Governance, Risk and Data Protection

Plain-Language DPIA and AI Risk Template

Data ProtectionTemplateGovernance · IT · Data Protection

Help housing teams decide whether an AI use case needs a Data Protection Impact Assessment and record the main risks in plain English.

Important note

This template is not legal advice. It is a practical starting point. Use your organisation's formal DPIA process where required. The Data (Use and Access) Act 2025 has changed UK rules on automated decision-making — teams should check current ICO advice before using AI in decisions that may have legal or significant effects for residents.

When to use this template

Use it when an AI use case may involve:

Quick screening

QuestionYes / No / Notes
Does the AI use personal data?
Does it use special category data or sensitive housing records?
Does it involve automated or AI-supported decisions affecting residents?
Does it involve profiling, scoring or predicting behaviour?
Does it use data at large scale or in new ways?
Is a full DPIA needed? (yes if any answer above raises concern)

Section 1: Describe the AI use case

What is the AI use case?
What housing problem does it address?
What type of AI is it? (assistant, supplier feature, bespoke model)
What data does it use?
Who will use it, and who will check outputs?
What decisions or actions might result from the AI output?

Section 2: Data protection assessment

Section 3: Risk record

Risk areaRisk descriptionMitigationResidual risk (R/A/G)Owner
Data protection
Tenant fairness and bias
Tenant transparency
Human oversight
Accuracy and reliability
Cyber and supplier risk
Staff capability

Section 4: Decision and sign-off

Overall risk rating
Decision: approve, approve with conditions, pause or reject
Conditions or actions before proceeding
Review date
DPO or governance sign-off required?
ICO consultation required? (where high residual risk remains)