DPIA
General goal and planning
As a part of the ethics management in DE4A, the project is required to provide a data protection impact assessment (DPIA), that satisfies the requirements of European data protection law (principally the GDPR).
This is not a formal deliverable, but delivery was a recommendation in our ethics review, and DE4A has committed to provide it.
A DPIA must contain:
(a) a systematic description of the envisaged processing operations and the purposes of the processing
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes
(c) an assessment of the risks to the rights and freedoms of data subjects
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR
The wiki will be used principally to collect inputs on points c and d; points a and b can be based on existing deliverables.
Timeline
Given that the DPIA is not a formal deliverable, there is some flexibility. However, in order to be useful, the DPIA should be done by mid December at the latest. This will also allow its content to be re-used in the deliverable D7.2 (Initial Report on legal and ethical recommendations and best practices), which must be submitted by the end of December.
For that reason, the following timeline will be followed:
| Step | Description | Deadline |
|---|---|---|
| 1 | Initial wiki set-up - collecting initial inputs from prior deliverables | 5/11/2021 |
| 2a | Draft inputs collected from pilot participants and Member States | 26/11/2021 |
| 2b | WP7 team collects data on points a and b of the DPIA (see introduction above) | 26/11/2021 |
| 3 | WP7 bundles, reviews and completes first draft DPIA, containing all four points above | 5/12/2021 |
| 4 | Draft is circulated to pilot participants and Member States | 6/12/2021 |
| 5 | Feedback and review | 13/12/2021 |
| 6 | Finalisation | 17/12/2021 |
Current inputs on data protection risks
This section summarises current inputs on the risks to the rights and freedoms of data subjects (needed for point d above). The table should be concise - the goal is to collect inputs, not to draft the DPIA here.
All DE4A partners may provide inputs and suggestions. Examples of risks include (but are not limited to):
- illegitimate access to data (loss of confidentiality);
- unwanted change (loss of integrity);
- disappearance (loss or corruption) of data(loss of availability);
- disproportionate collection of data;
- unlawful monitoring or crosslinking of data
- inadequate transparency on data collection, use or access
- disregard of data subject rights (loss of access or deletion rights)
- unlawful data sharing or re-use
- disproportionate retention
However, for the avoidance of doubt:
- a DPIA should identify risks for data subjects. Risks for systems, data, or public administrations can be included only if they are presented from the perspective of the data subject. E.g. rather than saying "the government database could be corrupted", consider saying "the citizen's data could get corrupted"; rather than saying "the servers could go offline", consider saying "the citizen may not be able to use the e-government service".
- when describing risks, the fact that other Member States lawfully use data differently than in the citizen's home country is not a risk. E.g. if data is retained for 5 yeas and cannot be shared with other administrations in Member State A, but Member State B allows retention for 20 years and sharing with designated other administrations, that is not considered a risk, since it is lawful and remains within the confines of the GDPR.
| Description of the data protection risk | Risk type | Likelihood of the risk (low, medium, high | Severity of the impact (low, medium, high) | Applicable to all pilot areas, or specific to a pilot? |
|---|---|---|---|---|