Website Cookie Policy

We use cookies to give you the best possible online experience. If you continue, we’ll assume you are happy for your web browser to receive all cookies from our website.
See our cookie policy for more information.

Practice Areas

More Information

thepartners@wrigleys.co.uk

Leeds: 0113 244 6100

Sheffield: 0114 267 5588

FOLLOW WRIGLEYS:

Send us an enquiry
Close

Data Protection Impact Assessments – a quick guide for schools

08 July 2020

This article explores the use of DPIAs in schools, when they must be used and tips on undertaking a meaningful assessment of data protection risks.

Data Protection Impact Assessments (“DPIAs”) are a crucial part of any school’s data protection toolbox.

DPIAs help to identify risks to personal data at the outset of a project so that the protection of personal data is a key consideration throughout delivery. DPIAs also act as a good opportunity to pause and consider the measures currently in place within a school for data protection compliance and to develop these processes on an ongoing basis.

Obligation to undertake a DPIA

A DPIA must be undertaken where there is likely to be a high risk to the rights and freedoms of a data subject resulting from a processing activity. A processing activity is a broad term to describe something the school is planning to do involving personal data.

What constitutes a high risk to the data subject’s rights and freedoms will depend on the individual project, but a group of European Data Protection Authorities (including the Information Commissioner’s Office from the UK) have provided guidelines on what might constitute such a risk.

Factors to be taken into account include where there is a combining of datasets (e.g. as a result of an academy joining an existing academy trust) and where there will be processing of sensitive information of a personal nature (such as health information, or trade union membership details for staff). This will be particularly relevant where a school will be gathering health information as part of its covid-19 response and school re-opening.

DPIAs are more likely to be required where personal data of children or other vulnerable beneficiaries is affected, as they may be less likely to be able to exercise their rights under data protection law.

Even where a DPIA is not strictly required, undertaking a DPIA is often a good process to undertake, as it demonstrates compliance with data protection obligations and helps to identify and minimise data protection risks in any project.

Undertaking a DPIA

The school’s data protection officer should play a crucial role when a DPIA is undertaken (and they are legally required to provide advice on the DPIA), but all those involved in the project should contribute to the discussions surrounding the DPIA.

The preparation of the DPIA also acts as a good opportunity to thoroughly review and challenge the mechanics of the project to ensure that it produces a safe, secure, and effective outcome. External advice may also be required to ensure that the DPIA effectively addresses and mitigates the risks to data subjects’ rights posed by the project.

The DPIA should be documented (a template DPIA has been produced by the ICO) and steps to mitigate the risks to personal data built in to the project plan, whether through the project’s design or as part of the wider data protection compliance measures taken by the school. The DPIA should continue to be referred to on a regular basis to ensure that the risks continue to be appropriately managed as the project comes to fruition.

Wrigleys can support you with your own DPIA and with your data protection obligations.  If you have any questions or we can assist please contact Nick Dunn or any other member of Wrigleys data protection team on 0113 244 6100. 

Nick Dunn View Biography

Nick Dunn

Solicitor
Leeds

23 Oct 2020

Changes to the Job Support Scheme announced by the Treasury

Employers’ contribution to the wages of workers on the scheme significantly reduced.

22 Oct 2020

Does the Acas Code of Practice on Disciplinary and Grievance Procedures apply where an employee has blown the whistle?

EAT confirms the Acas Code of Practice applied where a protected disclosure led to dismissal.

19 Oct 2020

Happy 10th Birthday National Community Land Trust Network

At Wrigleys Solicitors, we have been at the forefront of the community-led housing movement for over thirty years.