Data Protection Impact Assessment (DPIA)

A data protection impact assessment (DPIA) is conducted in order to safeguard the privacy of the data subject in a technical solution in connection with processing/a work process or project. This is necessary in cases where there is a high risk to the “rights and freedoms” of a natural person. This includes freedom of expression, freedom of religion, the right to equality, the right to privacy, freedom of thought, freedom of movement, the right not to be discriminated against and privacy.

It is important to consider conducting a DPIA in connection with ALL processing. The Data Protection Officer can be consulted on the matter of conducting a DPIA and must ALWAYS be consulted in connection with implementation when deemed necessary.

The Data Protection Services for Research (Sikt) will assist with both the assessment and the implementation in its capacity as OsloMet’s data protection adviser for research. The Data Protection Officer at OsloMet must also be consulted in connection with implementation in research. DPIAs must be archived in Sikt’s message archive.

Use this template for assessing whether to conduct a DPIA or not.

You can also find assistance with assessments and implementation from

• The Norwegian Data Protection Authority's Guidance (datatilsynet.no) (in Norwegian)
• The Article 29 Guidelines (ec.europa.eu)
• E-learning in research “Taking into account and carrying out a DPIA" (sikresiden.no). The e-learning is mostly aimed at research projects but may also be relevant in other situations.

Still unsure whether you need to carry out a DPIA? The Norwegian Data Protection Authority has published a list of activities that ALWAYS require a data protection impact assessment prior to processing (datatilsynet.no). Conduct a DPIA if you are in doubt and believe that your situation falls into a grey area.

You can contact the privacy contact at your unit for assistance with assessment and implementation.

The assessment of whether or not to conduct a DPIA must be archived in P360 (not applicable to research). The fact that a DPIA has been assessed must be recorded (Ardoq) by the Personal Data Manager and the P360 reference number must be listed.

Use this template when conducting DPIAs (not in research projects) (.doc).

When conducting a DPIA, you should bring together the people you believe to possess the expertise and insight into how the system/process/work process functions and how it may affect the data protection of data subjects (employees, students, patients, research subjects, etc.).

Remember to involve the Data Protection Officer when conducting a DPIA, preferably by submitting a draft for review. The Data Protection Officer can also be invited to attend meetings if required.

The completed DPIA must be archived in P360 (not applicable to research). The fact that a DPIA has been completed must be recorded (Ardoq) by the privacy contact and the P360 reference number must be listed.