Greater Manchester Combined Authority

Project Digital Data Protection Impact Assessment

Briefly describe the initiative/project/service; please include your aims and objectives

Data Protection Impact Assessments are a legal requirement under new Data Protection legislation in some circumstances and still very much best practice in others. They are an effective way for an organisation to assess risk to the rights and freedoms of individuals with regard to their privacy. Project Digital DPIA was born out of the frustration of staff undertaking and supporting DPIA creation and the inaccessible language used, coupled with the increased need to protect personal data.

The Digital Data Protection Impact Assessment (DPIA) project brought together partners from GM LAs, GMHSCP, TfGM, the Information Sharing Gateway development team and the Information Commissioner's Office to address the issue of inconsistent, ineffective and inefficient DPIA processes across public sector organisations. The aim is to provide a consistent and accessible digital tool which improves risk management and embeds privacy by design.

The project was funded by MHCLG after winning a bid to the Local Digital Fund to #fixtheplumbing and has gained national interest. The project is currently at phase one, which means there is still much unlocked potential to be realised from the tool.

What are the key achievements?

The project has created a prototype Digital Data Protection Impact Assessment tool. Working out in the open means there is open source code that anyone could use to further innovate and develop complementary tools.

The development focused primarily on the Legal compliance section of the tool, the most challenging section of a DPIA, and demonstrates the benefits of having a tool which is user centric in its design. As the project was an alpha, the onus was on understanding user need, with some development. It became clear that the DPIA tool should also act as a training tool, providing useful educational information to users as they navigate the tool. This is massively beneficial to the user and also for building a privacy culture.

Other key features of the prototype to ensure a user centric approach are:

- An upfront screener
- Logic sequencing to the questions so that only the relevant questions are presented to the user
- Advice and guidance throughout the section to coach a user through the completion
- The ability to link to external resources from within the tool

Through promotion of the project and collaboration with the ICO we have grown our stakeholder group to include NHS Digital and national LAs.

What are the key learning points?

A success of the project was our approach to working out in the open. We committed to making our project boards on Trello publicly available, we were active on social media, and we did project blogging and created videos on YouTube. A key learning from this success was that we should do more and go further with this. Working out in the open creates trust, excitement and transparency over your work. This is a positive way to encourage collaboration in your project.

Our project brought together partners from across the Greater Manchester public service landscape, along with the Information Commissioner's Office and the development team behind the successful Information Sharing Gateway. All of our partners contributed their knowledge and expertise, and through collaboration we firmly believe we can create a tool that can be used cross-sector. This is a powerful way of selling the benefits of a single approach to DPIAs, and so we would encourage others to bring a diverse range of expertise into their projects if they are looking to find a single approach solution to a problem.

There was also a lot of national interest in the project, with more and more organisations expressing their interest.

Additional Comments

The MHCLG funding enabled us to take on a project for an area of work that quite frankly has a bad rep and start to unpick how it could be innovated to be seen as the digital enabler it really is. We wanted to ensure that IG and privacy did not get left behind in the world of tech and digital.

The desire to develop the tool across national partners is clear. Looking to the future, we are exploring all options to keep the project funded to a final viable product, including looking at co-funding options and building on the strength of collaborative design.

Our project has begun a journey to revolutionise the way Data Protection Impact Assessments are used within organisations. We have a way to go to get from a prototype to a usable product, but we are hugely excited by this journey and the collaborative approach we will bring to find a single solution to the problem.