This article explores the use of DPIAs in schools, when they must be used and tips on undertaking a meaningful assessment of data protection risks.

Data Protection Impact Assessments ("DPIAs") are a crucial part of any school's data protection toolbox.

DPIAs help to identify risks to personal data at the outset of a project so that the protection of personal data is a key consideration throughout delivery. DPIAs also act as a good opportunity to pause and consider the measures currently in place within a school for data protection compliance and to develop these processes on an ongoing basis.

Obligation to undertake a DPIA

A DPIA must be undertaken where there is likely to be a high risk to the rights and freedoms of a data subject resulting from a processing activity. A processing activity is a broad term to describe something the school is planning to do involving personal data.

What constitutes a high risk to the data subject's rights and freedoms will depend on the individual project, but a group of European Data Protection Authorities (including the Information Commissioner's Office from the UK) have provided guidelines on what might constitute such a risk.

Factors to be taken into account include where there is a combining of datasets (e.g. as a result of an academy joining an existing academy trust) and where there will be processing of sensitive information of a personal nature (such as health information, or trade union membership details for staff). This will be particularly relevant where a school will be gathering health information as part of its covid-19 response and school re-opening.

DPIAs are more likely to be required where personal data of children or other vulnerable beneficiaries is affected, as they may be less likely to be able to exercise their rights under data protection law.

Even where a DPIA is not strictly required, undertaking a DPIA is often a good process to undertake, as it demonstrates compliance with data protection obligations and helps to identify and minimise data protection risks in any project.

Undertaking a DPIA

The school's data protection officer should play a crucial role when a DPIA is undertaken (and they are legally required to provide advice on the DPIA), but all those involved in the project should contribute to the discussions surrounding the DPIA.

The preparation of the DPIA also acts as a good opportunity to thoroughly review and challenge the mechanics of the project to ensure that it produces a safe, secure, and effective outcome. External advice may also be required to ensure that the DPIA effectively addresses and mitigates the risks to data subjects' rights posed by the project.

The DPIA should be documented (a template DPIA has been produced by the ICO) and steps to mitigate the risks to personal data built in to the project plan, whether through the project's design or as part of the wider data protection compliance measures taken by the school. The DPIA should continue to be referred to on a regular basis to ensure that the risks continue to be appropriately managed as the project comes to fruition.

Originally published July 8, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.