DPIA List of Requirements

Before submitting your completed DPIA to the DP & FOI Office, please ensure that you have completed and addressed all relevant points below. Please be advised that the DP & FOI Office will not review your DPIA unless you can demonstrate engagement with or reference to the checklist and its attending documents and requirements.

  • If you are claiming that your data is anonymous, are there any potential data linkages that would allow someone to identify your data subjects? Note that simply removing a name does not constitute anonymisation. Have you considered the impact of other potential identifiers e.g. you are studying individuals with an uncommon medical condition and also working with gender, age, and location data or other factors that narrow your population and potentially lead to identification?
  • Have you determined if your data truly anonymous or is it pseudonymous? If you hold an identifier key(s) that would allow you or another party to identify your masked data then it is pseudonymous and therefore must be treated as personal data. 
  • Have you determined whether you/the University is a data controller or a data processor for this project?
  • Have you included specific details regarding your data flow – where is the data coming from, who are you sharing access with, where is it going upon project completion?
  • How will you gather, store and access the data? Will you require third parties to assist you? Have you detailed this within the DPIA?
  • If you are sharing your personal data outwith the University, is a data sharing agreement in place or do you need one?
  • Have you completed a privacy notice to inform data subjects on the intended use of their personal data? 
  • Have you completed the University's online Data Protection and Information Security training modules? (These are mandatory for staff.) 
  • Have you completed a research data management plan? See the workflow diagram for more information on requirements in advance of Ethics submission.
  • Have you considered ways to reduce potential risk and have you demonstrated practical compliance, including: 
    • pseudonymisation
    • data minimisation
    • storage limitation 
    • access restrictions 
    • technical solutions (e.g. encryption)
    • organisational measures (e.g. policies, procedures and workflows to comply with GDPR requirements)


Nov 2022 v2.0