The purpose of this policy is to provide a template privacy impact assessment (“PIA”) to be used by Prive Clinics (Teeth n Gums) on an ongoing basis, as necessary. This policy also explains when to conduct a PIA.
Prive Clinics (Teeth n Gums) will ensure that it determines when a PIA is required and completes the PIA, with input as necessary from colleagues and teams.
To meet the legal requirements of the regulated activities that Prive Clinics (Teeth n Gums) is registered to provide:
General Data Protection Regulation (EU) 2016/679
Data Protection Act 2018
The following roles may be affected by this policy:
The following people may be affected by this policy:
The following stakeholders may be affected by this policy:
External health professionals
The objective of this policy is to ensure Prive Clinics (Teeth n Gums) considers the potential data protection and GDPR implications of any new processes or systems it introduces, or of any changes that impact on its processing of personal data.
By reviewing and utilising the form set out in this policy Prive Clinics (Teeth n Gums) will be able to provide evidence of the decisions it has taken and changes it has made that may impact on the processing it carries out.
Prive Clinics (Teeth n Gums) understands that a PIA will enable it to identify and minimise the risks of any project it wishes to carry out.
Prive Clinics (Teeth n Gums) understands that PIAs must be conducted for specified types of processing (listed in the Procedure section below) as well as for processing that may result in a high risk for affected individuals.
Prive Clinics (Teeth n Gums) understands that a PIA should:
Describe the processing nature, scope, context and purpose;
Assess whether the processing is necessary and proportionate and complies with the GDPR;
Identify and assess risks to affected Data Subjects; and
Identify the measures needed to address those risks.
Prive Clinics (Teeth n Gums) understands that if a PIA identifies that the processing may be high risk and it is unable to take steps to mitigate those risks, it must consult the ICO before the processing begins and seek the ICO’s advice as to whether it should carry out the processing.
Prive Clinics (Teeth n Gums) will implement a process for deciding whether a PIA is necessary and, if so, the steps that it will take to conduct the PIA. Prive Clinics (Teeth n Gums) will use the form attached to this policy when conducting a PIA.
Prive Clinics (Teeth n Gums) will provide training to its employees about when a PIA is necessary and how to conduct a PIA.
Prive Clinics (Teeth n Gums) will conduct PIAs in the following scenarios:
Where Prive Clinics (Teeth n Gums) intends to use systematic and extensive profiling or automated decision-making to make significant decisions about Data Subjects
Where personal data relating to children will be processed for profiling or automated decision-making, for marketing purposes, or in order to offer online services directly to children
Where Prive Clinics (Teeth n Gums) will process special categories of data or criminal offence data on a large scale
Where Prive Clinics (Teeth n Gums) intends to monitor a publicly accessible place on a large scale
Where new technologies are introduced by Prive Clinics (Teeth n Gums) that may impact on its processing activities
Where Prive Clinics (Teeth n Gums) intends to process biometric or genetic data
Where Prive Clinics (Teeth n Gums) intends to combine, compare or match personal data from multiple sources
Where the processing will involve tracking individuals’ behaviour (whether online or offline)
Where the processing could result in physical harm to individuals if there is a breach of security
Prive Clinics (Teeth n Gums) will consider carrying out PIAs in the following circumstances, as well as in any other circumstances which Prive Clinics (Teeth n Gums) considers to be potentially high risk:
Where Prive Clinics (Teeth n Gums) processes special categories of data or personal data of a highly personal nature
Where Prive Clinics (Teeth n Gums) conducts large-scale processing; and
Where the processing concerns vulnerable Data Subjects
Prive Clinics (Teeth n Gums) acknowledges that because of the types of services it provides, it may need to conduct PIAs on a regular basis to ensure that Data Subjects, including Patients, are protected.
Prive Clinics (Teeth n Gums) will also conduct a PIA if the nature or purpose of the processing it carries out changes.
Prive Clinics (Teeth n Gums) will document the steps taken as part of the PIA and the outcomes in line with the form attached to this policy.
Prive Clinics (Teeth n Gums) will take any steps it identifies as being necessary to mitigate risks associated with the processing and will document the steps taken and the outcome of those steps.
Data Subject
The individual about whom Prive Clinics (Teeth n Gums) has collected personal data.
Data Protection Act 2018
The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection law in the UK. It supplements the General Data Protection Regulation and implements the EU Law Enforcement Directive.
GDPR
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and, after a two-year transition period, became enforceable on 25 May 2018.
ICO
The Information Commissioner’s Office, the UK’s independent regulator for data protection.
Personal Data
Any information relating to an identified or identifiable living person, including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV footage and special categories of data, defined below.
PIA
A Privacy Impact Assessment, also known as a Data Protection Impact Assessment (DPIA).
Process or Processing
Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data: at the point you collect it, you are processing it.
Special Categories of Data
Broadly equivalent to “Sensitive Personal Data” under the former Data Protection Act 1998. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services), genetic and biometric data, and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views.
Key Facts – Professionals
Professionals providing this service should be aware of the following:
All staff should be made aware of how GDPR impacts on their role and ensure that they know who in the Prive Clinics (Teeth n Gums) organisation has overall responsibility for data protection
A PIA is essentially a risk assessment of proposed processing of personal data. If Prive Clinics (Teeth n Gums) intends to process personal data in a way that is likely to result in a high risk to Data Subjects’ rights and freedoms, a PIA must be carried out before that processing begins.
A six-step process maps the lifecycle of the personal data in order to establish: the provenance of the data, the manner of the processing involved, the location of the processing, the relevant stakeholders and the deletion/anonymisation process
Key Facts – People Affected by The Service
People affected by this service should be aware of the following:
PIAs will be conducted by Prive Clinics (Teeth n Gums) to ensure that if its processing of personal data changes, any associated risks will be understood and acted upon
There is no further reading for this policy, but we recommend the ‘Underpinning Knowledge’ section of the review sheet to increase your knowledge and understanding.
To be ‘Outstanding’ in this policy area you could provide evidence that:
You have implemented a PIA policy and all staff are aware of the potential need to conduct a PIA