News

Transparency is about being clear, open and honest with your users about what they can expect from you.

We've had a few questions recently about parents and students recording conversations with members of staff, both covertly or overtly without seeking permission. This article only covers recordings made by external individuals, not organisations or individuals acting on behalf of an organisation.

We know the jargon can be confusing. As can the timelines for responding to the various requests that you receive.

Is it a month? Or 30 days? Are those working days?

So here's a little chart to simplify everything:

We've recently had more than one breach reported where physical files have got lost in the post.

In such cases, the sender remains the data controller and is responsible for ensuring that the optimum data security measures are in place during transfer. Where possible, consider whether a physical drop-off (and get a receipt) is a more secure option.

Do I need consent for emergency contacts?

Actually no, and here's why.

We know that we must have a lawful basis for processing any data, and consent is one of the six lawful bases that can be used.

Adapted from: The Irish Data Protection Commissioner

The UK GDPR does not prescribe the exact process for carrying out a DPIA beyond the minimum features outlined above, allowing for flexibility and scalability in line with your organisation’s needs. Although there is no one prescribed approach to take, the following steps can guide you through the process:

We have added publication scheme model templates in the FOI Best Practice area for academies as well as maintained schools.

Difference between the High Level and Detailed Publication Scheme

The Government has provided some guidance on the avoidance of disinformation online.

https://sharechecklist.gov.uk/

What is disinformation?

Disinformation is the deliberate creation or dissemination of false and/or manipulated information

In light of recent ICO reprimands to schools it is important schools remember best practice for managing photos. The formal legal warnings issued by the ICO recently to schools both related to the processing of photos where no consent had been given. 

We've just published two new drip-feeds for printing off a circulating to staff on recognising and responding to subject access requests.

The Data Protection Officer (DPO) can provide support in many areas but are you aware of what we do help with?

There are some more well-known areas of data protection that we would be called upon to advise such as subject access requests and breaches but DPO’s don’t only provide advice and support when things go wrong,

Updated operational guidance has been produced by Public Health England for local commissioners and schools on running the national child measurement programme (NCMP)

Please ensure that you register DPE as your DPO with the Information Commissioner's Office. To do so:

To add a Data Protection Officer (DPO) email This email address is being protected from spambots. You need JavaScript enabled to view it. with the subject line ‘Add a DPO’ and include:

We've released version 1 of the Compliance Manager tool.

What is it?
The Compliance Manager allows you to assign any document to staff and enable the following interactions

or

Any standard document type can be uploaded and interactions selected. Then select the users to assign the document too and a date by which the users should have responded.

From the Information Commissioner's Office blog:

A former headteacher has been fined in court for unlawfully obtaining school children’s personal data from previous schools where he worked.

 By changing the culture of email use within an organisation will not only benefit the organisation towards GDPR compliance and beyond, it will also save a significant amount of time by reducing staff workload and hopefully support staff wellbeing too.