Data Protection Impact Assessment (DPIA) – Summary

This summary sets out the outcome of a Data Protection Impact Assessment (DPIA) carried out for the Hivelink platform. It is a platform-level (reference) assessment focused on the risks and safeguards associated with the operation of the platform itself.

Customer organisations (such as schools, clubs and activity providers) remain independent data controllers for personal data they collect and manage using the platform. They are responsible for assessing risks arising from their own configuration and use of the platform, including carrying out a separate DPIA where required.

1. Scope of this summary

This summary reflects the outcome of a DPIA undertaken by Hivelink Ltd as part of its accountability obligations under UK GDPR.

It applies to the Hivelink platform itself and describes the nature of the processing, the key risks considered and the safeguards in place at platform level. It does not replace or remove the responsibility on customer organisations to assess risks arising from their own use of the platform.

2. Why a DPIA was undertaken

A DPIA was completed as a proportionate accountability measure, reflecting the nature, scope and context of the service, including:

• processing that may involve children’s personal data;
• the potential for special category data to be processed where configured by customer organisations; and
• operation of a multi-tenant SaaS platform used by multiple organisations.

3. Roles and responsibilities

For the purposes of data protection law:

• customer organisations act as data controllers for personal data relating to parents, guardians and participants;
• Hivelink acts primarily as a data processor, processing personal data only on documented instructions from customer organisations; and
• Hivelink also acts as an independent data controller for limited platform-level purposes, including account administration, billing, platform security, fraud prevention and legal compliance.

4. High-level categories of personal data

Depending on how the platform is configured and used by customer organisations, personal data processed via the platform may include:

• administrator and account-level information;
• parent or guardian contact details;
• participant data (including children’s data) entered by adults acting on their behalf;
• booking, attendance and payment records; and
• optional special category data (such as medical or allergy information), only where configured by customer organisations.

Hivelink does not mandate or determine what personal data customer organisations collect.

5. Key risks considered

The DPIA considered a range of foreseeable data protection risks, including:

• unauthorised access to personal data;
• processing of children’s personal data;
• processing of special category data where configured by customer organisations; and
• the risk of security incidents or personal data breaches.

6. Safeguards and controls

Appropriate technical, organisational and contractual safeguards are in place, including:

• role-based access controls and organisation-managed permissions;
• logical segregation of customer data within a multi-tenant architecture;
• secure hosting environments and encrypted data transmission;
• incident and personal data breach management procedures; and
• contractual controls, including a Data Processing Agreement.

7. Outcome of the DPIA

Overall, the DPIA concluded that:

• the processing assessed is lawful, necessary and proportionate;
• appropriate technical and organisational measures are in place to mitigate identified risks; and
• no high residual risks to the rights and freedoms of individuals were identified.

As a result, prior consultation with the Information Commissioner’s Office (ICO) was not required.

8. Review and transparency

The DPIA is reviewed at least annually and where there is a material change to the platform or processing activities.

This summary is published to demonstrate transparency and accountability in relation to the operation of the Hivelink platform. The full DPIA is available to regulators or customer organisations on request, where appropriate.