Data Protection and DPIAs

The Digital Learning Team and the Council’s Data Protection Officer would like to remind schools that any online platforms, digital tools or software that require staff or learners to create an account or provide personal data to use (e.g. name, email, DOB etc.) should have gone through a DPIA (Data Protection Impact Assessment) review and be listed on the green section of the Moray Council RAG List before any personal data is entered.  All local authorities are required to conduct their own reviews before new products or services are used, as each authority is it’s own data owner.  Any data held on electronics systems are still subject to the same retention requirements as paper-based data.  Details of agreed retention periods can be found on the Moray Council website- here.

Data Protection – Do I need to complete a DPIA form?

Before purchasing or using a software programme, app or website Data Protection should be considered.  If the product requires you to create an account, enter information about yourself or other people then a Data Protection Impact Assessment (DPIA) is required to comply with Data Protection legislation. The DPIA is reviewed by the organisation’s Data Protection Officer, who will decide whether to approve the product.  On some occasions specific guidance is placed on the use of the product, for example additional parental consent requirements, data purging schedules or limits on information to be provided.

A link to download a blank DPIA and view full list of all the products that are authorised for use, products which schools are completing DPIA’s for and DPIA’s currently being reviewed can be found at the top of the Education Weekly Bulletin issues to all schools and support teams.

Do you always need to complete a DPIA?

The short answer is yes, but if you are creating an account for a product or website using generic information not linked to a specific person then the DPIA should only require the screening questions to be completed.  For example creating an account using the school name rather than a person’s name, using a generic admin email account not a personal email and entering the school address instead of a home address.  A list of common scenarios for different types of digital tools and the DPIA requirements can be found along with the RAG list, a link to which is in the weekly bulletin and in the MDLT SharePoint site (you must be logged into Glow to access this)

It is worth considering when creating accounts to access resources whether generic information could be used without breaching the terms and conditions of the account you are creating.

If you have to enter personal details to create an account or to use a programme when should you complete a DPIA?

The DPIA should be completed prior to purchasing any new product or subscription.  This will ensure that you are able to use the product straight away after purchase.  It is also worth checking if you are renewing an existing subscription that was originally taken out prior to the updated Data Protection legislation coming into law that it has been reviewed and authorised.

Where can I find out more information?

You can find full guidance on completing the Moray Council DPIA form in the Data Protection Guidance – HERE

For general information about Data Protection legislation visit the Information Commissioner’s Officer by clicking – HERE

Don’t forget you can complete the Moray Data Protection training module on CLIVE

Any specific questions about completing the DPIA, products approved/rejected or currently under review can be directed to learntech@moray.gov.uk.  The Learning Technologists will liaise with the DPO on your behalf.

 

Report a Glow concern
Cookie policy  Privacy policy