DATA PROTECTION IMPACT ASSESSMENT REPORT

Description of the processing operations


A DPIA is a way to systematically and comprehensively analyze processes and projects, which involve
the processing of personal data and help you to identify and minimize data protection risks.

DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals,
including the potential for any significant social or economic disadvantage. The focus is on the potential
for harm – to individuals or to society, whether it is physical, material or non-material.

To assess the level of risk, a DPIA must consider both the likelihood of harm and the severity of any
impact on individuals.

A DPIA does not have to show that all risks have been eliminated, but it should help in
documenting and assessing whether any remaining risks are justified.

When should a DPIA be conducted?


This DPIA report should be completed prior to the commencement of a process or project that
involves the use of personal data.

Table of Contents
DATA PROTECTION IMPACT ASSESSMENT REPORT (p. 1)
  Description of the processing operations (p. 1)
  When should a DPIA be conducted? (p. 1)
1. Description of the processing operations (p. 3)
2. DESCRIBE THE PROCESSING (p. 5)
  A. Data Map (p. 6)
  B. The purpose of the processing (p. 7)
  C. Nature of the processing (p. 7)
  D. Scope of the processing (p. 8)
  E. Context of the processing (p. 9)
  F. Consultation Process (p. 10)
  G. Necessity & Proportionality (p. 11)
  H. Security (p. 13)
3. IDENTIFY & ASSESS RISKS (p. 15)
4. RISK MITIGATION (p. 20)
5. APPROVAL & SIGN OFF (p. 21)
APPENDIX A – PRINCIPLES OF DATA PROTECTION (p. 22)
APPENDIX B – PRIVACY RISKS (p. 24)
APPENDIX C – ASSESSING RISK (p. 26)
APPENDIX D – RAR RETURN SPREADSHEET (p. 27)

1. Description of the processing operations
Name of Data Controller/ Data Processors:
Data controller: Committee of Student with Disabilities Fund (CSDF)
Data processor: Higher education Institutions (HEIs)
Postal Address: 10190-00200, NAIROBI KENYA
Email Address: studentempowerment.co.ke
Telephone Number: +254711034678

Under the Kenyan Data Protection Act, 2019, DPIAs are mandatory for any new high-risk
processing project. The DPIA process allows organisations to make informed decisions about the
acceptability of data protection risks and to communicate effectively with the individuals affected.

Project Background, Name and Objective


With the objective of giving back to society, Prime Bank Limited, in collaboration with the Higher
Education Board (HEB) through the Kenya Bankers Association, was appointed to develop a project
compatible with all Kenyan banks. The project aims to elevate the lives of students with disabilities
within Kenyan public universities. The Committee of Student with Disabilities Fund (CSDF) was
created to undertake this project.

Objective of the data processing: The primary objective of the data processing is to assist with the
modelling of the ‘Fund for Students with Disabilities’ (FSD) allocations for Kenyan Banks
participating in the Fund.

Project or process: Aggregated data is used for statistical and policy purposes.

Summary of processing: Required personal and special category data for the purposes of determining
FSD allocations is requested and gathered on data subjects from the Higher Education Institutions
(HEIs). The CSDF issues an Excel template file to HEIs, the ‘Resource Allocation Return’ (RAR).
HEIs use this template to gather the data during the academic year and forward their completed
return to the CSDF at the end of the academic year. The CSDF solely uses the data collected to
model FSD allocations for HEIs for the next calendar year. The collated file is then anonymised and
saved on the drive and may be used for non-personalised reporting of data on FSD.

Need for a DPIA? (Refer to risk assessment findings.) The CSDF is responsible for processing
sensitive personal student data, including Special Category Data.

Documentation which is relevant to this DPIA:
- Data Sharing Agreements with participating HEIs
- Annual FSD guidelines to Kenyan HEIs
- Internal standard operational procedures pertaining to administration of FSD (Allocations
  Modelling, RAR Verifications)
2. DESCRIPTION OF THE PROCESSING
Description of how and why the CSDF plans to use the personal data, including the purpose,
scope and context of the processing.

The purpose of the processing is to enable modelling of FSD allocations to HEIs.


The allocation model was put in place based on recommendations of a review of the
fund, starting from 2020 after Covid negatively affected lives of students with
disabilities, and is based on categories and extent of support provided to students.
Therefore personal and special category data are necessary for the purposes of
modelling allocations. The FSD fund helps to support the equality of access for
students with disabilities in Higher education.

Systems funding staff members who prepare FSD allocations process the personal
data collected.

The CSDF issues a ‘Resource Allocation Return’ template to HEIs at the beginning of the
academic year, requesting HEIs to complete it during the academic year. Data collected include
the student reference number, information about the student’s disability or disabilities, details of
supports that were provided and costs incurred by the HEIs during the academic year. Information
such as the level of the course attended and mode of study (full time/part time) is required for
statistical and policy purposes.

The spreadsheets are structured, and specific tools such as drop-down lists and formulae are
implemented to ensure that the information is complete and consistent, meeting the applicable
standards. Once completed, HEIs password protect their completed file and submit the return to
the CSDF. The CSDF checks and verifies the data for completeness and consistency, following an
internal standard operational procedure. The individual RARs are then collated into one file and
allocations are modelled.

A. Data Map
The data map outlines the flow of data between the participants, relevant
parties, processors and systems.

1. The CSDF issues the RAR template file to HEIs.
2. Data (both personal and non-personal) is returned to the CSDF in a password-protected file.
3. The CSDF processes the data and checks for completeness and consistency.
4. The CSDF collates individual HEIs’ returns into one RAR file and models FSD allocations.
5. Upon completion of FSD modelling, the CSDF anonymises the collated RAR file and shares it
   internally with the Access Policy section.
B. The purpose of the processing

What CSDF want to achieve: To allocate FSD funding in line with the applicable funding model.

Benefits of the processing for you, and more broadly? The processing is necessary for allocating
funding according to the funding model. It would not be possible to allocate funding without the
data.

Expected/intended effect on individuals? □ Yes □ No
Comments: There should be no effect on individual students.

C. Nature of the processing

Categories of personal data being used: □ Personal □ Special Category □ Criminal

Types of data that will be used in the process (e.g. contact details, demographics, location):
Student reference number, Course, Disability, Supports provided to the student

How CSDF will collect and use the data: The data is collected through a password-protected
spreadsheet file.

How CSDF will store and delete the data: The data is stored on the CSDF Access drive and is
subject to the CSDF’s data retention policy.

Source(s) of the data: The HEIs are the source of the data.
D. Scope of the processing

Number of data subjects that will be involved in the processing: The number of students supported
by FSD varies across each HEI depending on their size. In total 15,000 students are supported
annually under the fund. As the student population increases, the number of students expected to
benefit from the fund also increases.

The geographical extent of the processing? (e.g. town, county, province): Information is only sought
from data subjects studying at Kenya HEIs participating in the programme; they will be located
throughout the country.

The volume of data and/or range of different data items being processed: The data subject’s
reference number, course information, disability information, supports received and cost
associated. In general, one row in the return corresponds to one data subject. See Appendix D
below.

The expected duration of the processing activity: Approximately 6 months (October to March)
annually.

How long CSDF will retain the data: For no longer than necessary, for the duration of the
processing. FSD data retained is subject to the CSDF’s data retention policy.
E. Context of the processing

Does the processing include children or other vulnerable groups of data subjects?
□ Patients □ Elderly □ Children □ Other
Students with disabilities are included in the processing.

What is the nature of your relationship with the individuals? Currently the CSDF do not have any
direct relationship with the data subjects.

Could refusing participation impact the individuals’ use of a service or application of their rights?
Yes. If a student does not provide their personal details, the institution cannot receive funding
under the FSD in respect of such student’s needs. However, institutions can provide supports
outside of the scope of FSD.

Are there any current issues of public concern that you should factor in? e.g. monitoring of publicly
accessible areas: Not that we are aware of.

Are you signed up to any approved code of conduct or certification scheme (once any have been
approved)? Not that we are aware of.
F. Consultation Process
The consultation process aims to incorporate the views of data subjects (where appropriate), internal
stakeholders (including DPOs within participating organisations), external stakeholders and
independent experts.

Describe when and how you will seek individuals’ views, or justify why it’s not appropriate to do so:
FSD was established years ago, together with the relevant processes. The CSDF administers the
fund on behalf of Kenyan Banks and Higher education institutions. The CSDF engages with HEIs as
the fund is being administered.

Who else do you need to involve within your organisation? The participating institutions’ DPOs and
Access Policy section.

Do you plan to consult information security experts, or any other experts? □ Yes □ No
Comments: IT security experts

Are there any other data controllers involved in this processing relationship?
□ Controllers □ Joint Controllers
Comments:

Do you need to engage with these controllers? □ Yes □ No
Comments:

Are there any data processors involved in this processing relationship? □ Yes □ No
Comments:

Do you need to engage with these processors? □ Yes □ No
Comments: N/A

What measures do you take to ensure processors comply?
Data Processing Agreement: □ Yes □ No
Vendor Assurance Assessment: □ Yes □ No
G. Necessity & Proportionality

What is your lawful basis for processing?
□ Consent □ Contract □ Legal obligation □ Vital interests □ Public task □ Legitimate interests

If applicable, what is your lawful basis for processing special categories of data?
□ Consent
□ Employment
□ Vital interests
□ Legitimate interests by foundation, association or non-profit
□ Publicly available information
□ Legal claims
□ Public interest
□ Healthcare
□ Public interest regarding public health
□ Archiving, research, or statistical purposes in public interest

Is there any other legislation which supports this processing? e.g. Data Protection Act 2019,
Statutory instruments, or other regulations. □ Yes □ No
Comments: Data Protection Act 2019
Does the processing achieve your purpose? Yes.

Is there another way to achieve the same outcome? No.

How will you prevent data being used for a different purpose than for which it was collected?
i.e. function creep:
Files with FSD data are stored on the CSDF’s shared drive and only those staff members who are
involved in administration of the Fund have access to them. The collated RAR file used to model
allocations is password protected and only the Senior manager and staff members involved in FSD
personal data processing are aware of the password.

The senior manager responsible for overseeing the RAR collection process is aware of the
sensitivity of the data and data protection requirements. The relevant staff members are also aware
of these requirements and cognizant that it is not permissible to use data for other purposes.

New committee members receive CSDF induction, which includes the area of data protection. The
relevant standard operational procedure includes a data protection related section.

How will you prevent data linkages or unintended matching of data sets?
HEIs are advised to use an FSD specific student identifier, which does not allow data subjects to be
identified outside of the institution, i.e. by the CSDF or, in case of a data breach, by any other party.
HEIs are also specifically advised not to use PPS numbers for the purposes of FSD related returns.
The relevant staff members who process this data are aware that this is not permissible. Access to
FSD data is restricted to the relevant staff only.

How will you ensure data quality and accuracy?
The CSDF receives the data from HEIs, which are responsible for data quality and accuracy.
Guidelines for completing the return are provided to HEIs to ensure consistency in approach to
return within the sector. The CSDF carries out checks of returns received and liaises with
institutions where issues are identified. A standard operational procedure is in place for processing
of RAR returns.

Are measures in place to ensure collection of unnecessary data is minimised?
A review of the structure of the RAR return was undertaken as a part of implementation of the
revised FSD allocation model in 2020. Several categories of data previously included in the
template were identified in consultation with the CSDF Access Policy section as unnecessary for
the specified purpose, removed from the template and their collection was discontinued. The
template is reviewed on an annual basis at the time when FSD Guidelines for the new academic
year are being prepared. The modalities of the Fund and relevant reporting requirements are
considered to ensure that only necessary data is collected.
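The intake checks this section describes (rejecting columns outside the RAR template, flagging identifiers that are not FSD-specific, verifying completeness and cost values, and stripping the identifier once modelling is done), as an added Python example. This is illustrative code written for this page, not the CSDF's own tooling; the column names, the identifier format, the small-group threshold and the sample return are assumptions.

```python
"""Illustrative RAR (Resource Allocation Return) intake checks.

Added example, not CSDF code. Column names, the FSD identifier format and
the sample return below are assumptions made for the illustration.
"""
import csv
import io
import re
from collections import Counter

# Columns the DPIA says the return carries (names assumed here).
ALLOWED_COLUMNS = {
    "fsd_student_id",   # FSD-specific identifier, not an institutional ID
    "course_level",
    "mode_of_study",
    "disability",
    "support_provided",
    "cost",
}
REQUIRED_COLUMNS = {"fsd_student_id", "disability", "support_provided", "cost"}
# Columns that must never appear: they enable linkage outside the HEI.
PROHIBITED_COLUMNS = {"pps_number", "institutional_student_id", "name", "email"}
# Assumed shape of an FSD-specific identifier: 3-letter code, dash, 4-6 digits.
FSD_ID_RE = re.compile(r"^[A-Z]{3}-\d{4,6}$")

# Constructed sample return: one prohibited column and two defective rows.
SAMPLE_RETURN = """\
fsd_student_id,course_level,mode_of_study,disability,support_provided,cost,pps_number
ABC-000123,Undergraduate,Full time,Visual,Assistive technology,1200,1234567T
ABC-000124,Postgraduate,Part time,Hearing,Sign language interpreter,-50,2345678U
20190017,Undergraduate,Full time,Physical,Personal assistant,3000,3456789V
"""


def check_return(csv_text):
    """Validate one HEI return. Returns (findings, clean_rows).

    findings: issues to raise with the HEI before the return is accepted.
    clean_rows: rows restricted to ALLOWED_COLUMNS; rows failing the
    completeness/consistency checks are dropped rather than modelled.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    header = set(reader.fieldnames or [])
    extra = header & PROHIBITED_COLUMNS
    unknown = header - ALLOWED_COLUMNS - PROHIBITED_COLUMNS
    missing = REQUIRED_COLUMNS - header
    if extra:
        findings.append(f"prohibited identifier columns present: {sorted(extra)}")
    if unknown:
        findings.append(f"columns not in the RAR template: {sorted(unknown)}")
    if missing:
        findings.append(f"required columns missing: {sorted(missing)}")

    clean_rows = []
    for n, row in enumerate(reader, start=2):  # line 2 is the first data row
        ok = True
        sid = row.get("fsd_student_id") or ""
        if not FSD_ID_RE.match(sid):
            findings.append(f"line {n}: identifier {sid!r} is not an FSD-specific id")
            ok = False
        for col in sorted(REQUIRED_COLUMNS):
            if not (row.get(col) or "").strip():
                findings.append(f"line {n}: {col} is empty")
                ok = False
        try:
            if float(row.get("cost") or "") < 0:
                findings.append(f"line {n}: negative cost")
                ok = False
        except ValueError:
            findings.append(f"line {n}: cost is not numeric")
            ok = False
        if ok:
            # Keep only template columns so extra data never reaches the model.
            clean_rows.append({c: v for c, v in row.items() if c in ALLOWED_COLUMNS})
    return findings, clean_rows


def anonymise(rows):
    """Drop the student identifier once allocation modelling is complete."""
    return [{c: v for c, v in r.items() if c != "fsd_student_id"} for r in rows]


def small_groups(rows, quasi_identifiers=("disability", "course_level"), k=5):
    """Combinations of remaining columns seen fewer than k times.

    Removing the identifier alone is not anonymisation if a rare combination
    of disability and course still singles a student out; these combinations
    need review before the file is used for reporting.
    """
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}


if __name__ == "__main__":
    found, clean = check_return(SAMPLE_RETURN)
    for f in found:
        print("finding:", f)
    print("rows accepted:", len(clean))
    print("small groups after anonymisation:", small_groups(anonymise(clean)))
```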
Which of the rights are you able to support?
□ Erasure □ Portability □ Access □ Restriction □ Objection □ Rectification

If you cannot support any rights, outline why. Erasure and Objection cannot be supported because
funding cannot be allocated to institutions without the relevant data. Anonymised returns are
retained for statistical and policy purposes. Aggregated data is used to inform recurrent grant
allocation to institutions.

Will you be transferring personal data internationally? □ Yes □ No
Country:

If applicable, how will you safeguard the international transfer of personal data?
□ Adequacy agreement
□ Standard contractual clauses
□ Binding corporate rules
□ Approved code of conduct
□ Approved certification mechanism
□ Approved ad-hoc contracts
□ Derogation
H. Security

Are there prior concerns over this type of processing or security flaws? Previously FSD related
returns with personal data were sent to the CSDF by email. To reduce the risk to security of the
data, HEIs are now requested to submit returns using the CSDFnet FileSend facility and use
passwords agreed individually between each institution and the CSDF.

What is the current state of technology in this area? The CSDF will explore the possibility of
implementing a portal to support FSD operation, within its new CRM or grant management solution.

Is there new technology being used or new processing being conducted as part of the project?
e.g. new software to analyse data or new methods of data collection etc. No.

Are safeguards in place to limit access to personal data? Provide summary of safeguards. Yes,
technical and organisational measures are in place: Files are stored on the CSDF’s shared drive
and only authorised staff have access to the relevant folders. CSDF staff receive data protection
training.

Are safeguards in place to limit unauthorised processing of personal data? Provide summary of
safeguards. Yes, technical and organisational measures are in place: Once the personal data has
been processed for FSD modelling of allocations, the collated RAR file is anonymised. CSDF staff
receive data protection training.

Are security measures in place to protect the data? Provide summary of safeguards. Files are
stored on the CSDF’s shared drive and only authorised staff have access to the relevant folders. A
system of regular backups supported by CSDF IT staff is in place.
3. IDENTIFICATION & ASSESSMENT OF RISKS
To effectively assess risks, the information provided in the previous sections should be reviewed and assessed against the principles of data protection (see
Appendix A) and universal privacy risks (Appendix B). Appendix C provides guidance on assessing risks.

If any of the risks outlined cannot be managed and the residual risk remains high, the Data Protection Commissioner must be contacted before moving
forward with the project; this is a requirement under the Kenyan Data Protection Act, 2019.

Each risk below is recorded with its Risk No., the Risk, the Mitigating Action, and the assessed
Likelihood, Severity, Risk Level and Residual Risk.

1. Lawful, Fair & Transparent: Personal data is processed lawfully, fairly and in a transparent manner.

Risk 1.1: CSDF legislation is not updated (CSDF Act 2020); the legal basis is not considered
sufficient.
Mitigating Action: CSDF legislation is being updated.
Likelihood: Reasonable. Severity: Minimal. Risk Level: Low. Residual Risk: Low.

Risk 1.2: Information about data processing is not sufficiently transparent from the data subject’s
point of view.
Mitigating Action: CSDF reviews the relevant documentation on an annual basis as FSD Guidelines
are updated for the new academic year. Feedback received from the HEIs and other stakeholders is
considered.
Likelihood: Reasonable. Severity: Some. Risk Level: Medium. Residual Risk: Low.

2. Purpose limitation: Personal data is only collected for pre-specified, explicit and legitimate
purposes and not further processed if this is incompatible with those purposes.

Risk 2.1: That the student’s data will be further processed by the CSDF.
Mitigating Action: The CSDF do not use the data except for the purpose for which it is collected by
the HEIs and returned to the CSDF. Internal technical and operational measures are in place to
prevent further processing incompatible with the purposes for which the data is being collected.
The specific mitigating measures in place are:
- Anonymising the FSD modelling file when the process of modelling FSD allocations is
  completed, deleting individual returns received from institutions
- Access to data on the shared drive granted to authorised CSDF staff members only
- Adherence to the CSDF’s data retention policy
- Adherence to Internal IT security policy
Likelihood: Remote. Severity: Some. Risk Level: Low. Residual Risk: Low.

3. Data minimisation: Personal data is adequate, relevant and limited to what is necessary in
relation to the purposes for which they are processed.

Risk 3.1: That student data that is not required for FSD modelling purposes will be forwarded to
the CSDF for processing.
Mitigating Action: A review of the template is undertaken on an annual basis to ensure that only
necessary data is collected. RAR returns are checked upon receipt and if additional data is
identified, the relevant HEI will be notified and the additional data deleted.
Likelihood: Remote. Severity: Some. Risk Level: Low. Residual Risk: Low.

4. Accuracy: Personal data shall be accurate and, where necessary, kept up to date.

Risk 4.1: That inaccurate or incorrect data on the data subject will be collected and stored by the
CSDF.
Mitigating Action: Thorough checks are undertaken by the CSDF staff to ensure that the data
provided is complete and consistent in order to mitigate this risk. Where issues are identified,
clarifications / corrections are requested from the HEIs.
Risk Level: Low. Residual Risk: Low.

5. Storage Limitation: Personal data shall be kept in a form which permits identification of data
subjects for no longer than is necessary for the purposes for which the personal data are
processed.

Risk 5.1: That the student’s personal data will be kept for longer than required.
Mitigating Actions: CSDF encourages HEIs to use an FSD specific identifier, so that students
cannot be identified within the CSDF. HEIs are advised not to use PPS numbers and institutional
student IDs in FSD returns. Identifying data are removed by the CSDF once modelling of allocations
is completed. Adherence to the CSDF’s data retention policy.
Likelihood: Remote. Severity: Some. Risk Level: Low. Residual Risk: Low.

6. Security, Integrity and Confidentiality: Personal data shall be processed in a manner that
ensures appropriate security of the personal data.

Risk 6.1: That the data subject’s information might be shared or processed by persons who do not
have the correct authority to do so, either within the CSDF or the HEI who collect it.
Mitigating Action: Controls are implemented to safeguard against any improper sharing or
processing of data within the CSDF. Only authorised CSDF staff members have access to the data
and they are aware of the data protection implications, in line with the standard operational
procedures in place. When liaising with the relevant HEIs where data need to be exchanged, files
with the data will be password protected using a password agreed separately with each individual
HEI. Internal IT security policy is also in place as a mitigating measure against this risk.
Likelihood: Reasonable. Severity: Some. Risk Level: Medium. Residual Risk: Low.

7. Accountability: It should be demonstrable that personal data is processed in line with data
protection principles.

Risk 7.1: That information available to external stakeholders about FSD and the relevant data
processing is not sufficient.
Mitigating Action: FSD Guidelines are circulated on an annual basis; the CSDF engages with the
sector via the DAWN group. The DPIA report and a data collection notice will be made available on
the CSDF website.
Likelihood: Reasonable. Severity: Some. Risk Level: Medium. Residual Risk: Low.

8. Rights of Individuals: Data subjects have the right to request access, rectification, portability, or
erasure of their personal data or to object to the processing method.

Risk 8.1: That data subjects will not be able to exercise their rights over their data.
Mitigating Action: The CSDF might not be able to support the right to erasure and the right to
object. Other data subjects’ rights will be supported. The CSDF will be transparent about the above
limitations to data subjects’ rights.
Likelihood: Remote. Severity: Some. Risk Level: Low. Residual Risk: Low.

9. Transfers to Third Countries: Personal data shall only be passed on within Kenya or where an
adequate level of privacy protection is in place.

Risk 9.1: The data is not intended to be provided to subjects outside Kenya.
Mitigating Action: All staff who have access to FSD data are aware of the applicable restrictions in
place. Access to data is restricted to authorised CSDF staff members only. Password protection is
applied on files that are being sent between the CSDF and the HEIs.
Likelihood: Remote. Severity: Some. Risk Level: Low. Residual Risk: Low.

10. Other risks.

Risk 10.1: No FSD specific other risks have been identified.
4. RISK MITIGATION

As outlined in the table above.

5. APPROVAL & SIGN OFF

Approval considerations (e.g. DPO or external consultant advice)

Comments:

Data Protection Officer

Signed: ……Michael Mwangi…………………. Date: ………15 Nov 2023………….

Business Owner

Signed: …Andrea Sagar……………………….. Date: …16 November 2023…………………

APPENDIX A – PRINCIPLES OF DATA PROTECTION
The starting point of a DPIA is to identify the relevant privacy principles. Based on research from
different sources, several privacy principles are identified, which are relevant to an assessment of the
design of a new system or change in existing processing of personal data or another use of existing
systems and related data processing.

1. Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in
a transparent manner.

- Has a lawful basis for the processing activity been identified?
- Is the processing listed in the Record of Processing Activities?
- Does the processing seem fair, i.e. not excessive?
- Are we being transparent about the processing? Has the type of processing been identified in
  the privacy notice or has the data subject been otherwise informed?

2. Purpose limitation: Personal data shall be collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with those purposes; further
processing for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes shall, in accordance with Article 89(1) of the GDPR, not be considered to
be incompatible with the initial purposes.

- Will this new project/processing activity involve data being processed in a manner for which it
  was not collected?
- Have we been transparent about any extra processes? Is the processing still lawful?

3. Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in
relation to the purposes for which they are processed.

- Are we excessively collecting or processing data?
- Is the system processing data for purposes other than the purpose for which it was
  established?
- Is the data being processed relevant to the purpose?

4. Accuracy: Personal data shall be accurate and, where necessary, kept up to date; every
reasonable step must be taken to ensure that personal data that are inaccurate, having regard to
the purposes for which they are processed, are erased or rectified without delay.

- Are there measures which guarantee the accuracy and correctness of the personal data
  processed within the information system?
- Can data be updated, where required?
- How often is data updated? Is this frequently enough?

5. Storage Limitation: Personal data shall be kept in a form which permits identification of data
subjects for no longer than is necessary for the purposes for which the personal data are
processed; personal data may be stored for longer periods insofar as the personal data will be
processed solely for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the
appropriate technical and organisational measures required by this Regulation in order to
safeguard the rights and freedoms of the data subject.

- Does the system allow data to be deleted when it is no longer required?
- What retention periods are being implemented? Has a clear justification for these retention
  periods been established?
- If data is anonymised/pseudonymised, are we sure that a person cannot be identified using
  the retained data?

6. Integrity and Confidentiality: Personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection against unauthorised or unlawful
processing and against accidental loss, destruction or damage, using appropriate technical or
organisational measures.

- Have appropriate security controls been implemented to protect the data?
- Has the IT team been consulted on the effectiveness of the controls in place? Are they in line
  with ISO 27001 or another information security standard?
- Are the controls which have been implemented proportionate to the nature of the data?

7. Accountability: The responsible entities, also known as “controllers”, take measures to implement
programmes to eliminate or mitigate privacy risks at strategic, tactical and operational level.
Assurance of these measures includes proof of monitoring of these risks, internal and/or
external audit and potentially reporting to external stakeholders such as privacy authorities or data
protection regulators.

- Are any risks identified being monitored effectively?
- Can any decisions made be justified, and are they documented should an audit take place?

8. Rights of Individuals: Citizens and consumers have the right to request access, rectification,
portability, or erasure of their personal data or to oppose the processing method. The individual
may ask which authorities have been provided with personal data and which authorities have
received their personal data.

- Does the system impose restrictions on the ability to comply with valid subject right requests?
APPENDIX B – PRIVACY RISKS
There are a range of different ways that an individual’s data privacy can be compromised or put at risk
by a new project. The types of risk range from the risk of causing distress, upset or inconvenience to
risks of financial loss or physical harm. There are equally as many kinds of data privacy-related risks
to organisations, related to compliance issues and commercial factors.

Look at whether the processing could possibly contribute to:

 inability to exercise rights (including but not limited to privacy rights);
 inability to access services or opportunities;
 loss of control over the use of personal data;
 discrimination;
 identity theft or fraud;
 financial loss;
 reputational damage;
 physical harm;
 loss of confidentiality;
 re-identification of pseudonymised data;
 or any other significant economic or social disadvantage.

You should include an assessment of the security risks, including sources of risk and the potential
impact of each type of breach (including illegitimate access to, modification of or loss of personal
data).

Examples of Risks to Individuals

 Inadequate disclosure controls increase the likelihood of information being shared
inappropriately.
 The context in which information is used or disclosed can change over time, leading to it
being used for different purposes without people’s knowledge.
 New surveillance methods may be an unjustified intrusion on their privacy.
 Measures taken against individuals as a result of collecting information about them might be
seen as intrusive.
 The sharing and merging of datasets can allow organisations to collect a much wider set of
information than individuals might expect.
 Identifiers might be collected and linked which prevent people from using a service
anonymously.
 Vulnerable people may be particularly concerned about the risks of identification or the
disclosure of information.
 Collecting information and linking identifiers might mean that an organisation is no longer
using information which is safely anonymised.
 Information which is collected and stored unnecessarily or is not properly managed so that
duplicate records are created, presents a greater security risk.
 If a retention period is not established information might be used for longer than necessary.

Examples of Corporate Risks

 Non-compliance with legislation can lead to sanctions, fines and reputational damage.
 Problems which are only identified after the project has launched are more likely to require
expensive fixes.
 The use of biometric information or potentially intrusive tracking technologies may cause
increased concern and cause people to avoid engaging with the organisation.
 Information which is collected and stored unnecessarily or is not properly managed so that
duplicate records are created, is less useful to the business.
 Data losses which damage individuals could lead to claims for compensation.
 Public distrust about how information is used can damage an organisation’s reputation and
lead to loss of business.

Examples of Compliance Risks

 Non-compliance with the common law duty of confidentiality.
 Non-compliance with the Data Protection Acts 2019 / General Data Protection
Regulation (GDPR).
 Non-compliance with the Privacy and Electronic Communications Regulations (PECR) / e-
Privacy Regulation.
 Non-compliance with human rights legislation, including the Universal Declaration of Human
Rights (UDHR).

APPENDIX C – ASSESSING RISK
Consider the potential impact on individuals and any harm or damage your processing may cause –
whether physical, emotional or material. In particular, look at whether the processing could contribute
to:

 inability to exercise rights (including but not limited to privacy rights);
 inability to access services or opportunities;
 loss of control over the use of personal data;
 discrimination;
 identity theft or fraud;
 financial loss;
 reputational damage;
 physical harm;
 loss of confidentiality;
 re-identification of pseudonymised data; or
 any other significant economic or social disadvantage.

You should include an assessment of the security risks, including sources of risk and the potential
impact of each type of breach (including illegitimate access to, modification of or loss of personal
data).

To assess whether the risk is a high risk, you need to consider both the likelihood and severity of the
possible harm. Harm does not have to be inevitable to qualify as a risk or a high risk. It must be more
than remote, but any significant possibility of very serious harm may still be enough to qualify as a
high risk. Equally, a high probability of widespread but more minor harm may still count as high risk.

You must make an objective assessment of the risks. It is helpful to use a structured matrix, with
likelihood on one axis and severity on the other, to think about and record the rating of each risk.

APPENDIX D – RAR RETURN SPREADSHEET

Blank RAR Return.xlsx
