Data Protection Impact Assessment Policy

15.1 The Information Commissioners Office gives the following examples of where a DPIA is required:

15.2 If Wiltshire Council plans to:

use innovative technology (in combination with any of the criteria from the European guidelines);

use profiling or special category data to decide on access to services;

profile individuals on a large scale;

 process biometric data (in combination with any of the criteria from the European guidelines);

process genetic data (in combination with any of the criteria from the European guidelines);

match data or combine datasets from different sources;

collect personal data from a source other than the individual without providing them with a privacy notice ('invisible processing') (in combination with any of the criteria from the European guidelines);

track individuals' location or behaviour (in combination with any of the criteria from the European guidelines);

profile children or target marketing or online services at them; or

process data that might endanger the individual's physical health or safety in the event of a security breach.

15.3 You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.

15.4 Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data. You can use or adapt the checklists to help you carry out this screening exercise.