Five things schools can learn from the ICO GDPR audits

Glen Belfield, director of data destruction company Bioteknik, breaks down the ICO’s school audits, and lists five things that can help with GDPR compliance

GDPR has now been in effect for over a year and the Information Commissioner’s Office (ICO) has released its first school audits.

Most of these audits show that schools are doing a good job of introducing GDPR awareness and working towards a robust data protection strategy. The audits are in no way about penalising schools for not following regulations; instead, they offer specific suggestions as to how schools can bring themselves in line with the regulations as restrictions tighten on non-compliance.




From data destruction to data security, we’ve taken a look through the latest reports and come up with some suggestions as to how schools can work towards improving their audit scores for the future.

The positives

Overall, there was consistent reference to schools’ efforts to raise awareness and inform staff of correct protocol in terms of GDPR. The report mentions most schools audited were satisfactory in their distribution of information through emails, posters and online hubs where staff could find answers to their frequently asked questions.

While awareness is obviously the first step in introducing staff to correct data protection methods, schools then need to ensure that there are clear processes in place and that staff are all aware of when to follow these processes, who to contact and how to complete them properly.

Most schools already audited received a ‘reasonable’ score for training and awareness, showing that education professionals understand the expectations of the GDPR and have started to put proper procedures in place – but there is still room for improvement.


Areas of improvement

The main audit scope areas are:

  • Governance and accountability
  • Data sharing
  • Training and awareness

Each school received mixed results in each of these scope areas, but there were a couple of suggestions which were somewhat consistent. Education professionals should take these into consideration when reviewing their GDPR practices to help improve their audit scores for when the time comes.

Data sharing agreements

When sharing data with partners, the ICO noted that several schools should ensure that all data sharing agreements are logged centrally, securing the sharing of data and avoiding accidental breaches through disorganisation. The ICO recommends that this log include the data being shared, the volume, type and sensitivity of the information and who the data is being shared with.

These sharing agreements should also be regularly reviewed and updated, with responsible staff keeping track of when these reviews should take place, when the data should be destroyed and when the data needs to be retained.

Training needs analysis

The ICO regularly mentioned Training Needs Analysis (TNA) exercises, suggesting that although initial training and awareness were good, regular scrutiny of staff understanding of the regulation should be undertaken, and deeper training provided when necessary.

The ICO also recommends that refresher training be provided each year to keep staff up to date with the development of the regulations and ensure they continue to follow protocol. Key staff should have their training needs assessed and specialist training organised when required.


Training for all staff

The school audits also stress the need for training and awareness for all staff who have access to personal data, including temporary and contract staff. Schools should agree with the providers of these staff what level of training they come to the school with, or look to provide it themselves, to ensure practices are clear and properly followed by all members of staff.

Internal audit functions

Some schools already audited were advised to implement internal audit functions, along with routine compliance checks. As data protection is everyone’s responsibility, this will help ensure processes are followed between audits and that all staff and pupil data is protected to the highest level while being held by the school.

While this may seem like a high expectation for teachers who already have their work reviewed regularly, if the school has simple, clearly explained data protection processes, showing compliance shouldn’t be too much of a drain on teachers’ time.




Data protection leads at each school site

Most of the schools audited were academies with a number of sites. The ICO advises that each site in an academy has a specified data protection lead responsible for monitoring compliance. This should accompany centralised data protection processes and recording to manage the entire academy, but a specified lead at each site will help academies remain compliant by identifying individual requirements for each set of staff and pupils.

By taking the advice of the ICO and ensuring the proper processes are implemented across entire organisations, schools can ensure that their GDPR audits show improved results and the data of staff and pupils is protected, shared and disposed of correctly.