Data Protection Impact Assessment (DPIA) Screening Record

Field	Details
Document Title	DPIA Screening Record
Project/System Name	Aryash Health Patient Education Platform
Organisation	Aryash Health
Data Controller	Dr Krishnan Pasupathi
Date of Screening	4 January 2026
Review Date	4 January 2027
Document Version	1.0

1. Project Description

1.1 What is the project?

A suite of patient education websites providing health information in plain English. The platform consists of:

Domain	Purpose
tools.aryash.health	Blood test education (35+ tests), audio guides (40+), downloadable infographics (15)
heart.aryash.health	Cardiovascular health education (conditions, medications, investigations, recovery)
mens.aryash.health	Men's health education (prostate, testosterone, testicular health, mental health)
aryash.health	Landing page linking to all resources

1.2 What is the purpose?

To help patients understand their health conditions and blood test results through accessible, plain-English educational content. The tools empower patients to have better conversations with their healthcare providers.

1.3 Who will use it?

Members of the public seeking to understand:

Blood test results they have received
Health conditions affecting them or their families
Questions to ask their GP

2. DPIA Screening Questions

2.1 Does the project involve processing personal data?

Question	Answer	Notes
Does the system collect patient names?	NO	No data entry fields for identification
Does the system collect NHS numbers?	NO	No data entry fields
Does the system collect dates of birth?	NO	No data entry fields
Does the system collect addresses?	NO	No data entry fields
Does the system collect any contact details?	NO	No data entry fields
Does the system store any data?	NO	No database, no localStorage, no cookies
Does the system transmit any data?	NO	Static sites; no API calls
Does the system use analytics or tracking?	NO	No third-party scripts, no cookies

2.2 Special Category Data (Article 9 UK GDPR)

Question	Answer	Notes
Does the system process health data?	NO	Users read information; no input of personal health data
Does the system create patient records?	NO	No records created or stored
Is any data retained after session ends?	NO	Static pages; nothing persists

2.3 Data Processing Activities

Activity	Present?	Details
Collection	NO	No personal data collected
Storage	NO	No database or file storage
Transmission	NO	No external API calls
Sharing	NO	No data sharing with third parties
Profiling	NO	No automated decision-making about individuals
International transfer	NO	All processing local in browser

3. Screening Outcome

Is a full DPIA required?

NO - A full DPIA is not required.

3.2 Rationale

Under UK GDPR Article 35, a DPIA is required when processing is "likely to result in a high risk to the rights and freedoms of natural persons."

This platform:

Collects no personal data - No input fields for patient identifiable information
Stores no data - Static websites with no database, cookies, or local storage
Transmits no data - No API calls, no external services
Makes no automated decisions - Educational content only; no health decisions made
Provides information, not diagnosis - Users read general health education

The ICO's screening checklist criteria for mandatory DPIA are not met:

Systematic and extensive profiling - NO
Large scale processing of special category data - NO
Systematic monitoring of public areas - NO
New technologies with high risk - NO
Denial of service or contract - NO
Large scale profiling - NO
Biometric/genetic data - NO
Data matching/combining - NO
Invisible processing - NO
Tracking location/behaviour - NO

4. Residual Considerations

4.1 Web Hosting Logs

The sites are hosted on Vercel. Standard web server logs may record IP addresses, access timestamps, and browser information.

Mitigation: These are standard infrastructure logs managed by Vercel, not health-related personal data. Vercel's privacy policy applies to infrastructure logging.

4.2 Printed/Saved Content

Users may print or save content from the sites.

Mitigation: Educational content only; no patient-specific information to print. "Questions for GP" printouts contain generic questions, not personal data.

5. Sign-Off

Screening completed by:

Role	Name	Signature	Date
Data Controller	Dr Krishnan Pasupathi

Decision:

Full DPIA NOT REQUIRED - Screening confirms no personal data processing
Full DPIA REQUIRED - Proceed to full assessment

6. Review Schedule

This screening should be reviewed:

Annually (next review: January 2027)
If data collection features are added
If user accounts or authentication are introduced
If analytics or tracking are added

7. Sites Covered by This Screening

Site	URL	Data Collection
Aryash Health (Landing)	aryash.health	None
Health Tools Hub	tools.aryash.health	None
Heart Health Hub	heart.aryash.health	None
Men's Health Hub	mens.aryash.health	None

Document ends