With all of this in mind, many of you may have taken on new subscriptions, used online platforms that you didn’t previously, or taken advantage of the ‘free’ resources that have made available to you by a number of providers. If this is the case, we need to remind you of the need to keep everyone’s personal information safe whilst doing so. Therefore, we felt it wise to remind you of the need to undertake Data Protection Impact Assessments (DPIAs) where necessary.
What is a DPIA?
A DPIA is a process to help you identify and minimise the data protection risks of a new project. It is, in essence, a risk assessment for your data processing activities.
Conducting a DPIA is a legal requirement for certain projects, as set out in the ICO’s guidance. Even when a DPIA is not mandatory, it’s often prudent to consider the privacy impacts of any new processing. Looking at a project through the ‘privacy lens’ at an early stage can act as a ‘warning light’, highlighting potential privacy risks before they materialise, and whilst measures can be put in place to reduce the risks.
Conducting a DPIA and documenting the outcomes is an important method of demonstrating that privacy is being taken seriously – it is evidence of an organisation’s commitment to accountability – a core principle and requirement under GDPR and the Data Protection Act 2018.
Your DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures you are taking to mitigate those risks.
- To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
You should always consult with us and, where appropriate, processors may also need to assist you.
To support you with this process, we have the Data Decisions area within the SchoolPro portal which covers all of these areas and also enables us to double check compliance agreements and privacy policies where necessary. A “data decision” is used to record decision-making around processing activities where the risk is low or for one-off activities such as one-off data sharing. It maybe that a processing activity only requires a data decision to be completed due to its nature but it may also be that it becomes the starting point for a more in depth DPIA if it becomes apparent that the activity requires it.
If you are unsure as to whether you need to be completing a Data Decision or a DPIA, speak to us as your DPO and we can advise appropriately.
Working Together to Overcome Challenges
It’s important that all areas of the school or multi-academy trust to collaborate in ensuring projects can proceed at pace, without unnecessary delays. Therefore, it is vital for schools to work with us at an early stage, to get to grips with the likely scope of processing and start to identify potential privacy risks, whilst there is still time to influence decision making.
Here are 2 common examples:
- Many organisations want to integrate a new software package to impact on the quality of learning. This often means that children’s information e.g. name, class and in some cases date of birth need to be processed. It is therefore imperative to assess any privacy impact this new processing could give rise to. Consequently, it’s important to conduct an initial assessment at the start before implementing said package.
- Projects sometimes deliver significant new management information which includes the ability to view and/or interrogate personal data including special category data for example implementing CPOMs. So, it is important to review plans for access controls to ensure that access is restricted only to those who really need access.
This isn’t always easy. Privacy questions often cannot be answered upfront, so there’s a need to agree what types of information are required and when it will be available for review.
To support you, we have also written a number of common DPIAs, e.g. trips and visits, child protection data transfers, and Management Information System changes to name just a few, that can be found within Global Documents on our portal. As we work with individual schools to produce DPIAs for them, we will make anonymised versions available as templates for all of you in this way, which will provide a useful starting point when approaching similar projects.
As many organisations have found, embedding privacy awareness into the culture is a big challenge and ensuring this is a key consideration for all staff at the outset is an on-going task. Therefore, as always, SchoolPro TLC will be close at hand to guide and support you through any of these processes.
Please contact us if you do have further questions at GDPR@schoolpro.uk.
SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites