In this series of articles, we will outline practical steps to compliance, In this one, we introduce data audits.
The GDPR is the General Data Protection Regulation which is a new data protection law coming into force across the EU on May 25th 2018. The government has confirmed that leaving the EU will not affect the commencement of the GDPR. The law is changing to align with the ways we all share and process data in today’s digital world. It is an opportunity for your school to review and update the data it collects and how it is managed and secured as well as train your pupils and staff to be more careful with their data and that of others.
The most important point for your school is that you must be fully compliant on May 25th and not working towards compliance.
Auditing your data
There is much you can do to prepare for the new regulations and one of the first steps is to audit the data you hold in a spreadsheet.
What data are we collecting and processing?
List what personal data you hold across the school, where and how securely it is held, how it is collected or processed and who it is shared with. Identify which data you collect yourselves and which you receive from elsewhere, such as via the CTF or from other agencies. Adding a column about how better it can be secured is also helpful.
Ask staff what software and websites they use that gather personal data to map a complete picture across school.
Why are we collecting it?
To meet the GDPR, you must have a lawful basis for collecting and holding personal data and there are strict categories for this. From step one, identify a lawful reason for collecting or processing it, from the list below. Without a lawful basis, you should not be collecting or holding it.
The data subject has given their explicit consent for you to process their data. For children under the age of 16, this consent must be given by their parents. Consent may also be withdrawn.
Such as employment contracts for staff.
- Legal obligation
Such as collecting attendance data for the DfE.
- Protecting vital interests
Such as disclosing medical information to health professionals or information for references.
- Public interest
This applies to data collected for statutory purposes.
- Legitimate interest
Such as for marketing purposes, not relevant for most schools.
Special category data
Data about race and ethnic origin, genetics, health and biometrics (including finger printing), beliefs such as religion, political opinions and trade union membership and sex life or sexual orientation is classed as sensitive data. The rules for this information are stricter than for other personal data. The Information Commissioner’s Office outlines these here. If your school using finger printing for school lunches or attendance, you should already have sought parental permission for doing so.
What’s the risk?
It is important to understand the risk to the individual and the school if any of the data you hold is lost or accessed by those without permission, known as a data breach. RAG rating each type of data will help you to prioritise staff training and data security. For example, losing the child protection register is potentially much more devastating compared to an attendance register.