Data Protection Impact Assessment
v1.1 · Signed 19 June 2026 · Next review 19 June 2027
This is a summary of the DPIA LESSO Ltd has carried out for the processing performed by Mrs J, the LESSO AI assistant. We publish the summary because procurement diligence by a school's DPO should not need to start with a request for one. The internal long-form DPIA is available to controller customers on request to support@lesso.co.uk.
This document follows the structure recommended by the ICO and addresses the AI-specific points raised in the ICO Generative AI consultation series and in Article 35(3) UK GDPR. It has been updated to reflect the Data (Use and Access) Act 2025 (DUAA 2025) and to cover the batch assessment marking workflow introduced in the LESSO platform.
1. Description of processing
Mrs J is a teacher-facing AI assistant. She:
- receives natural-language prompts and uploaded materials from a logged-in teacher;
- sends those prompts to a suite of UK-hosted large-language models served by Civo / relax.ai in LON1 (primary: Llama 4 Maverick 17B×128E for generation; DeepSeek-V4-Pro and Kimi 2.6 for agentic tool-calling; Mistral-7B-Embedding for semantic search; Voxtral for voice), with Microsoft Azure OpenAI Service in UK South as fallback;
- returns generated educational content (lesson plans, worksheets, slide decks, drafted parent emails) to the teacher for their review;
- in the batch assessment marking workflow, produces draft marks and feedback which the teacher then reviews, edits, and approves — no mark is recorded until the teacher takes that decision;
- stores the conversation, the prompt and the output in the teacher's account so Mrs J can deliver "right first time" on subsequent sessions.
The current platform has no pupil accounts and does not process pupil personal data directly. In the batch marking workflow, teachers are responsible for ensuring that any materials they upload comply with the Acceptable Use clause; pupil personal data should not be uploaded. The teacher retains all decision-making authority throughout every workflow.
2. Necessity and proportionality
The lawful basis for processing the teacher's account and conversation data is set out in our Privacy Policy §5 (Contract performance under Article 6(1)(b) for service delivery; Legitimate Interests under Article 6(1)(f) for service personalisation and operational analytics, with the binding no-training commitment ring-fencing the limit). Processing is carried out in compliance with UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
The processing is proportionate to its purpose: the data collected is what is needed to deliver an AI assistant of reasonable quality to a teacher, no more. Data minimisation is enforced architecturally — the current platform has no pupil accounts and no pupil-data ingest — and contractually, through the no-training commitment in the DPA.
3. Risks to data subjects and mitigations
| Risk | Likelihood × Impact | Mitigation |
|---|---|---|
| Unauthorised access to a teacher's account | Low × Medium | SSO / MFA support, session-revocation token versioning, audit logging, lockout on repeated failures. |
| Sub-processor breach | Low × Medium | Inherited ISO 27001 / Cyber Essentials Plus controls at Civo; Article 28-equivalent flow-down to every sub-processor; 72-hour breach-notification commitment in the DPA. |
| Teacher uploads a document containing pupil personal data | Medium × Medium | Acceptable-Use clause prohibits this; school AI policy template guides staff use; UI carries inline reminder in the batch marking workflow; long-form internal DPIA tracks heuristic detection roadmap. |
| Batch marking — draft AI mark treated as final without teacher review | Low × Medium | Workflow architecture requires explicit teacher approval before any mark is recorded; UI presents all AI output as draft; no grade is written to any system until the teacher confirms it. Teacher-in-the-loop is mandatory by design, keeping LESSO outside Article 22 automated decision-making. |
| Inaccurate AI output relied on without review | Medium × Medium | Teacher-in-the-loop on every output (Terms §6, AI Transparency); UI never auto-sends; product copy frames Mrs J as a draft author, not a decision-maker. |
| Surveillance of individual teachers by leadership | Low × High | Architectural choice: leadership reporting is aggregated and anonymised; individual transcripts are not exposed to leadership UIs. |
| Vendor model change with unintended quality regression | Medium × Low | Model versions disclosed on the AI Transparency page; rollback to previous model version is a config change, not a deploy. |
4. AI-specific section
- Model stack and host disclosed: Primary generation — Llama 4 Maverick 17B×128E on Civo / relax.ai (LON1); agentic tool-calling — DeepSeek-V4-Pro and Kimi 2.6; semantic search — Mistral-7B-Embedding; voice — Voxtral. Fallback: Microsoft Azure OpenAI Service on UK South. When the underlying model versions change, the AI Transparency page is updated.
- No training on customer content: binding contractual commitment in the DPA, flowed down to Civo / relax.ai and to Microsoft for the Azure deployment.
- Batch assessment marking — outside Article 22: Mrs J produces draft marks and feedback for the teacher's review. The teacher reviews, edits, and approves each mark before it is recorded; no automated final decision is made. This keeps LESSO outside the EU AI Act Annex III high-risk education category and outside Article 22 UK GDPR automated decision-making. Mrs J assists the teacher; the teacher decides.
- No automated decision-making with legal or similarly significant effect (Article 22) for any other workflow: Mrs J drafts; the teacher decides. UI never auto-sends.
- Bias and fairness: public annual published audit committed from Year 2 of meaningful adoption (compliance brief §13.7); product currently mitigates by confining Mrs J to draft-and-review flows under teacher control.
- Hallucination and accuracy: teacher-review requirement is explicit in the Terms; UI prompts encourage review of citations and curriculum mapping.
5. Child-impact section
LESSO is for adults whose job is to teach children. Our minimum user age is 18, our account-creation flow is restricted to verified educators, and Mrs J is teacher-facing only — the current platform has no pupil accounts and does not directly process pupil personal data. This is the principal child-impact mitigation: the current platform has been designed so that children are not data subjects of the processing.
Should LESSO ever introduce a pupil-facing surface in the future, that change will trigger a full updated DPIA, a Children's Code (AADC) compliance assessment, a separate Article 28 DPA addendum covering pupil data processing, and at least 30 days' advance notice to all contracted schools before activation. This commitment is reflected in our DPA. Any such future product development remains subject to those safeguards.
We recommend (but do not mandate) that teachers add a one-line credit when AI assisted a worksheet, slide deck, or piece of feedback. The free school AI policy generator helps schools formalise that and other staff-use guidance.
6. Consultation
This DPIA has been reviewed internally by LESSO's compliance lead (Luke, co-founder). The risks identified do not exceed the threshold that would require prior consultation with the Information Commissioner's Office under Article 36 UK GDPR. Should a controller-customer DPIA conclude differently for their specific deployment, we will support the consultation.
7. Outcome and sign-off
The residual risk after mitigation is assessed as low for adult data subjects (teachers and school staff — LESSO's current data subjects). Children are not direct data subjects of the current platform's processing; should that change in future, the safeguards in Section 5 apply. Processing is approved to proceed.
Signed
Luke · Co-founder, LESSO Ltd
support@lesso.co.uk
Signed 19 June 2026 · Next scheduled review 19 June 2027
LESSO Ltd | Registered in England and Wales