Before purchasing or using a software programme, app or website Data Protection should be considered. If the product requires you to create an account, enter information about yourself or other people then a Data Protection Impact Assessment (DPIA) is required to comply with Data Protection legislation. The DPIA is reviewed by the organisation’s Data Protection Officer, who will decide whether to approve the product. On some occasions specific guidance is placed on the use of the product, for example additional parental consent requirements, data purging schedules or limits on information to be provided.
A link to download a blank DPIA and view full list of all the products that are authorised for use, products which schools are completing DPIA’s for and DPIA’s currently being reviewed can be found at the top of the Education Weekly Bulletin issues to all schools and support teams.
Do you always need to complete a DPIA?
The short answer is yes, but if you are creating an account for a product or website using generic information not linked to a specific person then the DPIA should only require the screening questions to be completed. For example creating an account using the school name rather than a person’s name, using a generic admin email account not a personal email and entering the school address instead of a home address.
It is worth considering when creating accounts to access resources whether generic information could be used without breaching the terms and conditions of the account you are creating.
If you have to enter personal details to create an account or to use a programme when should you complete a DPIA?
The DPIA should be completed prior to purchasing any new product or subscription. This will ensure that you are able to use the product straight away after purchase. It is also worth checking if you are renewing an existing subscription that was originally taken out prior to the updated Data Protection legislation coming into law that it has been reviewed and authorised.
Where can I find out more information?
You can find full guidance on completing the Moray Council DPIA form in the Data Protection Guidance – HERE
For general information about Data Protection legislation visit the Information Commissioner’s Officer by clicking – HERE
Don’t forget you can complete the Moray Data Protection training module on CLIVE
Any specific questions about completing the DPIA, products approved/rejected or currently under review can be directed to learntech@moray.gov.uk. The Learning Technologists will liaise with the DPO on your behalf.