DPIA
Submitting controller details
| Name of controller | |
| Subject/title of DPIA | Just2easy Tool Suite |
| Name of controller contact/DPO (delete as appropriate) | |
Step 1: Identify the need for a DPIA
| Explain broadly what the project aims to achieve and what type of processing it involves. You may find it helpful to refer to, or link to, other documents such as a project proposal. Summarise why you identified the need for a DPIA. |
| Just2easy is an education platform and digital Tool Suite that combines creation tools and games-based learning, designed for children in early years, Key Stage 1 and Key Stage 2. The Tool Suite allows students to engage in interactive learning across a number of subjects, with teachers able to access students' work and set homework, and parents able to access a portal to see their child’s completed work, homework activities and more. The need for a DPIA has been identified as Just2easy processes a large amount of children’s data that warrants particular care and protection. |
Step 2: Describe the processing
| Describe the nature of the processing: You might find it useful to refer to a flow diagram or other way of describing data flows. |
| The Just2easy primary digital Tool Suite collects certain data from users and from the data controllers, such as the schools using the Just2easy Tool Suite. The data collected, including details of the personal data and sources, are detailed in the flow chart below. The processing has been identified as high risk as it involves the offering of online services to children. No personal data is shared with third parties by Just2easy, with the exception of sharing data with Data Controllers such as schools. |
| Describe the scope of the processing: |
What is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
The personal data collected includes the following:
No special category data or other sensitive data such as criminal data is collected. The controllers retain control of how many and which students to sign up to the Just2easy Tool Suite. Personal data will be deleted at the controller's request, being soft deleted immediately and fully deleted within 12 months. Otherwise personal data will be deleted using the same method at the end of the contract.
J2e stores all data in servers within the UK and EU. |
| Describe the context of the processing: |
What is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
The data controllers will have control over the personal data uploaded to or shared with the J2e Suite. The personal data stored within the J2e Suite will include the personal data of children. The use of external education technology providers to provide schools with creative and engaging tools to assist with and enhance education is very common in the industry and the J2e Suite uses no novel technologies in its implementation, such as AI. All processes and activities in Just2easy, including the J2e Tool Suite, are designed with the ICO Children's Code in mind. |
| Describe the purposes of the processing: |
What do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?
The Just2easy primary digital Tool Suite is designed to enhance the education of children from early years up to Key Stage 2. |
Step 3: Consultation process
| Consider how to consult with relevant stakeholders: |
Describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?
The J2e Suite has been designed in consultation with various experts, including experts in education and experts in data protection, and has been audited by the Information Commissioner's Office. |
Step 4: Assess necessity and proportionality
| Describe compliance and proportionality measures, in particular: |
What is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
The lawful basis for the J2e Suite is Public Task, as we provide an education service to schools. The J2e Suite is an efficient, effective way to provide these services or to supplement an education. While occasionally new features may be added to the J2e Suite, these will be in the form of new learning games or experiences and will not affect the existing collection or use of personal data. Regardless, they will be added in consultation with experts, ensuring that they adhere strictly to the same codes and regulations as existing practices.
Each instance of the J2e Suite is segregated into specific schools, or school groups, and no users in any school or school group can access the personal data in any other school or school group without a specific authorised request to do so. Each Data Controller has full control over their school/school group, including being able to ensure data is accurate and up to date. The J2e Suite collects the minimal amount of data to be able to operate and will not collect or store more information.
Where an individual wishes to exercise any of their rights under the UK GDPR and Data Protection Act 2018, the J2e Suite allows for the Data Controller to access information directly and easily, in order to share it with the individual. Where requests may come through to Just2easy directly, we have processes in place to ensure it is directed to the appropriate controller immediately.
The Just2easy Tool Suite stores information on servers contained within the EU and UK, and does not transfer any data internationally. |
Step 5: Identify and assess risks
| Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. | Likelihood of harm Remote, possible or probable | Severity of harm Minimal, significant or severe | Overall risk Low, medium or high |
| Improper access to personal data, including children’s data. | Possible | Significant | Medium |
| Unauthorised access to personal data, including children’s data (e.g. Hacking). | Possible | Significant | Medium |
| Data breaches | Remote | Significant | Low |
Step 6: Identify measures to reduce risk
| Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5 | ||||
| Risk | Options to reduce or eliminate risk | Effect on risk Eliminated, reduced, accepted | Residual risk Low, medium, high | Measure approved Yes/no |
| Improper access | Personal data is segregated into distinct schools and school groups. Controllers have control over setting access rights within their own environment. | Reduced | Low | |
| Unauthorised access/Hacking | Just2easy has a set of technical and organizational security measures, including but not limited to regular cyber security audits, regular penetration testing, access control and encryption. | Reduced | Low | |
| Data Breaches | Just2easy has a robust set of security controls and data protection training is provided to all employees. | Reduced | Low | |
Step 7: Sign off and record outcomes
| Item | Name/position/date | Notes |
| Measures approved by: | Integrate actions back into project plan, with date and responsibility for completion | |
| Residual risks approved by: | If accepting any residual high risk, consult the ICO before going ahead | |
| DPO advice provided: | DPO should advise on compliance, step 6 measures and whether processing can proceed | |
| Summary of DPO advice: | ||
| DPO advice accepted or overruled by: | If overruled, you must explain your reasons | |
Comments:
| ||
| Consultation responses reviewed by: | If your decision departs from individuals’ views, you must explain your reasons | |
Comments:
| ||
| This DPIA will be kept under review by: | The DPO should also review ongoing compliance with DPIA | |