A Privacy Impact Assessment (PIA) should be completed before you engage in any project which might have implications for people’s privacy. This will include a major reorganisation and transfer of patient and staff information.

For NHS organisations in transition and CCGs preparing for authorisation, you really should be bang up to date with the application of PIAs, and make sure that you have completed them as appropriate. If you have not yet read the ICO’s handbook on PIAs, you can view it here.

These things are not mandatory yet, but you can expect a hard time from the ICO if an organisation ‘messes up’ and has not completed a PIA. And watch out, as the European Commission's proposed Data Protection Regulation is set to make “data protection impact assessments” (same thing really) mandatory in some circumstances.