DPIA Starter (Template)
School-ready starter document for Data Protection Impact Assessment drafting.
Outleap DPIA Starter (School Template)
Status: Approved baseline template for school completion. This starter document does not replace legal or DPO advice.
1. Project Summary
- Project: Outleap rollout for first-school destinations workflow
- School:
[School name] - School owner:
[Name + role] - Outleap supplier entity: Outleap Limited (Company No. 14277395)
- Supplier contact: Jesse Merrigan (Director and named data protection contact, supported by Outleap's documented governance and review process), hello@outleap.io
- Start date:
[YYYY-MM-DD] - Review date:
[YYYY-MM-DD]
2. Processing Description
2.1 What is being processed
- Student profile and school account data (name, email, role, school linkage)
- Evidence entries and UCAS three-question statement drafts/submissions
- Staff-released feedback, status history, and reference workflow records where references are enabled for the school
- Cohort visibility, at-risk flags, and progress/workflow metadata (milestones, submission state)
- Administrative audit events and school setup metadata
(If non-university application workspaces are enabled in a future scope, their records would be added to this processing description by agreement; they are not processed today.)
2.2 Why this is processed
- Provide a structured drafting and review process for the school's active Outleap workflows
- Enable staff oversight for progress and intervention
- Support consistent feedback workflows, managed release, and quality controls
2.3 Who can access data
- Student role: own records
- Teacher and school admin roles: scoped records according to assignment and school scope
- Outleap admins: platform operations under contractual controls
3. Lawful Basis (School to complete)
- Primary lawful basis:
[Public task / Legitimate interests / Contract] - Special category condition (if applicable):
[Article 9 condition] - Notes/justification:
[School-specific rationale]
4. Necessity and Proportionality
Document why this processing is required and proportionate.
- Why these data fields are required for stated outcomes:
[text] - Why less intrusive alternatives are insufficient:
[text] - How role scoping/minimisation is enforced in school practice:
[text]
5. Data Flow Snapshot
| Stage | Data in | Processor/system | Data out |
|---|---|---|---|
| Authentication | Email + auth token | Firebase Auth | Role-scoped session |
| Evidence capture | Evidence entry text + metadata | Outleap API + Firestore | Saved evidence records |
| Draft workflow | Statement text + metadata | Outleap API + Firestore | Saved draft/submission state |
| Feedback generation | Submission snapshot + context | Vertex AI workflow | Structured feedback payload |
| Managed release | Draft feedback + workflow decision | Outleap admin workflows | Published feedback to student |
| References (where enabled) | Evidence + reference context | Outleap API + Firestore + AI services | Reference drafting and finalisation outputs |
| Reporting | Progress + status data | Admin insights endpoints | School admin views |
6. Risk Assessment
Rate likelihood and impact for your school context.
| Risk | Likelihood | Impact | Controls | Residual risk |
|---|---|---|---|---|
| Unauthorised access to student records | [L/M/H] |
[L/M/H] |
RBAC, school scoping, auth controls | [L/M/H] |
| Cross-school data visibility | [L/M/H] |
[L/M/H] |
SchoolId scoping checks, role middleware | [L/M/H] |
| Inappropriate handling of sensitive statement content | [L/M/H] |
[L/M/H] |
Staff review controls, safeguarding process | [L/M/H] |
| Retention beyond educational need | [L/M/H] |
[L/M/H] |
Retention schedule + deletion workflow | [L/M/H] |
| Overreliance on AI feedback | [L/M/H] |
[L/M/H] |
Human oversight policy + publication controls | [L/M/H] |
7. Mitigation Actions
- Confirm school role model and access governance.
- Agree retention windows by dataset and cycle.
- Confirm safeguarding escalation route for concerning content.
- Document DSAR and breach communication contacts.
- Complete contract pack (DPA + policy references).
8. Data Residency and Transfers
- School confirms acceptance of documented residency statement in the supplier trust pack.
- School confirms transfer safeguards are documented where any non-UK processing occurs.
- School records any local policy constraints here:
[text].
9. Decision and Sign-Off
- Residual risk level:
[Low / Medium / High] - DPO consultation required:
[Yes / No] - Approved by:
[Name + role] - Date:
[YYYY-MM-DD]
10. Review Cycle
- Reassess at least annually, or sooner if processing scope materially changes.
- Reassess after significant incidents, safeguarding events, or supplier architecture changes.