In this article, we explore the role of the data protection officer (DPO), whether your school needs one and who this should be.
Updated 12th January 2018 (and again 14 February)
This week, the following was proposed concerning DPOs and maintained schools as part of a reading of the Data Protection Bill.
87A Insert the following new Clause “Where a school maintained by a local authority is unable to designate a data protection officer, the relevant LA must designate a DPO for that school or any group of schools maintained by that LA”
The full document can be read here: https://t.co/Acmf254ZKK
At this stage, this is only a possibility (it didn't make it out of committee and into the final reading in the House of Lords, but may be re-proposed in the Commons - watch this space), and the terms 'unable' and 'designate' are not explained.
So we recommend that, if you are a maintained school, you speak to your local authority about any DPO services they may be offering as a managed service.
Under the GDPR, do schools need a data protection officer?
The GDPR outlines three circumstances when an organisation must appoint a DPO. If you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Maintained schools and academies are public authorities, so circumstance 1 applies to them, meaning that you do need a data protection officer.
What about independent schools?
The term ‘large scale’ has not been defined by the Information Commissioner’s Office (ICO), so it cannot be assumed that independent schools fall into circumstance 2. However, because of the nature of the data that all schools collect and process, and because your data subjects are children, it would be wise for independent schools to appoint a data protection officer. Indeed, appointing a DPO demonstrates that you take the data protection of your pupils seriously.
How can schools afford a data protection officer?
A data protection officer can be employed fully by you, shared across schools or you can engage in a DPO service from an external provider. Each has its merits and should be reviewed as to which is the most suitable for your school, in terms of the appropriateness for the size of your school and the types of personal data you collect and process, as well as affordability and value for money. Talk to local schools to see if there is an opportunity to share one across the group. If you are part of a trust, speak to your central office about their plans.
What does a DPO do?
The DPO takes an advisory and monitoring role and should guide your school to be GDPR compliant. It is your school’s responsibility to follow this guidance. If you choose not to, the DPO is not responsible if anything goes wrong.
The DPO’s minimum tasks are defined in Article 39:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities (the ICO) and for individuals whose data is processed (employees, customers etc).
What does the GDPR say about your duties when employing a DPO?
As a school or trust, you must ensure that:
- The DPO reports to the highest management level of your school, i.e. the governing body or the trust board.
- The DPO operates independently and is not dismissed or penalised for performing their task.
- Adequate resources are provided to enable the DPO to meet their GDPR obligations.
Can we allocate the role of DPO to a member of staff?
Yes, but only if their professional duties are compatible with those of the DPO and do not lead to a conflict of interests. This means that they must be in an impartial role, report directly to the governing body and have no conflict of interest in their other duties. It is difficult to think of a role in school where there wouldn’t be a conflict of interest.
Anyone who makes decisions about which systems your school uses or how they are used, has line management responsibilities, or decides what personal data is collected or processed, is not a suitable data protection officer. Remember that this person cannot be sacked for performing their DPO role.
Can a governor be the data protection officer?
If the governor has no other responsibilities, then yes. For many schools, a governor with the right skills and authority, as well as time, would be suitable.
Does the data protection officer need specific qualifications?
Whilst the GDPR does not specify precise credentials, it does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your school carries out, taking into consideration the level of protection the personal data requires.
How we can help
Accountability and Governance, an overview from the ICO: http://bit.ly/2wMAK68