Complete Data Protection Impact Assessment (DPIA)

mysociety / neighbourhood-warmth

A prototype built as part of mySociety’s April 2022 prototyping week exploring conditional commitment services around home energy.

https://mysociety.github.io/neighbourhood-warmth

Other

1 stars 0 forks source link

Complete Data Protection Impact Assessment (DPIA) #35

Closed struan closed 1 year ago

struan commented 1 year ago

Next steps

[x] @sequencefree to read https://wiki.mysociety.org/wiki/Data_Protection/New_Site_Checklist
[x] @sequencefree to complete Neighbourhood Warmth Alpha data protection impact assessment.
[x] @zarino to review.
[ ] @sequencefree to review changes and create new tickets based on feedback.

Background

Struan suggested may not need to a be a full one.

sequencefree commented 1 year ago

@zarino Patched together DPIA above from our Neighbourhood Warmth – Plan for Alpha stage with a few assumptions. Are you happy to review please? Ta!

zarino commented 1 year ago

Thanks for starting this, @sequencefree!

I think, on balance, we probably don’t need to have done a DPIA for this project – the only data we’re collecting out of the ordinary is some users’ home addresses, but it’s borderline as to whether you’d class that data as posing a "high risk to the right and freedoms" of individuals – it certainly doesn’t meet any of the ICO’s criteria and doesn’t feel as obviously dangerous as any of their examples of high risk data – but hey, there’s no harm in doing a DPIA when we’re not sure. It’s all good practice!

I’ve made some changes to the document. We can discuss them if you’d like to know why I changed what I did.

There are some things we’ll still need to do – like adding a privacy policy to the site, and explaining how and why we’re collecting the data at signup.

sequencefree commented 1 year ago

Thanks Zarino!

Really helpful to understand your approach to this. I found the ICO checklists that our wiki page signposts a bit baffling, but the section and page you've pointed to above seems like a much better starting place for figuring out whether to even create a DPIA.

I skipped straight to creating a DPIA as I thought that might take less time than figuring out whether we needed to do one or not so I've updated the wiki page with your links and resisted the urge to create a flowchart.

Created a ticket to Create Privacy Policy #43 and commented on #27 re: user consent but haven't closed this ticket as I think we still need to resolve who will keep this DPIA under review.

Hope that helps!

zarino commented 1 year ago

Adding a note here that we should review whether the site even needs to store the address details at all.

We currently store the three address lines, and postcode line, as part of the Team model … but I guess really all it technically needs to store is the latitude/longitude (centroid, in the model above).

Still, we want to ask people to supply their address, because we have a research question around how comfortable people will be with sharing information about themselves / their home, and asking for their address feels like a simple way to test this.

But yeah, just because we ask for it, doesn’t mean we need to store it…

emilyk383 commented 1 year ago

Is this ticket 'done' Sion?

zarino commented 1 year ago

Yes, done now!