Creating a common Digital Data Protection Impact Assessment to Ensure Organisational Compliance
Building on some of the successes of our previous Alpha phase project, we plan to further develop our prototype Digital Data Protection Impact Assessment tool. We will use the evidence base provided by more in-depth user research to ensure we are able to capture and articulate the benefits we know this tool will bring.
The user testing will focus on a range of organisations and settings across public service delivery and a number of different roles. We will conduct user testing again across various roles at different points in development, to ensure that the prototype tool demonstrates the benefit that we would want a fully developed tool to deliver to organisations. Through user stories and user feedback we aim to test whether the ‘coaching/learning’ functionality of the tool is as important as our findings in the first phase suggest.
We will test that the risk generation element of the tool will provide a user with the information they require to put effective mitigations in place.
We will be engaging with different user types throughout the Alpha phase to test the prototype we have developed and to continue this process on an agile and iterative basis as we build out the tool.
With the Greater Manchester Combined Authority partnering with the GM Health and Social Care Partnership, we will be able to access users who represent the 10 Local Authorities across the city region to conduct testing, along with a number of health organisations including GP practice/s, Hospital Trusts and the charity and voluntary social enterprise sector. As a result of working in the open in the first phase, other councils across the UK, such as Cornwall, Birmingham and North Devon, are keen to engage with the project and have volunteered to test our prototype. In addition, the Information Commissioner's Office will be providing subject matter expertise, along with NHS Digital; as organisations with national reach, both see the immense value in the scalability of the tool.
We will provide all of our testers with access to the prototype tool, and a testing framework will be in place to ensure consistency of testing across councils and partners.
The development will be split into sprints to develop the tool in stages. As we reach the end of each sprint, we will engage our stakeholders to conduct user testing and then, based on the feedback, iterate the development of that stage. This will also allow us to incorporate any recommendations or requirements from the in-depth user research.
Throughout the first part of this Alpha phase we will conduct in-depth user research, and we are exploring options regarding who to work with or commission to deliver this: Manchester University is one option, and commissioning a research company is another. The aim is to gain deeper insights into the need for this tool and the benefits organisations will gain from its adoption. This will test our assumptions, and will take our largely anecdotal user research and produce quantifiable outputs to enable us to better evidence the requirement for this tool. This user research will focus not just on the benefits of using the tool, but on the wider benefits to the organisation that a tool like this can bring. It will also inform development so that the design is truly relevant to users and easy to use (given the often complex topic), and will drill into the detail of understanding the return on investment (ROI) of our user experience (UX) design.
Data Protection Impact Assessments (DPIAs) are a requirement of data protection legislation but are seen as an intensive and onerous process. We know a range of Word document templates are currently used, resulting in a complicated and fragmented approach, particularly across partnerships.
Challenges include that undertaking a DPIA is largely reliant on a small number of specialist staff, which causes capacity issues; this is usually down to the language used creating a barrier. The process of completing a DPIA is not user friendly enough to enable general staff to complete them, and there is a lack of confidence and understanding to answer key questions appropriately. Often long guidance documents are produced that people simply do not have the time to read. There are issues around document control, including tracked changes and responses to Data Protection Officer recommendations, which are difficult to manage across a range of partners.
A more coherent approach to access and storage is also needed, as DPIAs are meant to be living documents. A central digital repository will allow ease of access across delivery teams and the sharing of best practice. The opportunities are vast: information collated through undertaking DPIAs can be used to support wider business-focussed activities, e.g. corporate risk registers, audit, management information and adding to the overall risk profile of an organisation, reducing duplication for other business processes.
A key learning point we took from our first Alpha was the importance of the tool coaching the user through the completion of the assessment. This feedback was gleaned through user engagement. One example of this type of feedback was received during our session at the MHCLG Roadshow event, where potential users spoke about their lack of understanding of what a DPIA actually requires them to do. This was an important piece of feedback, as replicating the DPIA templates into a digital tool was simply going to proliferate some of the barriers to users undertaking DPIAs. This focussed our thinking more on being able to demonstrate how the tool can guide people through the assessment and make it an easier and less daunting task for the user. In this phase we want to do more research to gain further user feedback on these elements, to ensure that the direction we want to take the tool in is in fact the correct one.
There is a wider problem: because organisations often do not have effective processes in place around data protection impact assessments, they are not maximising the organisational benefits that a DPIA tool can deliver. By creating an accurate picture of risk, the DPIA tool can influence corporate strategy and allow for better use of resources. Through this project we want to conduct research into this area, and as we gain a deeper insight into these wider benefits, we can use them to shape the development of the tool, both in this phase if appropriate and certainly moving into the next phase and beyond.
There are other types of assessment which organisations conduct such as Equality Impact Assessments or Ethical assessments. There is an opportunity within the user research undertaken in the next Alpha phase of the project to look at broader opportunities to align this process with others. This would certainly be a roadmap item, not a priority even for the development of an MVP, but would demonstrate the vision and longer term potential of this type of tool.
The end of project report from the first Alpha phase of the project included a benefits assessment. This can be found on the Local Digital Fund website here.
The ‘Detailed working’ tab in this document shows the cost-benefit analysis based on the completion of one data protection impact assessment at the GMCA. Based on the 28 DPIAs completed in the GMCA between June ’18 – May ’19 this would result in savings of £31,015.
However, we know that this is conservative. The example we based these figures on was fairly straightforward. Therefore, in this next Alpha phase of the project, we would look to extrapolate these figures further and, through further user research, gain a deeper understanding of what is happening at other councils to further develop these figures.
The project infrastructure and administration will be managed in the following ways:
Project Plan
We will utilise Trello in order to manage project tasks and to work out in the open with our partners, and other interested parties. The project team will engage with the Trello board and use this as one of the mechanisms for raising issues with the project manager. Key project information will be made available on the Trello board to allow MHCLG to engage with the project team as well.
Project Documentation
Project documentation will be held within Huddle and project team members will be able to share and comment on documents using this solution.
Project Team Meetings
There will be fortnightly project team meetings. These will be physically held at the GMCA and there will also be the option for the project team to dial in to the meeting remotely. As part of the funding received, we will look to procure suitable conference call software to enable the project team to work in a geographically dispersed way, whilst maintaining effective communication.
Governance
The project manager will work with the Senior Responsible Officer to ensure risks and issues are effectively managed and escalated when necessary. There will be regular update meetings to ensure the project is working to the agreed scope and delivering on the user research requirements.
The project team will take responsibility for the decisions on the scope of each sprint and if changes are required to the scope during a sprint, these will go through a change management process whereby the project manager and SRO will approve the change. The project manager will assume the role of the Scrum Master throughout the agile development and the SRO will fulfil the role of the Product Owner.
In order to ensure that the project is delivering to time and to cost, the project will be accountable to the Greater Manchester Information Board and the GMCA Senior Management Team. The output of the project will form a key part of the Greater Manchester Information Framework. This board will be a key driver for the adoption of the tool and will be a channel for the project to be promoted across Greater Manchester.
The GMCA Senior Management Team ultimately decide which projects to run and which funding options to pursue. Their support of the project is vital to the implementation of the tool once ultimately completed as they will champion the project on a senior level.
In the first Alpha phase we valued the collaborative approach with the Local Digital Collaboration Unit. In this next phase we would look to take advantage of any training offers. This would include the agile for teams training for any members of the team who had not undertaken this in the first phase and to undertake the leadership training.
In addition to a training offering, we would look to attend Local Digital Collaboration Unit events, such as the roadshow to promote our project, gain feedback and to positively engage with other funded projects.