GDPR

What is UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is the United Kingdom’s data protection law that governs how personal data is collected, used, and protected. It came into effect on January 1, 2021, after Brexit, replacing the EU GDPR within the UK. The UK GDPR works alongside the Data Protection Act 2018 (DPA 2018) to ensure the privacy and rights of individuals regarding their personal data.

Objectives of UK GDPR

The main objectives of UK GDPR include:

  1. Protecting Personal Data

    • Ensures individuals' personal data is processed lawfully, fairly, and transparently.
    • Provides strict rules on how organisations handle and store personal data.
  2. Enhancing Individual Rights

    • Gives individuals more control over their personal data, including rights to access, correct, and delete their data.
  3. Ensuring Data Security

    • Mandates organisations to implement strong security measures to prevent data breaches.
  4. Promoting Accountability & Compliance

    • Requires organisations to demonstrate compliance through policies and documentation.
  5. Preventing Data Misuse & Breaches

    • Introduces strict penalties for non-compliance, ensuring organisations take data protection seriously.

Key Outcomes of UK GDPR

The expected outcomes of UK GDPR include:

  1. Greater Trust & Transparency

    • Organisations must be clear about how they use personal data, increasing public trust.
  2. Improved Data Security

    • Stronger cybersecurity and encryption measures reduce the risk of data breaches.
  3. Increased Accountability for Organisations

    • Businesses and public bodies must maintain records of their data processing activities.
  4. Stronger Individual Rights

    • People have the right to access, rectify, restrict, or erase their personal data.

Conclusion

The UK GDPR is designed to protect individuals’ personal data while ensuring organisations handle data responsibly. It aligns closely with the EU GDPR but allows for UK-specific adaptations. By enforcing transparency, security, and accountability, the UK GDPR strengthens data protection laws while supporting business operations in a digital world.

To contact the Trust DPO please email DPO@aquilatrust.co.uk 

DPIA Policy & Procedures

What are Data Protection Impact Assessments?

Data Protection Impact Assessments (DPIAs) are structured assessments of the potential impact on privacy for high-risk processes, and help us to identify the most effective way to comply with data protection obligations. The DPIA should form part of the overall risk assessment of the process or project.

A DPIA helps us to:

  • Anticipate and address the likely impacts
  • Identify privacy risks to individuals
  • Foresee problems and negotiate solutions
  • Avoid unnecessary costs
  • Protect the organisation’s reputation
  • Offer assurance to stakeholders
  • Meet legal requirements

The DPIA process is not only a legal requirement, but is also an important tool to help you identify and minimise the data protection risks of a project that involves processing personal data.

The DPIA process is relevant to initiatives involving the use of personal data and is particularly important when a new business process or technology initiative involves the collection, recording, sharing or retention of personal data.

The DPIA enables privacy and data protection considerations to be made in the early stages of a project, where any identified problems can be easier to resolve, rather than late or retrospective considerations where solutions can be costlier or delay implementation. A DPIA can also identify whether the project should be continued, when balanced with the rights and interests of persons affected.

The DPIA process will consider privacy in the way an individual’s personal data is used. This can involve privacy in relation to the integrity of the individual, the person, their personal information, their personal behaviour and their personal communications.

What is high risk?

A high risk is considered to exist when particularly sensitive personal data is processed, a large volume is held, CCTV is in place, or any factor exists where personal data may be breached. High risk can result from a high probability of some harm, or a lower probability of serious harm.

Particularly sensitive data or ‘special category data’ includes:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life; or
  • sexual orientation

Data Protection Policy

The Data Protection Policy ensures that the trust complies with data protection laws, particularly the UK GDPR and Data Protection Act 2018. It outlines how the MAT collects, processes, stores, and protects personal data of pupils, staff, parents, and other stakeholders. The policy aims to maintain confidentiality, integrity, and security of data while ensuring transparency in data handling. It also defines responsibilities, data subject rights, and procedures for reporting breaches.

Data Retention Policy

The Data Retention Policy outlines how long different types of data (e.g., student records, staff files, financial documents) should be stored before being securely deleted or archived. Its main purposes are to:

  1. Ensure Compliance – Adhere to legal and regulatory requirements, such as GDPR and the Data Protection Act.
  2. Protect Privacy – Prevent unnecessary retention of personal data, reducing risks of breaches.
  3. Support Operations – Ensure necessary data is available for audits, safeguarding, and educational needs.
  4. Improve Efficiency – Streamline data management by reducing clutter and ensuring secure disposal.

ICT Security & Email Policy

The ICT Security & Email Policy ensures the safe, responsible, and effective use of technology within the schools. It protects sensitive data, prevents cyber threats, and ensures compliance with legal and regulatory requirements. The policy outlines secure email use, password protection, internet safety, and staff responsibilities in safeguarding digital information. It also promotes best practices for communication, reducing risks such as phishing, data breaches, and unauthorised access. Ultimately, it supports a safe digital learning environment for staff and students.

Freedom of Information Publication Scheme

Freedom of Information Publication Scheme Policy

The Freedom of Information (FOI) Publication Scheme Policy is designed to ensure transparency and accountability by outlining the types of information the MAT routinely makes available to the public. It helps stakeholders, including parents and the wider community, understand how to access information about the MAT’s operations, governance, policies, and finances. The policy aligns with the Freedom of Information Act 2000 and promotes openness while protecting sensitive or confidential data.

Subject Access Request Policy

The Subject Access Request (SAR) Policy outlines the procedures for individuals (such as parents, staff, or students) to request access to their personal data held by the trust. It ensures compliance with UK GDPR and Data Protection Act 2018, setting clear guidelines on how requests are received, processed, and responded to within legal timeframes. The policy also defines responsibilities, exemptions, and security measures to protect sensitive information while ensuring transparency and accountability. 

Online Safety Policy

The purpose of the Online Safety Policy is to ensure the safe and responsible use of technology by pupils, staff, and the wider school community. It aims to protect children from online risks such as cyberbullying, inappropriate content, and digital threats while promoting responsible internet use. The policy sets out guidelines on acceptable online behaviour, monitoring, and safeguarding measures to create a secure digital environment for learning. It also supports compliance with legal and regulatory requirements, ensuring that schools within the MAT uphold high standards of online safety and digital wellbeing.