Profile information Member settings
Logout
Sign up Sign in

What is a DPIA?

Data protection impact assessment (DPIA) is a process designed to help organisations identify and minimise the data protection risks of a project. When the processing (eg obtaining or recording) of personal data  (eg names and addresses) is likely to result in a high risk to individuals, a DPIA needs to be completed.

The processing of special category 'sensitive' personal data (eg information about racial/ethnic origin, political opinions or sexual life) is given greater protection than other types of personal data. This means that further conditions for processing need to be met and recorded in a DPIA. For more information, read Data protection impact assessments and Compliance for DPIAs.

Substantial public interest

Substantial public interest is one of the conditions for the processing of special category personal data. The processing must be necessary for reasons of substantial public interest. Being of ‘substantial public interest’ means that the public interest needs to be real and of substance. Read Compliance for DPIAs for more information. Being ‘necessary’ doesn’t mean that the processing has to be absolutely essential, but it must be more than useful or habitual. It must also be a reasonable and proportionate way of achieving the purpose, and the organisation must not use more data than they need.

For an organisation to be able to rely on the condition of substantial public interest, certain ‘associated conditions’ need to be met.

What are the associated conditions?

If the substantial public interest condition is relied upon, the organisation will also need to meet at least one of the 23 associated conditions set out below:

Statutory and government purposes

The processing is necessary for reasons of substantial public interest and for the exercise of a function:

  • given to a person by an enactment or rule of law

  • of the Crown, a Minister of the Crown or a government department

Administration of justice and parliamentary purposes

The processing is necessary for:

  • the administration of justice

  • the exercise of a function of either House of Parliament

Equality of opportunity or treatment

This is where the processing is of a specified category of personal data that identities groups of people in relation to that data, and includes personal data:

  • revealing racial/ethnic origin (ie people of different racial or ethnic origins)

  • revealing religious/philosophical beliefs (ie people holding different religious or philosophical beliefs)

  • concerning health (ie people with different states of physical or mental health)

  • concerning an individual’s sexual orientation (ie people of different sexual orientation)

The processing must also be necessary to identify or review the existence/absence of equality of opportunity or treatment between the groups of people specified in relation to the category of personal data to enable such equality to be promoted/maintained.

Racial and ethnic diversity at senior levels

The processing is of personal data revealing racial/ethnic origin and:

  • is carried out to identify individuals to hold senior positions in organisations (ie either a specific organisation, a type of organisation or organisations generally), and

  • is necessary to promote/maintain diversity in the racial and ethnic origins of individuals holding senior positions in organisations, and

  • can reasonably be carried out without the consent of the data subject (ie the individual the data relates to). This is the case if:

    • the organisation cannot reasonably be expected to obtain the consent of the data subject, and

    • the organisation is not aware of the data subject withholding consent

Senior positions in an organisation include:

  • directors, secretaries or similar corporate officers

  • members of a limited liability partnership

  • a partner in a partnership, a limited partnership or an entity of a similar character formed outside the UK

  • someone involved in senior management (ie someone who plays a significant role in making decisions about how the organisation’s activities are to be managed or in the actual managing of those activities)

Preventing or detecting unlawful acts

The processing is necessary for the purposes of the prevention or detection of an unlawful act and:

  • is carried out without the data subject’s consent in order to not prejudice those purposes, and

  • is necessary for reasons of substantial public interest

Protecting the public

The processing is necessary for the exercise of a protective function. This is an action intended to protect members of the public against:

  • dishonesty, malpractice or other seriously improper conduct

  • unfitness or incompetence

  • mismanagement in the administration of a body or association

  • failures in services provided by a body or association

The processing must also be carried out without the data subject’s consent in order to not prejudice the exercise of that function and must be necessary for reasons of substantial public interest.

Regulatory requirements

The processing is necessary for reasons of substantial public interest and necessary to comply with (or assist others to comply with) a regulatory requirement involving a person taking steps to establish whether another person has:

  • committed an unlawful act

  • been involved in dishonesty, malpractice or other seriously improper conduct

In these circumstances, the organisation cannot reasonably be expected to obtain the consent of the data subject to the processing.

Journalism, academia, art and literature

The processing:

  • consists of the disclosure of personal data for journalistic, academic, artistic or literary purposes

  • is carried out in connection with any of the following (whether alleged or established):

    • a person's commission of an unlawful act

    • a person’s dishonesty, malpractice or other seriously improper conduct

    • a person’s unfitness or incompetence

    • mismanagement in the administration of a body or association

    • a failure in services provided by a body or association

  • is necessary for reasons of substantial public interest

  • is carried out with a view to the publication of the personal data by any person, and

  • the organisation reasonably believes that the publication of the personal data is in the public interest

Preventing fraud

The processing is necessary to prevent fraud or a particular kind of fraud and:

  • the personal data is disclosed by a member of an anti-fraud organisation

  • the personal data is disclosed in accordance with arrangements made by an anti-fraud organisation

  • the personal data is processed after being dislocated by a member of or in accordance with arrangements made by an anti-fraud organisation

An anti-fraud organisation is any body corporate, unincorporated association or other person that enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has the prevention of fraud or any kind of fraud as its purpose (or one of its purposes).

Suspicion of terrorist financing or money laundering

Where the processing is necessary to make a disclosure in good faith under the:

  • Terrorism Act 2000 - this is disclosure between certain entities within the regulated sector in relation to suspicion of commission of terrorist financing offence or to identifying terrorist property

  • Proceeds of Crime Act 2002 - this is disclosure within the regulated sector in relation to suspicions of money laundering

Support for individuals with a particular disability or medical condition

The processing: 

  • is carried out by a not-for-profit body providing support to individuals with a disability or medical condition

  • if the type of data being processed is personal data:

    • revealing racial/ethnic origin

    • revealing genetic data

    • revealing biometric data

    • concerning health

    • concerning an individual’s sex life/sexual orientation

  • is necessary to:

    • raise awareness of the disability or medical condition, or

    • provide support to (or enable individuals to provide support to) individuals who have: 

      • the disability/condition mentioned 

      • had that disability or condition or 

      • a significant risk of developing that disability or condition

  • is necessary for reasons of substantial public interest, and 

  • can reasonably be carried out without the consent of the data subject. This is the case if:

  • the organisation cannot reasonably be expected to obtain the consent of the data subject, and

  • the organisation is not aware of the data subject withholding consent

Counselling

The processing is:

  • necessary to provide confidential counselling, advice, support or other similar confidential service

  • necessary for reason of substantial public interest, and

  • carried out without the consent of the data subject for one of the following reasons:

    • where, in the circumstances, the data subject cannot consent to the processing

    • where, in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the provision of the confidential (counselling) service

Safeguarding of children and individuals at risk

The processing is:

  • necessary to protect:

    • an individual from neglect or physical, mental or emotional harm

    • the physical, mental or emotional wellbeing of an individual

  • related to an individual under 18 or over 18 and at-risk (eg because they have care/support needs or is experiencing neglect)

  • necessary for reasons of substantial public interest, and

  • carried out without the consent of the data subject for one of the following reasons:

    • where, in the circumstances, the data subject cannot consent to the processing

    • where, in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the protection of the individual

Safeguarding of economic wellbeing of certain individuals

The processing is:

  • necessary to protect the economic wellbeing of an individual at economic risk who is over 18 (ie anyone less able to protect their economic wellbeing by reason of physical or mental injury, illness or disability)

  • of personal data concerning health

  • necessary for reasons of substantial public interest, and

  • carried out without the consent of the data subject for one of the following reasons: 

    • where, in the circumstances, the data subject cannot consent to the processing

    • where, in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the protection of the individual

Insurance

The processing is:

  • necessary for an insurance purpose, including:

    • advising on, arranging, underwriting or administering an insurance contract (ie a general- or long-term insurance contract)

    • administering an insurance claim

    • exercising a right (or complying with an obligation) arising in connection with an insurance contract

  • of personal data revealing racial/ethnic origin, religious/philosophical beliefs, genetic data/data concerning health or trade union, and

  • necessary for reasons of substantial public interest

Where: 

  • the processing isn’t carried out for the purposes of measures or decisions with respect to the data subject, and

  • the data subject doesn’t have and isn’t expected to acquire:

    • rights against (or obligations in relation to) a person insured under an insurance contract to which the insurance purpose  above apply

    • other rights or obligations in connection with such a contract

The processing doesn’t meet the conditions for processing for insurance purposes unless, in addition to meeting the conditions for insurance processing, it can reasonably be carried out without the consent of the data subject. This is the case if:

  • the organisation cannot reasonably be expected to obtain the consent of the data subject, and

  • the organisation is not aware of the data subject withholding consent

Occupational pension

If the processing:

  • is necessary to make a determination in connection with eligibility for (or benefits payable under) an occupational pension scheme

  • is of data concerning health, relating to the data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme, and

  • can reasonably be carried out without the consent of the data subject. This is the case if:

    • the organisation cannot reasonably be expected to obtain the consent of the data subject, and

    • the organisation is not aware of the data subject withholding consent

Political parties

The processing is:

  • of personal data revealing political opinions

  • carried out by a person/organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and

  • necessary for the purposes of the person’s or organisation’s political activities (include campaigning, fund-raising, political surveys and case-work)

The processing does not meet the above conditions:

  • if it is likely to cause substantial damage or substantial distress to a person, or

  • the data subject (or one of the data subjects) gives notice in writing to the organisation requiring them not to process their personal data (and has not given notice in writing withdrawing that requirement), and

  • the notice gave the organisation a reasonable period in which to stop processing such data, and

  • that notice period has ended

Elected representatives responding to requests

The processing is:

  • carried out: 

    • by an elected representative (eg a member in the House of Commons, the Mayor of London or a police and crime commissioner) or a person acting with the authority of such a representative

    • in connection with the discharge of the elected representative’s functions

    • in response to a request by an individual that the elected representative take action on behalf of the individual, and

  • necessary for the purposes of (or in connection with) the action reasonably taken by the elected representative in response to that request

Where the request is made by someone other than the data subject, the above conditions are met only if the processing must be carried out without the data subject’s consent for one of the following reasons:

  • where, in the circumstances, the data subject cannot consent to the processing

  • where, in the circumstances, the elected representative cannot reasonably be expected to obtain the data subject’s consent to the processing

  • where obtaining the data subject’s consent would prejudice the action taken by the elected representative

  • the processing  is necessary in the interests of another individual and the data subject has withheld consent unreasonably

Disclosure to elected representatives

This condition is met if the:

  • processing consists of the disclosure of personal data:

    • to an elected representative (eg a member in the House of Commons, the Mayor of London or a police and crime commissioner) or a person acting with the authority of such a representative, and

    • in response to a communication to the organisation from that representative which was made in response to a request from an individual

  • personal data is relevant to the communication’s subject matter, and

  • disclosure is necessary for responding to that communication

Where the request to the elected representative is made by someone other than the data subject, the above conditions are met only if the disclosure must be made without the data subject’s consent for one of the following reasons:

  • where, in the circumstances, the data subject cannot consent to the processing

  • where, in the circumstances, the elected representative cannot reasonably be expected to obtain the data subject’s consent to the processing

  • where obtaining the data subject’s consent would prejudice the action taken by the elected representative

  • the processing  is necessary in the interests of another individual and the data subject has withheld consent unreasonably

Informing elected representatives about prisoners

This condition is met if the:

  • processing is of personal data about a prisoner for the purpose of information a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and

  • member is under an obligation not to further disclose the personal data

Publication of legal judgments

The processing:

  • consist of the publication of a judgment (or other decision of a court or tribunal)

  • is necessary for the purposes of publishing such a judgment (or decision)

Anti-doping in sport

The processing is necessary for the purposes of:

  • measures designed to eliminate doping (including includes measures to identify or prevent doping) which are undertaken by (or under the responsibility of) a body/association responsible for eliminating doping in a sport, at a sporting event or in sport generally

  • providing information about doping, or suspected doping, to such a body/association

Standards of behaviour in sport

The processing:

  • is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event

  • must be carried out without the data subject’s consent so as not to prejudice those purposes, and

  • is necessary for reasons of substantial public interest

‘Measures designed to protect the integrity of a sport or a sporting event’ means measures to protect a sport of sporting event against:

  • dishonesty, malpractice or other seriously improper conduct

  • failure by someone participating in the sport or event (in any capacity) to comply with behaviour standards set by a body/association with responsibility for the sport or event

 

For some of the above conditions, an Appropriate policy document (APD) must be in place at the time of processing. For more information, read Appropriate policy documents and the ICO’s guidance on substantial public interest.

If you have any questions or require assistance, Ask a lawyer.


Ask a lawyer

Get quick answers from lawyers, easily.
Characters remaining: 600
Rocket Lawyer On Call Solicitors

Try Rocket Lawyer FREE for 7 days

Get legal services you can trust at prices you can afford. As a member you can:

Create, customise, and share unlimited legal documents

RocketSign® your documents quickly and securely

Ask any legal question and get an answer from a lawyer

Have your documents reviewed by a legal pro**

Get legal advice, drafting and dispute resolution HALF OFF* with Rocket Legal+

Your first business and trade mark registrations are FREE* with Rocket Legal+

**Subject to terms and conditions. Document Review not available for members in their free trial.