Digital data protection impact assessment (DPIA) tool

Full Application: Funded

Data Protection Impact Assessment (DPIA) are a requirement of data protection legislation but are seen as an intensive and onerous process. We know a range of templates are currently used resulting in a complicated and fragmented approach particularly across partnerships. Challenges include that process are reliant on a small number of specialist staff causing capacity issues. Process are not user friendly enough to enable general staff to complete them and there is a lack of confidence / understanding to answer key questions appropriately. There are issues around document control including tracked changes and responses to Data Protection Officer recommendations. A more coherent approach to access and storage is also need, DPIAs are living documents – A central repository will allow ease of access across delivery teams and the sharing of best practice. There is also the opportunity to reduce duplication by ensuring information collated through DPIA processes is used to support complementary processes e.g. risk registers and risk identification.

Our solution is the creation of a universal and compliant Digital DPIA Tool to empower and support staff. It will also support the generation of a privacy risk register, an aspect that has been highlighted as a challenging area of work.

At a basic level success would the creation of an easy to use product with minimal IT support, hosting costs and training requirements that would be used with GM and has the potential to be used at scale. Creating a more ergonomic and user friendly DPIA process that all staff feel comfortable with and providing crucial technical support. Saving partners time and capacity but ultimately removing barriers to the creation of compliant DPIA. Supporting a culture shift that meets the legal requirement of ‘data protection by design and by default’. Success would be measured by user engagement, key partner feedback and ultimately through the quality of DPIAs produced with GM.

We would appoint an external company to produce the digital tool product in line with our specification (we have already identified a suitable framework to aid a swift procurement process) with other elements being managed in house. Due to the nature of our users (employees) insight is embedded through the project lifespan to create a user centric approach. Our starting point will be insight on current tools and resources and identifying common challenges. This will lead into user journey testing and ultimately product testing. Aspects of this work have started and have influenced this bid.

A critical success point will be working in partnership with the Information Sharing Gateway (ISG). This web based tool (which has been audited by the ICO) enables the creation and sign off for DPIA process when sharing information and is utalised across GM. We want to build upon the ISG to avoid duplication and ensure a seamless functional approach. A key learning point for this programme and its future development is how we can integrate through an automatic programming interface. This workstrand will run alongside the tools development

An initial project plan has been developed. Key milestone include:

  • Discussion with the ISG team have already started to ensure a feasible bid.
  • Outline technical specifications are currently being created to enable swift procurement if successful (completed WC 31/1/19)
  • Creation of the tools technical content – based on legislative requirements (completed WC 10/12/18)
  • Consultations and revision of content / user journey – early 2019 (completed WC 18/2/19) to enable product testing
  • Alpha Product Testing (WC 1/4/19)
  • Competition of relevant reports including recommendations, insight and business case (WC 22/4/19)

We are confident that we will be able to provide the outputs detailed within our bid. Our aspirations is to create a product that is available for other areas to use and that can facilitate a national approach to the DPIA.

The DPIA process is a requirement of data protection legislation and therefore a lawful requirement for the projects and processes that local government undertakes. Having a simplified process will save staff time for those involved in the completion of the DPIA. Taking the time for completion down from 30 hours plus, down to an anticipated 10 or less. An analysis of the ISG showed that the implementation of this digital tool reduced the total staff time on the process from over 300 hours in total to around 24 hours plus saving around £2384 per agreement. We anticipate that a DPIA tool could have a similar benefit and saving.

Additionally having a simple approach will support a cultural change within organisations, which will support the governance of projects. Allowing the security and IG issues to be considered from the start. Reducing the financial implications of changing systems near completion. Or worse going live and suffering a breach of requirements. Also by simply undertaking the DPIA process, will ensure organisations do not leave themselves at risk of significant fines by the ICO due to none compliance with statutory requirements.

With the product being aimed at none specialist staff, it also will free up time for the IG officers in organisations. Allowing them to deal with issues that need specialist input. As well as reducing the time needed for the DPO to spend reviewing and authorising.

Further by integrating with the ISG we would further reduce duplication of effort in the projects that involve sharing. With the ISG being a nationally recognised product whose methodology we are emulating, it should support use and integration.

Having a consistent approach allows local authority areas to share their completed DPIA. This could save implementation time and duplication of work for any number of organisations. But by sharing DPIAs between areas, we can use the DPIA as a tool to improve standards locally, regionally and nationally.

GM IG Leads have already worked together to create a standard DPIA Template as it acknowledged that a consistent approach to the DPIA process was needed. However whilst technically complaint the templates have not been welcomed or adopted by general staff. This was identified anecdotally from staff feedback from those attempting to use the template, the late completion of DPIAs delaying projects and the use of alternative templates. There was also feedback from DPO’s in relation to the process of reviewing and approving DPIAs. As they are senior members of staff they are time poor and required a simpler process of notification, access and response.

Attempt were then made to find a suitable product on the commercial market. The nearest solution being the CNIL produced by the French Data Protection Regulator. Tool was reviewed by IG leads and although an excellent example of what could be achieved found it lacking in key areas. This view was support by the ICO who also pointed out that it did not support the UK Data Protection Act 2018. Although as CNIL is a free open source software package it does provide an adaptable starting point for the digital format of the resource.

In addition to this demand we know from our implementation for the ISG that this approach will work. It is generally accepted by user of the ISG that it has simplified the sharing process for them and it has been adopted with currently over 1790 DPIAs for sharing of the ISG. We have a methodology that both work and that we can integrate and build from. The ISG has also been audited by the ICO who were pleased with the product. The owners of the ISG accept this as we are looking to work with them and not replace their tool.

We are confident that the resource we create will meet the need of the sector both across GM and ultimately further afield. Providing a time effective and streamlined solution to a compliance challenge

The need for this project has already been identified and we already have established groups that will support collaboration and it’s successful delivery. The GM wide IG officer group has already done work supporting this bid. Due to our nature as the GMCA we will be working across all GM areas on this project including proactively encouraging their commitment via the Local Digital Declaration.  However, to ensure delivery we have identified Stockport as the lead partner within GM.

Other key users groups are the area DPOs whilst IT managers will be engaged via the GM IT Managers Group utilising their technical expertise and perspective as LAs on their ability to host and support any product.  None specialist staff will be engaged using our internal staff and partner area insight.

Broader usage is at the heart of the tools design and business case and anything created could be used by GM local authorities but also other council and broader public sector partners.

The benefits case – we will gather additional information from local authority IG lead and DPOs to make a like for like comparison of the old and new offering to provide a clear case of the costs saving of a streamlined process but also the cost avoidance resulting from less DPIAs being produced late or behind schedule.

User Research Report – The user journey and experience is a critical part of this project. In order to share our learning from this aspect of the project will map and highlighting key challenges and feedback given and the solutions and changes made to resolve these. We envisage much of this will not be around specific digital competencies but more surrounding the terminology and communication for Information Governance process. The sharing of this insight via report will aid colleague across local authorities with how they approach not just the creation of DPIAs but also the embedding IG within their organisation.

Implementation Model – We will provide details of the step we took to create the DPIA tool (linked to user research report) but also the initial user journey map, tool design map and prototype that accounts for all stage of the DPIA process.

Conclusion and Recommendations – outlining the recommendation and next steps required to further develop the tool into a fully working Beta project.

The LA IG leads will be a key part of our design process so our main focus for user’s engagement is LA DPOs and none IG specialist staff. As previously mentioned we will be engaging with them from the start of the project and throughout.

We want to know from users:

    • That the process is ease to engage with and understand
    • That the format leads them through the process organically.
    • Feedback and authorisation can be achieved efficiently.

With none specialist staff, we will engage to ensure that questions are appropriately word with user friendly language and terminology. Also to assess what additional help and information is required such as pop-ups and examples. We would also want to test the user journey and how it leads you through the process. Ensuring that it does not feel arduous but that still allows users to identify external areas they may need to consider. Essentially by working your way through the DPIA tool should enable a user to work through all the privacy risks they need to consider on any project.

Consultation with LA DPOs will also be undertaken. Not only building assurance that the tool meets their needs but also as part of the ergonomic testing we would want to ensure the review and authorisation process is quick and simple enough for them. Allowing them to access a DPIA and review the content and risks quickly with a mechanism for effective or authorisation.

The project has been designed to be deliverable without requiring additional support requirements. However if possible we would like to be able to benefit from:

  • Access to training and professional development for our team including agile awareness for the team as well as training in user research and service design for key staff.
  • Help with sharing our outputs with the local government sector
  • Access to the digital marketplace so we can consider the best possible range of specialist support for the tools development

We have not been grant funded for this phase of the project in the past. We have also not received funding for the initial developments of this programme. This has been done by GMCA with the support of the local authorities.