Under current legislation as well as GDPR, there is an expectation that privacy is designed into any processing of personal data. GDPR sets out a risk-based approach to compliance arrangements. Controllers should therefore assess the level of risk associated with proposed processing of personal data, taking account of the broader framework for compliance already in place and factors such as the volume of data or the novelty of the proposals, e.g. use of new technology for processing the data.
Health research already takes place within a context of established arrangements for sponsor oversight and for use of personal data, which should include documented risk assessments through the IRAS application. As part of the sponsor oversight, consideration should be given to the above risks. This means that it is not necessary for the sponsor to undertake a separate privacy impact assessment process for every research project. Furthermore, due to the arrangements for study-wide review across the NHS (through HRA Approval and equivalent coordinated approaches), NHS sites should not undertake separate privacy impact assessments for each project. The study-wide review will highlight any considerations to be included in the local decisions about capacity and capability. HRA will be amending the information collected about use of personal data as part of the IRAS application to support this.
There are a limited number of situations where a Data Privacy Impact Assessment is legally required under GDPR. See the ICO website for details.