Name of controller
Subject/title of DPO
Corvid 19 data collection
Name of DPO
Step 1: Identify the need for a DPIA
Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.
To adhere with government guidelines in the control and monitoring of Covid -19 infection in regard to entering and using a public house.
Step 2: Describe the processing
Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?
Data will be collected in written form from customers entering the premises. The data will be limited to a name and address or contact number.
The data will be stored in a locked container within a locked room when the pub is closed, and in a locked container in a restricted area when the pub is open.
This data will be destroyed after 21 Days if no reports of infection from customers is received.
The data will be given by the customer.
The data will be shared with Health or safety authorities if requested.
Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
The data will be collected only from customers of the Alehouse entering the premises for a drink.
The data will be only name and contact details and will only be used if an infection of another customer is reported who was present on that day.
Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
The data is purely for use in an infection emergency as outlined by the government, and all customers will be informed.
Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?
The data is purely used to inform people of an infection risk. It is not for marketing, activity and/or use analysis or any form of marketing or analysis.
The data is kept purely for the benefits of customers should an infection occur.
Step 3: Consultation process
Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?
It is not appropriate to seek o stakeholders or others views as the data is not of the nature that requires this.
Step 4: Assess necessity and proportionality
Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
The data will not be processed. It will be stored and destroyed. If it is used it is purely to contact individuals to alert them to a health risk. The limited extent of data collection and use supports the customers rights, and no transfer of data is required.
Step 5: Identify and assess risks
Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.
Likelihood of harm Remote
Severity of harm Minimal
Overall risk Low
Remote, possible or probable
Minimal, significant or severe
Low, medium or high
Step 6: Identify measures to reduce risk
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5
Options to reduce or eliminate risk
Effect on risk
Eliminated reduced accepted
Low medium high
Step 7: Sign off and record outcomes
Measures approved by:
Integrate actions back into project plan, with date and responsibility for completion
Residual risks approved by:
If accepting any residual high risk, consult the ICO before going ahead
DPO advice provided:
DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice:
DPO advice accepted or overruled by:
If overruled, you must explain your reasons
Consultation responses reviewed by:
If your decision departs from individuals’ views, you must explain your reasons
This DPIA will kept under review by:
The DPO should also review ongoing compliance with DPIA