# OMNIA — Data Protection Impact Assessment (DPIA)
**Version:** 1.1

**Last reviewed:** 2026-05-12

**Owner:** Data Protection Officer (school-side) + OMNIA platform team
---
## 1. Purpose of processing
OMNIA helps schools document Special Educational Needs and Disability (SEND)
provision: inclusion plans, behaviour plans, EAA arrangements, Personal
Emergency Evacuation Plans, parent voice, referrals, and supporting evidence.
Lawful bases relied on:
- **GDPR / UK GDPR Art. 6(1)(e) + Art. 9(2)(g)** — public interest task
(statutory SEND duties).
- **UAE PDPL Art. 5(d) + Art. 6** — necessity for performance of a contract
with the parent and compliance with KHDA / ADEK regulatory obligations.
## 2. Data categories processed
| Category | Examples | Sensitivity |
|---|---|---|
| Pupil identity | Name, DOB, photo, year group, national ID | Personal |
| SEND data | Primary need, plans, targets, specialist reports | **Special category** |
| Parent voice | Free-text responses about the child | Personal + special category |
| Staff identity | Staff name, email, role | Personal |
| Audit metadata | IPs, user agents, timestamps | Personal |
| Staff timetable assignments | Staff↔pupil↔provision links, period times, location | Personal (staff) + linked to special-category pupil data |
## 3. Data flows
```
Parent ─┐                  ┌─► Inclusion team (browser, RLS-scoped)
        ├─► OMNIA web app ─┤
Staff ──┘                  ├─► Lovable Cloud (Postgres, encrypted at rest)
                           ├─► Microsoft Graph (optional: SharePoint discovery,
                           │                              shared mailbox for parent links)
                           └─► Lovable AI Gateway (specialist-summary OCR/LLM)
```
The Staff Timetabling tool reads and writes the same Lovable Cloud (Postgres)
tables as the Resource Optimiser (`staff_allocations`, plus its own
`timetable_periods` and `staff_timetable_slots`). It introduces no new
processors and no new data egress.
## 4. Processors
| Processor | Role | Region | DPA |
|---|---|---|---|
| Lovable / Supabase | Hosting, database, storage | EU (Frankfurt) | Yes |
| Microsoft Graph | Optional SharePoint + email for parent links | School's tenant | School's existing M365 DPA |
| Lovable AI Gateway | LLM summarisation of specialist reports | Per provider | Inherited |
## 5. Risks & mitigations
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Cross-tenant data leak | Low | High | Row-Level Security on every domain table; tenant guard on every `supabaseAdmin` write; nightly schema linter |
| Parent voice link interception | Medium | Medium | 4-digit PIN gate, rate-limit + 15 min lockout after 5 attempts, single-use tokens, 30-day expiry |
| Inappropriate staff access | Low | Medium | Role-based access (admin / SENCo / teacher / read-only / peep-only), per-pupil audit trail visible to SENCo |
| LLM data exposure | Low | Medium | Specialist reports processed in-flight only, no LLM-side retention, no training opt-in |
| SharePoint over-discovery | Medium | Medium | Drive allow-list, GDPR acknowledgement gate, manual confirm before file binds to pupil |
| Stale data retention | Medium | Low | Daily retention sweep (see /docs/data-retention.md) |
| Inappropriate visibility of staff schedules | Low | Low | Premium feature flag (off by default); RLS-scoped per school; teachers see only their own + their year groups; SENCo/admin see all within school |
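The "parent voice link interception" row above lists four controls: a 4-digit PIN gate, a 15-minute lockout after 5 failed attempts, single-use tokens and a 30-day expiry. The following is an added illustration of how those controls fit together as one validation path; it is not OMNIA's own code, and the storage layout, keyed hashing and `ParentLinkStore`/`issue`/`open` names are assumptions made for the example. The timestamps and pepper are constructed test values.

```python
"""Parent-voice link controls modelled as a small in-memory policy.
Added example; OMNIA's real implementation is not described on the page."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Parameters taken from the DPIA risk table.
LINK_LIFETIME_S = 30 * 24 * 3600   # 30-day expiry
MAX_PIN_ATTEMPTS = 5               # lockout after 5 failed PIN attempts
LOCKOUT_S = 15 * 60                # 15-minute lockout


@dataclass
class ParentLink:
    token_hash: str                 # keyed hash of the URL token, never the token
    pin_hash: str                   # keyed hash of the 4-digit PIN, never the PIN
    created_at: float
    failed_attempts: int = 0
    locked_until: float = 0.0
    used_at: Optional[float] = None  # single-use: set on the first successful open


class ParentLinkStore:
    def __init__(self, pepper: bytes):
        # A 4-digit PIN has only 10,000 values, so a plain (even salted) hash
        # could be reversed from a database dump.  Keying the hash with a
        # server-side secret that is not stored beside the rows prevents that.
        self._pepper = pepper
        self._links: Dict[str, ParentLink] = {}

    def _h(self, value: str) -> str:
        return hmac.new(self._pepper, value.encode(), hashlib.sha256).hexdigest()

    def issue(self, now: float) -> Tuple[str, str]:
        """Create a link and return (token, pin) to send to the parent.
        Token goes in the URL, PIN via a separate channel; neither raw value
        is retained server-side."""
        token = secrets.token_urlsafe(32)
        pin = f"{secrets.randbelow(10_000):04d}"
        self._links[self._h(token)] = ParentLink(self._h(token), self._h(pin), now)
        return token, pin

    def open(self, token: str, pin: str, now: float) -> str:
        """Validate a link open.  Returns one of:
        invalid, already_used, expired, locked, wrong_pin, ok."""
        link = self._links.get(self._h(token))
        if link is None:
            return "invalid"
        if link.used_at is not None:          # single-use token
            return "already_used"
        if now - link.created_at > LINK_LIFETIME_S:   # 30-day expiry
            return "expired"
        if now < link.locked_until:           # still inside a lockout window
            return "locked"
        if not hmac.compare_digest(link.pin_hash, self._h(pin)):
            link.failed_attempts += 1
            if link.failed_attempts >= MAX_PIN_ATTEMPTS:
                link.locked_until = now + LOCKOUT_S
                link.failed_attempts = 0      # counter restarts after the lockout
                return "locked"
            return "wrong_pin"
        link.used_at = now                    # consume the token
        return "ok"
```

The order of checks matters for the audit trail: expiry and single-use are decided before the PIN is examined, so a stale or replayed link never contributes to the lockout counter, and a correct PIN presented during a lockout window is still refused. Per-IP rate limiting, which the table lists alongside the lockout, belongs in the web layer and is not modelled here.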
## 6. Data subject rights
- **Access (PDPL Art. 13 / GDPR Art. 15):** one-click DSAR pack from the
pupil page. Includes all rows + redacted security tokens + audit log.
- **Erasure (PDPL Art. 14 / GDPR Art. 17):** "Erase pupil record" admin
action with two-step confirmation. Cascade-deletes across plans, PEEPs,
referrals, parent voice, share links, discovered files, staff allocations
and timetable slots; storage folder cleared. Audit row written before
deletion.
- **Rectification:** SENCos can edit any pupil record directly.
- **Restriction / objection:** raise with school DPO; OMNIA exposes
per-pupil "mark as left" plus per-record edit/delete.
## 7. Children's data
OMNIA processes data about children only on the school's lawful basis as
above. Parents are informed via the privacy notice surfaced on every
parent-voice form before submission, and consent to that submission is
captured as `consent_given_at` on each request.
## 8. Review cadence
This DPIA is reviewed:
- annually by the school DPO,
- on any change to processors,
- on any change to the data categories above,
- after any security incident,
- on enabling the Staff Timetabling premium feature for a school.