To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. It is also good practice to do a DPIA for any other major project which requires the processing of personal data, sometimes it is a mandatory data protection requirement.
The DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
Here at University Hospitals Sussex NHS Foundation Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.
Below you will find a summary of all DPIAs carried out since 1 April 2021 following the merger of Brighton and Sussex University Hospitals NHS Trust and Western Sussex Hospitals NHS Foundation Trust. The lists will be periodically updated with new completed DPIAs but if you would like more information about our process, or those listed below, please contact [email protected]
Data Protection Impact Assessments (DPIAs) since 1 April 2021