DPIA Screening: Performance Improvement Plan 2025-26
A Data Protection Impact Assessment (DPIA) is a process to help you systematically and comprehensively analyse your personal data processing and help you identify and minimise any data protection risks of a project.
You must do a DPIA before you begin any type of personal data processing that is “likely to result in a high risk.”
This set of screening questions will help you decide whether a DPIA is necessary.
Please note, if there is a change to the nature, scope, context or purposes of your processing you will be required to complete this screening template again.
You will be accountable for the screening decisions you make.
Therefore, it is critical that you document via “Explanatory Notes” the screening decisions you have made, providing logical reasons regarding whether to do a DPIA or not.
Section A - Project Details
Title of Project, Plan or Policy | |
---|---|
Is this an existing, revised or new project? | |
What is the purpose of the project, plan or policy? e.g. intended aims or outcomes. Include any relevant background information here. | |
Which MEABC Department owns or holds responsibility for this project, plan or policy? | |
Section B
Does this project, plan or policy involve the processing of personal data? | No |
---|---|
If the answer to this question is ‘No’, you do not need to conduct a DPIA. Please proceed straight to Section E. If the answer to this question is ‘Yes’, please proceed to Section C. |
Section C: Questions 1 – 13
For questions 1 to 13, a DPIA MUST be carried out if the answer is YES.
Your documentation should explain very clearly whether there are any indicators that a type of processing will likely result in high risk.
See Appendix A for Information Commissioner’s Office (ICO) examples of processing “likely to result in high risk.”
For some of these questions, the answer will only be “yes” if the processing occurs in combination with criteria (see questions 14 to 22) in the Article 29 Data Protection Working Party’s European Guidelines.
For each screening question please answer yes or no.
If yes, please provide an explanatory note:
# | Screening Questions – will the project: | Yes/No | Explanatory Notes |
---|---|---|---|
1 | Use systematic and extensive profiling or automated decision-making to make significant decisions about people? | No | |
2 | Process special category data or criminal offence data on a large scale? | No | |
3 | Systematically monitor a publicly accessible place on a large scale? | No | |
4 | Use innovative technologies or the novel application of existing technologies? (Note: A DPIA is required where this processing is combined with any of the criteria from the European guidelines.) | No | |
5 | Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a product, service, opportunity or benefit? | No | |
6 | Carry out profiling on a large scale? To decide what constitutes ‘large scale’ you should consider and include information on factors such as: Also see examples in ICO’s guidance of processing/projects they consider to be large scale. | No | |
7 | Process biometric data? (Note: A DPIA is required where this processing is combined with any of the criteria from the European guidelines.) | No | |
8 | Process genetic data? (Note: A DPIA is required where this processing is combined with any of the criteria from the European guidelines.) | No | |
9 | Combine, compare or match personal data from multiple sources? | No | |
10 | Process personal data without providing a privacy notice directly to the individual? (Note: A DPIA is required where this processing is combined with any of the criteria from the European guidelines.) | No | |
11 | Process personal data in a way which involves tracking individuals’ online or offline location or behaviour? (Note: A DPIA is required where this processing is combined with any of the criteria from the European guidelines.) | No | |
12 | Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them? | No | |
13 | Process personal data which could result in a risk of physical harm in the event of a security breach? | No | |
Section D: Article 29 Data Protection Working Party’s European Guidelines
When considering if your processing is “likely to result in high risk,” you should consider the European guidelines.
These define nine criteria of processing operations likely to result in high risk.
In most cases, a combination of two factors indicates the “need” for a DPIA, although this is not a strict rule.
Therefore, if the answer to any of questions 14 to 22 is “yes” a DPIA should be “considered.”
Your documentation should explain very clearly whether there are any indicators that a type of processing will likely result in high risk.
See Appendix B for the Article 29 Data Protection Working Party’s examples of processing “likely to result in high risk.”
For each screening question please answer yes or no.
If yes, please provide an explanatory note:
# | Will the project: | Yes/No | Explanatory Notes |
---|---|---|---|
14 | Involve evaluation or scoring? | No | |
15 | Involve automated decision-making with legal or similar significant effect? | No | |
16 | Involve systematic monitoring? | No | |
17 | Involve sensitive data or data of a highly personal nature? | No | |
18 | Involve data processing on a large scale? | No | |
19 | Involve matching or combining datasets? | No | |
20 | Involve processing of data concerning vulnerable data subjects*? (Note: staff may be considered to be vulnerable data subjects due to the imbalance of power between employer and employee.) | No | |
21 | Use innovative technological or organisational solutions? | No | |
22 | Prevent data subjects from exercising a right or using a service or contract? | No | |
Section E: Findings
Is a DPIA required? No
Note: Data Protection legislation and Information Commissioner’s Office guidance state that you should seek your Data Protection Officer’s advice when you need to do a Data Protection Impact Assessment.
Final Comments
- This Data Protection Impact Assessment relates to the Performance Improvement Plan document at a strategic level.
Any instances where personal data may be processed will come to fruition in the actions emanating from the Improvement Objectives.
It is the responsibility of the project Senior Responsible Officers to ensure that a Data Protection Impact Assessment screening is carried out, if they have not already done so.
DPIA Screening undertaken by: | Corporate and Support Services Officer (Level 7) |
---|---|
Date Completed: | 20 May 2025 |

DPIA Screening approved by: | Policy, Performance and Partnership Manager |
---|---|
Date Completed: | 20 May 2025 |