Data Protection Impact Assessment
v1.0 · Signed 18 April 2026 · Next review 18 April 2027
This is a summary of the DPIA LESSO Ltd has carried out for the processing performed by Mrs J, the LESSO AI assistant. We publish the summary because procurement diligence by a school's DPO should not need to start with a request for one. The internal long-form DPIA is available to controller customers on request to support@lesso.co.uk.
This document follows the structure recommended by the ICO and addresses the AI-specific points raised in the ICO Generative AI consultation series and in Article 35(3) UK GDPR.
1. Description of processing
Mrs J is a teacher-facing AI assistant. She:
- receives natural-language prompts and uploaded materials from a logged-in teacher;
- sends those prompts to a UK-hosted large-language model (Llama 3.1 405B served by Civo / relax.ai in LON1, with Microsoft Azure OpenAI Service in UK South as fallback);
- returns generated educational content (lesson plans, worksheets, slide decks, drafted parent emails) to the teacher for their review;
- stores the conversation, the prompt and the output in the teacher's account so Mrs J can deliver "right first time" on subsequent sessions.
No processing is done on behalf of pupils. Mrs J does not mark pupils' work, generate predicted grades, or send anything to parents without a teacher in the loop.
2. Necessity and proportionality
The lawful basis for processing the teacher's account and conversation data is set out in our Privacy Policy §5 (Contract performance under Article 6(1)(b) for service delivery; Legitimate Interests under Article 6(1)(f) for service personalisation and operational analytics, with the binding no-training commitment ring-fencing the limit).
The processing is proportionate to its purpose: the data collected is what is needed to deliver an AI assistant of reasonable quality to a teacher, no more. Data minimisation is enforced architecturally — no pupil accounts and no pupil-data ingest in the platform — and contractually, through the no-training commitment in the DPA.
3. Risks to data subjects and mitigations
| Risk | Likelihood × Impact | Mitigation |
|---|---|---|
| Unauthorised access to a teacher's account | Low × Medium | SSO / MFA support, session-revocation token versioning, audit logging, lockout on repeated failures. |
| Sub-processor breach | Low × Medium | Inherited ISO 27001 / Cyber Essentials Plus controls at Civo; Article 28-equivalent flow-down to every sub-processor; 72-hour breach-notification commitment in the DPA. |
| Teacher uploads a document containing pupil personal data | Medium × Medium | Acceptable-Use clause discourages this; school AI policy template guides staff use; long-form internal DPIA tracks heuristic detection roadmap. |
| Inaccurate AI output relied on without review | Medium × Medium | Teacher-in-the-loop on every output (Terms §6, AI Transparency); UI never auto-sends; product copy frames Mrs J as a draft author, not a decision-maker. |
| Surveillance of individual teachers by leadership | Low × High | Architectural choice: leadership reporting is aggregated and anonymised; individual transcripts are not exposed to leadership UIs. |
| Vendor model change with unintended quality regression | Medium × Low | Model versions disclosed on the AI Transparency page; rollback to previous model version is a config change, not a deploy. |
4. AI-specific section
- Model and host disclosed: Llama 3.1 405B on Civo / relax.ai (LON1); Microsoft Azure OpenAI on UK South as fallback. When the underlying model versions change, the AI Transparency page is updated.
- No training on customer content: binding contractual commitment in the DPA, flowed down to Civo / relax.ai and to Microsoft for the Azure deployment.
- No automated decision-making with legal or similarly significant effect (Article 22): Mrs J drafts; the teacher decides. Mrs J does not mark, predict grades, or evaluate learning outcomes — keeping LESSO out of the EU AI Act Annex III high-risk education category.
- Bias and fairness: public annual published audit committed from Year 2 of meaningful adoption (compliance brief §13.7); product currently mitigates by confining Mrs J to draft-and-review flows under teacher control.
- Hallucination and accuracy: teacher-review requirement is explicit in the Terms; UI prompts encourage review of citations and curriculum mapping.
5. Child-impact section
LESSO is for adults whose job is to teach children. Our minimum user age is 18, our account-creation flow is restricted to verified educators, and Mrs J is teacher-facing only — no pupil accounts, no pupil-data processing, no AI marking. There is no pupil account today and there is no plan for one. This is the principal child-impact mitigation: the platform has been designed so that children are not data subjects of the processing.
We recommend (but do not mandate) that teachers add a one-line credit when AI assisted a worksheet, slide deck, or piece of feedback. The free school AI policy generator helps schools formalise that and other staff-use guidance.
6. Consultation
This DPIA has been reviewed internally by LESSO's compliance lead (Luke, co-founder). The risks identified do not exceed the threshold that would require prior consultation with the Information Commissioner's Office under Article 36 UK GDPR. Should a controller-customer DPIA conclude differently for their specific deployment, we will support the consultation.
7. Outcome and sign-off
The residual risk after mitigation is assessed as low for adult data subjects (LESSO's only data subjects) and not applicable in the ordinary case for children, given that children are not data subjects of the processing. Processing is approved to proceed.
Signed
Luke · Co-founder, LESSO Ltd
support@lesso.co.uk
Signed 18 April 2026 · Next scheduled review 18 April 2027
LESSO Ltd | Registered in England and Wales