Article 35 of the UK GDPR requires a Data Protection Impact Assessment (DPIA) for any processing likely to result in a high risk to individuals. School Atlas maintains DPIAs for three such activities: child profiles, parent reviews, and the AI advisor. This page publishes a summary. The full DPIAs are available to the Information Commissioner on request.
Structure of each DPIA
- Necessity — why we process this data at all.
- Proportionality — why the volume and manner are no more than the purpose requires.
- Risks — identified risk, likelihood, impact, and the mitigations in place.
- Residual posture — our honest assessment of the remaining risk after mitigations.
A. Child profiles held by parent accounts
Necessity
Parents told us (and competitor products confirm) that shortlisting schools without being able to anchor against a specific child — year group, phase, preferred school types — is a worse user experience. Storing child profile data is necessary to deliver the service we advertise.
Proportionality
The fields captured are: name (parents may use a first name, initials or a nickname — no surname is required); optional date of birth (solely to derive the current school year and phase); current year group; school phase; preferred school types; and optional free-text notes. There is no structured SEND flag in the schema — if a parent wishes to note SEND matters they do so in their own free-text notes. No external identifiers, no image capture. Data is parent-scoped, protected by row-level security, never visible outside the parent account. No profiling, no targeting, no marketing use.
Risks and mitigations
- Risk: Unauthorised access to another user's child profile
Likelihood: Low — Impact: High
Mitigation: Row-Level Security on the Supabase table restricts reads to the owning user ID. Penetration-test scenario covered in the RLS audit migration.
- Risk: Child profile data used for marketing or profiling
Likelihood: Low — Impact: High
Mitigation: Technical: marketing system has no join on child tables; messaging segmentation uses only account-level data. Policy: privacy policy §16 and the children's access assessment both prohibit such use.
- Risk: Parent deletes account but child data persists
Likelihood: Low — Impact: Medium
Mitigation: Cascade delete via Supabase foreign keys (child_profiles.user_id ON DELETE CASCADE) and the delete_user_account RPC. Verified in account-deletion tests.
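The two technical controls above (owner-only row-level security and cascade deletion) can be sketched and audited as follows. This is an added example, not School Atlas's own migration: only child_profiles.user_id and its ON DELETE CASCADE come from this page, and the other columns and the policy names are assumptions.

```sql
-- Hypothetical schema: only user_id and its cascade rule are taken from the page.
create table if not exists public.child_profiles (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  name       text not null,   -- first name, initials or nickname
  year_group text,
  notes      text             -- optional free text
);

-- Policies are only enforced once RLS is enabled on the table.
alter table public.child_profiles enable row level security;

-- One policy per command, so a missing policy denies by default.
create policy child_profiles_owner_select on public.child_profiles
  for select to authenticated
  using (auth.uid() = user_id);

create policy child_profiles_owner_insert on public.child_profiles
  for insert to authenticated
  with check (auth.uid() = user_id);

-- WITH CHECK stops an owner from re-assigning a row to another user_id.
create policy child_profiles_owner_update on public.child_profiles
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy child_profiles_owner_delete on public.child_profiles
  for delete to authenticated
  using (auth.uid() = user_id);

-- Audit check 1: RLS is switched on (relrowsecurity should be true).
select c.relname, c.relrowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relname = 'child_profiles';

-- Audit check 2: every policy is scoped to the owner and no role is left open.
select policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public' and tablename = 'child_profiles';

-- Audit check 3: the foreign key cascades on delete (confdeltype = 'c').
select conname, confdeltype
from pg_constraint
where conrelid = 'public.child_profiles'::regclass and contype = 'f';
```

Supabase's service role bypasses RLS, so an audit of this control should also confirm that no client-reachable code path queries the table with the service key.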
Residual posture
Residual risk is low. Primary risk is logical; controls are technical + policy. Re-assess if profiles become socially shareable (they currently are not).
B. Parent reviews of named schools
Necessity
First-hand parent reviews are the platform's core user-generated content. Existing products (Google, Mumsnet) publish unmoderated reviews with named staff and children; a moderated, s.5-defence-backed alternative is the differentiator.
Proportionality
Reviews are text-only, 1,000 characters maximum, pre-moderated by a human, and must attest to first-hand experience. Named individuals and pupils are rejected. Reviewer display name is role-only (e.g. "Current parent"); reviewer identity is held internally only.
Risks and mitigations
- Risk: Defamatory review harms a school or individual
Likelihood: Medium — Impact: High
Mitigation: Pre-publication moderation by a human. Moderation policy §3 lists disqualifying content (named individuals, defamatory statements of fact, safeguarding disclosures). Notice-and-takedown in line with Defamation Regulations 2013 (acknowledge 48h / resolve 7 days).
- Risk: Review disclosure identifies a child indirectly (class, year, school combined)
Likelihood: Medium — Impact: High
Mitigation: Moderator checks for combinations that would identify a pupil; review rejected or edited. Contributor is directed to NSPCC if safeguarding indicators are present.
- Risk: Coordinated / fake reviews (commercial or competitive)
Likelihood: Medium — Impact: Medium
Mitigation: IP fingerprinting, account-age thresholds, 1/day rate limit, DMCC 2024 fake-reviews attestation required on submit. AI pre-flag for suspected duplicates; human decides.
- Risk: Review of a school persists after the reviewer withdraws consent
Likelihood: Low — Impact: Medium
Mitigation: Any user can delete their own review from the account area. Deletion is cascaded to the public review view within 1 minute.
Residual posture
Residual risk is manageable but non-zero. Moderation capacity is the limiting factor; the plan is to scale to a small moderation team before review volume exceeds a safe single-moderator throughput (~30 per day).
C. AI advisor conversations
Necessity
Parents regularly ask complex, cross-nation UK-schooling questions that a scripted FAQ cannot answer. A capable, scoped AI assistant is a natural fit — but only if the privacy and accuracy risks are managed.
Proportionality
The advisor is a Pro feature, rate-limited to 30 requests per user per day. Conversations are stored for 30 days for abuse handling, then deleted. They are sent to Anthropic in zero-retention mode where available, with no training use. The system prompt restricts the advisor to UK schooling scope. Output carries an on-screen disclaimer about verification.
Risks and mitigations
- Risk: User sends a child's personal data in a conversation, and it is retained longer than needed
Likelihood: Medium — Impact: Medium
Mitigation: Pre-send disclaimer on the input advises against sharing identifying details. 30-day retention, then automatic deletion. Anthropic processes in zero-retention mode where available.
- Risk: Advisor output is inaccurate and a parent makes a harmful schooling decision
Likelihood: Medium — Impact: Medium
Mitigation: On-page disclaimer states answers may be out of date, not legal/medical/financial advice, and directs verification with the school, local authority, Ofsted, ISI, or GOV.UK. Scope-limited system prompt. Knowledge-cutoff transparency.
- Risk: Advisor generates defamatory content about a named school or individual
Likelihood: Low — Impact: High
Mitigation: System prompt forbids generating judgements about named schools. Output is per-user and not published. Reported answers are logged to a moderation queue.
Residual posture
Residual risk is low-to-moderate. Primary ongoing control is clear user-facing framing: this is a helper, not an authority. Advisor use is reviewed in the annual register update.
Review cadence
Each DPIA is reviewed every 12 months and whenever the underlying feature changes materially — for example, if we ever introduced social-sharing of child profiles or removed human moderation from reviews, the relevant DPIA would be re-run from scratch before the change shipped. Last review: 21 April 2026. Next scheduled review: 21 April 2027.
Consulting the ICO
Where a DPIA identifies a risk we cannot sufficiently mitigate, Article 36 requires us to consult the ICO before processing begins. To date, all residual risks are either Low or Medium with strong controls, and no prior consultation has been triggered. If that changes, the ICO will be consulted.
Questions
Email the privacy contact at privacy@schoolatlas.co.uk.