These resources help us meet the UK GDPR Accountability Principle.
Record of Processing Activities (RoPA): [Upload/Link to your Information Asset Register.]
Data Protection Impact Assessment (DPIA) Guidance: [Upload a guide and template for when a DPIA is required.]
All organisations processing personal data must register and pay an annual fee to the ICO.
A DPIA is a systematic process required by the UK GDPR to help us identify and minimise data protection risks before we start a new project or activity.
It is a legal requirement to conduct a DPIA when introducing a type of processing that is "likely to result in a high risk" to the rights and freedoms of individuals (pupils, parents, or staff).
A DPIA is essentially a documented, pre-emptive review that asks:
What data are we using?
Why are we using it? (The purpose and lawful basis)
What are the risks if this data is compromised?
How can we reduce or eliminate those risks? (Mitigation)
You must complete a DPIA before starting any new project or introducing new technology that involves:
New Large-Scale Monitoring: Such as the introduction of new CCTV, body-worn cameras, or large-scale video conferencing platforms.
New Biometrics: Introducing fingerprint or facial recognition for school dinners, library access, or registration.
Processing Sensitive Data: Introducing a new system for handling large amounts of special category data (like health or safeguarding information) or data about vulnerable individuals (like children).
New Technology: Using innovative technologies that involve tracking, profiling, or automated decision-making on pupils or staff.
If in doubt, assume a DPIA is required and contact the DPO. The DPO will review your proposal and confirm the necessary steps.