Part 9: Data Protection Impact Assessment and Data Protection Officer
The GDPR expects an effective approach to risk management, and key elements of this are the Data Protection Impact Assessment and the Data Protection Officer role.
Important GDPR Definitions
The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:
- Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
- Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.
- A Data Controller is a person, authority, agency or other body which determines the purposes and the means of Processing.
- A Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.
Data Protection Impact Assessment
Following Part 8 of this guidance, schools will need to give consideration to the risks to Data Subjects of different Processing activities they undertake (or plan to undertake).
A Data Protection Impact Assessment (DPIA) is performed for this purpose, and the GDPR (Article 35) expects a DPIA where Processing:
- will use new technologies;
- is systematic and extensive and involves automated Processing;
- is on a large scale and of Special Category Personal Data; or
- is systematic monitoring of a publicly accessible area on a large scale.
A DPIA shall contain at least:
- a description of the Processing operations and the purposes of the Processing, including the legitimate interests pursued by the Data Controller (if applicable);
- a review of the necessity of the Processing in relation to the purposes;
- an assessment of the risks to the rights and freedoms of the affected Data Subjects; and
- the measures the Data Controller will take to address the risks, including safeguards, security measures and mechanisms to ensure the protection of the Personal Data.
The GDPR goes on to state (Article 36) that, where a DPIA indicates that Processing represents a high risk to Data Subjects in the absence of the measures to be taken to address the risks, the Data Controller shall consult with the ICO prior to Processing (through a process referred to as ‘prior consultation’).
Schools will probably need to undertake a DPIA for some of their Processing activities (including where Special Category Personal Data is Processed).
Data Protection Officer
In undertaking a DPIA, and indeed in establishing and overseeing many of the processes required to comply with the GDPR, a school will require a source of expertise.
The Data Protection Officer (DPO) role is set out in the GDPR (Article 37) as being required where:
- Processing is carried out by a public authority or body;
- Processing entails regular and systematic monitoring of data subjects on a large scale as part of the main activities of the Data Controller or Data Processor; or
- Processing Special Category Personal Data (or Personal Data relating to criminal convictions and offences) on a large scale as part of the main activities of the Data Controller or Data Processor.
Given that schools are considered public authorities for the purposes of the GDPR (as public authorities are defined as those subject to the Freedom of Information Act 2000 (FOIA) or the Freedom of Information Act (Scotland) 2002 in Scotland), it is the case that schools will need a DPO.
To be more specific, as per the ICO guidance here, the governing body of a maintained school, further education institution or university is considered a public authority under FOIA.
The GDPR states that the primary function of the DPO is to assist the Data Controller or Data Processor with compliance with the GDPR, and that:
- the DPO must have expert knowledge of data protection law and practices;
- the DPO may be employed by or alternatively contracted by the Data Controller or Data Processor;
- the Data Controller or Data Processor shall publish the contact details of the DPO; and
- the DPO should be able to perform their duties independently (Recital 97).
Schools will need to appoint a DPO, and:
The Position of the DPO
The GDPR (Article 38) requires that the Data Controller or Data Processor shall:
- involve the DPO in a timely manner in all issues relating to the protection of Personal Data;
- provide the necessary resources, access to Personal Data and Processing operations, and support in maintaining expert knowledge, for the DPO to carry out their duties; and
- not issue instructions to the DPO regarding the manner in which their duties are carried out, not dismiss the DPO for carrying them out, and permit the DPO to report to the highest management level of the organisation.
The GDPR continues to state that:
- Data Subjects should be able to contact the DPO with regard to all issues related to Processing of their Personal Data and their rights;
- the DPO will be obligated to secrecy or confidentiality concerning their duties; and
- though the DPO may perform other duties beyond those of the DPO, the Data Controller or Data Processor must ensure they do not conflict (and, as per Recital 97, the DPO must remain independent).
In respect of independence, in practice this generally means that, while a DPO may undertake other tasks, those tasks should not be related to any decisions made by the organisation around the Processing undertaken.
In schools, this may give rise to challenges in appointing an internal DPO that also performs other tasks (i.e. an existing member of staff): the level of expertise required, complexity of duties (as set out below) and seniority of reporting lines mean an experienced professional is required, but the requirement for independence means that professional should not be making decisions around the purposes or means of Processing.
The Duties of the DPO
The duties of the DPO (Article 39) shall include:
- considering the risks associated with Processing operations, and advising the Data Controller or Data Processor accordingly;
- informing and advising the Data Controller or Data Processor (and the employees who carry out Processing) of their GDPR obligations;
- monitoring compliance with the GDPR, other relevant data protection provisions, and the local Data Controller or Data Processor data protection policies (including assigning responsibilities, raising awareness of the policies, training staff, and conducting audits);
- providing advice where requested for DPIAs; and
- being the contact point for and cooperating with the ICO.
This means that the DPO in a school will be required to:
- Assess and analyse risk:
- Consider risks associated with certain Processing as part of DPIA; and
- Assist the school in maintaining records of risk assessment and analysis.
- Provide expert advice:
- Provide information and advice to the school about its obligations; and
- Provide advice to the school as part of DPIA.
- Equip the school and school staff for compliance:
- Advise the school of risks associated with Processing activities;
- Assign responsibilities to staff;
- Provide information and advice to school staff about their obligations; and
- Provide data protection training to staff.
- Monitor compliance:
- Establish mechanisms to check compliance with the GDPR and with its policies;
- Conduct audits to demonstrate compliance; and
- Assist the school in maintaining records of compliance.
- Receive and undertake communications:
- Report to SLT and to governors/trustees;
- Raise awareness of policies (particularly with staff);
- Act as the point of contact between the school and the ICO; and
- Act as the point of contact between the school and Data Subjects.
The DPO will:
Appointing a DPO
As a DPO may be employed or alternatively contracted by the Data Controller or Data Processor, schools will need to give thought to the best approach.
This will vary from school to school (and MAT to MAT), as each will have different levels of resource, skills and expertise, and budget. However as a guide, the table below provides an indication of how appointing a DPO in a number of different ways might work.
The first group of existing roles are internal, where the role of the DPO is added to the existing duties of the post holder. The second group are external, and perform the DPO role specifically, either on a dedicated or shared (i.e. for multiple organisations) basis.
In each case, the relative suitability of that approach to perform the DPO role is summarised using either a ‘✔’ (for suitable), ‘✘’ (for unsuitable) or ‘Ο’ (for partially or potentially suitable, depending on certain factors) against different criteria:
- Objectivity: the ability of the DPO to look at the Processing, and the risks of and purposes for the Processing, without a conflict of interests. Some existing internal roles will be too close to decisions made around Processing to do this.
- Data Protection Expertise: the extent to which the DPO is sufficiently expert in data protection law and practices. It seems unlikely that the majority of existing internal roles could also be experts in such areas, but it is possible.
- School-specific Expertise: whilst the DPO must be expert in data protection law and practices, the DPO must also be involved in school data protection issues, and in practical terms it is important the DPO is aware of and understands the specific Processing taking place (including the staff, processes etc.). This may be easier for existing internal staff than newly appointed or external staff.
- Technical Expertise: similarly, whilst data protection and school-specific expertise is important, so too is an understanding of the systems in use. A DPO would struggle to provide advice (e.g. in relation to breaches) without a working knowledge of the technology used.
- Ongoing Development: the opportunities afforded to the DPO to continue to develop his or her skills and expertise. Most existing internal roles will offer limited scope for this, due to the post holder sharing their time and not focussing specifically on data protection. It may equally be the case that a DPO appointed specifically by a school has limited exposure to new issues and information, particularly when compared to a DPO working across multiple establishments (or even sectors, as the case may be with an external DPO).
- Time Available: the ability of the DPO to provide the required time, when that time is required. There will likely be times when the DPO will have numerous issues to manage (e.g. queries from Data Subjects, training for staff, monitoring compliance), and should a serious incident (e.g. data breach) occur, the DPO would need to be able to dedicate all of their time to it. This may be difficult to accommodate in many existing internal roles.
- Cost: the actual cost to the school of the DPO. Whilst appointing an existing internal resource to the role of DPO alongside their current duties has numerous disadvantages, it is likely to be less costly than appointing a specific DPO (at either individual school or MAT level) or contracting the services of an external DPO.
|Objectivity||Data Protection Expertise||School-specific Expertise||Technical Expertise||Ongoing Development||Time Available||Cost|
|Designated Safeguarding Lead||✘||Ο||✔||✔||✘||Ο||✔|
|External||DPO appointed for school||✔||✔||✔||✔||Ο||✔||✘|
|DPO appointed for MAT||✔||✔||✔||✔||✔||✔||✘|
|External dedicated DPO||✔||✔||Ο||✔||Ο||✔||✘|
|External shared DPO||✔||✔||Ο||✔||✔||✔||✘|
Schools, MATs and colleges should consider how their requirement for a DPO would be best met: internal or external.