- Written by James England
Preparing for the General Data Protection Regulation (GDPR)
There is much you can do to begin preparing for the new regulation. In doing so, you can be confident you are meeting the current Data Protection Act (DPA), which in turn leaves you better prepared for the GDPR.
Both the DPA and the GDPR relate to the personal data you collect and store about pupils and their families as well as staff data.
- What data are we collecting?
Audit what data you are collecting across the school: where it is held, how it is collected and what is collected. Whilst most data is collected and held within your management information system, other software across the school also collects and holds data. Delegating parts of the audit to teaching and non-teaching staff will help you to identify areas of the school that need additional support as you work towards being GDPR compliant.
- Why are we collecting it?
To meet the GDPR, the data you collect must be adequate, relevant and limited to what is necessary for the purpose you collect it for. Consider whether this is the case for everything you are collecting. This also applies to historical data you hold on past pupils and staff: if there is no longer a reason to keep it, it should be securely deleted.
- Have people consented to it being collected?
Have your pupils, parents and colleagues agreed to you collecting the personal data you hold on them? Where you rely on consent, the GDPR requires it to be freely given, specific, informed and unambiguous (and explicit for special category data such as health information), so consider how you are currently gathering consent and where the gaps are. Everyone must be told how you are going to use the data they are providing to you, and you may only use it for those purposes.
From your audit, you can begin to build an action plan to be ready for May 2018. The action plan will raise questions such as training and development priorities, how to ensure you are asking for the correct consent, and which data you should no longer be collecting. Remember that on 25th May 2018 your school must be compliant, not still working towards compliance.
- Written by James England
As part of the current Data Protection Act, you will already have clear policies and procedures for collecting and handling data in your school. All of this will help you to prepare for the more stringent GDPR.
This checklist has been adapted from the Information Commissioner’s Office (ICO) guidance so that it relates to your school context.
- Awareness
Ensure your senior team, governing body and other key people are aware that the law is changing to the GDPR. They need to understand the impact this is likely to have on the school and on how they work. Tip: include GDPR as a fixed item on meeting agendas for governors and the senior team.
- Information you hold
Document the personal data you hold, where it came from and who you share it with. Carry out a whole-school information audit and include pupil, parent and staff information. This includes non-electronic information such as print-outs as well as information held on memory sticks and other devices. If data is held electronically, is it password protected and encrypted? If it is held on paper, is it held securely and appropriately?
- Communicating privacy information
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights
Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data on request and how you would provide a copy of someone's data electronically in a commonly used, machine-readable format.
- Subject access requests
Update your procedures and plan how you will handle requests within the new timescales and provide any additional information. Under the GDPR you will normally have one month to respond, rather than the 40 days allowed under the DPA, and you can no longer charge a fee in most cases. Rehearse a subject access request to check that you can locate, collate and redact the information within that month.
- Legal basis for processing personal data
Look at the various types of data processing you carry out, then identify and document your legal basis for each. Consent is only one of the available bases; much routine school processing will rest on a legal obligation or a public task instead. This will involve speaking to colleagues across the school.
Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
For online services offered directly to children, the GDPR requires parental consent for children under 16, and the UK has chosen to lower that age to 13; above that age the child can give their own consent. Consider how and whether this will work in your school.
- Data breaches
Ensure you understand what a data breach is and that you have the right procedures in place to detect, contain, report and investigate one. Under the GDPR, breaches that put individuals' rights at risk must be reported to the ICO within 72 hours of becoming aware of them, so everyone handling data needs to know who to tell and how quickly. Do other people know what to do?
- Data protection by design and data protection impact assessments
Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments (called Data Protection Impact Assessments under the GDPR), and decide how and when to carry them out in your school. They become mandatory for processing that is likely to be high risk, for example introducing a new biometric or CCTV system.
- Data Protection Officer (DPO)
Designate a data protection officer or someone to take responsibility for compliance, and assess where this role will sit within your school's structure and governance. The GDPR requires public authorities, which include schools, to appoint a DPO. The DPO must be impartial, must not be in a role that decides how personal data is used, and can be someone from outside the school.
If your school operates internationally, you should determine which data protection supervisory authority you come under.
How we can help
At Data Protection Education, we can support your school and staff to understand their responsibilities and ensure you comply with the new regulations. We offer three levels of training and support and our gold package includes the provision of a data protection officer. Read more about the packages here or call us to talk about which package is most suitable to your school.