Privacy by design is a term used in data protection to acknowledge that data privacy is embedded in the design of projects. In short, protecting the personal data of individuals must be considered and assessed before any new data processing takes place.
Schools are familiar with risk assessments and complete these for things such as school premises, off-site activities and after-school clubs. A DPIA is effectively a risk assessment and should be seen in the same way – a resource to ensure your pupils, parents and staff are not put at risk because their data is being processed.
Like risk assessments, there are five key steps to a DPIA.
Risk assessments are usually made through a scoring system of low, medium and high. The DPIA may be scored in the same way.
Failure to conduct a DPIA is considered a breach of the GDPR.
A DPIA is undertaken when your school is planning a project that involves the processing of personal data. Some examples of this are below.
You can use a list of screening questions to help you decide when to do a DPIA.
If you believe that processing data is likely to result in a high risk to the rights and freedoms of individuals, or if you are unsure if there is a high risk, then you must undertake a DPIA.
By adopting a privacy by design approach, you can be satisfied that no new data processing will take place without an impact assessment being conducted.
The lead person of the new project should undertake the DPIA before it is signed off by the data protection officer (DPO). In turn the DPO should ensure that the risks identified are accurate and confirm the DPIA requirements.
The Information Commissioner’s Office (ICO) has published a template DPIA. The DPIA looks at:
Step five of the template allows the user to rate the likelihood and severity of harm which, in turn, will determine the overall risk.
Once the risk has been determined the user can identify additional measures that can be taken to reduce or eliminate those risks that came out as medium or high and record them on the template.
Alternatively, you can use your existing risk assessment template and adapt it to relate to data protection.
Once the DPIA has been completed by the lead person the DPO should review it and satisfy themselves that the steps identified to mitigate risk have been implemented.
For example, if the school has decided to use a new text messaging service provider, the DPIA would stipulate that a written contract with the provider will be entered as an additional measure to minimise risk. The DPO must check that the written contract has been received.
If the school has decided to change their management information system, the DPIA would include measures such as:
When the DPO is satisfied that the DPIA is accurate and that the additional measures to minimise the risk to individuals have been implemented, they will sign a DPIA completion statement and file it in the DPO files.
Only at that point should the lead person be given approval for the project to go ahead. Approval should be recorded on the DPO’s data asset register and reported to governors.
DPIAs are important because they help you to make sure that any new projects involving data protection do not put individuals at risk.
They should be treated in the same way as a risk assessment. Schools should adopt the privacy by design approach so that data protection is taken into consideration from the outset and risks are minimised.
