Data Protection Impact Assessment (DPIA)
Entity: miMove PA Limited
Data Processor
Contact: marcella@mimoveapp.com
Effective Date: November 2025
1. Project Overview
The miMove platform enables students to record participation in all enrichment activities, including sport, performing arts, reading, volunteering, and other pursuits that contribute to personal development. It helps schools and educational organisations understand engagement, wellbeing, and inclusion through secure data collection and reporting.
2. Description of Data
| Data Type | Examples | Purpose | Sensitivity |
| --- | --- | --- | --- |
| Basic identifiers | Name, age, gender, school, class | User account and reporting | Low |
| Activity data | Activity type, frequency, duration, enjoyment | Participation and insight | Low |
| Optional demographic data | Ethnicity, SEND (Yes/No), EAL, Pupil Premium (England only) | Equity and inclusion monitoring | Medium |
3. Lawful Basis
UK/EU: Article 6(1)(e) – Public task; Article 9(2)(g) – Substantial public interest (equality monitoring).
KSA PDPL: Article 6 – Lawful and fair purpose; Article 9 – Explicit consent for optional sensitive data.
4. Stakeholder Consultation
Consultation includes students, parents, school DPOs, and education partners where relevant.
5. Risk Assessment
| Risk | Likelihood | Impact | Mitigation |
| --- | --- | --- | --- |
| Unauthorised access | Low | High | AWS ISO27001, RBAC |
| Inaccurate data entry | Medium | Low | Teacher moderation, student guidance |
| Breach of confidentiality | Low | High | Staff NDAs, training, monitoring |
| Retention drift | Low | Medium | Automated deletion 12 months post-closure |
| Data misuse | Very low | High | Contractual limits, DPA compliance |
6. Data Retention
Active user data is retained while accounts are live. Dormant data is deleted after 12 months of inactivity. Backup data is encrypted and removed within 90 days of deletion.
7. Security Measures
Data is hosted on AWS (local data centres). Data is encrypted with AES-256 at rest and TLS 1.2+ in transit. Role-based access and SSO are enforced. Regular security audits and penetration tests are conducted.
8. Breach Management
All incidents are reported to the Controller (school) without undue delay, regardless of risk. miMove assists schools in assessing, reporting, and mitigating incidents.
9. Data Subject Rights
Students and parents can request access, correction, or deletion of their data via their school. Requests are completed within statutory timelines (30 days UK / 15 days KSA).
10. Governance and Review
DPIA Owner: miMove Data Protection Officer
Review Frequency: Annually or upon major update
Next Review: January 2027
