Document Reference: CFS/ASM/01-19

OFFICIAL

Data Protection Impact Assessment (DPIA)

OFFICIAL

Title: CFS - Accessing Social Media

Version: 1.0

Document Reference: CFS/ASM/01-19

<Report Name>

TEM-18-004 Data Protection Impact Assessment (DPIA) Template

OFFICIAL of 21 The Student Loans Company Ltd

Document Control

Status: Live

Document Version History

Date Version Author Comments

30/05/18 v1.0

Baseline template

05/06/18 v1.1 Minor updates from cascade feedback:

Fix numbering issue

Update tracker table

Add 3rd

party question (section 4.3)

Add related documents (section 4.7)

Review and Approval Register

Note: RACI = R- Responsible, A- Accountable, C-Consulted, I-Informed

Name Position RACI Role

Fiona Innes Head of Counter Fraud Services A

DPO DPO C

Information Governance Officer (GDPR) C



1. DPIA Status

1.1 Current DPIA Status:

The following DPIA statement should be completed for any change at SLC to the processing of Personal

Information (This includes operational, procedural, project driven change and changes in the relationships with 3rd

Party processors etc.)

DPIA Statement: As at 17/12/2018 a Full DPIA screening has been conducted.

The Result of DPIA Screening Questions (section 3) is:

A low level of risk has been identified and will be treated by existing CFS processes around investigation

techniques.



Contents

Document Control ............................................................................................................................ 2

1. DPIA Status ............................................................................................................................ 3

1.1 Current DPIA Status: ............................................................................................. 3

1.2 DPIA Progress Tracker for projects only ................................................................ 3

Contents ............................................................................................................................................ 4

2. What is Data Protection Impact Assessment (DPIA)? ........................................................... 5

2.1 What is the DPIA legislation? ................................................................................. 5

2.2 Why Does SLC Need a DPIA? ............................................................................... 5

2.3 What does a DPIA Deliver? ................................................................................... 5

2.4 DPIA Roles and Responsibilities ............................................................................ 6

2.5 How to Complete a DPIA ....................................................................................... 6

2.6 Guidance for projects ............................................................................................. 7

3. Data Protection Impact Assessment (DPIA) - Screening Questions ...................................... 9

3.1 DPIA Screening Questions .................................................................................... 9

3.2 Information about the Change ................................................................................ 9

3.3 Data Impact ......................................................................................................... 10

3.4 Business Process Impact ..................................................................................... 11

3.5 Technology Impact............................................................................................... 11

3.6 3rd Party Impact .................................................................................................. 12

3.7 Screening Questions Assessment ....................................................................... 12

3.8 Screening Question Statement ............................................................................ 13

4. Data Protection Impact Assessment .................................................................................... 14

4.1 New Data Details ................................................................................................. 14

4.2 Re-Use of Existing Data ....................................................................................... 15

4.3 DPIA - Assessment Questions ............................................................................. 15

4.4 DPIA – Remaining unknowns .............................................................................. 17

4.5 Privacy issues identified and risk analysis ............................................................ 18

4.6 RESULTS / CONCLUSION/ OUTCOME .............................................................. 19

4.7 Related Documents ............................................................................................. 19

5. Appendices .......................................................................................................................... 19

5.1 Appendix A – Lawful Processing .......................................................................... 19

5.2 Appendix B – Personal Information Definition ...................................................... 20

5.3 Appendix C – 3rd party considerations .................................................................. 21



2. What is Data Protection Impact Assessment (DPIA)?

2.1 What is the DPIA legislation?

Performing a Data Protection Impact Assessment (DPIA) is a legal requirement under EU GDPR legislation that SLC

must comply with. For background an extract from the legislation is provided as follows:

Article 35 - Data Protection Impact Assessment

I. Where a type of processing in particular using new technologies, and taking into account the nature,

scope, context and purposes of the processing, is likely to result in a high risk to the rights and

freedoms of natural persons, the controller (SLC) shall, prior to the processing, carry out an assessment

of the impact of the envisaged processing operations on the protection of personal data. A single

assessment may address a set of similar processing operations that present similar high risks.

II. The controller (SLC) shall seek the advice of the data protection officer, where designated, when

carrying out a data protection impact assessment.

III. A Data Protection Impact Assessment referred to in paragraph 1 shall in particular be required in the

case of:

(a) a systematic and extensive evaluation of personal aspects relating to natural living persons which is

based on automated processing, including profiling, and on which decisions are based that produce

legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal

data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

2.2 Why Does SLC Need a DPIA?

DPIAs are required for all changes to the processing of Personal Information at SLC

A DPIA may need to be submitted / shared with the Information Commission Office (ICO) as evidence to

demonstrate SLC’s commitment to our customers’ Data Privacy

The need for a DPIA is defined within Article 35 of the GDPR (as outlined above)

The GDPR Definitions as defined in Article 4 of the regulation for personal data (see Appendix C) is any

information relating to an identified or identifiable natural person (referred to as a data subject); an identifiable

natural living person is one who can be identified, directly or indirectly, in particular by reference to an identifier

such as a name, and identification number, location data, an online identifier or to one or more factors specific to

the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.3 What does a DPIA Deliver?

A DPIA is a process to identify and minimise the Risks to individuals and to SLC for all changes to the processing of Personal Information (this includes operational, procedural, project driven change and changes in the relationships with 3rd Party processors etc).

A DPIA must be completed for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. As a minimum the screening questions must be completed to evidence there is no anticipated high risk.



A DPIA must:

Describe the nature, scope, context and purposes of the processing;

Assess necessity, proportionality and compliance measures;

Identify and assess risks to individuals; and

Identify any additional measures to mitigate those risks.

To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

If a high risk is identified that cannot be mitigated then the Information Commission Office (ICO) must be consulted before commencing with delivery. (The Information Commission Office (ICO) will give SLC written advice within eight weeks, or 14 weeks in complex cases. They may also issue a formal warning not to process the data, or ban the processing altogether.)

2.4 DPIA Roles and Responsibilities

A collaborative approach from different disciplines within SLC is needed to answer all of the DPIA questions. (The

below list illustrates some of the key contributors but is not a fully comprehensive list of all contributors as this

may vary depending on the details of the change.)

Information Asset Owner (IAO) / Information Asset Lead (IAL)

Data Protection Officer (or his/her Deputy)

Project Manager

Commercial Management

IT Security Ops

Business Architect (BDL/BA)

If you are unable to answer any of the questions please seek guidance from your relevant Information Asset

Owner (IAO) or Information Asset Lead (IAL) in the first instance (and escalate to the Data Protection Office (DPO)

after that if required).

2.5 How to Complete a DPIA

The latest template should be downloaded from SLC Document Control System

The Relevant change specific details should be updated as appropriate and version control updated

DPIA screening should be initiated as soon as possible, (i.e. at the start of any continuous improvement change, at

the start of a new project and before engaging with any new 3rd parties etc).

The screening should be led by the person responsible for the change in SLC (e.g. new IT System, changes to

existing system or process) regardless of business area in SLC– e.g. Continuous Improvement Area, Project

Management Office, Front Line Operations etc.

Completed DPIA should be emailed to the Data Protection Office (DPO) ([email protected])

A DPIA must be reviewed and signed off by the Information Asset Owner. – (Email trail / History)

Guidance:

If you are unable to answer any of the questions please seek guidance from the relevant Information

Asset Owner (IAO) or Information Asset Lead (IAL) in the first instance (and escalate to the Data

Protection Office (DPO) after that if required).



After completing screening please send the completed answers to the Data Protection Office (DPO) for

review. The Data Protection Office (DPO) will advise whether a full DPIA assessment will be required.

2.6 Guidance for projects

DPIAs are required for all projects at SLC in order to progress through the Project Delivery Framework and

ultimately gain Approval to Operate. A DPIA is a living document and you must revisit your screening answers or

DPIA at the end of every project stage as part of project delivery.

A DPIA may need to be submitted / shared with the Information Commission Office (ICO) as evidence to

demonstrate SLC commitment to our customers Data Privacy

DPIA screening should be initiated as soon as possible at the start of a new project. The screening should be led

by Project Manager and reviewed and signed off by Information Asset Owner (IAO)

After completing, please send the completed answers to Data Protection Office (DPO) for review. The DPO will

advise whether a full DPIA assessment will be required

You must revisit your DPIA answers at the end of every project stage as part of project delivery. Material

changes to project scope or understanding may change the risk outcome of the DPIA and consultation with

Information Asset Owner (IAO) or Information Asset Lead (IAL) & Data Protection Office (DPO) will be required.

Notes:

If you are unable to answer any of the questions please seek guidance from your Information Asset Owner (IAO) or Information Asset Lead (IAL) in the first instance (and escalate to the Data Protection Office (DPO) after that if required).

If you can’t answer a question at new demand, discovery, inception or run, then the project can still proceed (after taking advice and guidance from your Information Asset Owner (IAO) or Information Asset Lead (IAL) and the Data Protection Office (DPO) if required). For delivery and beyond, activity cannot progress with ‘unknowns’ remain in the DPIA.



3. Data Protection Impact Assessment (DPIA) - Screening

Questions

3.1 DPIA Screening Questions

This section is required to document the anticipated change (e.g. new IT System, changes to existing system or

process). It is required for Corporate Memory purposes for the Data Protection Officer & SLC as a Data Controller

to discharge its obligations and as such may be shared with the Information Commissioner’s Office.

3.2 Information about the Change

3.2.1 What are the business objective(s) that this change is aiming to deliver?

Answer

Safeguarding Public Money

3.2.2 What is the scope of the change (departmental or organisational wide?)

(e.g. Payroll change may only impact Finance, but a change to Staff policy could impact across SLC)

Answer

Data identified on Social Media will be used as necessary by investigators within Counter Fraud

Services to identify any potential inconsistencies with information provided as part of the student

finance application.

Social Media will also be used to support the avoidance of Repayment Evasion.

The information will not be used in isolation and will only inform a potential line of questioning.

3.2.3 Provide details of any previous Privacy Impact Assessment (PIA) or DPIA

(if this is a change to an existing system then a PIA/DPIA may have been undertaken previously

Answer

No previous assessments available.

3.2.4 Stakeholders - Who is involved in making this change happen?

Please list stakeholders, including internal, Information Asset Owner (IAO) or Information Asset Lead (IAL), external,

organisations (public/private/third) and cohorts that are implementing this system/change

Answer

Fiona Innes – HoS



3.3 Data Impact

3.2.5 Stakeholders - Who is affected by the change?

Please list stakeholders, including internal, Information Asset Owner (IAO) or Information Asset Lead (IAL)external,

organisations (public/private/third) and cohorts that may be affected by this system/change (i.e. Customer

contact, front line support, etc)

Answer

Customers may be impacted by the use of Social Media if the content of their accounts is

inconsistent with other information provided as part of their Student Finance Application.

Further evidence may be required to support their application which may delay payments

being made.

3.3.1 Does the change capture new Personal Information or Sensitive Personal Information

See Appendices for guidance on data field applicability

Answer: Please provide details for ‘yes’ answers

Yes Specifics cannot be captured here however information may be provided by a customer via

Social media that has not been submitted via the application form or while in the Repayment

stage of their journey.

3.3.2 Does your change combine any existing SLC data sets?


No

3.3.3 Will the change involve any analysis of data that would be deemed a profiling activity?

i.e. analysis of the data to facilitate targeted emails, contacts etc.. (as defined in Articles 21 & 22 Automated individual

decision-making, including profiling) (including in post implementation)

i.e. using SLC’s existing data in for a purpose that it was not initially captured for


No Although information will be identified through Social Media no profiling will take place.

Investigators will however use personal information for the purpose it was not originally

captured for, i.e. fraud prevention.

No automated decision making will take place.



3.4 Business Process Impact

3.5 Technology Impact

3.3.4 Will the change deliver any new automated decision making?

(as defined in 22 Automated individual decision-making, including profiling )


No

3.4.1 Is there a change in the use of existing SLC data as a result of this change?

I.E. Will the data be used for a new purpose? What is the justification for this? (e.g. Government Policy)


No

3.5.2 Will the change affect where the personal Information is hosted by SLC? (on SLC infrastructure or on 3rd

party infrastructure on SLC’s behalf?)


No

3.5.1 Will the change introduce new technology into SLC?

(note: changing a version of a product is not a new technology, however moving platform or jumping many increments of a

version could be)


No



3.6 3rd Party Impact

3.7 Screening Questions Assessment

If you have answered “Yes” to any of the questions in the sections listed below you will need to proceed and

complete a Full DPIA (Section 3):

3.3 Data Impact

3.4 Business Process Impact

3.5 Technology Impact

3.6 3rd Party Impact

3.5.3 Does the change include the use and/or processing of CCTV or audio recording in a public area? (as

defined in Article 35 - Section 4 - Item C )


No

3.6.1 Will this project interact with any new 3rd parties?

Please see Appendix C


No

3.6.2 Will there be any changes to how the personal data is used/collected/stored as a result of changes to

existing arrangements with existing 3rd party(s)?

Please see Appendix C


No



3.8 Screening Question Statement

DPIA screening as at 17/12/2018 for CFS Accessing Social Media has been conducted by Fiona Innes.

As a result a full DPIA is required.

Complete Screening statement and update ‘Current Status’ on page 3.

Completed DPIA should be emailed to the Data Protection Office ([email protected])

A DPIA must be reviewed and signed off by the Information Asset Owner. (Email trail / History)

mailto:[email protected]



4. Data Protection Impact Assessment Data Protection Impact Assessment (DPIA) Questions

4.1 New Data Details

If you are capturing any new personal data attribute then please either complete the table below or link to your

Data Dictionary.

Note – if linking to a Data Dictionary please ensure you add the columns from the table (if your Data Dictionary

doesn’t already include these details). This information is required as part of the assessment.

If you are not introducing any new data attributes (i.e. only using existing data) then please move straight to

question 1 in section 4.2

4.1.1 Are you collecting a new attribute about a data subject?

(An attribute is a specific piece of information about a person from eye colour to National Insurance Number)

when completing DPIA is important to SLC that we clearly track all the information we gather from our

customers to ensure that we have the legal right to gather this data and understand why we are gathering it

and how long we will retain it)

Attribute Sensitive or Personal

Data?

Description of Attribute Reason Why We are

Gathering this Data?

i.e. Eye Colour <Delete as appropriate>

Sensitive / Personal



4.2 Re-Use of Existing Data

4.2.1 Personal & Sensitive Information:

Are you changing how existing Personal and/or Sensitive Information is being used within SLC? No

Please list any change in use of an existing data attribute and the reason(s) for the change.

Attribute Sensitive or Personal

Data?

Description of Attribute Reason why we are changing

the use of this Data?

i.e. Eye Colour <Delete as appropriate>

Sensitive / Personal

No Change

4.3 DPIA - Assessment Questions

Question Response

Bu

sin

ess

Pro

cess

ing

Nee

d

Lega

l co

mp

lian

ce –

is it

fai

r an

d la

wfu

l?

1. What is the legal basis for processing the information?

See Appendix A on lawful processing

Under GDPR Article 6(3) we are able to perform

this exercise as a public task.

2. Does the purpose for processing the data fall under any of the categories noted in SLC’s Privacy Notice? See Appendix A If not, please provide information of new categories to be included. (seek guidance from Information Asset Owner (IAO) or Information Asset Lead (IAL)if required)

SLC Privacy Notice states:

We may use also your personal information for

the following purposes:

to detect, investigate and prevent crime including fraud;

3. If you are relying on consent to process personal data, how will consent be obtained and recorded, what information will be provided to support the consent process and what will you do if permission is withheld or given but later withdrawn?

N/A



Acc

ura

te a

nd

up

to

dat

e

4. How are you ensuring that personal data obtained from individuals or other organisations is accurate and kept up to date?

Open Source data is used for information only to

inform a line of questioning. Data captured is

viewed only and not used to change any fields on

any of SLC’s systems. CFS will not update or

amend information held on customers Social

Media accounts.

Sto

rage

& R

ete

nti

on

Sto

rage

& R

ete

nti

on

R

ete

nti

on

5. What are the retention periods for the personal information and how will this be implemented? (Please link / embed a retention schedule if appropriate)

In line with SLC’s Information & Retention Policy.

6. Are there any exceptional circumstances for retaining certain data for longer than the normal period?

Where fraud is identified, data on these specific

customers may be kept for longer than non-

fraudulent cases.

7. How will information be anonymised For use in non- production environments

The data will not be anonymised.

8. Will data be deleted after it is no longer required & how will this be Delivered / monitored

Yes, as per company policy.

Rig

hts

of

the

ind

ivid

ual

9. If not covered by the Corporate DSAR Process, how will you action requests from individuals (or someone acting on their behalf) for access to their personal information once held?

Covered - Notes will be applied to the customer’s

account and any action taken will be added to the

CFS database where details can be extracted from

if necessary. Full Audit trail captured.

Ap

pro

pri

ate

tec

hn

ical

an

d

org

anis

atio

nal

mea

sure

s 10. If not covered by a corporate approach, have you identified a requirement for additional Data Handling? If so what is the anticipated nature of the training or awareness?

N/A

11. Is there a documented Risk Assessment (Security Review) this has identified and residual Security Risks?

Data not being transferred

Acc

ess

& E

xch

ange

Tran

sfer

s b

oth

inte

rnal

and

ext

ern

al i

ncl

ud

ing

ou

tsid

e o

f th

e EE

A

12. For any personal data transferred out with SLC boundaries , has the Corporate Data Transfer Process and Form been used and logged in the Data Transfer Tracker (held by the Information Governance & Compliance Team)




13. Will personal data be transferred to a country outside of the European Economic Area? If yes has the transfer been logged on the SLC Cloud / Offshore Tracker?


3rd

Par

ties

14. Where a new 3rd party is being introduced or there is a change to existing 3rd party arrangements, has commercial governance and due diligence been conducted?

N/A

Bu

sin

ess

Pro

cess

ing

Nee

d

Co

nsu

ltat

ion

15. If there is an identified High Risk that it appears cannot be mitigated, SLC must consult the Information Commission Office (ICO) prior to commencement of the activity. Please provide a summary of the outcome of that consultation if applicable.

N/A

Dat

a C

lass

ific

atio

n

Tech

no

logy

16. If not comprehensively answered in 3.5.1, provide details of any new information technology systems being introduced.

No new IT system being introduced.

4.4 DPIA – Remaining unknowns

4.4.1 Are there any remaining unknowns?


No



4.5 Privacy issues identified and risk analysis

4.5.1 Guidance on SLC Risk Management Framework

Guidance on SLC’s Governance & Information Risk Management framework can be found on SLC Document

Control System (see ‘Related Documents’ section 4.7):

Notes:

You can use your answers from section 4.1 to identify privacy risks

The attached spreadsheet may be helpful when calculating and documenting Risk

Risk Assessmentr matrix DPIA 1.0.xlsx

4.5.2 Document the Privacy and related risks and mitigations

Complete the following table to document the risks, their Rating and Mitigations:

4.5.2.1 RISK tracker

Ref Risk

rating

RISK Description

Mitigation

1 Low Customer Concern - Selection Process for

undertaking Social Media Checks

Sample Checking - Methodology ensures customers are selected

at random and clear reasons are given for undertaking the

activity.

Fraud Referral – Social Media checks may be conducted where

concerns around suspected fraud are raised from either internal

or external sources.

Privacy Notices to be updated to reflect checks which may be

undertaken.

For Projects:

Privacy risks should be documented in the Project ARIAD and the ARIAD should be embedded here clearly

calling out the Privacy Risk lines.

Mitigations for Privacy risks should be documented in the Project ARIAD and replicated here.

Mitigations must be Integrated into the DPIA outcomes into the project plan

Information privacy and risks documented in project level ARIAD log. Signposts to the most recent version of

DPIA must be recorded.

Any actions as a result of this DPIA must be managed by the project manager as part of project.



4.6 RESULTS / CONCLUSION/ OUTCOME

As a result of this DPIA the risk summary is:

LOW - to be treated by existing CFS processes around investigation techniques and customer selection.

Complete DPIA statement and update ‘Current Status’ on page 3.

Completed DPIA should me emailed to the Data Protection Office ([email protected])

A DPIA must be and reviewed and signed off by the Information Asset Owner.

At Project Close Down any residual privacy risks in the ARIAD must be transferred to the Data Governance

Risk Register (Held by the Information Governance & Compliance Team)

If a high risk is identified that cannot be mitigated then the Information Commission Office (ICO) must be consulted before commencing with delivery. (The Information Commission Office (ICO) will give SLC written advice within eight weeks, or 14 weeks in complex cases. They may also issue a formal warning not to process the data, or ban the processing altogether.)

4.7 Related Documents

Document Description

Link

Governance & Information Risk Management

Framework POL-15-051 IA Governance & Information Risk

Management Framework

5. Appendices

5.1 Appendix A – Lawful Processing

What are the lawful bases for processing?

The SLC privacy notice sets out SLC’s legal basis for processing personal information.

You can find the Privacy Notice on the following URL: https://www.slc.co.uk/about-us/privacy-notice.aspx

Any processing outside of this basis MUST be escalated to Information Asset Owner (IAO) & Data Protection

Office (DPO) & legal team for further guidance before proceeding further

GDPR: legislation article

Article 6

(a) Consent: the individual has given clear consent for you to process their personal data for a specific

purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have

asked you to take specific steps before entering into a contract.

mailto:[email protected]

http://washington.slc.co.uk/intranet/dcs2/InformationSecurity_/1policies_/pol15051iagovernanceinformationriskmanagementframework/smrtsite.htm

http://washington.slc.co.uk/intranet/dcs2/InformationSecurity_/1policies_/pol15051iagovernanceinformationriskmanagementframework/smrtsite.htm



(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual

obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your

official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate

interests of a third party unless there is a good reason to protect the individual’s personal data which

overrides those legitimate interests. (This cannot apply if you are a public authority processing data to

perform your official tasks.)

5.2 Appendix B – Personal Information Definition

GDPR definition of personal information and Sensitive personal information:

GDPR Personal Data definition Examples

Name

Address

Date of Birth

National Identification Number

Location data (electronic or otherwise)

Online identifier i.e. email address and IP address

Mobile device ID

Physical data

Physiological data

Genetic data

Mental data

Economic data

Cultural data

Social identity data

Passport Number

Driving License Number

Employee ID

Customer Reference Number

GDPR Sensitive Personal Data definition Examples

Racial Origin

Ethnic Origin

Political Opinions

Religious Beliefs

Philosophical Beliefs

Trade Union membership

Genetic data



Biometric data

Health data

Sex Life

Sexual Orientation

Criminal convictions/offences

5.3 Appendix C – 3rd party considerations

Any change to an existing 3rd party agreement, or engagement with a new 3rd party, where SLC shares Personal

Information SLC is required to complete commercial governance and due diligence before implementing or amending a

contractual agreement

For example

Roles and responsibilities i.e. who is the Data controller, data processor, sub-processors etc

For what purpose is the data sharing taking place - not sufficient to say it is under a contract. A high level

statement is needed, detailing what the contract would be for and why the data sharing is necessary to facilitate

delivery of the contracted service

What data is moving about e.g. Name, N.I.? No, D.O.B etc. I.e. Specifically attributed labels are required. It’s

sufficient to specify headings such as; "personal identifiers" or "government identifiers"

The category of data subject this sharing relates to i.e. is it SLC Customers, SLC employees etc

Data retention - how long does it need to be held for and what happens at contract end i.e. There is a need to

understand the intended exit strategy.

Document Reference: CFS/ASM/01-19

Documents

Transcript of Document Reference: CFS/ASM/01-19