Digital Data Protection Impact Assessment (DPIA) ALPHA

Project details:

Organisation: Greater Manchester Combined Authority
Department: Digital - Information Governance
Collaboration Level: Share Ideas
Budget: £50K > £100k
Key Contact: Stephen Girling
Phase start: 03 December 2018
Phase Estimated end: 22 May 2019



Data Protection Impact Assessments (DPIAs) are a requirement of data protection legislation but are seen as an intensive and onerous process. We know a range of templates are currently used, resulting in a complicated and fragmented approach, particularly across partnerships. Challenges include processes that are reliant on a small number of specialist staff, causing capacity issues. Processes are not user friendly enough to enable general staff to complete them, and there is a lack of confidence and understanding to answer key questions appropriately. There are issues around document control, including tracked changes and responses to Data Protection Officer recommendations. A more coherent approach to access and storage is also needed: DPIAs are living documents, and a central repository will allow ease of access across delivery teams and the sharing of best practice. There is also the opportunity to reduce duplication by ensuring information collated through DPIA processes is used to support complementary processes, e.g. risk registers and risk identification.

Our solution is the creation of a universal and compliant Digital DPIA Tool to empower and support staff. It will also support the generation of a privacy risk register, an aspect that has been highlighted as a challenging area of work.

At a basic level, success would be the creation of an easy-to-use product with minimal IT support, hosting costs and training requirements that would be used with GM and has the potential to be used at scale. It would mean creating a more ergonomic and user-friendly DPIA process that all staff feel comfortable with, and providing crucial technical support; saving partners time and capacity, but ultimately removing barriers to the creation of compliant DPIAs; and supporting a culture shift that meets the legal requirement of ‘data protection by design and by default’. Success would be measured by user engagement, key partner feedback and ultimately through the quality of DPIAs produced with GM.




Status Updates

05 April 2019

  • Stephen Girling

    Project Update Friday 5th April

    This week Peter and I attended the LocalGovDigitalCamp North West event in Manchester. We were invited along to give a presentation on the Digital DPIA project. 

    It was great to give people an overview of the project and what we are looking to achieve. The reaction from the attendees was warm with many paying their compliments to the presentation throughout the day. 

    I chatted to one person whose experience of DPIAs reflected very much the people we have spoken to: they are long, hard work, hard to understand and go endlessly back and forth before they are approved. He stressed how good it would be for there to be guidance within a DPIA which explains what the more complex questions mean and prompts what the user should be thinking of when they complete the form. It is reassuring that we have already considered this and worked it into our development but it is always good to hear from different people the issues we are addressing.

    Another person I spoke to asked me if I had knowledge of a specific DPIA being completed for a particular type of processing. It wasn’t something I was familiar with; however, this led to us chatting about how it might be good if it was possible to access existing DPIAs that had been completed for a particular system or type of processing to give people a head start on completing their own. I mentioned this kind of functionality currently exists in the Information Sharing Gateway for Sharing Agreements and it is an intriguing idea for the later phases of this project to look to build a similar functionality or perhaps a stock library of DPIAs. No doubt there are a lot of things to consider with the actual practicalities of this but as a suggestion for consideration, I found it very interesting.

    Along with ourselves there was a mixture of speakers on the day talking in different ways about digital innovation and ways of working. A common theme running through a lot of the presentations was keeping people, whether that be staff, residents or customers, at the heart of what we are doing. It was perhaps summarised best by Vimla Appadoo from FutureGov who said "Digital is the journey, not the outcome."

    There was a consistent message from a number of speakers regarding taking an Agile approach to digital. The idea of working iteratively, having a big vision but starting small to achieve it, not being afraid to fail, and being able to work in small dynamic teams echoed the MHCLG approach to their Local Digital Funded projects. It seems increasingly, more and more people are moving away from traditional 'Big Bang' Waterfall approaches to an Agile approach that better facilitates changes to scope, and also the ability to stop a project if it is not working without huge financial implications. Moving to a truly Agile approach requires a top down system change and so for now we find ourselves in a hybrid world of agile delivery but often with the requirement for the more traditional styles of project governance. I am sure though, that we are all on a journey and over time Agile will become the normalised way of working.

    I enjoyed staying for the remainder of the day to attend the workshops in the afternoon. I particularly enjoyed a lively discussion regarding Councils having a Digital Strategy as this was very relevant to some other work me and my team are doing regarding a Greater Manchester Information Strategy. The Digital DPIA will become one of the key tools that underpin this strategy so hearing people discuss what they want from a Digital strategy gave good learning to inform the Information strategy. 

    Another interesting workshop in the afternoon was a demonstration of how Kirklees Council have developed an Alexa skill so that residents can ask Alexa about their bin collections and report missed collections. This, along with advancements to AI, chatbots etc. demonstrate some exciting times ahead in this arena.

    Oh, and I also won some pretty decent Bluetooth headphones in a raffle which was a lovely bonus!

    There will hopefully be more opportunities such as this one to go to events and present on the work we are doing. I chatted to Shelley from the iNetwork and we think the Digital DPIA project could certainly be a topic at their next events.

    Development on the Digital DPIA tool continued this week with the focus being on the legal section. 

    Show and Tell sessions are planned for Tuesday 16th and Tuesday 23rd April so look out for invitations to these soon!

    If you haven't checked out the latest Digital DPIA video, do so! The link is in the post below!



    Here are some photos from the event including a particularly powerful quote from Madeleine Albright