Data Protection Impact Assessment (DPIA)
Template pre-filled for research use of OpenBook Clinical Pty Ltd (ABN 38 698 494 656) — OpenBook Clinical. Complete the blank fields for your specific research project.
Important: This template is provided as a starting point. Your institution's Data Protection Officer (DPO) or privacy officer should review and customise it to reflect your specific research context, institutional requirements, and applicable legislation before submission.
Save as PDF: Print this page (Ctrl+P / Cmd+P) and select “Save as PDF” to generate a document you can submit to your institution.
1. Project Overview
Complete this sectionComplete the fields below for your specific research project. Fields marked with a dashed border require your institution's input.
Project title
Complete this field for your institution
Principal Investigator (name and title)
Complete this field for your institution
Department / School / Faculty
Complete this field for your institution
Institution
Complete this field for your institution
Proposed project dates (start – end)
Complete this field for your institution
Ethics application reference number (if applicable)
Complete this field for your institution
Brief project description (2–4 sentences)
Complete this field for your institution
How will OpenBook Clinical be used in this project?
Complete this field for your institution
2. Nature, Scope, and Context of Processing
Pre-filledDescription of processing activities
Categories of data subjects
Categories of personal data processed by OpenBook Clinical
Data location
Data controller
Any additional processing activities specific to this project
Complete this field for your institution
3. Necessity and Proportionality
Pre-filled (review)Purpose and legal basis for processing
Is the processing necessary for the research purpose?
Proportionality — is the data collected the minimum necessary?
Alternatives considered
Any project-specific necessity or proportionality considerations
Complete this field for your institution
4. Risk Assessment
Pre-filled (review)The following risks have been identified and assessed for standard research use of OpenBook Clinical. Review and supplement with any project-specific risks.
| Risk | Likelihood | Severity | Mitigation |
|---|---|---|---|
| Accidental input of patient-identifiable data by a researcher | Low | High | Platform displays a real-time warning when Australian PII patterns are detected in a search query (e.g. Medicare number format, name + DOB combinations). There is no "patient record" field or clinical note field in the user interface. Platform terms prohibit patient data input. |
| Cross-border data transfer (AI query processing in the US) | Medium | Medium | Anthropic zero-data-retention agreement: query text is processed and immediately discarded; it is not stored on Anthropic systems, not used for training, and not accessible to Anthropic staff. Transfer is secured via TLS 1.3. No patient data is transmitted (see above). |
| Unauthorised access to researcher credentials | Low | Medium | Multi-factor authentication (MFA) is available to all users and strongly recommended for institutional accounts. Supabase Row-Level Security ensures that a compromised account can only access that account's own data. Unusual authentication events are logged and reviewed. |
| Data breach affecting researcher account information | Low | Medium | AES-256 encryption at rest; TLS 1.3 in transit; RLS at database layer. NDB scheme notifications within 30 days. Incident response plan is documented. No patient data is held, limiting the clinical impact of any breach. |
| Researcher reliance on AI output without critical appraisal | Medium | Medium | Platform surfaces citations and evidence grades with every AI response. Limitations notice is displayed prominently. CPD module includes critical appraisal training. AI Governance Framework (published at /governance/ai-framework) documents known limitations and human oversight requirements. |
Additional project-specific risks (add rows as needed)
Complete this field for your institution
5. DPO / Privacy Officer Recommendation
Pre-filled (review)OpenBook Clinical vendor assessment
Recommended conditions for approval
Residual risk rating
Institutional DPO / Privacy Officer recommendation (complete for your institution)
Complete this field for your institution
6. Signatures
Complete this sectionComplete the signature blocks below. For printed copies, handwritten signatures are acceptable. For digital submission, electronic signatures or email confirmation from institutional email addresses are accepted by most institutions.
Principal Investigator
Full name
Complete this field for your institution
Signature
Complete this field for your institution
Date
Complete this field for your institution
Research Supervisor (if applicable)
Full name
Complete this field for your institution
Signature
Complete this field for your institution
Date
Complete this field for your institution
DPO / Privacy Officer
Full name
Complete this field for your institution
Signature
Complete this field for your institution
Date
Complete this field for your institution
Head of Department / Ethics Delegate
Full name
Complete this field for your institution
Signature
Complete this field for your institution
Date
Complete this field for your institution
OpenBook Clinical Pty Ltd · ABN 38 698 494 656 · Sydney, NSW, Australia