Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
(3) A data protection impact assessment must include the
following—
(a) a general description of the envisaged processing
operations;
(b) an assessment of the risks to the rights and freedoms
of data subjects;
(c)
the measures envisaged to address those risks;
(d) safeguards, security measures and mechanisms to
ensure the protection of personal data and to demonstrate
compliance with this Part, taking into account the rights and
legitimate interests of the data subjects and other persons
concerned.
143.
(4) In deciding whether a type of processing is likely to result in
a high risk to the rights and freedoms of individuals, the controller
must take into account the nature, scope, context and purposes of
the processing.”
SWP prepared an impact assessment in respect of its use of AFR equipment.
We have seen Version 5.4, dated 11th October 2018. The Claimant contends
this assessment is defective: (a) because it is not written on the premise that
use of AFR Locate entails sensitive processing of personal data of members of
the public; and (b) because it does not recognise the interference with Article
8(1) rights of those members of the public. The Claimant also complains that
no data protection impact assessment was in place as at 25th May 2018, the
commencement date of section 64 of DPA 2018.
144.
This latter point is not a matter of any substance. SWP’s evidence was that
prior to May 2018 it had undertaken what it describes as a “Privacy Impact
Assessment”. We have seen Version 4 of that document, dated 12th February
2018. Among other matters, that document included consideration of the data
protection consequences of AFR Locate. SWP’s evidence is that, following
commencement of the DPA 2018, the Privacy Impact Assessment was revised
and retitled as a “Data Protection Impact Assessment”. Thus, we are satisfied
that at all material times the processing by SWP was supported by a relevant
impact assessment.
145.
The obligation of a data controller under section 64 of the DPA 2018 is to
undertake an assessment of the possible impact of the proposed processing of
personal data, and as part of that assessment: (a) to describe the processing
operations; assess the risks arising from those operations to the rights of data
subjects; (b) to identify any measures it proposes to take to address those risks;
and (c) to identify any measures it proposes to put in place as safeguards to
help ensure protection of personal data. Where the issue is whether a data
controller has complied with the section 64 obligation, the approach required
of the Court - or for that matter of the Information Commissioner should the