The risk score will determine the level of authorisation needed for any completed DPIA that requires a full DPIA.
Any risk score that is verified by the IG team to be in the upper range of a medium risk score (9 to 12) or in the range of high risk will require referral to the relevant Data Protection Officer for review and comment.
DPIA risks that score as high risk will only have the processing of the data approved by the relevant SIRO and Caldicott Guardian once the risk has been mitigated to reduce it to medium as a minimum. Where this is not possible, a high-risk score will also require escalation to, and a response from, NHSE&I and the Information Commissioner’s Office before any processing can commence.
The escalation process also includes a review to enable the risk to be lowered to within tolerance, if possible. The table below identifies the ranges for the scores and the risk level associated with each range of scores.