Sample Data Protection Impact Assessment (DPIA) for GP Practices Using Improval

 

1. Project Overview

Name of processing activity: Use of Improval app for video recording of GP consultations for educational purposes.
Purpose: To support the training and supervision of GP Registrars by enabling them to record patient consultations, review them with supervisors, and receive feedback, including from AI tools.

2. Description of Processing

  • GP Registrar records a consultation via the Improval app with patient consent.
  • Video is stored briefly on the device in private app storage (not backed up to iCloud or Photos).
  • Video is uploaded to Improval’s secure server in London and deleted from the device after upload.
  • Videos are accessed by the registrar and their supervisor via secure login with 2-factor authentication.
  • AI feedback is optional and is generated using AI within the UK, with no model training on patient data.
  • Videos are retained only while educationally relevant.

3. Categories of Personal Data

  • Video and audio of patient consultation (may include sensitive health information).
  • Metadata: recording date/time, registrar identity, supervisor identity.

4. Lawful Basis

  • UK GDPR Article 6(1)(a): Consent of the data subject.
  • UK GDPR Article 9(2)(a): Explicit consent for processing special category data.

5. Data Subjects

  • Patients recorded during consultations.
  • GP Registrars.
  • Supervisors providing feedback.

6. Risks Identified

  • Temporary unencrypted local storage of video on device.
  • Misuse of, or unauthorised access to, videos.
  • Patient not fully informed about consent.

7. Risk Mitigation Measures

  • Videos stored in private app-only storage, not accessible to Photos or iCloud.
  • Device-level security (passcode, Face/Touch ID) recommended.
  • Secure upload to UK-based cloud storage (ISO 27001 certified, encrypted in transit and at rest).
  • Videos deleted from device after upload.
  • Access restricted via login and 2FA.
  • Consent form required and stored.
  • Patient may withdraw consent at any time via the practice.

8. Retention

  • Videos retained only as long as educationally needed.
  • Deletion is automatic after 3 months, but retention can be extended if required.

9. Data Processors and Locations

  • Improval (data controller and processor).

10. DPIA Owner / Contact

Practice Data Protection Officer (DPO): __________________
Date completed: __________________
Review date: __________________