Data protection by design and default
The Data Protection Act 2018 (DPA 2018) / UK General Data Protection Regulation (UK GDPR) places a general obligation on data controllers to adopt a data protection by design and default approach to protect the personal data they process. Controllers are required to implement appropriate technical and organisational measures to show that they have considered and integrated data protection into their processing activities. This means that the necessary safeguards have been integrated into their processing activities at the planning and development stage.
Data Protection Impact Assessments (DPIAs)
DPIAs are tools that help organisations deliver data protection by design and default by ensuring they meet the expectations of individuals regarding the security and privacy of their personal information. The DPIA process helps identify and minimise the data protection risks of a project. By law, a DPIA must be done for processing that is likely to result in a high risk to individuals, but it is good practice for assessments to be carried out for any other major projects which require the processing of personal data.
A DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
Our policy is that any change project involving personal data processing is assessed via the DPIA process. DPIAs are reviewed by our Data Protection Officer to ensure compliance with data protection requirements and approved by our Senior Information Risk Owner to ensure that suitable actions are taken to mitigate any risks identified.
Below is a summary of the DPIAs completed during the last financial year:
| Project name | Project overview | Approval date |
| --- | --- | --- |
| Cardiac diagnostic management system | ECG management system | 31/08/2023 |
| Community stroke pilot | New questionnaire functionality | 20/02/2024 |
| Procurement collaboration | Implementation of specialist Trust procurement alliance | 04/07/2023 |
| Healthcare management analysis | Analysis on step down area and telemetry beds | 14/04/2023 |
| Urgent referral dashboard | Update to existing dashboard | 07/06/2023 |
| Web application | Medical device and web application | 26/09/2023 |
| Mentoring platform | Staff mentoring software | 01/09/2023 |
| New software | Research project software | 05/07/2023 |
| Data transfer mechanism | New data transfer mechanism | 18/10/2023 |
| Content management system | Website | 01/09/2023 |
| Medical device | New clinical chemistry analyser | 11/07/2023 |
| Web application | Update to existing web application | 18/10/2023 |
| Data lake | Radiology and imaging data lake | 29/08/2023 |
| Content management system | Intranet | 29/11/2023 |
| Service amendment | New support arrangement for Friend and Family Test | 08/02/2024 |
| New service | Staff stop smoking service | 27/11/2023 |
| Analytics support | Third party analytics support and report development | 08/02/2024 |
| Web application | Recruitment system | 08/02/2024 |
| Research study | Image analysis | 08/02/2024 |
For more information about our process or completed DPIAs, please contact the Information Governance Team by email at FOIRequests@lhch.nhs.uk. Requests will be processed in line with the Freedom of Information Act 2000.