# Data Protection Impact Assessment (DPIA)

**Product:** NeuroKids (Linked2Link Ltd)
**Document version:** 1.0
**Date:** 11 July 2026
**Status:** Template for school DPO completion

---

## 1. Identify the need for a DPIA

NeuroKids is a Special Educational Needs (SEN/SEND) communication, learning,
and behavioural-tracking platform used by neurodivergent children (typically
aged 3–14) under parent or staff supervision. Because it processes:

- Children's personal data (name, age, learning progress)
- Special-category data (medical/SEN diagnoses, behaviour patterns)
- Communication content created by the child (AAC sentences, journal entries)

…it meets the ICO threshold requiring a DPIA under UK GDPR Article 35(3)(b)
("large-scale processing of special-category data") and (c) ("systematic
monitoring").

## 2. Describe the processing

| Field | Detail |
|---|---|
| **Nature** | Cloud SaaS web/PWA. Pupil device → HTTPS → UK/EU API → encrypted MongoDB Atlas. |
| **Scope** | Pupil profile (first name, age, optional SEN focus), learning logs, AAC sentences, mood check-ins. NO photos, NO location, NO biometric data, NO surnames required. |
| **Context** | School deploys via MDM to school-owned iPads/Chromebooks. Each pupil logs in via PIN provisioned by the SENCO. |
| **Purpose** | Augmentative & Alternative Communication (AAC); structured SEN learning; progress reporting to therapists & EHCP reviews. |

## 3. Consultation process

Schools must complete this section. Consult: SENCO, headteacher, DPO,
parents (Article 35(9) — meaningful consultation). Document outcome below.

> _Consultation evidence:_ ……………………………………………………

## 4. Necessity and proportionality

| UK GDPR principle | How NeuroKids meets it |
|---|---|
| **Lawful basis (Art. 6)** | Public task (Art. 6(1)(e)) for state schools; Legitimate interest (6(1)(f)) for academies; explicit parental consent for special-category data (Art. 9(2)(a)). |
| **Data minimisation** | First name + age only. No surname, address, photo, or behavioural-video capture required. |
| **Purpose limitation** | Data used only for SEN communication / learning / reporting. No advertising. No profiling for commercial purposes. |
| **Storage limitation** | Pupil records auto-deleted 30 days after school removes the pupil; 7 years for anonymised aggregate (DfE statutory retention guidance). |
| **Accuracy** | Parents/SENCOs can edit pupil data in-app at any time. |
| **International transfers** | Data stays in EU (Ireland). LLM sub-processors anonymise before send and are DPF-certified. |

## 5. Risk-mitigation matrix

| # | Risk | Likelihood (1-5) | Severity (1-5) | Overall | Mitigation | Residual |
|---|---|---|---|---|---|---|
| R1 | Pupil PIN guessable / shared between pupils | 3 | 3 | 9 | 4-digit PIN with rate-limit (5 attempts then lock); SENCO can rotate; staff training in onboarding pack. | 3 |
| R2 | AAC content reveals safeguarding concern (e.g. "dad hurt me") | 2 | 5 | 10 | Optional staff alert on flagged-keyword detection; AAC content visible to SENCO; ProTeach safeguarding signposting in-app. | 4 |
| R3 | Data breach in transit / at rest | 2 | 5 | 10 | TLS 1.3, bcrypt passwords, MongoDB Atlas encryption-at-rest, audit log retained 12 months. | 2 |
| R4 | Third-party sub-processor failure | 2 | 4 | 8 | DPA in place with every processor; transfers limited to UK/EU and DPF-certified processors. Quarterly review. | 3 |
| R5 | Parent withdraws consent mid-term | 4 | 2 | 8 | One-click "delete child profile" in app and via DPO@neuro-kids-space.co.uk; auto-purge in 30d. | 2 |
| R6 | Pupil over 13 self-registers without parental control | 2 | 3 | 6 | School deployment requires SENCO-issued PINs; self-signup disabled in MDM-managed install. | 2 |
| R7 | AI feature leaks identifying pupil data to LLM | 3 | 4 | 12 | Anonymisation layer strips names/IDs before send; LLM providers contractually bound (DPA), no training on pupil data. | 3 |
| R8 | Subject Access Request not fulfilled in 30 days | 2 | 3 | 6 | DPO inbox monitored daily; data-export feature in-app for parents (immediate); audit log of every SAR. | 2 |
| R9 | Loss of device with cached session | 3 | 3 | 9 | Sessions expire after 14 days idle; MDM remote-wipe supported; no biometric/photo cache on device. | 3 |
| R10 | Records retained beyond statutory period | 2 | 3 | 6 | Automated retention job purges per policy; SENCO can trigger immediate erase. | 2 |

(Likelihood × Severity ≥ 10 = High; ≥ 16 = Critical. No critical residual risks identified.)

## 6. Sign-off

| Role | Name | Date | Signature |
|---|---|---|---|
| School DPO | | | |
| Headteacher | | | |
| SENCO | | | |
| Linked2Link DPO | _Pending appointment — placeholder_ | | |

## 7. Review

This DPIA is reviewed annually, and immediately following any material
change to the processing (e.g. new sub-processor, new data category, new
AI feature).

**Next review due:** 11 July 2027

---

*This template is provided by Linked2Link Ltd as part of the NeuroKids
school-deployment pack. It is based on the UK ICO's official sample DPIA
(ico.org.uk/media/for-organisations/documents/2553993/dpia-template.docx)
and adapted for SEN/SEND classroom deployment.*
