Data Protection Impact Assessments (DPIAs): Making Sense of the Process

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 16th of November, with our Data Protection Consultant Patrick Ballentine.

This session was centred around: what are DPIAs and when do we need one; key points all staff should know about DPIAs; and top tips for managing the DPIA process.

What is a DPIA?

Article 35 of the UK GDPR explains that DPIAs are a requirement for any high-risk personal data operations. But what are they and what is a high-risk personal data operation? 

In short, a DPIA is a process which enables your school to identify and address data protection concerns and risks before engaging a new provider, system or technology.

Most staff are already familiar with risk assessments.  They are embedded into your day-to-day school life; whether that’s in the office, in the classroom or on trips out with pupils.

DPIAs are exactly that – but the risk area is data!

It is useful for your data protection lead and your Data Protection Officer (DPO) to carry out the DPIAs together. DPOs must be heavily involved in this process as DPIAs won’t be valid without a DPO’s signature.

Live Session Polls

         

When Should You Conduct a DPIA?

The primary reasons that require a DPIA include:

• a new technology will be used
• sensitive personal data will be shared
• data subjects are vulnerable
• large amounts (or large scope) of personal data will be used
• research may be involved
• CCTV or other surveillance will be undertaken

Developing a good working culture surrounding DPIAs and risk management will benefit your school/Trust. 

Raising awareness with staff that they need to consider data protection before utilising a new provider and ensuring that there is a centralised body to report this to will help the school/Trust remain fully aware of all its data sharing and processing arrangements.

What does high risk mean?

It is about the potential for any significant physical, material or non-material harm to individuals. In a school setting an example of this might be sharing data regarding a looked-after child with a new individual or organisation.

It is important to conduct DPIAs as best practice. Regardless of whether you already know if a technology will be high risk or not, a DPIA will allow you to look at more than just the legal compliance aspect and arguably boost your relationship with the key stakeholders should a data protection query arise. NB: We have seen this repeatedly and have had enquiries from parents asking to see DPIAs.

How do we know if an activity is high risk? 

You may have spotted the paradox in doing a DPIA, as they should only be done for high-risk processing, yet we can only say there is a high risk once we have conducted our DPIA.

 It would be far too time consuming to do a full assessment for every single arrangement. We recommend organisations ensure they have a system in place to screen these arrangements so lower risk activities are logged and higher risk activities are identified and a DPIA is carried out.

There are often key signifiers of high risk, however each arrangement should be reviewed on a case-by-case basis as fundamentally very similar data processing arrangements can hold very different levels of risk. NB: This is an activity which should be led by your DPO, as they are your expert in analysing data protection risks.

Some examples of high-risk activities include:

1. Introducing a new software to log safeguarding concerns. This is high risk because of the data being inserted into the technology and therefore requires a high risk DPIA submitted to the ICO.
2. Utilising a third party to provide tuition, enabling extra support for students at your school. Potentially less high risk but the amount of data might be high.
3. Adopting a fun App for pupils to utilise to complete their homework which may seem to be a smaller risk, but what if the App has a feature to upload videos or images? This would pose a higher risk.

What are the benefits of conducting DPIAs?

The clearest benefit of DPIAs, is the obvious - compliance with the law.

DPIAs also allow data protection to be factored into decision-making.

They allow schools to take into account any measures to mitigate risk or adverse effects, or something that may lead to a data breach.

Reviewing your DPIAs allows you to check whether the goalpost has shifted, such as a change in the provider’s privacy notice or even a change in the law.

Your DPO should identify any upcoming legal changes that could affect your school in advance.

DPIAs as part of a culture of compliance and provide schools with the earliest opportunity to log their processing activities, ensuring all arrangements are accounted for.

DPIAs in Practice 

When do we complete DPIAs?

BEFORE implementing a new system, technology, or provider.

 You also complete them or review DPIAs on a regular basis to ensure the original processing has not changed.

What do we include?

There is no set rule and what is necessary varies depending on the technology and use of the data.

Your DPO can help walk you through what is required for the particular DPIA.

The ICO do provide guidance on essentials such as an assessment of necessity to use the provider and the proportionality of it.

Who should you consult?

Again, this depends on the project you are going to undertake, but some key individuals to remember are:

• Your Data Protection Officer!
• Your internal data protection contact/lead/champion
• In some instances, you may need to consult the data subjects (the people whose data will be used – whether that is parents, pupils or staff).
• Your IT provider to ensure data can be shared securely.
• Depending on the activity, e.g., CCTV, you may need to consult your neighbouring parties.

Potential for ICO Involvement 

In cases where there is a high risk which cannot be resolved, but there is an argument for processing, DPIAs should be submitted to the ICO for consultation. CCTV in high-risk areas and certain uses of facial recognition software are two good examples of this. NB: This process is best managed by your DPO.

An increasingly popular example is a need to put up CCTV cameras around your site.  A comprehensive DPIA would allow  you  to  consider  what  areas  are appropriate for CCTV monitoring and what areas are considered too sensitive or require a greater expectation of privacy.

The ICO and your DPO consider whether there is a less intrusive way of achieving the same purpose.  Your school may think something is necessary, but the regulator might not.  A good DPO  will help  you through key negotiations with the ICO.

Additionally, ICO have enforcement powers including an information notice, enforcement notice, inspection and the most dreaded of all - a penalty notice.

The ICO website draws attention to the various organisations who have failed in their  data  protection  obligations. It has been known for schools to published on their website, which can lead to a breakdown of trust between the school and the key stakeholders.

Key Points to Take Away:

1. DPIAs are the foundation of good data protection compliance and should be done in some shape or form for all arrangements, whether as a screening assessment or as a more formal DPIA.
2. Not every activity will require a DPIA, but every activity will need to be logged and assessed. Consult your DPO if you are unsure whether a DPIA should be conducted.
3. Make sure your DPIA includes some key information such as:
   • A description of processing
   • The steps taken to mitigate risks
   • The impact on data subjects
   • An assessment of risks
4. Ensure your DPIA is reviewed by your DPO so risk can be accepted or rejected

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.