CYC DPIA screening May 2025 – v6.0

Data Protection Impact Assessment Screening Questionnaire

 

To confirm whether a full DPIA is required please go through the below and tick any boxes that are relevant.

 

Ref number:

Name and Job title: Rachelle White, School Admissions Manager

Date: 06/11/2025

Description - Explain broadly what you aim to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal, business case etc.

To determine admission arrangements for 2027-2028 admissions following a consultation as required by School Admissions Code 2021.

 

Are you:

·        starting a new (or reviewing an existing) project involving the use of personal data

Are you planning to carry out any of the following:

·        evaluation or scoring

·        automated decision-making with significant effects

·        systematic monitoring

·        processing of sensitive data or data of a highly personal nature

·        processing on a large scale

·        processing of data concerning vulnerable data subjects

·        innovative technological or organisational solutions

·        processing that involves preventing data subjects from exercising a right or using a service or contract

·        profiling to make decisions about people

·        automated decision-making to make decisions about people

·        process special-category data or criminal-offence data

·        systematically monitor a publicly accessible place eg CCTV

·        use innovative technology in combination with any of the criteria in the European guidelines

·        use profiling to help make decisions on someone’s access to a service, opportunity or benefit

·        use automated decision-making to help make decisions on someone’s access to a service, opportunity or benefit

·        use special category data to help make decisions on someone’s access to a service, opportunity or benefit

·        carry out profiling on a large scale

·        process biometric or genetic data in combination with any of the criteria in the European guidelines

·        combine, compare or match data from multiple sources

·        process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines

·        process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines

·        process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them

·        process personal data that could result in a risk of harm in the event of a breach

·        a change to the nature, scope, context or purposes of existing processing

 

If you have ticked any of the boxes above, you must complete a full DPIA. Please contact information.governance@york.gov.uk, who will be able to advise and support you to do this.

 

If you have not ticked any of the boxes above, you are not required to complete a full DPIA. However, we must record all decision making regarding DPIAs, so please send your completed screening questionnaire to information.governance@york.gov.uk.

 

CYC DPIA Dec 24 – v3.0

Data Protection Impact Assessment (DPIA)

 

Why do I need to complete a DPIA?

 

This process is a mandated legal requirement of data protection legislation: it ensures that privacy concerns have been considered and actioned, so that the security and confidentiality of personal identifiable information is maintained.

 

When do I need to complete a DPIA?

 

This document must be completed for any proposed, new or changed process, service, technology, or project which may or will be processing personal identifiable information. It must be completed before change, implementation, or procurement.

 

Who should complete a DPIA?

 

The DPIA should be initiated and completed by either the relevant Project Manager, Manager or Information Asset Owner/Administrator (IAO/IAA) in the area proposing the change (see Intranet | Information on the roles of SIRO, IAO, IAA, DPO and CG (york.gov.uk)).

 

It is advisable to include the following where appropriate:

·        information governance team

·        ICT & information security team

·        web services team

·        legal services

·        procurement

·        relevant stakeholders

·        any data processors (including 3rd party suppliers)

 

Following completion of the DPIA, if it identifies a high risk and you cannot do anything to reduce it, we must consult with the ICO as set out in data protection legislation. You must not go ahead with the processing until this has been done and the ICO has provided their decision or outcome (see Do we need to consult the ICO? | ICO). You must contact information.governance@york.gov.uk, who will lead on this with the ICO.

 

The DPIA must be approved and signed by the IAO/IAA or appropriate senior manager before the system goes live and/or the new or changed processing starts.

 

What Next?

 

Please complete the screening questionnaire on the next page. If you answer yes to any of the screening questions you will be required to complete the full DPIA with as much detail as possible and return the completed form to information.governance@york.gov.uk.

 

Further guidance on DPIAs can also be found on the Information Commissioner’s website www.ico.gov.uk

 

What does ‘large scale’ mean?

 

The legislation does not contain a definition of large-scale processing, but to decide whether processing is on a large scale you should consider:

 

Examples of large-scale processing include:

 

Data Protection Impact Assessment Screening Questionnaire

 

To confirm whether a full DPIA is required, please answer the below questions about how you are planning to use, or already use, personal identifiable information, e.g. personal data, special categories of personal data or criminal offence and conviction data.

 

Ref number:

Name and Job title: Rachelle White, School Admissions Manager

Date: 06/11/2025

Description - Explain broadly what you aim to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal.

To determine admission arrangements for 2027-2028 admissions following a consultation as required by School Admissions Code 2021 which is an annual process.

 

As part of the consultation, respondents can provide their response to the draft admission arrangements via an online surveymonkey which asks for personal details (name, address, contact details, position (if applying for a school or MAT)); a response can be provided without these.

 

This information is collated by surveymonkey and passed to the School Admission Manager for consideration as part of the consultation process. The details of the respondent are not shared within the Admission Consultation report.

 

This information is kept securely within CYC folders with limited access to CYC staff only.

 

If a response is regarding a Multi Academy Trust then the response and details are forwarded to the relevant MAT for consideration during their determination which is clearly stated in Admission Consultation information.

 

 

Screening Questions (Yes or No)

1. Use systematic and extensive profiling or automated decision-making to make significant decisions about people. Answer: N

2. Process special category data. Answer: N

3. Process criminal offence data. Answer: N

4. Systematically monitor a publicly accessible place. Answer: N

5. Use new technologies, innovative technological or organisational solutions. Answer: N

6. Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity, or benefit. Answer: N

7. Carry out profiling including evaluation or scoring. Answer: N

8. Process biometric or genetic data. Answer: N

9. Combine, compare, or match data from multiple sources. Answer: N

10. Process personal data without providing a privacy notice directly to the individual and/or other processing involving preventing data subjects from exercising a right or using a service or contract. Answer: N

11. Process personal data in a way which involves tracking individuals’ online or offline location or behaviour or other systematic monitoring. Answer: N

12. Process children’s personal data for profiling or automated decision-making or for marketing purposes or offer online services directly to them. Answer: N

13. Process personal data which could result in a risk of harm in the event of a data or information security breach. Answer: Y

14. Any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Answer: N

15. Processing that may result in significant/high risks that cannot be reduced after taking any/all mitigating measures. Answer: N

 

If you have answered YES to any of the questions above, you must complete the full DPIA in the next section and return it to information.governance@york.gov.uk.

 

If you have answered NO to ALL questions, you are not required to complete a full DPIA. However, we must record all decision making regarding DPIAs, so please send your completed screening questionnaire to information.governance@york.gov.uk.

 

Data Protection Impact Assessment (DPIA)

Reference Number (if applicable):

Lead/contact name: Rachelle White

Directorate: Education & Skills

Service Area: Inclusive Mainstream

Data controller details: Rachelle White and Business Intelligence

Data processor details: Rachelle White

Information Asset Owner: Rachelle White

(All systems/assets must have an Information Asset Owner (IAO). See Intranet | Information on the roles of SIRO, IAO, IAA, DPO and CG (york.gov.uk).)

Information Asset Administrator: Rachelle White

(All systems/assets usually have an Information Asset Administrator (IAA) who reports to the IAO as stated above. See Intranet | Information on the roles of SIRO, IAO, IAA, DPO and CG (york.gov.uk).)

Customers and stakeholders (please list all involved, including both internal and external parties):

·        Any consultation respondents

·        Any Multi Academy Trust (MAT) for whom a response may be received and passed directly to them for consideration. The list of MATs is:

Yorkshire Learning Trust

Pathfinder Multi Academy Trust

Excel Learning Trust

Heartwood Learning Trust

Ebor Academy Trust

TEAL

Nicholas Postgate Catholic Trust

 

Step 1 – Identify the need for a DPIA

Hints and tips to complete this section:

See above DPIA screening questions

 

It was identified that a DPIA would be needed ***.

 

The purposes of the proposed, new or change in process, service, technology, or project are ****this could be copies of extracts from or links to project docs, business cases etc****

The above will realise several benefits including: *** e.g. what are the expected benefits for individuals/the council etc

 

See customers and stakeholders above and/or describe when and how you will seek individuals’ views – or the reasons it’s not appropriate to do so and/or refer to the equalities impact assessment Intranet | Equalities and human rights (york.gov.uk)

 

If you need to describe “purposes” because there are no other documents, consider the below points

·        what do you want to achieve

·        what is the intended effect and/or outcome for individuals, the council etc

·        are there any unintended effects and/or outcomes for individuals, the council etc

 

 

To determine admission arrangements for 2027-2028 admissions following a consultation as required by School Admissions Code 2021 which is an annual process.

 

As part of the consultation, respondents can provide their response to the draft admission arrangements via an online surveymonkey which asks for the personal details (name, address, contact details, position (if applying for a school or MAT)) a response can be provided without these.

 

This information is collated from surveymonkey by Business Intelligence and is then passed to the School Admission Manager for consideration as part of the consultation process.

 

The details of the respondent are not shared within the Admission Consultation report.

 

This information is kept securely within CYC folders with limited access to CYC staff only.

 

If a response is received regarding a Multi Academy Trust then the response and details are forwarded to the relevant MAT for consideration during their determination which is clearly stated in Admission Consultation information.

 

 

Step 2 – Describe the information flow

Hints and tips to complete this section:

The collection, use and deletion of information should be described here.

It may be useful to use a flow diagram or another visual way or data map/flow/list to explain information flows.

 

·         Respondent completes a surveymonkey at School Admissions Consultation 2027 to 2028 – City of York Council which requests a respondent’s details (but a response can be provided without these details). Details requested are name, address, email address for parents/carers/interested parties. Details requested are name, address, email address, school and role for school/MAT responses.

·         The information is collated by Business Intelligence via the surveymonkey.

·         The information is passed to Rachelle White, School Admissions Manager.

·         The information is stored on the CYC L drive with limited access.

·         If a respondent provides a response relating to a change to the admission arrangements of a MAT, Rachelle will forward the response and respondent’s details to the relevant MAT contact via secure email.

·         The response will be included in the determination report but not the respondent’s details.

 

Provide details of personal, special category and criminal offence data being processed by checking all options that apply. Add any additional items and their description, in the ‘other’ option.

Personal data

Name

NHS Number

Address

NI Number

Post Code

IP Address

Date of Birth/Age/Age group

Photograph

Telephone Number(s)

Email Address

Other: Please describe

 

If the response is from a school or MAT, their role and school are also requested.

Special Category Data

Religion

Ethnicity

Health Information

Trade Union Membership

Political Opinions

Sexual Orientation

Biometric Data

Criminal offence and/or history

Other: Please describe e.g. Carer

 

 

Criminal offence data

Please describe:

 

 

Provide details of data subjects - checking all that apply. Add any additional items in the ‘other’ option.

Residents

Customers/Clients/Citizens

Children/young people

Vulnerable people/groups

Staff/employees/agency staff

Volunteers

Other: Please describe

 

 

Step 3a – Identifying risks & solutions

The following questions will highlight any risks associated with the principles of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and other privacy legislation.

 

Where a risk is identified, it should be carried forward to the table in Step 3b below, where mitigation and evaluation should be recorded.

 

Data protection/ privacy Issue

Response

Risk (Yes/No)

Who is the IAO and IAA?

 

Rachelle White

 

How many individuals will be affected

The number of respondents who provide a response. This is usually less than 10.

No

What is the nature of the relationship with the data subjects?

Surveymonkey respondents

No

How will information be collected and/or what is the source of the information?

Online surveymonkey information provided by respondents

No

Who will have access to the information?

Rachelle White, School Admissions Manager, School Admissions Team, some members of the Inclusive Education Service area.

 

No

Is any information shared within CYC?

 

Business Intelligence to Rachelle White only

No

Is any information shared externally with other organisations?

 

If a response is regarding a Multi Academy Trust then the response and details are forwarded to the relevant MAT for consideration during their determination which is clearly stated in Admission Consultation information.

 

No

 

What is the lawful basis for processing personal data?

 

Article 6

 

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

 

 

What is the lawful basis for processing special categories of personal data

Article 9

 

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)

(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

 

 

What is the lawful basis for processing criminal conviction or offences including past criminal convictions or offences

Article 10

No

 

Will information be processed in a way that goes beyond an individual’s reasonable expectations?

No

 

Do we have any previous experience of this type of processing?

 

Yes

 

How will you tell the individuals about the use of their information?

Privacy notice is included on the surveymonkey, as well as confirmation that any MAT response will be forwarded to the relevant MAT for their consideration.

 

 

Does the privacy notice cover the processing activities, or does it need amending?

Yes included in the privacy notice

 

If you are relying on consent to process personal information, how will this be collected and what will you do if it is not given or withdrawn?

If consent is withdrawn we can remove the response and advise the respondent that the response will not be considered in any determination.

If the information has already been shared with a MAT we will advise them accordingly.

 

Purpose Limitation

Have you identified all the purposes at Step 1 for which you will use information?

 

Yes

 

Does the processing achieve your purpose(s)?

 

Yes

 

Is there another way to achieve the same outcome?

 

No, a consultation is a legal requirement in the School Admissions Code 2021.

 

How will you ensure data minimisation i.e. only collecting/processing the minimum amount for the purpose(s)?

 

Minimal involvement of staff members (only BI and Rachelle White)

Only essential information requested

Information passed on to the designated MAT contact only.

 

How will you ensure there is no “function” or processing creep?

Set defined process with limited access to staff and no deviation from process

 

 

Can you ensure that the data collected is good enough for the intended purpose?

 

Only relevant/necessary information requested (response can be provided without the information)

 

Is there any information that could be removed or anonymised without compromising the purpose(s) set out at Step 1?

No

 

Accuracy

Can the information be amended and/or deleted if required?

Yes

 

How will you ensure information used will be accurate and up to date?

Yes

 

 

Have you established retention periods for the information?

Checked retention schedule with IG – no exact record type however will check the admissions code to see if it is noted in guidance.

 

Does the new processing/system allow you to delete information in line with the retention periods?

Yes

 

If there is a business need to retain information beyond the retention period, e.g. historical trend analysis, can the data be anonymised at this point?

No

 

Have you checked if there is there a legal or other requirement to transfer the data at the end of the retention period for permanent preservation e.g. City or National Archives? If there is, how will this be done?

Not required

 

How will it be destroyed/deleted or transferred?

Deleted from L drive; no other copies held.

 

Security

If required, have the information security technical checks/questions been completed and approved by ICT/ICT security, or have they identified any risks?

NA

 

Where will the information be stored?

CYC L drive in Admissions folder with limited access

 

Does the new or current system/ procedure/processing provide adequate protection against security risks?

Yes

 

What is the current state of technology in this area and/or are there any relevant advances in technology or security?

Standard CYC security

 

What training and guidance is or will be given to staff?

 

Information is processed by Rachelle White; no training is required of other staff.

 

What data protection training has been undertaken by staff?

All CYC staff are required to complete regular mandatory DP and information security training – MyLo

 

If a third party is being used, what is the data protection relationship e.g. independent controllers, joint controllers, controller / processor, or processor/controller?

NA

 

If a third party is being used, is there a contract in place with the appropriate UK GDPR/DPA 2018 clauses and schedule if needed?

NA

 

If a third party is being used, how have you checked that their processes are UK GDPR/DPA 2018 compliant?

NA

 

Is the third party signed up to any approved code of conduct or certification scheme e.g.,

NA

 

International Transfers

Will you transfer information outside of the EEA?

No

    

If transferring data outside of the EEA, does the country/ organisation demonstrate an adequate level of data protection?

No

 

If transferring information outside of the EEA, how will you ensure that the information is transferred securely?

 

NA

 

Will you be using ‘Cloud Based’ systems to store or transfer information? If so, where is the geographical location of the server and does the system demonstrate an adequate level of data protection?

 

No

 

Rights of the Data Subject

How will you manage rights of individuals requests e.g. Subject Access Requests (SARs), request to rectify data, request to be forgotten, objection to processing, restriction?

CYC policies and procedures - information.governance@york.gov.uk

If a SAR is requested this information would be included

 

Does the system involve automated decision making? If so, do you have a process in place to facilitate human intervention?

No

 

Accountability

As a result of this new or change to processing, do you need to update entries in the Information Asset Register (IAR)/ROPA etc?

No

 

As a result of this new or change to processing, do you need to update any Policies or Procedures?

No

 

As a result of this new or change to processing, do you need to consider any Codes of Practice, regulatory guidance etc?

No

 

Step 3b – Identifying risks & solutions

 

What are the risks and mitigations about data processing?

 

Required information: privacy risks identified, mitigation/solution, evaluation (i.e. is the risk eliminated/reduced/accepted).

 

Treat this in the same way as defining project risks but look at it from a customer and data point of view. It is good practice to include the risks identified here in the project or service area risk register so that they are monitored throughout the lifecycle of the project and/or service provision.

 

Transfer any risks identified in Step 3a above into the below table, i.e. all those where Risk is Yes.

 

Each entry below records the Risk, the Mitigation / Solution(s), and the Evaluation (is the risk eliminated, reduced, or accepted?).

Risk: Personal/special categories data/criminal offence data transfer

·        More than is necessary

·        Not accurate / up to date

·        Not by secure methods

Mitigation / Solution(s): Only the minimum amount of information is being collected as part of the consultation. Survey Monkey is an approved tool for CYC use – no ICT security issues.

Evaluation: RA

Risk: Individuals/data subjects are not informed or cannot access their rights

Mitigation / Solution(s): Privacy notice(s) to be reviewed/updated if required. CYC policies and procedures for ROIs – information.governance@york.gov.uk. Intranet | Data Protection, Privacy, and Information Governance (york.gov.uk). https://www.york.gov.uk/privacy/SchoolsServicesAdmissionsTransportAndAppeals

Evaluation: RA

Risk: Data breaches: Personal information may be exposed, leading to identity theft or fraud, financial fraud, physical harm, or other forms of malicious use e.g.

Mitigation / Solution(s): Risk of data breach is low:

·        CYC ICT data security and cybersecurity measures

·        Use of passwords and logins to system(s)

·        Carry out staff training

·        Service area(s) to review their DR/BCP plans to ensure any loss of access to systems/data is covered, are efficient, and effective

Evaluation: RA

Risk: Breach notification obligations to ICO/NHS etc: If a data breach occurs due to insufficient security, the organisation may fail to meet its obligation to promptly notify affected individuals and relevant authorities.

Mitigation / Solution(s): CYC policies and procedures in place for the reporting of data breaches to the ICO

Evaluation: RA

Risk: Information could be accessed or shared without individuals' consent, violating their right to privacy.

Mitigation / Solution(s):

·        CYC ICT, HR, information governance policies and procedures

·        Use of passwords and logins to system(s)

·        Carry out staff training

Evaluation: RA

Risk: Non-compliance with data protection and privacy legislation/regulations resulting in regulator action/sanctions including potential fines and legal action.

Mitigation / Solution(s):

·        DPIA

·        DSA – covered in education general

·        Privacy notices to be drafted/reviewed

·        Compliance monitoring e.g. through internal audits etc

Evaluation: RA

Risk: Improper system/records access

Mitigation / Solution(s): CYC organisational and technical measures such as

·        User designation

·        User permissions limited based on access requirements for role

Evaluation: RA

Risk: Unlocked device with unauthorised access to system

Mitigation / Solution(s): CYC organisational and technical measures such as

·        Standard work policy to lock device when leaving desk

·        Autolock

·        Rolling password changes

Evaluation: RA

Risk: Privacy notice does not reflect processing activity

Mitigation / Solution(s): Privacy notice has been reviewed and is already published on CYC website

Evaluation: RA

Risk: Retention periods are not adhered to

Mitigation / Solution(s): Query regarding retention period – ongoing

Evaluation: RA

Risk: IAR/ROPA is not up to date

Mitigation / Solution(s): IAR/ROPA will be updated to include all new and updated assets and new processing activities – JB to check IAR

Evaluation: RA

Risk: Policies and procedures do not reflect new project/new or change to processing

Mitigation / Solution(s): N/A

Risk: Financial loss from breaches and subsequent legal action and/or insurance claims from individuals could result in financial losses, including legal fees, fines, and compensation to affected individuals

Mitigation / Solution(s): Insurance policies in place

Risk: Inability to access services or opportunities

Mitigation / Solution(s): No implications on school places

Evaluation: RA

Risk: Loss of control over the use of information

Mitigation / Solution(s): ICT security systems in place for securing the CYC network
 

 

Some other examples of actions that can reduce risks are

·        taking additional technological security measures; or using a different technology; training staff to ensure risks are anticipated and managed.

·        anonymising or pseudonymising data where possible.

·        writing internal guidance or processes to avoid risks.

·        putting clear data-sharing agreements into place with all partners.

·        offering individuals the chance to opt out where appropriate; or

·        implementing new systems to help individuals to exercise their rights

 

Step 5 – Record of outcomes and sign off

 

Please complete the sign off section below and email a copy of the full document to information.governance@york.gov.uk

Where it is identified that the processing is likely to result in a high risk to individuals, approval will need to be gained from the Senior Information Risk Owner and/or Chief Operating Officer and/or the Information Commissioner’s Office. Please see Do we need to consult the ICO? | ICO.

 

 

For each item below, record Yes/No, Date, Name and Position.

Confirm ongoing or outstanding actions will be integrated into the project or service plan, with the date, name and position of who is responsible:

 

Residual risks approved:

 

DPO/Information Governance advice provided:

 

Summary of DPO/ Information Governance advice: Privacy notice in place to cover the consultation, DSA in place with MATs for any information shared. Only remaining query is regarding the retention period for the records. RW to check schools admissions code and ask regional groups.

 

DPO/Information Governance advice accepted:

 

If not accepted, please explain the reasons:

 

Project/Process Sponsor

Name: Rachelle White

Job Title: School Admissions Manager

Signature:

Date: 13/11/2025

 

Information Asset Owner

Name: Rachelle White

Job Title: School Admissions Manager

Signature:

Date: 13/11/2025

 

Data protection/information governance

Name: James Bailey

Job Title: IG Adviser

Signature:

Date: 13/11/2025