The importance of GDPR compliance

With many schools remaining oblivious to their lack of compliance, Lynne Taylor – founder and co-CEO of GDPR in Schools – outlines where education institutes are going wrong

It’s been just over two years since the UK Data Protection law had a radical overhaul to incorporate the EU GDPR. Since then, schools have been working diligently to ensure the correct procedures are followed for the protection of their students and staff. Schools should continue with this good practice, but a lot more needs to be done.

Appointing a DPO

The first thing schools and MATs must do is appoint a Data Protection Officer (DPO). In terms of who should take on the role, it can’t be the headteacher, business manager or anyone on the senior leadership team (that would be like marking your own work). They must be an independent person who understands school personal data and potential risks.

Many people ask me whether this means the DPO holds responsibility for GDPR compliance in the school or MAT. The answer is no. The DPO role is purely advisory; the school or MAT is the data controller, which makes the organisation 100% responsible for data protection. For this reason, the most senior level of governance in the organisation, whether the governing body or the board of trustees, holds overall responsibility.

It’s also important that schools pay the data protection registration fee. Non-payment of this fee has already resulted in fines.

Get everyone on board

Regardless of who holds overall responsibility, it’s vital that all staff are fully trained to ensure they understand the necessary procedures and protocols. This doesn’t just apply to teachers, but includes support assistants, office staff, kitchen staff, cleaners and the caretaker. In fact, anyone who works at your school who can potentially access personal data must understand their responsibilities. But remember – training must be tailored for each individual’s role and areas of responsibility.

Secure disposal of data, whilst important, is less key than building your record of processing activity, including evidence of what you’re processing, why, where it’s stored, and so on. If anyone who shouldn’t have access to this information gains access somehow, the school’s governing body becomes liable.

At all times evidence – evidence – evidence. Evidence is vital.

The next question to ask yourself is whether you have carried out a DPIA (Data Protection Impact Assessment) for every process in your school that uses personal data. The most obvious systems that require a DPIA include any dealing with biometrics (cashless catering and payments), recording images and audio (CCTV), behaviour and medical information (safeguarding and disclosures) and, of course, your management information system or learning platform. Before any new project or process is introduced, you should carry out a DPIA; this is a key part of your accountability obligations under the GDPR. It’s easy to consider only the data on your internal school systems, but don’t forget the systems held by external suppliers. They are obliged to process data according to your instructions.

And finally, you’re not expected to be perfect. You will experience a data breach at your school. What’s important is that you must inform the affected individuals and investigate the breach, and this must be done within the strict time allocation of 72 hours. Looking at this positively, your school becomes a safer place because you learn from your mistakes. You should also inform the ICO, who will consider this a positive learning experience.

I hope this information gives you a little more insight into what you need to do to become and remain compliant and improve data safety in your school as part of your safeguarding procedures. If you have any questions or require further advice, please feel free to contact us at GDPR in Schools:
