GDPR – One Year On – 6 Key Lessons for Schools?

May 22, 2019
Categories
  • Data Protection Officer
  • Data Security & Encryption
  • GDPR
  • Staff Training & Awareness
Tags
  • data breach
  • data class action
  • data protection

This time last year, we were all so very concerned about May 25th and the advent of the GDPR. How was it going to change things? Would schools be inundated with data requests? What would schools have to do? Would it inhibit us from teaching?

A year further on we’ve all learnt a lot: many schools have made big strides, others not so much.

At the DPO Centre we continue our work with over 120 schools and have seen that, by using a structured approach, small changes can make a big difference very cost effectively and without disrupting everyday school life.

In this blog we share six of the main lessons we’ve learnt and include simple tips you can implement in your school too.

But first, we start with a brief overview of the data schools use and what the GDPR says.

Personal data used by schools

The first thing to recognise is that whilst you store and process personal data in lots of different ways, all schools face essentially the same issues – so you are not alone.

Broadly speaking, we’ve found each school processes personal data in these areas:

    • Educational software – SIMS, ScholarPack, Arbor etc.
    • Teaching – children’s workbooks, lesson plans, wall displays and name badges
    • Sensitive data – safeguarding, SEN, medication and medical data
    • Management – finance, administration, employees, DBS checks

Schools also share data with other organisations and individuals including:

    • Local authorities, transport providers, peripatetics, supply teachers, feeder and transition schools, employers and other institutions

And finally the GDPR also covers personal data used in other areas including:

    • Marketing, communications and fundraising

In May 2018, at first sight, managing and being accountable for all this seemed a daunting task for most schools.

What does the GDPR mean?

A lot was written about the GDPR before it was enacted. There was a lot of incorrect and misleading information so it’s worth refreshing our minds about the original intent. The GDPR meant your school must:

    • Be transparent in the way you process personal data
    • Allow pupils, staff members, governors, parents, guardians and suppliers to:
        • Access the data you store on them
        • Ensure it is correct and modify it as necessary
        • Restrict its use or have it deleted (unless needed for legitimate reasons)
    • Understand the data you have in the school, where it is stored and who has access to it
    • Only use data for the stated purpose (detailed in your privacy policy)
    • Keep it no longer than necessary
    • Secure and protect it and only share it lawfully

So bearing this in mind what are the main lessons we’ve learnt?

Lesson 1 – Identifying and Handling Data Subject Access Requests (DSARs)

Parents and pupils have become more aware of their rights to ask about and access the personal data about them that you hold in the school. We’ve seen an increase in DSARs and, unfortunately, some parents use them vexatiously or as a retaliation tool.

DSAR Format

Your staff should know how to identify DSARs and be able to advise people how to make a DSAR.

    • DSARs can be made in any form – they need not specifically reference the GDPR and can be initiated based on anything from a verbal request in the classroom to a formal letter

Verification

    • Make sure the requestor has a right to the information they ask for and is who they say they are. Ensure requests, particularly those made remotely by email, phone call or letter, are verified before being actioned.
    • Be aware of family complexities. Only people with legal guardianship or pupils themselves have a right to pupil data. Providing personal data to the wrong person is a breach.
    • Generally the GDPR sets a time limit of 1 month to respond to a DSAR – though the clock doesn’t start until the requestor is verified.
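The two points above that catch schools out are that the one-month clock runs from verification rather than receipt, and that “one month” is a calendar month, so a request verified on 31 January is not due on a non-existent 31 February. The following Python is an added example written for this post, not the DPO Centre’s own tooling; the `DsarRequest` structure is constructed for illustration, and the month-end rule (use the last day of the following month when the corresponding date does not exist) is assumed to reflect the ICO’s reading of the time limit and should be checked against current guidance.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import calendar


@dataclass
class DsarRequest:
    """A request as logged by the school office (constructed example structure)."""
    requester: str
    received: date                   # the day the request first arrived, in any form
    verified: Optional[date] = None  # the day identity and entitlement were confirmed


def add_one_month(start: date) -> date:
    """Return the date one calendar month after `start`.

    If the following month has no corresponding day (31 Jan -> February),
    the last day of that month is used. Assumption: this follows the ICO's
    reading of a "one month" time limit; check current guidance.
    """
    if start.month == 12:
        year, month = start.year + 1, 1
    else:
        year, month = start.year, start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(req: DsarRequest) -> Optional[date]:
    """Deadline for the response, or None while the requester is still unverified.

    The clock runs from verification, never from an earlier receipt date.
    """
    if req.verified is None:
        return None
    clock_start = max(req.received, req.verified)
    return add_one_month(clock_start)


def is_overdue(req: DsarRequest, today: date) -> bool:
    """True only once a verified request's deadline has passed."""
    deadline = response_deadline(req)
    return deadline is not None and today > deadline


def days_remaining(req: DsarRequest, today: date) -> Optional[int]:
    """Days left to respond (negative if overdue), or None if not yet verified."""
    deadline = response_deadline(req)
    return None if deadline is None else (deadline - today).days


if __name__ == "__main__":
    # Constructed sample: a request received on 31 January and verified the same day.
    req = DsarRequest("parent of pupil P1001", date(2019, 1, 31), date(2019, 1, 31))
    print("deadline:", response_deadline(req))
    print("days remaining on 20 Feb:", days_remaining(req, date(2019, 2, 20)))
```

Keeping `verified` separate from `received` means an unverified request never acquires a deadline by accident, while still recording how long verification itself is taking, which is worth monitoring because a slow verification step is not a reason to leave a genuine requester waiting.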

Providing Information

Always consider what information you provide in your DSAR response. Make sure personal information relating to anyone else is removed or redacted and ensure any overriding safeguarding considerations are not compromised.

Lesson 2 – Managing Consent and Displaying Data

Whether consent is needed when publishing personal data has been one of the most debated GDPR areas, especially for schools:

    • The first point to make is that some data can be published without consent as long as an alternative lawful basis applies.
    • Where the data is needed to fulfil a school function, the lawful basis would be ‘public interest’. Exam results, for example, can be published in the local paper without consent.

However, consent is likely to be required when publishing audio recordings, pictures or video for wall displays, newsletters, press articles, social media, websites or brochures. Where required, consent must be freely given and granular before data is displayed.

Lessons we’ve learnt are that you should make sure:

    • Consent is adequately recorded
    • Consent forms are detailed and “granular”
    • Forms specifically identify the activities for which consent is being given
    • You avoid obtaining consent for “all activities that show the school in a good light”

And remember, consent must be able to be removed as easily as it was given.

Lesson 3 – Data Retention

We’ve seen many schools that collected data they don’t actually need and then hoarded it either as paper records or (as we often hear) because it can’t be deleted from SIMS.

The GDPR provides an opportunity for a good clean out, remembering that personal data must only be held for as long as it’s needed to fulfil the purpose.

So some of our lessons learned are:

    • Make sure you have a clear retention policy in place
    • Delete and dispose of data in line with the policy
    • Don’t forget the GDPR applies to employee as well as pupil data
    • Remember you can delete information from SIMS!

Implementing a retention policy and having a data clear out reduces the quantity of data you store, process and manage, makes it easier to retrieve the data you do need, reduces the overhead of responding to DSARs and minimises the potential risk should you ever experience a breach.
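A retention policy only reduces what you hold if something actually checks records against it. The Python below is an added example written for this post, not a DPO Centre tool; the retention periods, record types and sample records are constructed placeholders (a school takes the real figures from its own schedule), and the `on_hold` flag models the page’s point that data still needed for a legitimate reason, such as an open DSAR or safeguarding case, is not deleted even when its period has expired.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed retention schedule: years to keep each record type after its trigger event.
# The figures are placeholders for the example, not a recommended schedule.
RETENTION_YEARS: Dict[str, int] = {
    "attendance_register": 3,   # trigger: end of the academic year
    "pupil_file": 7,            # trigger: pupil leaves the school
    "staff_file": 6,            # trigger: employee leaves
    "dbs_check_record": 1,      # trigger: date of the check
}


@dataclass
class Record:
    record_id: str
    record_type: str
    trigger_date: date          # event from which the retention period is counted
    on_hold: bool = False       # still needed, e.g. for an open DSAR or safeguarding case


@dataclass
class Disposition:
    record_id: str
    action: str                 # "retain", "dispose", "hold" or "unclassified"
    keep_until: Optional[date]


def add_years(start: date, years: int) -> date:
    """Same month and day `years` later; a 29 Feb trigger falls back to 28 Feb."""
    try:
        return start.replace(year=start.year + years)
    except ValueError:
        return start.replace(year=start.year + years, day=28)


def retention_end(rec: Record) -> Optional[date]:
    """End of the retention period, or None if the type has no policy entry."""
    years = RETENTION_YEARS.get(rec.record_type)
    return None if years is None else add_years(rec.trigger_date, years)


def review_retention(records: List[Record], today: date) -> List[Disposition]:
    """Classify every record; nothing is silently dropped or silently kept."""
    result: List[Disposition] = []
    for rec in records:
        end = retention_end(rec)
        if end is None:
            action = "unclassified"   # no policy entry: decide and add one, do not guess
        elif today <= end:
            action = "retain"
        elif rec.on_hold:
            action = "hold"           # period expired but a legitimate need remains
        else:
            action = "dispose"
        result.append(Disposition(rec.record_id, action, end))
    return result


def due_for_disposal(records: List[Record], today: date) -> List[str]:
    """IDs that the policy says should now be deleted or shredded."""
    return [d.record_id for d in review_retention(records, today) if d.action == "dispose"]


# Constructed sample inventory for the example.
SAMPLE_RECORDS = [
    Record("R1", "attendance_register", date(2015, 7, 31)),
    Record("R2", "pupil_file", date(2015, 7, 31)),
    Record("R3", "staff_file", date(2012, 8, 31), on_hold=True),
    Record("R4", "old_spreadsheet", date(2010, 1, 1)),
    Record("R5", "dbs_check_record", date(2016, 2, 29)),
]

if __name__ == "__main__":
    for d in review_retention(SAMPLE_RECORDS, date(2019, 5, 22)):
        print(f"{d.record_id} {d.action:12} keep until {d.keep_until}")
```

The “unclassified” outcome is deliberate: a record type with no entry in the schedule is exactly the hoarded data the lesson describes, and surfacing it for a decision is safer than defaulting to either deletion or indefinite retention.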

Lesson 4 – Sending Personal Data

It’s often stated that 80% of personal data breaches are due to human error.

The biggest potential causes of a breach are emailing data and storing data on local computers. As humans, we click the wrong buttons, get duped by phishing emails, leave PCs logged in, share logins for convenience, use simple passwords (or none at all) and send data to the wrong address by mistake – the list goes on….

School staff are increasingly inundated with emails, both internally and from pupils and parents. Remember email is not as secure as you think, particularly when attachments hold sensitive information.

For example, sending an email from Microsoft Outlook to another Outlook user is secure, but if the receiver is using a different system, it isn’t.

So simple lessons learnt about sending personal data include:

    • Avoid downloading reports and storing attachments locally
    • Provide file sharing links (using the likes of OneDrive) rather than using attachments
    • Make sure attachments don’t contain unnecessary data
    • Try to use secure portals rather than email
    • Keep a training record which your DPO can monitor

Staff training makes a critical difference in reducing human error. Face-to-face training for staff and new recruits, followed by at least annual refreshers, is a huge help; refreshers can be delivered online and take only 20 minutes.

Lesson 5 – General Data Security

The fifth lesson applies to organisations of all types but is no less important for your school.

Your records contain sensitive, high risk data so, whilst your school may not be “hi-tech”, general data security is still very important. Lesson 5 outlines some simple measures that schools we work with have implemented:

    • Make sure your server is securely located in a physical location with restricted access
    • Use encrypted, password protected databases and electronic records and ideally use systems that enable access to be logged and give a historical view of who saw what and when. Without logs you’re less likely to know if you’ve been hacked or the data accessed inappropriately
    • Restrict access to only the relevant staff members
    • Avoid staff downloading data from electronic records (PDF, CSV) and, if they do download, ensure files are saved to network drives rather than PCs or mobile devices
    • Use secure email for attachments containing sensitive (e.g. safeguarding and SEN) data
    • Shred paper copies using a minimum DIN 66399 level 3 cross cut shredder. If you use a 3rd party for shredding, request and store the certificates of destruction
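The second measure above, access logging that gives a historical view of who saw what and when, is only useful if someone reviews the log. The Python below is an added example for this post and not a DPO Centre tool or the log format of any real school system: the log columns, the role-to-record-type policy and the sample lines are all constructed assumptions. It applies three checks a DPO or office manager might run over an export of the access log: access to a record type the user’s role is not permitted to open, access outside school hours, and one user exporting many records in a short window.

```python
import csv
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from typing import Dict, List, Set

# Constructed sample log. The column layout is an assumption for this example,
# not the format of any particular school MIS or records system.
SAMPLE_LOG = """\
timestamp,user,role,record_type,pupil_id,action
2019-05-13T08:45:12,a.smith,teacher,attendance,P1001,view
2019-05-13T09:02:40,j.doe,office,medical,P1002,view
2019-05-13T09:10:05,j.doe,office,safeguarding,P1003,view
2019-05-13T12:31:00,k.lee,senco,sen,P1004,view
2019-05-13T22:15:44,a.smith,teacher,attendance,P1001,view
2019-05-13T13:00:01,m.khan,office,attendance,P1001,export
2019-05-13T13:01:15,m.khan,office,attendance,P1005,export
2019-05-13T13:02:30,m.khan,office,contact,P1006,export
2019-05-13T14:20:09,r.patel,dsl,safeguarding,P1003,view
"""

# Which record types each role may open: an assumed least-privilege policy.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teacher": {"attendance", "assessment"},
    "office": {"attendance", "contact", "medical"},
    "senco": {"attendance", "sen"},
    "dsl": {"attendance", "safeguarding", "sen", "medical"},  # designated safeguarding lead
}
SCHOOL_HOURS = (7, 19)   # accesses outside 07:00-19:00 get a second look
EXPORT_THRESHOLD = 3     # this many exports by one user in the reviewed window is flagged


@dataclass
class Finding:
    kind: str      # "outside_role", "out_of_hours" or "bulk_export"
    user: str
    detail: str


def parse_log(text: str) -> List[dict]:
    """Read the CSV export and turn the timestamp column into datetime objects."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows: List[dict]) -> List[Finding]:
    """Run the three checks; an unknown role is allowed nothing, so it is always flagged."""
    findings: List[Finding] = []
    exports: Counter = Counter()
    for row in rows:
        allowed = ROLE_PERMISSIONS.get(row["role"], set())
        if row["record_type"] not in allowed:
            findings.append(Finding("outside_role", row["user"],
                                    f"{row['role']} opened {row['record_type']} for {row['pupil_id']}"))
        hour = row["timestamp"].hour
        if not SCHOOL_HOURS[0] <= hour < SCHOOL_HOURS[1]:
            findings.append(Finding("out_of_hours", row["user"],
                                    row["timestamp"].isoformat(timespec="minutes")))
        if row["action"] == "export":
            exports[row["user"]] += 1
    for user, count in exports.items():
        if count >= EXPORT_THRESHOLD:
            findings.append(Finding("bulk_export", user, f"{count} exports"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings by kind, for a quick weekly summary."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG)):
        print(f"{f.kind:13} {f.user:10} {f.detail}")
```

On the sample lines this flags the office user opening a safeguarding record, a teacher viewing attendance late in the evening, and one user exporting three records in a couple of minutes. None of these is proof of wrongdoing, but each is the kind of event the page says you cannot see at all without logs, and each maps back to a lesson on this page: restricting access to relevant staff, and avoiding local downloads of electronic records.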

Passwords are a whole subject in themselves but here are some general guidelines:

    • Avoid shared school passwords that everyone knows and uses
    • It’s better to use complex passwords containing letters, numbers and extended characters with password managers such as LastPass
    • Rather than changing passwords regularly, change them when staff leave

Lesson 6 – Don’t Forget your internal personal data

Understandably, in schools, the focus is put on protecting pupil data, but schools are significant employers. All HR, occupational health, finance, payroll and pensions information contains personal data (much of it sensitive) so it’s important not to forget that you need to protect it appropriately.

Because of safeguarding, schools are one of the few organisations permitted to process criminal records data. DBS / criminal records data requires specific protection so you should take extra care and ideally encrypt it.

Protecting employee data is a subject for another blog in itself, so for the time being Lesson 6 is simply to remember that staff data is as important as that of pupils.

Data Protection Officers and their role

Data protection isn’t a one-shot deal and it’s important to continuously monitor, reinforce and improve your data protection practices. As public bodies, schools are required by law to appoint a Data Protection Officer (DPO) whose role it is to:

    • Inform and advise
    • Monitor compliance
    • Ensure data protection is considered “by-design”
    • Be the contact point for data subjects and regulators
    • Act for the interests of the Data Subject, more so than the organisation

For many schools, the best and most cost-effective solution is to outsource the role to an expert 3rd party, rather than to appoint an in-house DPO.

Summary

The DPO Centre works with over 120 schools and educational establishments in both the state and private sectors. We also work with specialist SEN schools and several large further education colleges.

We’ve accumulated extensive knowledge in this sector and these are the top 6 lessons we’ve identified. There are others that didn’t quite make the top six including managing school websites, marketing, sharing data with third parties and taking personal data off the school site. If you have concerns in these areas then please contact us.

The good news is there is much commonality between different schools. Our schools’ service has been developed specifically with this in mind and is an extremely cost-effective way of embedding and maintaining data protection practices in your school.

If you would like to discuss more then please contact us.
