The use of Data Protection Impact Assessments and Data Sharing Agreements in schools and Multi-Academy Trusts

What is a Data Protection Impact Assessment? 

A Data Protection Impact Assessment (DPIA) is a type of risk assessment that considers the data protection implications of a particular project that you are planning to undertake or software solution that you are planning to sign up to.  

The DPIA will consider the following factors: 

  • what personal data will be processed as part of the project,
  • how that data will be collected,
  • where the data will be stored,
  • what special category data (if any) will be included,
  • how that data will be shared,
  • what the lawful basis for processing the personal information is, and
  • any other relevant information regarding the project.

These factors will be assessed to identify the potential risks involved with the project. The DPIA will set out what measures could be implemented in order to address these risks.

When is a Data Protection Impact Assessment required? 

The general rule is that a DPIA should be carried out whenever the type of processing involved in the project/software is likely to result in a ‘high risk’ to the individuals’ rights and freedoms.  

This means either that harm caused by the project is more likely to occur, or that the type of harm that could be caused (based on the personal information involved) is more severe.

When deciding whether a DPIA might be necessary, you are not required to identify exactly what type and level of harm may be caused by the project; that is the job of the DPIA itself.

Instead, you should carry out an initial screening to assess whether the full DPIA is required. 

UK GDPR Article 35 sets out when a DPIA is legally required.  

You may consider it good practice to complete a DPIA before you undertake any project involving the processing of personal information.  

What is a Data Sharing Agreement? 

A Data Sharing Agreement (DSA), also referred to as a Data Processing Agreement (DPA), is a contract that specifically sets out terms regarding data sharing between a data controller and data processor or joint data controllers.  

It will usually set out: 

  • What data will be shared
  • How the data will be shared 
  • What the data will be used for when shared 
  • How the data will be stored 
  • The lawful basis for the data sharing 
  • What measures will be implemented to protect the data 
  • The obligations on each party in respect of the data, including what happens if either party receives a subject access request or suffers a data breach, and
  • Details regarding the retention and destruction of the data.

A DSA/DPA may form part of the terms and conditions or service level agreement for the organisation that you are sharing data with.  

When is a Data Sharing Agreement required? 

A DSA/DPA is not a legal requirement, but it demonstrates good data protection practice to have an agreement in place with any organisation with which you regularly share personal data.

In some cases, a DSA/DPA may be provided as standard by the organisation, or a separate DSA/DPA may not be necessary if all the relevant information is contained within the organisation's existing terms and conditions and/or privacy notice.

A DSA/DPA does not replace the need to carry out a DPIA at the start of a project but may be identified as a required measure within a DPIA.  

Do we need a DSA/DPA with all the organisations that we share data with? 

No. You must ensure that you have checked the compliance measures in place with any organisation before you share any personal data with them, but it is not necessary to have a formal DSA/DPA with each organisation.  

It is recommended that you have specific data sharing terms in place with any organisation with which you will regularly share large volumes of personal data and/or sensitive personal data. As mentioned, the terms for data sharing may already be covered within the organisation's terms and conditions and/or privacy notice, without the need for a separate additional agreement.

Register now for DPOCOMS++ and DPOCOMS+, which contain a database of trusted third parties who have been reviewed for compliance and, where necessary, have the relevant DSA documentation ready for you to download.