
Data Protection Impact Assessment: NHS login - formerly Citizen Identity

The General Data Protection Regulation (GDPR) requires a Data Protection Impact Assessment (DPIA) to be completed by a controller where its processing of personal data is considered to be a high risk to the rights and freedoms of individuals.

A Data Protection Impact Assessment (DPIA) is a useful tool to help NHS Digital demonstrate how we comply with data protection law.

DPIAs are also a legal requirement where the processing of personal data is “likely to result in a high risk to the rights and freedoms of individuals”. If you are unsure whether a DPIA is necessary, you should complete a DPIA screening questionnaire to assess whether the processing you are carrying out is regarded as high risk.

By completing a DPIA you can systematically analyse your processing to demonstrate how you will comply with data protection law and in doing so identify and minimise data protection risks. 

This document should be read in conjunction with the DPIA Guidance and DPIA Screening Questionnaire.


Download the DPIA

Last edited: 22 February 2022 10:23 am