1. Summary
A Data Protection Impact Assessment (DPIA) is a useful tool to help NHS England demonstrate how we comply with data protection law.
DPIAs are also a legal requirement where the processing of personal data is “likely to result in a high risk to the rights and freedoms of individuals”. If you are unsure whether a DPIA is necessary, you should complete a DPIA screening questionnaire to assess whether the processing you are carrying out is regarded as high risk.
By completing a DPIA you can systematically analyse your processing to demonstrate how you will comply with data protection law and in doing so identify and minimise data protection risks.
This document should be read in conjunction with the DPIA Guidance and DPIA Screening Questionnaire.
2. Document Information and Downloads
- Document Contents
- Download Link
- File Details
- Purpose of this document
- Consultation with Stakeholders
- Data Flow Diagram
- Purpose of the processing
- Description of the Processing
- Describe the legal basis for the processing (collection, analysis or disclosure) of personal data?
- Demonstrate the fairness of the processing
- What steps have you taken to ensure individuals are informed about the ways in which their personal data is being used?
- Is it necessary to collect and process all data items?
- Describe if personal datasets are to be matched, combined or linked with other datasets? (internally or for external customers)
- Describe if the personal data is to be shared with other organisations and the arrangements you have in place
- How long will the personal data be retained?
- Where you are collecting personal data from the individual, describe how you will ensure it is accurate and if necessary, kept up to date.
- How are individuals made aware of their rights and what processes do you have in place to manage such requests?
- What technical and organisational controls for “information security” have been put in place?
- In which country/territory will personal data be stored or processed?
- Does the National Data Opt Out apply to the processing?
- Identify and assess risks
- Measures to mitigate (treat) risks
- Further Actions
- Signatories
NHS.net Connect Microsoft 365 Copilot DPIA| File type | Adobe Acrobat Portable Document Format (.pdf) |
| File size | 456.7 KB |
| Last Reviewed Date | 05/08/2025 |
