Privacy and data protection
Data Protection Impact Assessment
[Insert name of project]
SPD-Privacy
A Data Protection Impact Assessment (‘DPIA’) is required when a new project or procedure will materially affect how the Bank
processes information that relates to individuals. The purpose of this assessment is to identify possible risk sources to individuals’
privacy, to put forward mitigating actions to reduce or eliminate this risk, and to record how these have been taken forward.
A DPIA is required in high risk circumstances prescribed by the General Data Protection Regulation (Article 35) and associated
guidance. Where risks cannot be mitigated, it may be necessary to engage the Information Commissioner’s Office.
3. SCOPE
This assessment is limited in scope to the [PROJECT], which covers the [DESCRIPTION (SPECIFY BUSINESS AREAS AFFECTED, HOW)]. This PIA should be read in conjunction with documents related to this project.
This document is based on information provided by the project owners as at [DATE], and the actions and conclusions included may no longer be valid should any part of the process materially change.
The following are outside the scope:
Drafting note: Include any Code of Conduct/Certification Scheme that the Bank has signed up to which is relevant to the project scope.
Bank of England
4. INFORMATION FLOWS
8. LEGAL DIRECTORATE
DPIA reviewed by:
Date reviewed:
Comments:
Legal Directorate views should be sought on all PIAs. The Legal Directorate contact should complete this box, even if only to confirm that Legal Directorate have no comments or that their views have been reflected in the PIA. Where Legal Directorate disagrees with a proposal, or where there are significant legal issues, a summary of its views must be included.
9. REFERENCES
European Data Protection Board, Guidelines on Data Protection Impact Assessment and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679
ICO, Guide to the General Data Protection Regulation – Data Protection Impact Assessments: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/how-do-we-carry-out-a-dpia/
ICO, Conducting privacy impact assessments code of practice: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
Data Protection Act 2018 (UK): http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
Version History

Description/Change | Version | Date | Author | Summary

Review History

Version | Date | Reviewer | Department/Role | Comments
INITIAL ASSESSMENT OF PIC BY SPD PRIVACY
Condition | Outcome
C Rating is 5 | Presumed DPIA required
C Rating is 4 or above and 12 is checked | Presumed DPIA required
C Rating is 3 or above and 9 is checked | Presumed DPIA required
13 and 16 are checked | Presumed DPIA required
14 is checked | Presumed DPIA required
C Rating is 3 or above and 17 is checked | Presumed DPIA required
17 is checked | Optional, for review in the circumstances
15 is checked | Optional, for review in the circumstances (eg. staff, non-staff and expectations of CCTV use)
C Rating is 4 or above | Optional, for review in the circumstances
C Rating is 3 or above and 12 is checked | Optional, for review in the circumstances
C Rating is 3 or above and 16 is checked | Optional, for review in the circumstances
Any of 1-9 is checked and the C Rating is 1 or 2 | Privacy review or compliance advice (unless DPIA also triggered)
Any of 1-9 is checked and the C Rating is 3 | Discretion with privacy team as to whether a privacy review or a PIA (unless DPIA also triggered)
Any of 1-9 is checked and the C Rating is 4 or above | PIA required (unless a DPIA is also triggered)
Is a full PIA or DPIA required?
Summarise why you identified the need for a PIA:
Confirmation by SPD-Privacy:
Date: