An Essential Guide to Data Protection Impact Assessments (DPIAs)

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 11th of October, with our Data Protection Consultant Laura Butler.

This session covered: what a DPIA is, when you need a DPIA and building in a process to spot when they’re needed, and the key inclusions in a DPIA.

What is a DPIA?

The law (Article 35 of the UK GDPR) tells us that DPIAs are a requirement for any high-risk personal data operations.

Even with the requirement for DPIAs being five years old, we still get questions about what they are and what it means by high-risk personal data operations. 

A DPIA is a process which enables your school to identify and address data protection concerns and risks before engaging a new provider or implementing a new system or technology. It is essentially a risk assessment but for use of technology.

Risk assessments are probably embedded into your day-to-day school life already, whether that’s in the office, in the classroom or on trips out with pupils.

It is useful for your data protection lead and DPO to conduct the DPIAs. In addition to your data protection lead conducting them, it is important all staff are aware of them and what to do if they engage with a new provider or implement new technology or systems which have an impact on personal data. Your DPO must be heavily involved in this process as DPIAs won’t be valid without their signature.

When Should You Conduct a DPIA?

The primary reasons that require a DPIA include:

• a new technology will be used
• sensitive personal data will be shared
• data subjects are vulnerable
• large amounts (or large scope) of personal data will be used
• research may be involved
• CCTV or other surveillance will be undertaken

Developing a good working culture surrounding DPIAs and risk management will benefit your school or Trust. 

Raising awareness with staff that they need to consider data protection before utilising a new provider and ensuring that there is a centralised body to report this to will help the school or Trust remain fully aware of all its data sharing and processing arrangements.

What does high risk mean?

It is about the potential for any significant physical, material, or non-material harm to individuals.  In a school setting this might be sharing data regarding a looked-after child with a new individual or organisation. This also includes any special category data, such as ethnicity, religion, trade union membership, etc.

It is important to conduct DPIAs as best practice regardless, even if you may not consider it high-risk. It will allow you to look at more than just the legal compliance aspect and arguably boost your relationship with the key stakeholders should a data protection query arise. We often see this with our clients, particularly with parents enquiring.

How do we know if an activity is high risk? 

Some of you may have spotted the paradox in doing a DPIA, as they should only be done for high-risk processing, yet we can only say there is a high risk once we have conducted our DPIA.

Therefore, always get in contact with your DPO whenever you do share data with a new third party or change your processing.

It would be far too time consuming to do a full assessment for every single arrangement. We would recommend that organisations ensure they have a system in place to screen these arrangements so that lower risk activities are logged, and higher risk activities are identified and their DPIA is carried out. If you are one of our clients, we have a screening form available to complete in order to assess risks.

There are often key signifiers of high risk, however, each arrangement should be reviewed on a case-by-case basis as fundamentally very similar data processing arrangements can hold very different levels of risk. Some areas we may look at to assess risk are:

1. Type of data shared
2. Is any special category data shared?
3. The amount of individual data shared
4. Whether the data is transferred outside the UK/EEA
5. Is it connecting to any other systems, such as Wonde or Groupcall?
6. Are activities of individuals being monitored or tracked (physically or electronically)?
   • Does this include audio and/or visual recordings, and could this be overly intrusive?
   • Do individuals have a choice?

NB: This activity should be led by your DPO, as they should be your expert in analysing data protection risks.

Examples of when to carry out DPIAs

1. You are introducing a software to log your safeguarding concerns (for example CPOMS or MyConcern).
   • This is very important because the data being inserted into the technology has a potential of high risk. We automatically know this is high risk, therefore, a full DPIA will be required.
2. You are introducing a new online maths programme (for example Mathletics)
   • Where you may only be sharing first name and surname, you may only require a screening form.
   • If the data is going to be shared outside the EEA, you may need to carry out a full DPIA.

Building in a Process to Spot When a DPIA is Needed

Developing a good working culture surrounding DPIAs and risk management will benefit you and your school massively. 

 Therefore, we would recommend raising awareness with staff about DPIAs and the importance of going to the school’s data protection lead before considering utilising a new provider or implementing any new technology or systems that have an impact on personal data.

It should be clear who they need to talk to before sharing data with a new provider. This will help the school remain fully aware of all its data sharing and processing arrangements.

We have seen schools add this into their purchase order process, whereby there is a tick box on whether they have checked whether they require one or not. It is a good way to capture whether DPIAs are carried out or not. Although, we understand this doesn’t work for some systems as they may not require payment.

 Some schools have IT restrictions where downloads cannot happen until IT have approved it. Regular reminders in meetings or briefings are important and posters around the school about DPIAs are beneficial.

What are the Benefits of Conducting DPIAs?

The clearest benefit of DPIAs, is of course the obvious - compliance with the law!

It allows data protection to be factored into decision making if a project should go ahead. It also allows schools to consider any measures to mitigate risk or adverse effects, such as something that may lead to a data breach. Long term it can save organisations time and money, especially if it is deemed the project should not go ahead.

DPIAs as part of a culture of compliance ensure that all activities are accounted for. They provide schools with the earliest opportunity to log their processing activities to ensure all arrangements are accounted for.

It can also help assist with complying the proportionality principle. For example, ensuring that you are not sharing too much information, just because the third party has requested it. It helps assist you in deciding why certain data needs to be shared, and what benefits it will give the school if that data is shared. For example, if a company is requesting ethnicity details, why do they need that?

DPIAs in Practice 

When do we complete DPIAs?

The legislation states DPIAs should be carried out PRIOR to the implementation of a new system, technology, or provider and as early as possible. This is because it is important to explore the risks associated with sharing the data prior to sharing it.

You are also required to review DPIAs on a regular basis to ensure that the original processing has not changed. An example of how you may have changed the original processing is, a lot of schools would have implemented Zoom and MS Teams over the pandemic. In that DPIA at the time, you would have implemented it to carry out lessons remotely. However, you wouldn’t do this now. You would mainly use it for meetings.

You are also required to carry out a DPIA if you change the processing, i.e., you currently use SIMs as your MIS, but you now want to use the SIMs parent communication app. Since you are using it for a different purpose, you would need to complete one for the parent app.

What do we include?

There is no set rule as such, and this varies depending on the technology and the use of it. Your DPO can help you more with this. However, if we were to assist a school in completing a DPIA for CPOMS, we would advise that the following is included:

1. The purpose or aim for using CPOMS
2. What personal data is shared on pupils, staff and parents?
3. What special category data is shared?
4. How many individuals’ data will be shared?
5. What legal basis are you relying on for personal data?
6. Since special category data will be shared, what legal basis will you rely on to share that.
   • NB: You need a legal basis to share special category data
7. What steps do CPOMS take to protect data?
8. What steps do the school take to protect?
9. Assessment of risk, looking at likelihood of harm and severity of harm.

The ICO do provide guidance on essentials such as an assessment of necessity to use this provider and the proportionality of it.

These should be signed off by the DPO and reviewed for effectiveness annually.

Who should you consult?

It depends on the project you are going to undertake. However, some key individuals to remember are:

• Your internal data protection contact.
• Your DPO!
• In some instances, you may need to consult the data subjects (the people whose data will be used –whether that is parents, pupils or staff). You may need to also obtain consent for sharing data as your legal basis
• Your IT provider to make sure data can be shared securely and the platform can be used safely.
• Depending on the activity (perhaps CCTV), you may need to consult your neighbouring parties.

Potential for ICO Involvement 

In some cases, where there is a high risk which cannot be resolved, DPIAs should be submitted to the ICO for consultation. CCTV in high-risk areas such as bathrooms, changing rooms, etc., and some uses of facial recognition software are two good examples. Judicium has assisted schools in informing the ICO of these and the process is best managed by your DPO.

The ICO and your DPO will considers whether there is a less intrusive way of achieving the same purpose.  You might think something is necessary, but it isn’t necessary to the regulator.  This is something that a good DPO will need to help you through as they will be key in negotiations with the ICO.

There is no ‘one-size fits all’ approach and your DPO should have the expertise to conduct a high risk DPIA, which needs to be sent to the ICO for review. 

Additionally, the ICO have enforcement powers including an information notice, enforcement notice, inspection, and a penalty notice – which is the most dreaded of them all.

There is also the ICO website. It has been known for schools to be named and shamed on their website, which leads to bad publicity and possibly a breakdown of trust between you and the key stakeholders. 

Key Points to Take Away:

1. DPIAs are the foundation of good data protection compliance and should be done in some shape or form for all arrangements, whether as a screening assessment or as a more formal DPIA.
2. Not every activity will require a DPIA, but every activity will need to be logged and assessed. Consult your DPO if you are unsure whether a DPIA should be conducted.
3. Make sure your DPIA includes some key information such as:
   • A description of processing
   • The steps taken to mitigate risks
   • The impact on data subjects
   • An assessment of risks
4. Ensure your DPIA is reviewed by your DPO so risk can be accepted or rejected

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.