Data Protection Impact Assessment

We would suggest contacting your local Information Governance team to advise on data collection and storage before proceeding with any Forms on your site.

A Data Protection Impact Assessment (DPIA) is an essential assessment that helps you identify and minimise Data Protection risks. It is a key part of your accountability obligations under GDPR and, when done properly, helps you assess and demonstrate how you comply with all of your Data Protection obligations.

You should complete a Data Protection Impact Assessment for every piece of content on your site that is "likely to result in a high risk to the rights and freedoms of data subjects". This is a legal requirement: under GDPR, failure to carry out a DPIA when one is required is considered a breach and will leave you open to fines.

Every time you create a piece of content on your site that may be considered a risk, you should update your Privacy Policy to inform the user how you intend to use and store their data safely. For further information regarding Data Protection Impact Assessments, please view the ICO webpage.

Feedback Forms

Feedback forms are an easy way for you to collect user information, whether to minimise paper use, reduce patient visits, or simply for ease of use. However, there are risks involved that you will need to consider when using this method. A Data Protection Impact Assessment should be completed before publishing any Form on your site, to identify any new risks.

When setting up a Form on your site please make sure:

  • The return email address is correct - you don't want users' information being delivered to the wrong person. Data breaches will need to be reported to your local Information Governance team, and you are then at risk of a fine.
  • Test your form before setting it live on your site - make sure all fields on your Form are returning responses.