Outsourced DPO: DPIA revisited

The Outsourced DPO wrote a blog about Data Protection Impact Assessments (DPIA) last November shortly before the ICO revised their guidance. In this blog, we review the ICO’s updated guidance and share the Outsourced DPO’s experiences from auditing in the lovely Essex this week.

It is actually very easy to miss changes to ICO guidance these days because it is generally all provided on-line and is updated seemingly without any version control. As far as I can see, there is no revision date on the DPIA guidance to suggest that it changed in December. It would help if the ICO Guidance Index was up-to-date and something of a document master list indicating version and last revision date and less of a series of links to pages on their website.

Must read guidance

But this DPIA guidance is a must read for privacy professionals.

Under the heading “When do we need to do a DPIA”, the ICO states that you must do a DPIA before you begin any type of processing that is likely to result in a high risk. In practice when you commence a DPIA you won’t have assessed the types of risk nor the actual level of risk so you need to review the processing in question and screen it for factors that suggest that it might have the potential for a widespread or serious impact on individuals. Ideally your DPIA policy details your own stance on what kinds of things should be reviewed in the screening process.

The Outsourced DPO was reviewing DPIAs during an audit this week at an organisation whose policy it is to decentralise the doing of DPIAs (i.e. people who are not privacy professionals are responsible for undertaking DPIAs for operations under their responsibility). The DPIA documentation reviewed at audit showed a grave lack of understanding of privacy risk by lay-people resulting in DPIAs not being undertaken when they should be because they are filtered out in the screening process by project owners. Fortunately, these are unlikely to completely slip through the net due to the internal audit policy which incorporates a periodic review of DPIAs both those undertaken and those not undertaken.

European guidelines

The guidance goes on to say that you should consider the relevant European guidelines published in October 2017 which define nine criteria of processing operations likely to result in high risk:

  1. Evaluation or scoring, including profiling and predicting;
  2. Automated-decision making with legal or similar significant effects;
  3. Systematic monitoring;
  4. Sensitive data or data of a highly personal nature;
  5. Data processed on a large scale;
  6. Matching or combining data sets;
  7. Data concerning vulnerable data subjects ;
  8. Innovative use or applying new technological or organisational solutions;
  9. When the processing in itself prevents data subjects from exercising a right or using a service or a contract.

ICO expectations

The ICO’s guidance states that you are also required you to do a DPIA (by the ICO) if you plan to:

  • use innovative technology (in combination with any of the criteria from the European guidelines);
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data (in combination with any of the criteria from the European guidelines);
  • process genetic data (in combination with any of the criteria from the European guidelines);
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

Clearly there is some over-lap between the two lists but their contents need some consideration.

Use cases

Social Housing Providers

For example, several of our social housing clients track the location of their employees (e.g. maintenance staff and lone workers). This location tracking is subject to a DPIA regardless of its scale. They also use special category data to determine services to provide to their tenants. For example some of their tenants need adaptations to their property due to medical conditions such as grab rails, modified door handles or chair lifts. These decisions should be subject to a DPIA. Equally, in most English counties, the local authority provides a centralised system to applying for social housing. Often one person completes an application form for the family unit thereby providing the personal data of other data subjects into the application process which is then disclosed to one or more social housing providers. This “invisible processing” as the ICO calls it is also subject to a DPIA. Now these use cases are well established and would seem to be perfectly justifiable and legitimate – but it would seem that they still need to be subject to a DPIA and in my audit activities this week, there was no evidence of DPIAs being undertaken for any of these processing activities.

Social housing providers may also use personal data to predict the likelihood of payment default through services such as Experian’s Rental Exchange or Mobysoft’s RentSense. These activities require the combining of datasets from different sources and thus again, should be subject to a DPIA.

Finally, some social housing providers house offenders being released from prison. They are very aware of the importance of maintaining very tight confidentiality over such data, particularly for sex offenders. I would have said that information about such data subjects might endanger their physical safety in the event of a breach and therefore also is subject to a DPIA.

Creating Single Customer Views

During the late 90s and early noughties, the Outsourced DPO worked in the professional football industry at clubs such as Leeds United and Everton. During that time there was an emphasis on combining data sets to create a single customer view to help understand and therefore predict fan behaviour. Every night, information from retail, ticketing, lotteries, websites and other data systems was matched, deduplicated, and updated to create a “golden” record for each fan. These golden records were tagged with transactional data, communications history etc. building an individual picture of each fan picture. There were around sixty different segments of the database and this combined data used for marketing and communications purposes. I am sure that these practices have improved in the last 10 to 15 years but now are subject to a DPIA.

Facebook custom audiences

Similarly, many organisations we work with use social media marketing such as Facebook Custom Audiences and Look-a-Like audiences both of which involves combining data sets from different sources. Facebook’s data is combined with data from CRM system or web cookie data. These data sets can be used to identify particular consumer traits and create groups of data subjects known as audiences. Before embarking on this kind of processing, the ICO would expect you to have undertaken a DPIA.

Phil Brining

January 17th 2019