This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 26th of April, with our Data Services Team Leader Claire Lockyer, PGCE QTS PC.dp. This session focused on understanding how to comply with data protection law, developing data policies and processes, knowing what staff and pupil data to keep, and good practices for preventing personal data breaches.
We are five years into GDPR and much of the initial panic at the unknown has settled. However, it is still important to understand how to operationalise data protection, so that it is a living, adapting process within your school or Trust, and not just a tick-box activity completed once a year.
To aid schools and Trusts, the Department for Education has released an updated toolkit: https://www.gov.uk/guidance/data-protection-in-schools
Understanding How to Comply with Data Protection Law
The best place to start is by familiarising yourself with UK GDPR.
It’s a framework of key principles and requirements, including an Accountability Principle which requires you to take responsibility for what you do with personal data and how you comply with the other principles. In other words, you can’t just say you are meeting these requirements, you must evidence it. You can start with:
- Become familiar with the conditions and lawful bases for processing that are most relevant to you, e.g., public task, consent, etc.
- Understand the extra reasoning that is required to process special categories of data (these are tightly defined).
- Understand that lawful bases are specific to the processing – the purpose you are using the data for. For example, you can’t send out PTA emails to addresses you hold only as emergency contact data.
- Identify the areas that are not essential to safely and efficiently running a school, as these are the areas where informed, specific consent from data subjects may need to be sought if it has not already been obtained. For example, annual school photos for parents are not required by the school and therefore require consent.
Developing Data Policies and Processes
Operationalise your school’s or Trust’s data protection to keep it living and functioning for you.
- Identify the range of policies required within your school to cover the procedures and processes for data protection. (We recommend five core policies to start from: Data Protection, Data Breach, Subject Access Request, Retention, and Freedom of Information. FOIs are not applicable to independent schools.)
- Ensure that data protection is a core and regular part of decision-making and risk-management practices within your school or Trust.
- Follow the accountability principle. NB: remember you must evidence your processes.
- Be cautious with ‘exemplar’ privacy notices for communicating with parents/pupils, as we don’t recommend copying policies found via Google. Tailor them to your school or Trust and use your Data Protection Officer (DPO) to help with this.
Knowing What Staff and Pupil Data to Keep
Our top tips include:
- Only keep data for as long as you need.
- Check and audit data you hold annually.
- Always use safe disposal methods.
- Keep a retention policy and disposal log.
- The IRMS toolkit for schools provides good guidance on retention (an update is due in May).
Following Good Practices for Preventing Personal Data Breaches
It is important to understand what a data breach is and what you need to do about it when one occurs.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Breaches can have both accidental and deliberate causes. NB: breaches include both the loss and the alteration of data, which we find can easily be forgotten.
You should contain the breach and assess its impact; a range of further steps then needs to be taken depending on the severity of the breach. This is where your DPO can help.
It is good practice to record and investigate every data breach, however small. A good analogy is the ‘accident logbook’. Whilst a child grazing a knee may be minor in isolation, if each incident is reported and a trend around a piece of playground equipment is spotted, some remedial action might be appropriate. This is the same with data protection. If the DPO identifies a particular system or process as regularly having minor incidents, the school can mitigate the risk. This is only possible if an ‘always report it’ culture exists and is encouraged.
In the event of a serious data breach involving personal data for which the controller is responsible, the DPO must report the breach to the Information Commissioner’s Office (ICO). A serious breach is one that interferes with the rights and freedoms of the data subject, and it must be reported within 72 hours of the breach.
- Training – Train your staff!
- Data protection is a collective effort. It’s essential to ensure that all staff members are aware of their roles and responsibilities such as recognising a breach or a data request (SARs and FOIs).
- Ensure policies and procedures are in place and publicise the location of these.
- Your DPO can help with this.
- Establish a clear data protection contact in your school or Trust who is open and approachable.
- Utilise your DPO as they are your appointed expert and are there to help.
The DfE Toolkit for Schools – https://www.gov.uk/guidance/data-protection-in-schools
The IRMS Schools Toolkit – https://irms.org.uk/page/SchoolsToolkit
Judicium also offer a range of GDPR e-learning training designed for schools. You can see current course availability here.
If you’d like to review Judicium’s forthcoming Sofa Sessions, please click here.
© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attended and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing your access to our sessions and/or follow-up content.