Privacy Scan
The GDPR requires that the use of personal data is limited to what is necessary and proportional, but when is something really necessary and proportional? To facilitate this assessment, the Geo Privacy Officer has developed the Privacy Scan, a framework that evaluates and documents the necessity and proportionality of personal data processing activities. It generates documentation in which the assessment of a given activity is demonstrated in 11 steps, covering the purpose (why personal data is needed), the processing (how personal data is used) and the transparency of an activity. Altogether, these steps evaluate, demonstrate and document that the processing of personal data is indeed necessary and proportional.
All projects at the faculty that process personal data need to complete a Privacy Scan; it plays a key role in the Privacy Program of the Geo Faculty. A Privacy Scan is completed with the direct involvement and support of the Geo Privacy Officer. Project controllers are advised to start a Privacy Scan by first becoming properly acquainted with the contents of this guidance, and then contacting the Geo Privacy Officer (privacy-geo@uu.nl) to communicate the intention to start a Privacy Scan and to schedule an introductory meeting. In this meeting the project is discussed, and a shared folder for the project is created in the Geo Privacy SharePoint site, where the Privacy Scan and related documentation are stored. Follow-up meetings are then scheduled as necessary to review progress, until the Privacy Scan is completed and marked as approved by the Privacy Officer. Every Privacy Scan must be reviewed and approved by the Privacy Officer before data processing starts.

A Privacy Scan is completed by the individual(s) with the most knowledge about the project or activity. The responsibility to start and maintain a Privacy Scan rests with the individual(s) in charge of the project: those who can take decisions about the project design and who will be responsible for the project throughout its entire duration. In the Privacy Scan, such individual(s) are referred to as the project’s controllers. Under the GDPR, a controller is the entity that “determines the purposes and means of the processing of personal data”. Plainly speaking, a controller exercises overall control over the personal data being processed and is ultimately in charge of, and responsible for, the processing.
Strictly speaking, the University as an organisation is the controller responsible for all data processing activities, but for practical purposes this responsibility is extended to the UU members who are directly responsible for specific processing activities: the individual(s) who have final authority and can make decisions about the processing activity, and who are able to respond to any inquiries throughout its entire duration. These individual(s) with direct responsibility are the ones referred to in practice as controllers in the Privacy Scan, and their contact details are the ones that need to be included at the start of the Privacy Scan document. The listed controllers are responsible for the safety and privacy of the project’s personal data, from the start of data collection until all personal data has been deleted and/or anonymized, which may take up to 10 years for some research data. It is important to ensure that even if a controller leaves the UU, there is always someone from the UU included in the list who remains responsible for the project. For research projects, the controllers often include at least the principal investigator, professor or promoter responsible for the research project, alongside the postdoc, PhD candidate or Master’s student who will perform most of the data collection activities. Any external affiliations (controllers who are not UU students or employees) must also be indicated, as these are expected to be discussed in Step 8 of the Privacy Scan. It is important to clearly identify who the controllers are, as a Privacy Scan can only be properly conducted by individuals who have the power to decide, and to question, why and how a given processing is conducted, and whether there are alternative ways in which the data could be collected and processed. Ideally, a Privacy Scan is started while the project is being designed.
Complex projects are strongly encouraged to start the process early in the design stage by contacting the Privacy Officer, so that potential problems can be proactively identified and addressed while the project design is still under development and changes are more easily implemented.

A Privacy Scan is a ‘living document’. The project controllers are responsible for continuously editing and updating the document alongside the project life cycle, so that it always provides up-to-date documentation of the project’s compliance. The Privacy Scan is stored in its own project shared folder within the Privacy Geo SharePoint online, alongside other project documentation such as data management plans, information sheets provided to data subjects, data processing agreements, etc.

The Privacy Scan is meant to be flexible and scalable. A single document can cover one or a few processing activities that share a goal. More complex projects can be split into several separate Privacy Scans, to keep the documentation manageable; for example, a large research project can have a separate Privacy Scan for each work package. Scalability also implies that the thoroughness of the descriptions at each step of the Privacy Scan must be directly proportional to the scale and potential risk of the processing activity being described: larger processing will require more thorough justifications, while small-scale, low-risk, common activities will not.

Defining the purpose of the processing activity: Step 1 of the Privacy Scan

The first step of the Privacy Scan serves as the introduction to the processing activities that will be covered by the documentation. It starts with a brief description of the purpose(s) of the project (what the project is trying to achieve, solve or address) and of the processing activities (especially those that involve the use of personal data, like interviews and observations) it will need to carry out to reach that goal.
This description sets the scope of the Privacy Scan, as the following steps focus on each of these activities, explaining why they are indeed necessary to reach the purpose. Follow the link for more details on Step 1.

Describing the processing activity: Steps 2 to 6 of the Privacy Scan

Once the context of the Privacy Scan has been defined in Step 1, the next steps describe the processing activities, starting with the people whose data is being processed (the data subjects) in Step 2: how and why they are targeted, how many people are involved, and whether there is a relationship between the data subjects and the people responsible for the project that may interfere with their capacity to freely give consent. Follow the link for more details on Step 2.

In Step 3, the Privacy Scan describes the personal data collected and used in the processing activities. This description includes an explanation, a justification, that shows why each specific type of data is indeed necessary. Follow the link for more details on Step 3.

Once the data subjects and their data have been described and justified in Steps 2 and 3, Step 4 describes how personal data is processed: where it comes from, how and where it is stored and analyzed, who has access to the data and for what reasons, and for how long the data is retained. This description demonstrates that the processing is secure, accurate and limited to what is necessary to reach the purpose of the activity, and thereby that the principles of data minimisation and data protection by design and by default are appropriately applied. Follow the link for more details on Step 4.

Step 5 demonstrates that the processing described in Steps 1 to 4 is transparent to data subjects, by describing the project’s information strategy (how information is provided to data subjects) and the content of that information (what information is actually provided to data subjects).
This is related to Step 6, which explains how the controllers plan to properly manage requests from data subjects exercising their data subject rights. Projects handling a relatively small number of individuals and their data can realistically manage these requests manually, whereas large projects must have a proper plan to demonstrate their capacity to respond to these requests in the required form and within the required time. Follow the links for more details on Step 5 and Step 6.

Assessing and documenting the legal compliance of the processing: Steps 7 to 11 of the Privacy Scan

After describing the processing, Step 7 of the Privacy Scan describes the legal basis of the processing activities. This description relies on the other steps of the Privacy Scan to substantiate the chosen legal basis; for example, ‘consent’ relies on Step 5 to demonstrate that participants are properly informed, an essential requirement for valid consent. Follow the link for more details on Step 7.

Step 8 in turn describes the measures that ensure the processed data remains properly protected while in the hands of others, such as (joint) controllers and processors. In general terms, this is required whenever a project plans to work with third parties, such as external researchers, collaborators and other service providers. Follow the link for more details on Step 8.

If personal data is transferred, exported or otherwise made accessible to others in third countries outside the EU or the EEA, Step 9 describes how and why these transfers are allowed under the GDPR. Follow the link for more details on Step 9.

Also related to data subjects’ rights, and especially when a project is expected to process data in a manner that data subjects would not expect, it is important to consult data subjects and to incorporate their views in the design of the processing. Step 10 describes these views.
Consulting data subjects to obtain their views on the processing empowers them to exert control over the process during the design stage, so that their feedback is incorporated into the project’s design. Follow the link for more details on Step 10.

Lastly, Step 11 describes the risk assessment that documents that the processing activities are not likely to have a disproportionate impact on data subjects. This assessment identifies the potentially adverse effects (damages) that the processing might have on data subjects, and then documents the legal, technical and organizational safeguards that will ensure these risks are mitigated. Whereas the first part of the Privacy Scan demonstrates that the processing is indeed necessary to reach its goals, the last part, and Step 11 in particular, demonstrates that the processing is also proportional. Follow the link for more details on Step 11.
The Privacy Scan consists of 11 steps:
Step 1: Purpose of the project and its processing activities
Step 2: Data subjects
Step 3: Personal data collected and used, with justification
Step 4: How personal data is processed (source, storage, analysis, access, retention)
Step 5: Information provided to data subjects (transparency)
Step 6: Handling data subject rights requests
Step 7: Legal basis of the processing
Step 8: Third parties: (joint) controllers and processors
Step 9: Transfers to third countries outside the EU/EEA
Step 10: Views of data subjects
Step 11: Risk assessment and safeguards
Use the Privacy Scan template and follow the links for more detailed guidance.