- Written by Claire Ashton
Data Protection Walk Document
Our data protection walk is designed to take you on a journey around the school to spot any data protection and handling concerns, or areas that need tightening up for GDPR. Consider what is being shared, why it is being shared, and whether the person whose data it is (the data subject) is aware that it is being shared in this way or is being put at risk.
We start at reception and ask you to look at what personal information is available, both intentionally and unintentionally, and whether it needs better protecting or whether privacy notices need updating. We then go into the staffroom and consider who has access to it (is it locked?), whether recycling bins are open, and how personal data is shared and secured. Other areas we consider include whether offices are left open when no one is in them, what information is available near offices, what is displayed in corridors, and what is available in open classrooms.
The document asks you various questions and can be written on or typed directly into.
- Written by James England
Why an audit?
Our consultancy provides a detailed review of your readiness for GDPR and an action plan of what to do to ensure compliance. Whilst the audit takes several days, we need only one day in school with you and your staff.
We start with an initial telephone call to plan out the day spent with you: what information is needed and who will need to be available. This is likely to be a mixture of governance and operational staff: the Head, the IT Manager, the Business Manager, possibly the Chair of Governors, and other senior staff with an operational focus.
The day will be spent gathering information and also explaining why it's needed for GDPR compliance. It includes:
- An analysis of your school's processes and procedures relating to data management, governance and risk management
- A full review of the information management systems in place, including a high-level data inventory to log where and how personal data is stored
- A review of how well you are meeting the GDPR Data Principles:
- Collection and purpose of processing
- Quality and completeness
- Data retention
- A review of whether any international data transfers apply to your school
- How ready you are to respond to a data breach
- Your understanding of the Rights of Data Subjects, and your ability to respond to a subject access request
- A review of awareness training and organisation-wide data protection by design
- Roles and responsibilities, including your school's requirement for a Data Protection Officer
- Your organisation's ability to manage a large-scale compliance project
- Written by James England
During the International Association of Privacy Professionals' Knowledge Net event in London on 17th October, Elizabeth Denham, the Information Commissioner, was asked a question that is as appropriate to schools as it is to businesses.
Question: "What advice would you give businesses if, having tried their very best by the 25th May 2018, they are not completely compliant by this point?"
Answer: “So the law takes effect on 25th May 2018 and we will receive complaints, and there will be breaches and we will need to look at organisations. And what I’ve said to organisations is what I will be looking for is evidence of your commitment and your programme to build the compliance.
It’s not necessarily going to be perfect on the first day, but then again we have had the text for two years so it’s not a surprise about what obligations are contained in the law. The other thing is, if there is a serious contravention of the law, we’ll just look at whether or not you have done what you needed to do to prevent that breach or that contravention from happening.
So I can’t say I’m giving a grace period at all. There isn’t a grace period. But again, we are a proportionate, reasonable, risk-based regulator and there is no reason why we are suddenly going to change into a different kind of regulator because we have new tools in our regulatory toolbox.
And remember, it’s not just about fines. There are other tools that I think are really important to getting this right and developing good practice around data and what to do.”
Elizabeth Denham, Information Commissioner
So what does that mean? It means take reasonable measures to prepare and assess your risks, and where there are risks to the rights of data subjects in the way you handle data, do something about it. Excuses such as ignorance, or doing nothing because of your size or budget, won't help you if something goes wrong.
- Written by Claire Ashton
We offer face-to-face events for the leadership team and e-learning awareness training for all staff. We also offer a compliance software platform called GDPR.co.uk to support your data mapping and document your compliance. This comes as part of the implementation programme or can be purchased separately.
GDPR Implementation Programme
Over six half-day sessions, we will guide you through the topics below. The cost for the whole programme is £800 for a primary school and £1,000 for a secondary school, for one delegate at each session. The programme includes a 12-month licence to GDPR.co.uk and five accounts for the e-learning staff training.
Our implementation programme breaks each of the steps into six specific half-day workshops providing guidance, documentation and support. We also include twelve-month access to.
The programme is structured to help you move through the GDPR requirements for your school step by step, to be ready by May 2018.
Step 1: Governance, planning and preparation for compliance
Step 2: Data inventory and data mapping
Step 3: Undertaking compliance actions
Step 4: Identifying and managing risk
Step 5: Organising processes and procedures
Step 6: Training and documentation
Full Day Intensive GDPR Training
This day condenses the six sessions from the implementation programme into one full day. The price is £195 per delegate, or £390 for primary schools and £590 for secondary schools including GDPR.co.uk.
Whole Staff Training
The e-learning uses real-school scenarios and is a cost-effective and easy way to train all staff in data protection. Staff work through the modules individually and central reports identify who still needs training and provide evidence for governors and inspectors. The training ensures your staff understand how to better protect personal data. There is a trial module here for you to work through. The training is priced based on school size starting at £199.
GDPR.co.uk Compliance Platform
The platform will take your school through GDPR compliance from data mapping to recording data breaches. Find out more at www.gdpr.co.uk
- Written by Claire Ashton
Are you a Data Hoarder or a Data Generator?
- Under the GDPR’s data protection principles, your school will no longer be able to keep personal data for longer than it is needed.
- The GDPR will raise the profile of data protection and the rights of data subjects, including their right to a copy of all the data you hold on them – known as a subject access request or SAR.
- Over 20% of the schools we surveyed say they have had a subject access request, and this is likely to rise under GDPR.
Basically, the more data you hold, no matter how old it is, the more difficult it is for you to comply with the GDPR and the bigger headache subject access requests will be.
Now is the time to review how and what data you store, as well as whether your school is guilty of generating more data through, for example, poor email management.
Think about what your school does with old data files: are they under the stage, in a confidential cupboard or in rows of filing cabinets? And what happens to old software and system back-ups? If the personal data is no longer needed, and is unlikely to be needed, it should be securely destroyed.
Companies such as Shred-it offer on-demand shredding and hard drive destruction services and will come to your school and destroy and remove the data there and then.
Generating even more data
I recently spoke to a school that realised, following a subject access request, that it held 15,000 emails on one child. In a five-year school career, it is difficult to imagine how this many emails could be generated about one pupil, but poor email management may well be the culprit. Here are two important tips for reducing the data you generate and hoard through email.
- Use CC sparingly
It is easy to get into the habit of CCing people in, especially through pre-set staff lists, but it should only be used if the other people really need to see the email. Otherwise, you are generating more and more data with each email you send.
- Delete emails
Never deleting emails is another way of hoarding data. Ask your IT department whether they can automate this, train staff to store only the emails they need, and add reminders to staff calendars to delete unnecessary emails at the end of each term. Getting staff into this habit will dramatically reduce the number of emails you keep and the amount of personal data your school holds.
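Both tips above (use CC sparingly, delete on a schedule) can be turned into something your IT department can run rather than leaving it to calendar reminders. The script below is an added example, not code from this article or from the consultancy: it sweeps an mbox export of a mailbox, reports which messages are older than a retention period and which addresses (pre-set staff lists, for instance) are copied in most often, and then purges the expired messages. The mbox format, the example.school addresses, the 730-day limit and the fixed reference date are all assumptions chosen for illustration; a real sweep should take its retention period from the school's retention schedule, and where the live mail system has its own retention tooling that should be used instead.

```python
"""Email retention sweep over an mbox export.

Added example, not part of the original article. It assumes the mailbox
has been exported to mbox format (most mail clients and servers can do
this) and uses an illustrative two-year retention limit; real retention
periods should come from the school's retention schedule.
"""
import mailbox
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, getaddresses, parsedate_to_datetime

RETENTION_DAYS = 730  # assumption: routine email is kept for two years


def message_age_days(msg, now):
    """Age of a message in days from its Date header, or None if missing or unparseable."""
    date_header = msg.get("Date")
    if not date_header:
        return None
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return None
    if sent.tzinfo is None:  # treat a bare timestamp as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return (now - sent).days


def sweep(mbox_path, now, retention_days=RETENTION_DAYS):
    """Classify every message as expired, retained or undated, and count how often
    each address appears on To/Cc (pre-set staff lists show up here)."""
    box = mailbox.mbox(mbox_path)
    report = {"expired": [], "retained": [], "undated": [], "recipients": Counter()}
    for key, msg in box.items():
        age = message_age_days(msg, now)
        if age is None:
            report["undated"].append(key)  # never auto-delete what you cannot date
        elif age > retention_days:
            report["expired"].append(key)
        else:
            report["retained"].append(key)
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
            if addr:
                report["recipients"][addr.lower()] += 1
    box.close()
    return report


def purge(mbox_path, keys):
    """Delete the given messages from the mbox file and return how many were removed."""
    box = mailbox.mbox(mbox_path)
    for key in keys:
        box.remove(key)
    box.flush()  # rewrites the file without the removed messages
    box.close()
    return len(keys)


def build_sample_mbox(path, now):
    """Write a constructed sample mailbox (fake addresses, not real school mail)."""
    samples = [  # (age in days, From, To, Cc, Subject); None = no Date header
        (1200, "office@example.school", "head@example.school", "all-staff@example.school", "Trip consent forms"),
        (900, "tutor@example.school", "senco@example.school", None, "Re: support plan"),
        (760, "office@example.school", "head@example.school", None, "Attendance letter"),
        (400, "bursar@example.school", "head@example.school", None, "Invoice query"),
        (20, "office@example.school", "all-staff@example.school", None, "Week ahead"),
        (None, "unknown@example.school", "head@example.school", None, "No Date header"),
    ]
    box = mailbox.mbox(path)
    for age, sender, to, cc, subject in samples:
        headers = [f"From: {sender}", f"To: {to}", f"Subject: {subject}"]
        if cc:
            headers.append(f"Cc: {cc}")
        if age is not None:
            headers.append("Date: " + format_datetime(now - timedelta(days=age)))
        box.add("\n".join(headers) + "\n\nConstructed sample body.\n")
    box.close()


def demo():
    """Sweep and purge the sample mailbox; returns counts a test can check."""
    now = datetime(2018, 3, 31, tzinfo=timezone.utc)  # constructed reference date
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "export.mbox")
        build_sample_mbox(path, now)
        report = sweep(path, now)
        removed = purge(path, report["expired"])
        box = mailbox.mbox(path)
        remaining = len(box)
        box.close()
    return {
        "expired": len(report["expired"]),
        "retained": len(report["retained"]),
        "undated": len(report["undated"]),
        "removed": removed,
        "remaining": remaining,
        "top_recipients": report["recipients"].most_common(2),
    }


if __name__ == "__main__":
    print(demo())
```

Messages without a parseable Date header are reported but never deleted, so a badly exported message cannot be lost silently; run the sweep first, review the report (the recipient counts show which lists are being copied on everything), and only then purge, keeping the original export until the school is happy with the result.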