes around investigation
techniques.
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 3 of 21
The Student Loans Company Ltd
link to page 2 link to page 3 link to page 3 link to page 3 link to page 4 link to page 5 link to page 5 link to page 5 link to page 5 link to page 6 link to page 6 link to page 7 link to page 9 link to page 9 link to page 9 link to page 10 link to page 11 link to page 11 link to page 12 link to page 12 link to page 13 link to page 14 link to page 14 link to page 15 link to page 15 link to page 17 link to page 18 link to page 19 link to page 19 link to page 19 link to page 19 link to page 20 link to page 21
Contents
Document Control ............................................................................................................................ 2
1.
DPIA Status ............................................................................................................................ 3
1.1 Current DPIA Status: ............................................................................................. 3
1.2 DPIA Progress Tracker for projects only ................................................................ 3
Contents ............................................................................................................................................ 4
2.
What is Data Protection Impact Assessment (DPIA)? ........................................................... 5
2.1 What is the DPIA legislation? ................................................................................. 5
2.2 Why Does SLC Need a DPIA? ............................................................................... 5
2.3 What does a DPIA Deliver? ................................................................................... 5
2.4 DPIA Roles and Responsibilities ............................................................................ 6
2.5 How to Complete a DPIA ....................................................................................... 6
2.6 Guidance for projects ............................................................................................. 7
3.
Data Protection Impact Assessment (DPIA) - Screening Questions ...................................... 9
3.1 DPIA Screening Questions .................................................................................... 9
3.2 Information about the Change ................................................................................ 9
3.3 Data Impact ......................................................................................................... 10
3.4 Business Process Impact ..................................................................................... 11
3.5 Technology Impact............................................................................................... 11
3.6 3rd Party Impact .................................................................................................. 12
3.7 Screening Questions Assessment ....................................................................... 12
3.8 Screening Question Statement ............................................................................ 13
4.
Data Protection Impact Assessment .................................................................................... 14
4.1 New Data Details ................................................................................................. 14
4.2 Re-Use of Existing Data ....................................................................................... 15
4.3 DPIA - Assessment Questions ............................................................................. 15
4.4 DPIA – Remaining unknowns .............................................................................. 17
4.5 Privacy issues identified and risk analysis ............................................................ 18
4.6 RESULTS / CONCLUSION/ OUTCOME .............................................................. 19
4.7 Related Documents ............................................................................................. 19
5.
Appendices .......................................................................................................................... 19
5.1 Appendix A – Lawful Processing .......................................................................... 19
5.2 Appendix B – Personal Information Definition ...................................................... 20
5.3 Appendix C – 3rd party considerations .................................................................. 21
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 4 of 21
The Student Loans Company Ltd
2. What is Data Protection Impact Assessment (DPIA)?
2.1 What is the DPIA legislation?
Performing a Data Protection Impact Assessment (DPIA) is a legal requirement under EU GDPR legislation that SLC
must comply with. For background an extract from the legislation is provided as follows:
Article 35 - Data Protection Impact Assessment
I.
Where a type of processing in particular using new technologies, and taking into account the nature,
scope, context and purposes of the processing, is likely to result in a high risk to the rights and
freedoms of natural persons, the controller (SLC) shall, prior to the processing, carry out an assessment
of the impact of the envisaged processing operations on the protection of personal data. A single
assessment may address a set of similar processing operations that present similar high risks.
II.
The controller (SLC) shall seek the advice of the data protection officer, where designated, when
carrying out a data protection impact assessment.
III.
A Data Protection Impact Assessment referred to in paragraph 1 shall in particular be required in the
case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural living persons which is
based on automated processing, including profiling, and on which decisions are based that produce
legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal
data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
2.2 Why Does SLC Need a DPIA?
DPIAs are required for all changes to the processing of Personal Information at SLC
A DPIA may need to be submitted / shared with the Information Commission Office (ICO) as evidence to
demonstrate SLC’s commitment to our customers’ Data Privacy
The need for a DPIA is defined within Article 35 of the GDPR (as outlined above)
The GDPR Definitions as defined in Article 4 of the regulation for personal data (see Appendix C) is any
information relating to an identified or identifiable natural person (referred to as a data subject); an identifiable
natural living person is one who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, and identification number, location data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.3 What does a DPIA Deliver?
A DPIA is a process to identify and minimise the Risks to individuals and to SLC for all changes to the processing of
Personal Information (this includes operational, procedural, project driven change and changes in the
relationships with 3rd Party processors etc).
A DPIA must be completed for certain listed types of processing, or any other processing that is likely to result in a
high risk to individuals’ interests. As a minimum the screening questions must be completed to evidence there is
no anticipated high risk.
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 5 of 21
The Student Loans Company Ltd
A DPIA must:
Describe the nature, scope, context and purposes of the processing;
Assess necessity, proportionality and compliance measures;
Identify and assess risks to individuals; and
Identify any additional measures to mitigate those risks.
To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered.
High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
If a high risk is identified that cannot be mitigated then the Information Commission Office (ICO) must be
consulted before commencing with delivery. (The Information Commission Office (ICO) will give SLC written
advice within eight weeks, or 14 weeks in complex cases. They may also issue a formal warning not to process
the data, or ban the processing altogether.)
2.4 DPIA Roles and Responsibilities
A collaborative approach from different disciplines within SLC is needed to answer all of the DPIA questions. (The
below list illustrates some of the key contributors but is not a fully comprehensive list of all contributors as this
may vary depending on the details of the change.)
Information Asset Owner (IAO) / Information Asset Lead (IAL)
Data Protection Officer (or his/her Deputy)
Project Manager
Commercial Management
IT Security Ops
Business Architect (BDL/BA)
If you are unable to answer any of the questions please seek guidance from your relevant Information Asset
Owner (IAO) or Information Asset Lead (IAL) in the first instance (and escalate to the Data Protection Office (DPO)
after that if required).
2.5 How to Complete a DPIA
The latest template should be downloaded from SLC Document Control System
The Relevant change specific details should be updated as appropriate and version control updated
DPIA screening should be initiated as soon as possible, (i.e. at the start of any continuous improvement change, at
the start of a new project and before engaging with any new 3rd parties etc).
The screening should be led by the person responsible for the change in SLC (e.g. new IT System, changes to
existing system or process) regardless of business area in SLC– e.g. Continuous Improvement Area, Project
Management Office, Front Line Operations etc.
Completed DPIA should be emailed to the Data Protection Office (DPO) (xxx@xxx.xx.xx)
A DPIA must be reviewed and signed off by the Information Asset Owner. – (Email trail / History)
Guidance:
If you are unable to answer any of the questions please seek guidance from the relevant Information
Asset Owner (IAO) or Information Asset Lead (IAL) in the first instance (and escalate to the Data
Protection Office (DPO) after that if required).
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 6 of 21
The Student Loans Company Ltd
After completing screening please send the completed answers to the Data Protection Office (DPO) for
review. The Data Protection Office (DPO) will advise whether a full DPIA assessment will be required.
2.6 Guidance for projects
DPIAs are required for all projects at SLC in order to progress through the Project Delivery Framework and
ultimately gain Approval to Operate. A DPIA is a living document and you must revisit your screening answers or
DPIA at the end of every project stage as part of project delivery.
A DPIA may need to be submitted / shared with the Information Commission Office (ICO) as evidence to
demonstrate SLC commitment to our customers Data Privacy
DPIA screening should be initiated as soon as possible at the start of a new project. The screening should be led
by Project Manager and reviewed and signed off by Information Asset Owner (IAO)
After completing, please send the completed answers to Data Protection Office (DPO) for review. The DPO will
advise whether a full DPIA assessment will be required
You must revisit your DPIA answers at the end of every project stage as part of project delivery. Material
changes to project scope or understanding may change the risk outcome of the DPIA and consultation with
Information Asset Owner (IAO) or Information Asset Lead (IAL) & Data Protection Office (DPO) will be required.
Notes:
If you are unable to answer any of the questions please seek guidance from your Information Asset Owner
(IAO) or Information Asset Lead (IAL) in the first instance (and escalate to the Data Protection Office (DPO)
after that if required).
If you can’t answer a question at new demand, discovery, inception or run, then the project can still proceed
(after taking advice and guidance from your Information Asset Owner (IAO) or Information Asset Lead (IAL)
and the Data Protection Office (DPO) if required). For delivery and beyond, activity cannot progress with
‘unknowns’ remain in the DPIA.
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 7 of 21
The Student Loans Company Ltd
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 8 of 21
The Student Loans Company Ltd
3. Data Protection Impact Assessment (DPIA) - Screening
Questions
3.1 DPIA Screening Questions
This section is required to document the anticipated change (e.g. new IT System, changes to existing system or
process). It is required for Corporate Memory purposes for the Data Protection Officer & SLC as a Data Controller
to discharge its obligations and as such may be shared with the Information Commissioner’s Office.
3.2 Information about the Change
3.2.1 What are the business objective(s) that this change is aiming to deliver?
Answer
Safeguarding Public Money
3.2.2 What is the scope of the change (departmental or organisational wide?)
(e.g. Payroll change may only impact Finance, but a change to Staff policy could impact across SLC)
Answer
Data identified on Social Media will be used as necessary by investigators within Counter Fraud
Services to identify any potential inconsistencies with information provided as part of the student
finance application.
Social Media will also be used to support the avoidance of Repayment Evasion.
The information will not be used in isolation and will only inform a potential line of questioning.
3.2.3 Provide details of any previous Privacy Impact Assessment (PIA) or DPIA
(if this is a change to an existing system then a PIA/DPIA may have been undertaken previously
Answer
No previous assessments available.
3.2.4 Stakeholders - Who is involved in making this change happen?
Please list stakeholders, including internal, Information Asset Owner (IAO) or Information Asset Lead (IAL), external,
organisations (public/private/third) and cohorts that are implementing this system/change
Answer
Fiona Innes – HoS
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 9 of 21
The Student Loans Company Ltd
3.2.5 Stakeholders - Who is affected by the change?
Please list stakeholders, including internal, Information Asset Owner (IAO) or Information Asset Lead (IAL)external,
organisations (public/private/third) and cohorts that may be affected by this system/change (i.e. Customer
contact, front line support, etc)
Answer
Customers may be impacted by the use of Social Media if the content of their accounts is
inconsistent with other information provided as part of their Student Finance Application.
Further evidence may be required to support their application which may delay payments
being made.
3.3 Data Impact
3.3.1 Does the change capture new Personal Information or Sensitive Personal Information
See Appendices for guidance on data field applicability
Answer:
Please provide details for ‘yes’ answers
Yes
Specifics cannot be captured here however information may be provided by a customer via
Social media that has not been submitted via the application form or while in the Repayment
stage of their journey.
3.3.2 Does your change combine any existing SLC data sets?
Answer:
Please provide details for ‘yes’ answers
No
3.3.3 Will the change involve any analysis of data that would be deemed a profiling activity?
i.e. analysis of the data to facilitate targeted emails, contacts etc.. (as defined in Articles 21 & 22 Automated individual
decision-making, including profiling) (including in post implementation)
i.e. using SLC’s existing data in for a purpose that it was not initially captured for
Answer:
Please provide details for ‘yes’ answers
No
Although information will be identified through Social Media no profiling will take place.
Investigators will however use personal information for the purpose it was not originally
captured for, i.e. fraud prevention.
No automated decision making will take place.
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 10 of 21
The Student Loans Company Ltd
3.3.4 Will the change deliver any
new automated decision making?
(as defined in 22 Automated individual decision-making, including profiling )
Answer:
Please provide details for ‘yes’ answers
No
3.4 Business Process Impact
3.4.1 Is there a change in the use of existing SLC data as a result of this change?
I.E. Will the data be used for a new purpose? What is the justification for this? (e.g. Government Policy)
Answer:
Please provide details for ‘yes’ answers
No
3.5 Technology Impact
3.5.2 Will the change affect where the personal Information is hosted by SLC? (on SLC infrastructure or on 3rd
party infrastructure on SLC’s behalf?)
Answer:
Please provide details for ‘yes’ answers
No
3.5.1 Will the change introduce new technology into SLC?
(note: changing a version of a product is not a new technology, however moving platform or jumping many increments of a
version could be)
Answer:
Please provide details for ‘yes’ answers
No
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 11 of 21
The Student Loans Company Ltd
3.5.3 Does the change include the use and/or processing of CCTV or audio recording in a public area? (as
defined in Article
35 - Section 4 - Item C )
Answer:
Please provide details for ‘yes’ answers
No
3.6 3rd Party Impact
3.6.1 Will this project interact with any new 3rd parties?
Please see Appendix C
Answer:
Please provide details for ‘yes’ answers
No
3.6.2 Will there be any changes to how the personal data is used/collected/stored as a result of changes to
existing arrangements with existing 3rd party(s)?
Please see Appendix C
Answer:
Please provide details for ‘yes’ answers
No
3.7 Screening Questions Assessment
If you have answered “Yes” to any of the questions in the sections listed below you will need to proceed and
complete a Full DPIA (Section 3):
3.3 Data Impact
3.4 Business Process Impact
3.5 Technology Impact
3.6 3rd Party Impact
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 12 of 21
The Student Loans Company Ltd
3.8 Screening Question Statement
DPIA screening as at 17/12/2018 for CFS Accessing Social Media has been conducted by Fiona Innes.
As a result a full DPIA is required.
Complete Screening statement and update ‘Current Status’ on page 3.
Completed DPIA should be emailed to the Data Protection Office
(xxx@xxx.xx.xx) A DPIA must be reviewed and signed off by the Information Asset Owner. (Email trail / History)
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 13 of 21
The Student Loans Company Ltd
4. Data Protection Impact Assessment
Data Protection Impact Assessment (DPIA) Questions
4.1 New Data Details
If you are
capturing any new personal data attribute then please either complete the table below or link to your
Data Dictionary.
Note – if linking to a Data Dictionary please ensure you add the columns from the table (if your Data Dictionary
doesn’t already include these details). This information is required as part of the assessment.
If you are
not introducing any new data attributes (i.e. only using existing data) then please move straight to
question 1 in section 4.2
4.1.1 Are you collecting a new attribute about a data subject?
(An attribute is a specific piece of information about a person from eye colour to National Insurance Number)
when completing DPIA is important to SLC that we clearly track all the information we gather from our
customers to ensure that we have the legal right to gather this data and understand why we are gathering it
and how long we will retain it)
Attribute
Sensitive or Personal
Description of Attribute
Reason Why We are
Data?
Gathering this Data?
i.e. Eye Colour
<Delete as appropriate>
Sensitive / Personal
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 14 of 21
The Student Loans Company Ltd
4.2 Re-Use of Existing Data
4.2.1 Personal & Sensitive Information:
Are you changing how existing Personal and/or Sensitive Information is being used within SLC?
No Please list any change in use of an existing data attribute and the reason(s) for the change.
Attribute
Sensitive or Personal
Description of Attribute
Reason why we are changing
Data?
the use of this Data?
i.e. Eye Colour
<Delete as appropriate>
No Change
Sensitive / Personal
4.3 DPIA - Assessment Questions
Question
Response
1. What is the legal basis for
Under GDPR Article 6(3) we are able to perform
processing the information?
this exercise as a public task.
See Appendix A on lawful processing
? l
2. Does the purpose for processing
SLC Privacy Notice states:
fu
the data fall under any of the
wa
d
l
categories noted in SLC’s Privacy
e
d
We may use also your personal information for
e
Notice?
See Appendix A If not,
N
an
the following purposes:
g
ri
please provide information of new
nis
fa
categories to be included. (seek
s
t
e
i
to detect, investigate and prevent crime
c
si
guidance from Information Asset
o
r
–
Owner (IAO) or Information Asset
including fraud;
P
e
s
c
s
n
Lead (IAL)if required)
e
a
n
i
isu
mpl
B
o
3. If you are relying on consent to
N/A
c
process personal data, how will
consent be obtained and
Legal
recorded, what information will be
provided to support the consent
process and what will you do if
permission is withheld or given
but later withdrawn?
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 15 of 21
The Student Loans Company Ltd
o
4. How are you ensuring that
Open Source data is used for information only to
t
personal data obtained from
inform a line of questioning. Data captured is
up
d
individuals or other organisations
n
viewed only and not used to change any fields on
tea
is accurate and kept up to date?
any of SLC’s systems. CFS will not update or
te a
d
ar
amend information held on customers Social
u
Media accounts.
Acc
5. What are the retention periods for In line with SLC’s Information & Retention Policy.
the personal information and how
will this be implemented?
(Please link / embed a retention
schedule if appropriate)
6. Are there any exceptional
Where fraud is identified, data on these specific
circumstances for retaining certain customers may be kept for longer than non-
n
o
data for longer than the normal
ti
fraudulent cases.
period?
7. How will information be
The data will not be anonymised.
Reten
anonymised For use in non-
production environments
n
n
o
o
8. Will data be deleted after it is no
Yes, as per company policy.
ti
ti
longer required & how will this be
ten
ten
Delivered / monitored
Re
Re
&
&
e
g
e
9. If not covered by the Corporate
Covered - Notes will be applied to the customer’s
a
g
r
ar
l
DSAR Process, how will you
to
a
account and any action taken will be added to the
S
toS f the u
o
d
action requests from individuals
s
i
CFS database where details can be extracted from
t
vi
h
d
(or someone acting on their
g
n
if necessary. Full Audit trail captured.
i
Ri
behalf) for access to their
personal information once held?
d
s
10. If not covered by a corporate
N/A
n
e
a
r
approach, have you identified a
l
us
ac
a
requirement for additional Data
i
e
n
h
m
Handling? If so what is the
c
lan
anticipated nature of the training
oi
te te
t
or awareness?
ai
a
r
si
11. Is there a documented Risk
Data not being transferred
p
n
o
a
r
g
Assessment (Security Review)
r
o
this has identified and residual
App
Security Risks?
l
12. For any personal data
Data not being transferred
a
g
e
n
ni
g
r
d
A
transferred out with SLC
n
u
E
a
te
l
E
boundaries , has the Corporate
h
n i cni
Data Transfer Process and Form
Exc
th
l
f the
been used and logged in the
&
bo
o
s
s
e
s
r
d
Data Transfer Tracker (held by
e
i
fe
terna
s
ex
ts
u
the Information Governance &
Acc
na d
r
n
o
Compliance Team)
T
a
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 16 of 21
The Student Loans Company Ltd
13. Will personal data be transferred Data not being transferred
to a country outside of the
European Economic Area?
If yes has the transfer been
logged on the SLC Cloud /
Offshore Tracker?
14. Where a new 3rd party is being
N/A
s
introduced or there is a change
eit
to existing 3rd party
r
Pa
arrangements, has commercial
rd
governance and due diligence
3
been conducted?
15. If there is an identified High Risk
N/A
g
ni
that it appears cannot be
s
s
n
mitigated, SLC must consult the
ec
o
o
ti
Information Commission Office
r
d
e
ta
P
l
(ICO) prior to commencement of
s
e
u
s
N
s
e
n
the activity.
ni
o
s
C
Please provide a summary of the
u
B
outcome of that consultation if
applicable.
16. If not comprehensively answered No new IT system being introduced.
n
oi
in 3.5.1, provide details of any
ta
y
ci
g
new information technology
fi
ol
s
systems being introduced.
s
o
a
n
l
h
C
ce
ta
T
Da
4.4 DPIA – Remaining unknowns
4.4.1 Are there any remaining unknowns?
Answer:
Please provide details for ‘yes’ answers
No
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 17 of 21
The Student Loans Company Ltd
4.5 Privacy issues identified and risk analysis
4.5.1 Guidance on SLC Risk Management Framework
Guidance on SLC’s Governance & Information Risk Management framework can be found on SLC Document
Control System (see ‘Related Documents’ section 4.7):
Notes:
You can use your answers from section 4.1 to identify privacy risks
The attached spreadsheet may be helpful when calculating and documenting Risk
Risk Assessmentr
matrix DPIA 1.0.xlsx
4.5.2 Document the Privacy and related risks and mitigations
Complete the following table to document the risks, their Rating and Mitigations:
4.5.2.1 RISK tracker
Ref
Risk
RISK Description
Mitigation
rating
1
Low
Customer Concern - Selection Process for
Sample Checking - Methodology ensures customers are selected
undertaking Social Media Checks
at random and clear reasons are given for undertaking the
activity.
Fraud Referral – Social Media checks may be conducted where
concerns around suspected fraud are raised from either internal
or external sources.
Privacy Notices to be updated to reflect checks which may be
undertaken.
For Projects:
Privacy risks should be documented in the Project ARIAD and the ARIAD should be embedded here clearly
calling out the Privacy Risk lines.
Mitigations for Privacy risks should be documented in the Project ARIAD and replicated here.
Mitigations must be Integrated into the DPIA outcomes into the project plan
Information privacy and risks documented in project level ARIAD log. Signposts to the most recent version of
DPIA must be recorded.
Any actions as a result of this DPIA must be managed by the project manager as part of project.
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 18 of 21
The Student Loans Company Ltd
4.6 RESULTS / CONCLUSION/ OUTCOME
As a result of this DPIA the risk summary is:
LOW - to be treated by existing CFS processes around investigation techniques and customer selection.
Complete DPIA statement and update ‘Current Status’ on page 3.
Completed DPIA should me emailed to the Data Protection Office
(xxx@xxx.xx.xx) A DPIA must be and reviewed and signed off by the Information Asset Owner.
At Project Close Down any residual privacy risks in the ARIAD must be transferred to the Data Governance
Risk Register (Held by the Information Governance & Compliance Team)
If a high risk is identified that cannot be mitigated then the Information Commission Office (ICO) must be
consulted before commencing with delivery. (The Information Commission Office (ICO) will give SLC written
advice within eight weeks, or 14 weeks in complex cases. They may also issue a formal warning not to process
the data, or ban the processing altogether.)
4.7 Related Documents
Document Description
Link
Governance & Information Risk Management
POL-15-051 IA Governance & Information Risk
Framework
Management Framework
5. Appendices
5.1 Appendix A – Lawful Processing
What are the lawful bases for processing?
The SLC privacy notice sets out SLC’s legal basis for processing personal information.
You can find the Privacy Notice on the following URL: https://www.slc.co.uk/about-us/privacy-notice.aspx
Any processing outside of this basis
MUST be escalated to Information Asset Owner (IAO) & Data Protection
Office (DPO) & legal team for further guidance before proceeding further
GDPR: legislation article
Article 6
(a) Consent: the individual has given clear consent for you to process their personal data for a specific
purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have
asked you to take specific steps before entering into a contract.
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 19 of 21
The Student Loans Company Ltd
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual
obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task:
the processing is necessary for you to perform a task in the public interest or for your
official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate
interests of a third party unless there is a good reason to protect the individual’s personal data which
overrides those legitimate interests. (This cannot apply if you are a public authority processing data to
perform your official tasks.)
5.2 Appendix B – Personal Information Definition
GDPR definition of personal information and Sensitive personal information:
GDPR Personal Data definition Examples
Name
Address
Date of Birth
National Identification Number
Location data (electronic or otherwise)
Online identifier i.e. email address and IP address
Mobile device ID
Physical data
Physiological data
Genetic data
Mental data
Economic data
Cultural data
Social identity data
Passport Number
Driving License Number
Employee ID
Customer Reference Number
GDPR Sensitive Personal Data definition Examples
Racial Origin
Ethnic Origin
Political Opinions
Religious Beliefs
Philosophical Beliefs
Trade Union membership
Genetic data
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 20 of 21
The Student Loans Company Ltd
Biometric data
Health data
Sex Life
Sexual Orientation
Criminal convictions/offences
5.3 Appendix C – 3rd party considerations
Any change to an existing 3rd party agreement, or engagement with a new 3rd party, where SLC shares Personal
Information SLC is required to complete commercial governance and due diligence before implementing or amending a
contractual agreement
For example
Roles and responsibilities i.e. who is the Data controller, data processor, sub-processors etc
For what purpose is the data sharing taking place - not sufficient to say it is under a contract. A high level
statement is needed, detailing what the contract would be for and why the data sharing is necessary to facilitate
delivery of the contracted service
What data is moving about e.g. Name, N.I.? No, D.O.B etc. I.e. Specifically attributed labels are required. It’s
sufficient to specify headings such as; "personal identifiers" or "government identifiers"
The category of data subject this sharing relates to i.e. is it SLC Customers, SLC employees etc
Data retention - how long does it need to be held for and what happens at contract end i.e. There is a need to
understand the intended exit strategy.
TEM-18-004 Data Protection Impact Assessment (DPIA) Template
OFFICIAL
Page 21 of 21
The Student Loans Company Ltd