- Written by James England
Why an audit?
Our consultancy provides a detailed review of your readiness for GDPR and an action plan of what to do to ensure compliance. Whilst the audit takes several days, we need only one day in school with you and your staff.
We start with an initial telephone call to plan out the day spent with you - what information is needed and who will need to be available. This is likely to be a mixture of governance staff with an operational focus: the Head, the IT Manager, the Business Manager, possibly the Chair of Governors and other members of the senior team.
The day will be spent gathering information and also explaining why it's needed for GDPR compliance. It includes:
- An analysis of your school's processes and procedures relating to data management, governance and risk management
- A full review of the information management systems in place including a high-level data inventory, to log where and how personal data is stored
- A review of how well you are meeting the GDPR Data Principles:
  - Collection and purpose of processing
  - Quality and completeness
  - Data retention
- A review of whether any international data transfers apply to your school
- How ready you are to respond to a data breach
- Your understanding of the Rights of Data Subjects, and your ability to respond to a subject access request
- A review of awareness training and organisation-wide data protection by design
- Roles and responsibilities, including your school's requirement for a Data Protection Officer
- Your organisation's ability to manage a large-scale compliance project
- Written by James England
During the International Association of Privacy Professionals' KnowledgeNet event in London on 17th October, Elizabeth Denham, the Information Commissioner, was asked a question that is as appropriate to schools as it is to businesses.
Question: "What advice would you give businesses if, having tried their very best by the 25th May 2018, they are not completely compliant by this point?"
Answer: “So the law takes effect on 25th May 2018 and we will receive complaints, and there will be breaches and we will need to look at organisations. And what I’ve said to organisations is what I will be looking for is evidence of your commitment and your programme to build the compliance.
It’s not necessarily going to be perfect on the first day, but then again we have had the text for two years so it’s not a surprise about what obligations are contained in the law. The other thing is, if there is a serious contravention of the law, we’ll just look at whether or not you have done what you needed to do to prevent that breach or that contravention from happening.
So I can’t say I’m giving a grace period at all. There isn’t a grace period. But again, we are a proportionate, reasonable, risk-based regulator and there is no reason why we are suddenly going to change into a different kind of regulator because we have new tools in our regulatory toolbox.
And remember, it’s not just about fines. There are other tools that I think are really important to getting this right and developing good practice around data and what to do.”
Elizabeth Denham, Information Commissioner
So what does that mean? It means take reasonable measures to prepare and assess your risks. Where there are risks to the rights of data subjects in the way you handle data, do something about it. Excuses such as ignorance, or doing nothing because of your size or budget, won't help you if something goes wrong.
- Written by The Data Protection Education Team
Are you a Data Hoarder or a Data Generator?
- Under the GDPR’s data protection principles, your school will no longer be able to keep personal data for longer than it is needed.
- The GDPR will raise the profile of data protection and the rights of data subjects, including their right to a copy of all the data you hold on them – known as a subject access request or SAR.
- Over 20% of schools we surveyed say they have had a subject access request and this is likely to rise under GDPR.
Basically, the more data you hold – no matter how old it is – the more difficult it is for you to comply with the GDPR and the bigger headache subject access requests will be.
Now is the time to review how and what data you store, as well as whether your school is guilty of generating more data through, for example, poor email management.
Think about what your school does with old data files: are they under the stage, in a confidential cupboard or in rows of filing cabinets? And what happens to old software and system back-ups? If the personal data is no longer needed – and unlikely to be needed again – it should be securely destroyed.
Companies such as Shred-it offer on-demand shredding and hard drive destruction services and will come to your school and destroy and remove the data there and then.
Generating even more data
I recently spoke to a school that realised, following a subject access request, that it held 15,000 emails on one child. In a five-year school career, it is difficult to imagine how this many emails could be generated about one pupil, but poor email management may well be the culprit. Here are two important tips for reducing the data you generate and hoard through email.
- Use CC sparingly
It is easy to get into the habit of CCing people in, especially through pre-set staff lists, but CC should only be used if the other people really need to see the email. Otherwise, you are generating more and more copies of personal data with each email you send.
- Delete emails
Never deleting emails is another way of hoarding data. Ask your IT department if they can automate this, train staff to only store the emails they need and add reminders to staff calendars to delete unnecessary emails at the end of each term. Getting staff into this habit will dramatically reduce the number you keep and the amount of personal data your school holds.
- Written by James England
To prepare for the General Data Protection Regulation (GDPR)
There is much you can do to begin preparing for the new regulation. In doing so, you can be confident you are meeting the current Data Protection Act (DPA), which makes you better prepared for the GDPR.
Both the DPA and the GDPR relate to the personal data you collect and store about pupils and their families as well as staff data.
- What data are we collecting?
Audit what data you are collecting across the school: where it is held, how it is collected and what is collected. Whilst most data is collected and held within your management information system, other software across the school also collects and holds data. Delegating this audit to teaching and non-teaching staff will help you to identify areas of the school that need additional support as you work towards being GDPR compliant.
- Why are we collecting it?
To meet the GDPR, all data collection must be necessary. Consider if this is the case for everything you are collecting. This also applies to historical data you hold on past pupils and staff.
- Have people consented to it being collected?
Have your pupils, parents and colleagues agreed to you collecting the personal data you hold on them? The GDPR states that consent must be explicit, so consider how you are currently gathering consent and where the gaps are. Everyone must be aware of how you are going to use the data they are providing to you, and you must only use it for those reasons.
From your audit, you can begin to build an action plan to be ready for May 2018. The action plan will raise questions about training and development priorities, how to ensure you are asking for the correct consent, and which data you should no longer be collecting. Remember that on 25th May 2018 your school must be compliant, not working towards compliance.
- Written by James England
As part of the current Data Protection Act, you will already have clear policies and procedures for collecting and handling data in your school. All of this will help you to prepare for the more stringent GDPR.
This checklist has been adapted from the Information Commissioner’s Office (ICO) guidance so that it relates to your school context.
Ensure your senior team, governing body and other key people are aware that the law is changing to the GDPR. They need to be aware of the impact this is likely to have on the school and how they work. Tip: include GDPR as a fixed item on meeting agendas for governors and the senior team.
- Information you hold
Document the personal data you hold, where it came from and who you share it with. Carry out a whole-school information audit and include pupil, parent and staff information. This includes non-electronic information such as print-outs as well as information held on memory sticks and other devices. If data is held electronically, is it password protected and encrypted? If it is held on paper, is it held securely and appropriately?
- Communicating privacy information
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights
Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests
Update your procedures and plan how you will handle requests within the new timescales and provide any additional information. Rehearse a subject access request to ensure you are able to produce one within the required 40 days.
- Legal basis for processing personal data
Look at the various types of data processing you carry out, then identify and document your legal basis for each. This will include speaking to colleagues across the school.
Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
The GDPR states that consent must be obtained from the parents of pupils under the age of 13; above that age, the child can give their own consent. Consider how, and whether, this will work in your school.
- Data breaches
Ensure you understand what a data breach is and that you have the right procedures in place to detect, report and investigate one. Do other people know what to do?
- Data protection by design and data protection impact assessments
Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments and how and when to implement them in your school.
- Data Protection Officer (DPO)
Designate a data protection officer or someone to take responsibility for compliance and assess where this role will sit within your school’s structure and governance. The DPO must be impartial and can be someone from outside of the school.
If your school operates internationally, you should determine which data protection supervisory authority you come under.
How we can help
At Data Protection Education, we can support your school and staff to understand their responsibilities and ensure you comply with the new regulation. We offer three levels of training and support, and our gold package includes the provision of a data protection officer. Read more about the packages here or call us to talk about which package is most suitable for your school.