Privacy Scan
Introduction
The Privacy Scan (formerly known as Privacy Review) is a tool developed at the Geosciences Faculty designed to facilitate the process of evaluating and documenting a project’s GDPR compliance.
- GDPR Art. 24: Responsibility of the controller. The privacy scan allows controllers to demonstrate the technical and organisational measures that ensure that the processing is performed in accordance with the GDPR, providing documentation of this compliance.
- GDPR Art. 30: Records of processing activities. Since all projects processing personal data at the faculty must have a privacy scan completed, the collection of all privacy scans act as the faculty record of processing activities, where the information provided by steps 1 to 4, 8 and 9 of the privacy scan respond to all the requirements listed in Art. 30(1).
- GDPR Art. 25: Data protection by design and by default. The privacy scan allows controllers to demonstrate that the design of their project design is implementing effective Data Protection by Design and by Default (DPbDD). Since all projects processing personal data at the faculty must have a privacy scan completed, compliance with DPbDD is thus ensured and documented.
- GDPR Art. 35: Data protection impact assessment. The privacy scan allows controllers to assess and document if a DPIA is necessary, or documents the reasons that support controller’s decision that a DPIA is not necessary. The privacy scan identifies when a project, due to the scope and nature of collected data, can potentially carry a “high risk to the rights and freedoms of individuals”. When that is the case, the privacy scan becomes a Data Protection Impact Assessment (DPIA), which in turns ensures sufficient support is provided (by the faculty privacy officer and any other relevant stakeholders, like information security officers, as necessary) with the goal of ensuring any and all potential high risk are properly addressed and resolved.
All projects that process personal data need to undergo a Privacy Scan. Remember that personal data is any information relating to an identified or identifiable natural person – what is considered personal data, and what is considered anonymous data according to the GDPR is explained in more detail here.
The privacy scan of a project needs to be started at the same time the project is being designed. Projects do not always implement Data Protection by Design and by Default (DPbDD) from the start. That is why it is important to start working on the privacy scan at the same time the project is being developed – when the project’s goals and data collection methods are still being developed. Once you know you will be working with personal data, you should familiarize yourself with the privacy scan protocol and its requirements. Having an understanding of what needs to be done to ensure your project complies with data protection requirements can have a positive impact in your research.
The privacy scan is a ‘living document’. It is meant to be continuously edited and updated alongside the project life cycle, to always provide up-to-date documentation of the project’s compliance.
- When the project starts being designed, the privacy scan is started by filling in what is known about the project – things like the overall project purpose, potential research partners are likely to be known from the start of the project design.
- As the project proposal is being developed, more and more detailed descriptions are added to the privacy scan, and any issues are identified and addressed early on. By the time the project design is completed, the privacy scan will also be likely completed.
- As the project starts collecting and processing personal data, the privacy scan will also document where and how data is being processed, and who has access to what – all important aspects that will demonstrate the project’s continued control on the personal data it is handling, and will also facilitate complying with data subject access requests.
- For as long as personal data is processed (and storage is a type of processing), there should be a privacy scan that documents where data is being stored/processed, who is responsible for the project (and how can they be contacted), and when data will be completely deleted/anonymized – all details that demonstrate why this personal data processing is compliant with the GDPR.
The responsibility to start and maintain a privacy scan rests with the individual(s) in charge of the project. In the privacy scan, such individual(s) are referred to as the projects’ controllers – the individual(s) who have authority to make decisions about the project and who will be responsible for the project throughout its entire duration (as part of their responsibilities as UU employees or students, as the UU is legally the overall controller of all personal data processed by the UU community). The concept of controller is further explained in step 8.
Use the privacy scan template and follow the guidance below. Click on each one of the steps for more detailed guidance.
- Administrative Information – Details like the name of the project, contact information of the individuals responsible for the project, etc.
- Description of the Project’s Purpose – The privacy scan starts with a brief description of the project’s purpose, and a description of the activities that involve the use of personal data. With this explanation, it will be clear that the activities are necessary to reach the purpose.
- Description of Data Subjects – This step asks for a detailed description of the people behind the data (the data subjects) – How they are selected, how many people are involved, is there a relationship between data subjects and the people responsible for the project.
- Description of the Categories and Purposes of Personal Data – This step asks for a detailed description of the types of data collected from data subjects – and for each data type, a justification is provided. It should be clear how each type of data processed by the project is clearly necessary to reach the purpose.
- Description of the Processing of Personal Data – This step asks for a detailed description of how data is processed: where it is coming from, how and where it is being stored and analyzed, who has data access and for what reasons, and for how long data is retained. Privacy enhancing technologies and data minimization measures are described in this step. It should be clear that the principles of data protection by design and by default have been applied appropriately.
- Description of Information Provided to Data Subjects – This step asks for a detailed description of how and what information is provided to data subjects – information must be provided in a timely, accessible, clear and understandable manner, using different channels and at different layers if necessary.
- Description of How Data Subjects Can Exercise Their Data Subject Rights – This step asks how people can exercise their rights – it should be clear that they are able to exert appropriate control on how their data is processed.
- Description of Lawful Basis for Processing – This step asks for a detailed description of the legal basis behind the processing – the legal reason why this process is lawful under the GDPR. It should be clear that the requirements of the chosen lawful basis – consent, legitimate interest, etc. – have been properly met
- Description of Measures to Ensure Compliance By Processors and/or Joint Controllers – If the project involves working with others outside the UU – other researchers, or service providers – this step asks for a description of how they will comply with the GPDR. For example, by using data processing agreements (DPA) or joint controllers agreements.
- Description of Planned Transfers of Personal Data to Other Countries Outside the EU – If personal data is transferred outside the EU, this step asks for a detailed description of how these transfers are allowed under the GDPR.
- Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing – Consulting data subjects to obtain their views on the processing empowers them to exert control on the process during the design stage, and how their feedback is incorporated into the project’s design. Consulting data subjects is intended to be an instrument of transparency, and an assessment of whether the necessity and proportionality of the processing is justified in the eyes of data subjects.
- Preliminary Risk Assessment – This step aims to identify possible adverse effects – damages – that processing might have on data subjects, and to describe the (legal, technical and organizational) safeguards that will manage (reduce, eliminate or accept) these potential risks.
Next: Administrative Information