Privacy Due Diligence

The document outlines a Data Protection Impact Assessment (DPIA) screening questionnaire for organizations to evaluate the necessity of conducting a DPIA. It includes mandatory and advisory grounds for conducting a DPIA, steps for identifying the need for a DPIA, and detailed descriptions of the processing activities involved. The document emphasizes the importance of compliance with data protection regulations and the need for stakeholder engagement throughout the DPIA process.

Uploaded by 22bba044 (24 pages)

ANNEXURE I

DPIA Screening Questionnaire

Data Protection Impact Assessment of [Insert your organisation's name]

Project Title:
Department Name:
Date:
Name of person(s) undertaking the DPIA:

Mandatory grounds to conduct a DPIA - SECTION A (answer Yes / No to each question)

1. Will the project be using systematic and extensive profiling to make significant decisions about people? Examples include knowledge transfer partnerships using assistive technology.

2. Will the project process special category (sensitive) or criminal offence data on a large scale? Examples include health clinics and financial records.

3. Will the project systematically monitor publicly accessible places on a large scale (e.g., CCTV)?

4. Are you using new technologies, e.g., biometrics, genetics, facial recognition or a major new piece of software? Examples include the use of learner analytics and new student records systems.

5. Will the project use profiling of special category (sensitive) data or criminal offence data to decide on access to services, opportunities or benefits? Examples include asking all applicants to declare criminal convictions.

6. Will the project combine, compare or match data from multiple sources? Examples include wealth screening of alumni as potential donors.

7. Will the project process personal data without providing a privacy notice directly to the individual ('invisible processing')? Examples include scraping or mining personal data from external sources for research.

8. Will the project process personal data in a way that involves tracking individuals' online or offline location or behaviour, and meets one or more of the other criteria in Section A? Examples include using cookies for targeted advertising and CCTV.

9. Will the project process children's personal data for profiling, automated decision-making or marketing purposes, or offer online services directly to them? Examples include offering an online chat service to minors.

10. Will the project process data that might endanger the individual's health or safety in the event of a security breach? Examples include well-being records.

If you answered YES to any of questions 1 - 10, these are mandatory grounds: carry out a DPIA to ensure thorough due diligence and proceed to Step 1.

Advisory grounds to conduct a DPIA - SECTION B (answer Yes / No to each question)

11. Will the project involve large-scale processing of personal data?

12. Will the project involve profiling, monitoring or automated decision-making?

13. Does the project involve special category (sensitive) data, criminal offence data or the personal data of vulnerable individuals (including children)?

If you answered YES to any of questions 11 - 13, it is strongly recommended that you conduct a DPIA; move to Step 1. If you decide not to complete a DPIA even though you answered Yes in Section B, reach out to your Privacy Office/Data Protection Office with a rationale for not performing a DPIA.

If you answered 'No' to ALL the above questions, conducting a DPIA might not be required. Nonetheless, confirming this with your Data Protection Office/Privacy Office is advisable. Record the screening outcome either way: the screening decision itself must be documented for any processing of personal data (see Annexure II, DPIA process).

Is a full DPIA required? (Data Protection Office/Privacy Office use only):
Annexure II
Data Protection Impact Assessment
<Insert name of project/processing activity>

DPIA process:
1. The DPIA screening process (Annexure I) must be considered and documented for any activity involving the processing of personal data.
2. If applicable (i.e., the screening questions identify the necessity for a mandatory DPIA), this template must be completed:
2.1. Complete Steps 1 - 10.
2.2. Email the draft to your Data Protection Office/Privacy Office for advice on Step 11 (sign off and record outcomes).
2.3. Complete Step 11, sign and send a copy to your DPO. Keep the original for reference. The DPO will maintain a copy centrally. Please note that the DPO may need to submit this document as evidence to the regulator.

Step 1: Identify the need for a DPIA

1. Summarize why you identified the need for a DPIA. (This can draw on your answers to the screening questions.)

2. Explain broadly what the project/processing activity aims to achieve and what type of processing it involves.

3. You may find it helpful to link to other relevant documents related to the project, such as a project proposal. (Identify other documents here.)
Step 2: Describe the Processing

2.1 About the processing activity in scope:

1. Provide a brief description of what the data processing is intended to accomplish (i.e., the primary purposes for which the data are collected and used). Generally, this can be a high-level description of the services. Briefly describe the service, the data subjects whose personal data is processed, and the purpose/value derived from the processing system. Put simply, why does this exist?

2. Is there a joint controllership? If so, explain how responsibilities are captured and divided between the controllers.

3. Provide a detailed narrative of the processing of personal data and highlight any steps that are high risk. This needs to contain sufficient detail to understand what personal data will be processed, how, and by whom. The narrative should allow a reader, such as a regulator, to understand how the data flows.

4. List the personal data being processed.

5. Provide an approximate number of individual data subjects whose personal data is envisaged to be processed.

6. What categories of data subjects are affected by the data processing (i.e., whose personal data is being processed), and what is the nature of your relationship with those individuals?

2.2 Describe the nature of the processing:

1. How will you collect, use, store, and delete data?

2. What is the source of the data?

3. Will you be sharing data with anyone? You might find it helpful to refer to a flow diagram or other way of describing data flows.

4. What types of processing identified as likely high-risk are involved?

2.3 Describe the scope of the processing:

1. What is the nature of the data, and does it include special category or criminal offence data?

2. How much data will you be collecting and using? How often?

3. How long are the data retention periods?

4. How many individuals are affected?

5. What geographical area does it cover?

2.4 Describe the context of the processing:

1. What is the nature of your relationship with the Data Principals (the data subjects)?

2. How much control will the Data Principals have over their data?

3. Would the Data Principals expect you to use their data in this way?

4. Do the Data Principals include minors or other vulnerable groups?

5. Are there prior concerns over this type of processing, or known security flaws?

6. Is the processing novel in any way?

7. What is the current state of technology in this area?

8. Are there any current issues of public concern that you should factor in?

9. Have you signed up to any approved code of conduct or certification scheme (once any have been approved)?

2.5 Describe the purposes of the processing:

1. What do you want to achieve through the processing?

2. What is the intended effect of the processing on individuals?

3. What are the benefits of the processing, for your organisation and more broadly?
Step 3: Lawfulness, Fairness, and Transparency

1. What is the lawful basis for this processing?

2. Are there other, less privacy-impacting methods to achieve the same outcome?

3. What information or privacy notices are provided to data subjects in relation to the processing?

4. If processing is based on consent, how is consent obtained and withdrawn?

Step 4: Purpose Limitation

1. What controls are in place to prevent personal data from being used for another purpose incompatible with the primary purpose of collection, or with the lawful basis for collection and processing?

Step 5: Data Accuracy and Data Minimization

1. What controls are in place to ensure data quality and data minimization?

Step 6: Accountability

1. What measures do you have in place to demonstrate compliance with applicable data protection regulations and privacy principles?

2. What organisational measures (such as training) have you implemented?

Step 7: Data Subject Rights

1. How will the rights of data subjects impacted by this activity be supported?

Step 8: Data Security

1. What controls are in place to ensure the security of personal data (e.g., access control, encryption in transit and at rest, logging and monitoring, and breach response)?

Step 9: Data Processors and International Transfers

1. Specify the jurisdiction(s) where the processing activity(ies) will take place. Will the processing take place in data centres and/or cloud services hosted from particular locations? For example: data capture in Europe, data review in India, data storage in the USA, and data backup in Australia.

2. Could personal data be shared/transferred outside the country in question? If so, explain where and how the data is transferred, by whom, and under what transfer mechanism.

3. Will a contract be put in place with third parties containing the customer's Data Protection Laws clauses? If a contract is already in place, provide details of the person (Privacy Office, solicitor or procurement) who has verified that it contains the customer's Data Protection Laws clauses. Attach a copy of the contract if possible.

4. State how you will monitor the data processor's compliance with Data Protection requirements, e.g., third-party audits.

5. Is there any approved code of conduct or certification scheme?

Step 10: Stakeholder Engagement

1. Customer stakeholders involved in completing this DPIA. Please include all key stakeholders involved, e.g.:
• DPO/Privacy Office
• Risk and Compliance
• Legal
• Product/Project Manager
• Internal Data Protection Subject Matter Experts (SMEs)
In addition to those who have supported the completion of this DPIA, are there any other internal stakeholders who need to be made aware? Document any Customer Data Protection SME consulted during the completion of the DPIA, or external stakeholders with whom you need to liaise about this, e.g., works councils.

2. Describe when and how you will seek the views of those whose personal data will be processed as a result of this activity, or justify why it is not appropriate to do so.

3. Is there a need to ask data processors or any other third parties to assist in stakeholder engagement?
Annexure III
Data Protection Risk Identification, Assessment and Mitigation

Step 11: Sign off and record outcomes

Item: Measures approved by
Name / Date:
Notes: Integrate actions back into the project plan, with a date and responsibility for completion.

Item: Residual risks approved by
Name / Date:
Notes: If accepting any residual high risk, consult the relevant regulatory/supervisory authority before going ahead.

Item: DPO advice provided
Name / Date:
Notes: The DPO should advise on compliance, on the mitigation measures identified, and on whether processing can proceed.

Item: Summary of DPO advice
Name / Date:
Notes:

Item: DPO advice accepted or overruled by
Name / Date:
Notes: If overruled, you must explain your reasons.
