Data Protection Impact Assessment


Education Companion Data Protection Impact Assessment (DPIA)

Product: Education Companion
Purpose: Managing and resolving school complaints
Date: January 2026
Prepared by: Education Companion Ltd

DPIA Overview

  1. What is this DPIA for? This DPIA explains how Education Companion processes personal data and how privacy risks are identified and managed. It is intended to reassure schools and trusts, support Trust DPOs and governance staff, and demonstrate that data protection has been properly considered.
  2. What does Education Companion do? Education Companion is a digital platform used by schools and trusts to receive and manage complaints, communicate with parents and carers, track investigations, outcomes and timelines, and support governance and compliance. It replaces informal methods such as email chains, spreadsheets and paper files with a secure, permission-based system.

Roles and Responsibilities

  3. Who is responsible for the data? Schools and trusts are the Data Controllers. Education Companion acts as a Data Processor. Education Companion processes personal data only on the documented instructions of the school or trust and in accordance with the applicable Licence Agreement and data-protection terms.

Personal Data Processed

  4. Who does the data relate to? Pupils / students, parents or carers, and school, college or trust staff.
  5. What types of personal data are processed? Names and contact details, roles or relationships (e.g. staff role or parent relationship), and complaint correspondence, records and outcomes.
  6. Is special category data processed? Education Companion does not require or collect special category data by default. However, complaint content or uploaded documents may include sensitive information (e.g. SEND, health or safeguarding information). This data is provided by the school or complainant, remains under the control of the school or trust, and is processed by Education Companion only as instructed.

Data Collection and Access

  7. How is data collected? Data is provided by schools or trusts, entered by authorised users, or uploaded as part of a complaint. Education Companion does not collect data directly from pupils or parents outside the complaint process.
  8. Who can access the data? Access is limited to authorised users within the relevant school or trust based on role. Education Companion staff may access data only where necessary for technical support, onboarding, troubleshooting or investigating reported issues. All access is logged, limited and subject to confidentiality obligations.

Use of Data

  9. How is the data used? Personal data is used only to manage and resolve complaints, communicate with relevant parties, track timelines and outcomes, support compliance with complaints procedures, and improve the platform and service.
  10. Is there automated decision-making? No. There is no automated decision-making. AI tools may assist with drafting or summarising information, but all decisions and outcomes remain human-led and controlled by the school or trust.

Retention and Storage

  11. How long is data kept? Data is retained in line with the school or trust’s own retention policies and instructions. Education Companion acts solely on the direction of the school or trust and does not impose fixed retention periods. Where data is archived, it is retained only for as long as the school or trust requires, or where retention is necessary to meet legal or regulatory obligations.
  12. Where is data stored? Data is hosted in secure cloud infrastructure. Primary processing takes place in the UK/EU. Where data is transferred outside the UK/EU, appropriate safeguards are applied in line with UK GDPR requirements.

Security Measures

  13. How is data protected? Education Companion uses industry-standard security measures, including encryption in transit and at rest, role-based access controls, audit logs, secure hosting environments, and regular review of access permissions.

Use of AI

  Is automated decision-making used? No. There is no automated decision-making within the Platform. All decisions, outcomes and judgements are made by authorised school or trust users.
  How is AI used in the platform? AI tools may be used to assist users with drafting, summarising or organising complaint information (for example, creating draft summaries or suggested wording). AI does not make decisions, determine outcomes, or take action without human input. All AI-assisted outputs are reviewed, edited and approved by authorised users before use.
  Does AI change data-controller responsibilities? No. The school or trust remains the Data Controller at all times. Education Companion uses AI tools strictly as a processing aid, under the instructions of the school or trust, and in line with applicable data-protection agreements.

Privacy Risks and Mitigations

  Risk: Sensitive data within complaint content. Mitigation: Schools control what data is uploaded, access is restricted by role, and full audit trails are maintained.
  Risk: Unauthorised access. Mitigation: Role-based permissions, limited and logged support access, and account suspension where misuse is suspected.
  Risk: Data held in insecure formats. Mitigation: The platform replaces emails, spreadsheets and paper files with a central, secure system that provides oversight and accountability.

Review and Outcome

  14. How is privacy reviewed? Privacy is reviewed during onboarding, when new features are introduced, and in response to feedback from Trust DPOs or governance teams. Documentation and processes are updated where risks or concerns are identified.
  15. What is the outcome of this DPIA? The processing is necessary and proportionate. Risks are understood and mitigated. The platform improves data-protection standards compared to informal methods. No high residual risks have been identified.

Contact Details

21 Woodhill Road, Portishead, Bristol, BS20 7EU
support@educationcompanion.com

Schools and trusts should normally raise queries via their own DPO, who may contact Education Companion where required.

Prepared by: Jack Allen, Technical Director / Co-Founder

Reviewed and approved by: Sam Flood, Director

Date: January 2026

Companion-DPIA | V1.0 | Jan 2026
