Deep Impact Assessment

DPIA – Active Photographic Ltd

Name of School
Version Number
Date of Creation
Approved by DPO
Date of DPO Approval
Approved by Governors
Governor Minute Number

Introduction

Active Photographic has been commissioned to take individual and group professional pictures of the children and staff for purchase by parents/carers, for display within the school.

Screening questions

Will the project involve the collection of new information about individuals? If yes, please detail the information to be collected.

New pictures will be taken of individuals. For pupils this will only be done where parental permission is given.

Will the project compel individuals to provide information about themselves? If yes, please detail the information to be provided.

New images will be held.

What is the legal basis for this processing?

Photographs taken for solely either within the school MIS or for security passes / ID badges rely on Public Task Article 6(1)(d) with Substantial Public Interest Article 9 (2)(g ) as the legal basis.

Photographs to be taken for purchase rely on consent as the legal basis. Consent is collected [annually/upon entry to the school] via a consent form. Consent is opt-in, not opt-out. Before photographs are taken, the consents are checked.

For staff, they can choose whether to be photographed on each occasion the photographer visits. If they have an objection to being photographed, they can inform the relevant member of staff in school and stand out of shot.

Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information? If yes, please detail which organisations will be provided with access.

Yes. Active Photographic will have access to information; the images of pupils and staff.

The forename, surname of the subject, class, year and UPN or ADNO number for pupils. This allows the portrait data to be used for assigning images to pupils for use with the MIS. It is also used for accurate pupil tracking for orders

Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used? If yes, please describe the new purpose below.

No, photographs of pupils for purchase by families or display are not a new use of data. Photographs of pupils are part of a long-standing tradition in schools.

Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition. If yes, please detail the new technology, below.

Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them? If yes, please describe the impact, below.

No.

Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be private. If yes, please describe the information to be collected, below.

No, for most individuals, taking individual and group photographs by a commercial photographer holds no privacy concerns.

For a few children, inclusion in a group photo particularly (as this may be purchased by other parents in the class) poses a risk to their privacy, for example, their location is kept secret from adults to keep them safe. For these pupils, the parent/carer will have not given consent to be photographed. It is important that consents are checked before pupils have photographs taken for this reason.

Will the project require you to contact individuals in ways that they may find intrusive? If yes, please describe how the individuals will be contacted, below.

Step one: Identify the need for a DPIA

What does the project aim to achieve?

Capture up to date professional images of pupils for purchase by parents/carers.

To create images to be retained as part of a school archive

To produce professional images for the school website and brochures (consent will be obtained from parents/carers separately for this use)

What will the benefits be to the organisation, to individuals and to other parties?

See above.

Why was the need for a DPIA identified

An external company will have photos and other data relating to almost all of the pupils at the school.

The ICO issued a formal reprimand letter to a school for failing to manage the annual professional photograph session adequately, this reminds all schools of the importance of ensuring privacy is protected.

How many individuals are likely to be affected?

All children and staff in the school.

How will data be collected, used, amended and deleted?

See Active Photographic privacy notice and Terms and Conditions in Annexe A and B.

If sensitive personal data is involved, have you established how this will be handled, accessed, retained and disposed of?

Not applicable

What practical steps have been taken to ensure that risks to privacy have been identified and addressed?

Consent forms will be checked before photographs are taken.

Is information quality good enough, how will data be verified & recorded accurately?

Not applicable.

What security and/or information risks have you identified?

See above regarding concerns about the safety of individual pupils where wider display or distribution of a photo with them in it could pose a risk to their personal safety.

Have training and instructions been given to appropriate staff to ensure compliance with policy and procedure?

Active Photographic will be accompanied at all times whilst on site.

What process is in place to answer Subject Access Requests in relation to the data held under the new project?

Any photographs requested as part of a SAR will be provided as part of the SAR process.

Step two: Describe the information flows

The photographer is provider with a class lists with admission numbers / UPNs.
Children’s photographs are taken in the order of the list and each is assigned a unique identifier.
Images are either printed immediately and provided in only paper proof card for review
and/or
A barcode / individual access credentials are provided for online access to review.
Parents/carers place orders directly with the photographic company.

For the purposes of ordering and payments the photographic company becomes the data controller and the parent/carer has entered into a contract directly with the company.

Additional details such as payment information is not under the control of Active Photographic and is not the responsibility of the school.

Proof cards / print outs are securely shredded if not required.
Photographs are kept in line with Active Photography data retention policy which states that images are reviewed twice yearly and deleted from Active Photography systems.
Discs and digital media used to upload photographs to the MIS are matched by the pupil UPN / ADNO. Random data checks take place to verify successful and accurate upload.
Digital media containing pupil photographs will be securely stored or securely disposed of when once transferred to the school MIS.

Step three: Identify the privacy and related risks

Privacy Issue

Risk Rating

Risk to Individuals

Compliance risk*

Inappropriate Disclosure of Data

By Provider or school – through negligence, cyber attack, medium (disk) loss.

Unlikely

Images may enter the public domain; however all images were captured in public areas and with children appropriately dressed.

Data Protection Principle at Risk- secure storage of data

Photograph taken of a pupil where parental consent has not been given

Unlikely

Every care is taken to capture only children where parental permission had been obtained.

Data Protection Principle at risk- lawful processing

Step four: Identify privacy solutions and sign off and record the PIA outcomes

Risk	Solution(s)	Result: is the risk eliminated, reduced or accepted
Inappropriate Disclosure of Data By Provider – through negligence or cyber attack	The provider has detailed arrangements for secure storage of images in the Terms and Conditions/Privacy Notice	Reduced and accepted
Inappropriate Disclosure of Data By school – through negligence or cyber attack	Images will be stored securely along with all school data. Access to school data is restricted to authorised staff and by secure password controls.	Reduced and accepted
Photo taken with no parental consent	Carefully check image consents before photography session.	Reduced and accepted

Step five: Integrate the DPIA outcomes back into the project plan

Action To be Taken	Date of completion	Completed by
Adapt and amend this Template DPIA to fit the requirements of the individual school/project
Consult with DPO and Governors
Check privacy notice and security arrangements for secure storage of pupil images in place before allowing photographer to take photos.
Only allow images of data subjects where we hold the appropriate parental permission to be used in line with the permission granted
Ensure images securely stored in school
Ensure data subjects in the images are correctly identified and records maintained (or stored in a way that allows staff to easily access relevant images in the event of a SAR)
Refer to any retention guidance and securely delete as required

Appendix A: Evidence of due diligence of supplier

Active Photographic Ltd

Unit 28

Sherwood Network Centre

Ollerton

Notts

NG22 0JZ

Email: admin@activephotographic.co.uk

Call: 01636 370550

ICO Registration Number: ZA352681

Data Protection Policy: GDPR – Active Photographic

All website servers are based in the UK and the website uses SSL certificates with username/password and 2FA.

Images can only be accessed with a unique ID, which is a randomly assigned number.

Appendix B: Supplier Terms of Use: Terms of service – Active Photographic

Appendix C: Linking the DPIA to the Data Protection Principles

Answering these questions during the DPIA process will help you to identify where there is a risk that the project will fail to comply with the GDPR or other relevant legislation, for example the Human Rights Act.

Principle 1

Lawfulness, fairness and transparency of data processing

There must be lawful basis for processing the personal data as follows;

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.

Have you identified the purpose of the project and which lawful basis applies?	A
Is the processing of the data necessary in terms of GDPR?	N
How will you tell individuals about the use of their personal data?	P.N.
Do you need to amend your privacy notices?	Y
If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?	GDPR consent form
If special categories of personal data have been identified have the requirements of GDPR been met?	n/a
As the School is subject to the Human Rights Act, you also will, where privacy risk are especially high, need to consider:
Will your actions interfere with the right to privacy under Article 8	N
Have you identified the social need and aims of the project?	n/a
Are your actions a proportionate response to the social need?	n/a

Principle 2

Personal data shall be obtained only for one or more specified explicit and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

Does your project plan cover all of the purposes for processing personal data?	Y
Have you identified potential new purposes as the scope of the project expands?	n/a
Does your Privacy Notice cover all potential uses?	Y

Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Is the quality of the information good enough for the purposes it is used?	Y
Which personal data could you not use, without compromising the needs of the project?	n/a

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

If you are procuring new software does it allow you to amend data when necessary?	n/a
How are you ensuring that personal data obtained from individuals or other organisations is accurate?	n/a

Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary.

What retention periods are suitable for the personal data you will be processing?	As per school policy
Are you procuring software that will allow you to delete information in line with your retention periods?	n/a

Principle 6

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Do any new systems provide protection against the security risks you have identified?	Y
What training and instructions are necessary to ensure that staff know how to operate a new system securely?	n/a

Rights of Data Subjects and Privacy by Design

Will the systems you are putting in place allow you to respond to subject access requests more easily?	n/a
Will the system allow compliance with individual rights under GDPR, in particular the right to be informed, the right to rectification and the right to ensure (right to be forgotten).	Y
If the project involves marketing, have you got a procedure for individuals to opt in to their information being used for that purpose?	n/a

Transferring data outside European Economic Area

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country of territory ensures and adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Will the project require you to transfer data outside of the EEA?	N
If you will be making transfers, how will you ensure that the data is adequately protected?	n/a