General DPIA Checklist
Version: 1.0 | Last Updated: 11 November 2025
Purpose: This checklist guides AHEEN staff in conducting DPIAs for high-risk data processing (e.g., biometric enrollment, cloud sharing in emergencies). Required under Kenya DPA Section 31 and ICRC Handbook (Ch. 3). Complete before starting; submit to DPO for review.
Project/Processing Activity: [Insert Name/Description]
Assessor: [Name/Role]
Date: [DD/MM/YYYY]
Use this checklist to systematically assess risks. Mark Yes/No/N/A and add notes. If risks remain high, escalate to UoN DPO (dataprotection@uonbi.ac.ke).
1. Describe the Processing (DPA Section 31(1)(a))
| Item | Assessment | Notes/Evidence |
|---|---|---|
| □ What personal data is processed (e.g., names, health, biometrics of refugees)? | [Yes | No | N/A] | |
| □ What categories of data subjects (e.g., IDPs, students in camps)? | [Yes | No | N/A] | |
| □ Purpose and legal basis (e.g., consent, vital interests)? | [Yes | No | N/A] | |
| □ Volume/scale (e.g., 100+ beneficiaries)? | [Yes | No | N/A] | |
| □ Duration (e.g., 3-5 years retention)? | [Yes | No | N/A] |
2. Assess Necessity & Proportionality (ICRC Principle: Data Minimization)
| Item | Assessment | Notes/Evidence |
|---|---|---|
| □ Is processing essential for AHEEN goals (e.g., degree delivery)? | [Yes | No | N/A] | |
| □ Alternatives considered (e.g., anonymized data instead)? | [Yes | No | N/A] | |
| □ Data minimized (only essentials collected)? | [Yes | No | N/A] | |
| □ Proportional to risks in emergencies (e.g., no excess biometrics)? | [Yes | No | N/A] |
3. Identify & Evaluate Risks (DPA Section 31(1)(b); Focus on Vulnerable Groups)
Rate risks: Low/Medium/High (consider "do no harm" in humanitarian contexts).
| Risk Type | Description/Example | Likelihood (L/M/H) | Impact (L/M/H) | Overall Risk (L/M/H) | Notes |
|---|---|---|---|---|---|
| □ Security Breach (e.g., lost device in camp exposing IDs) | |||||
| □ Unauthorized Access (e.g., cloud hack affecting refugees) | |||||
| □ Discrimination/Harm (e.g., data misuse leading to targeting) | |||||
| □ Rights Infringement (e.g., denial of education access) | |||||
| □ Other (e.g., cross-border transfer risks) |
4. Mitigation Measures (DPA Section 31(1)(c); UoN Security Standards)
| Item | Measure | Implemented? (Yes/No) | Residual Risk (L/M/H) |
|---|---|---|---|
| □ Encryption (AES-256) & MFA for storage/sharing. | |||
| □ DPIA for third parties (e.g., DPA agreements). | |||
| □ Training & awareness for field staff. | |||
| □ Backup/disaster recovery in emergencies. | |||
| □ Monitoring/audits (quarterly reviews). | |||
| □ Other (e.g., pseudonymization). |
5. Consultation & Approval
| Item | Assessment | Notes |
|---|---|---|
| □ Consulted data subjects/partners (e.g., beneficiary feedback)? | [Yes | No | N/A] | |
| □ Consulted ODPC if high-risk? | [Yes | No | N/A] | |
| □ DPO/UoN approval obtained? | [Yes | No | N/A] | |
| □ Review plan (e.g., annually or post-incident)? | [Yes | No | N/A] |
Overall Risk After Mitigation: [Low/Medium/High]
Recommendation: [Proceed/Modify/Stop]
Signature: ____________________ Date: __________
Tips: Use for activities like new apps or data sharing. Reference full Handbook at https://knowledgebase.aheen.net/books/aheen-data-protection. If high residual risk, halt processing. Inspired by ICRC Handbook (2022) & Kenya DPA.
No comments to display
No comments to display