This time last year, we were all so very concerned about May 25th and the advent of the GDPR. How was it going to change things? Would schools be inundated with data requests? What would schools have to do? Would it inhibit us from teaching?
A year further on we’ve all lot learnt a lot, many schools have made big strides, others, not so much.
At the DPO Centre we continue our work with over 120 schools and have seen that, by using a structured approach, small changes can make a big difference very cost effectively and without disrupting everyday school life.
In this blog we share six of the main lessons we’ve learnt and included simple tips you can implement in your school too.
But first, we start with a brief overview of the data schools use and what the GDPR says.
Personal data used by schools
The first thing to recognise is that whilst you store and process personal data in lots of different ways, all schools face essentially the same issues – so you are not alone.
Broadly speaking, we’ve found each school processes personal data in these areas:
Schools also share data with other organisations and individuals including:
And finally the GDPR also covers personal data used in other areas including:
In May 2018, at first sight, managing and being accountable for all this seemed a daunting task for most schools.
What does the GDPR mean?
A lot was written about the GDPR before it was enacted. There was a lot of incorrect and misleading information so it’s worth refreshing our minds about the original intent. The GDPR meant your school must:
So bearing this in mind what are the main lessons we’ve learnt?
Lesson 1 – Identifying and Handling Data Subject Access Requests (DSARs)
Parents and pupils have become more aware of their rights to ask about and access the personal data about them that you hold in the school. We’ve seen an increase in DSAR requests and, unfortunately, some parents use them to exercise their rights vexatiously or as a retaliation tool.
Your staff should know how to identify DSARs and be able to advise people how to make a DSAR.
Always consider what information you provide in your DSAR response. Make sure personal information relating to anyone else is removed or redacted and ensure any overriding safeguarding considerations are not compromised.
Lesson 2 – Managing Consent and Displaying Data
Whether consent is needed when publishing personal data has been one of the most debated GDPR areas, especially for schools:
However, consent is likely to be required when publishing audio recordings, pictures or video for wall displays, newsletters, press articles, social media, websites or brochures. Where required, consent must be freely given and granular before data is displayed.
Lessons we’ve learnt are that you should make sure:
And remember, consent must be able to be removed as easily as it was given.
Lesson 3 – Data Retention
We’ve seen many schools that collected data they don’t actually need and then hoarded it either as paper records or (as we often hear) because it can’t be deleted from SIMS.
The GDPR provides an opportunity for a good clean out, remembering that personal data must only be held for as long as it’s needed to fulfil the purpose.
So some of our lessons learned are:
Implementing a retention policy and having a data clear out reduces the quantity of data you store, process and manage, makes it easier to retrieve the data you do need, reduces the overhead of responding to DSARs and minimises the potential risk should you ever experience a breach.
Lesson 4 – Sending Personal Data
It’s often stated that 80% of personal data breaches are due to human error.
The biggest potential causes of a breach are emailing data and storing data on local computers. As humans, we click the wrong buttons, get duped by phishing emails, leave PCs logged in, share logins for convenience, use simple passwords (or none at all) and send data to the wrong address by mistake – the list goes on….
School staff are increasingly inundated with internal emails, from pupils and parents. Remember email is not as secure as you think, particularly when attachments hold sensitive information.
For example sending an email from Microsoft Outlook to another Outlook user is secure but if the receiver is using a different system, it isn’t.
So simple lessons learnt about sending personal data include:
Staff training makes a critical difference in reducing human error. Face-to-face training for staff and new recruits followed by at least annual refreshers is a huge help and can be delivered online, and take only 20 minutes.
Lesson 5 – General Data Security
The fifth lesson applies to organisations of all types but is no less important for your school.
Your records contain sensitive, high risk data so, whilst your school may not be “hi-tech”, general data security is still very important. Lesson 5 outlines some simple measures that schools we work with have implemented:
Passwords are a whole subject in themselves but here are some general guidelines:
Lesson 6 – Don’t Forget your internal personal data
Understandably, in schools, the focus is put on protecting pupil data, but schools are significant employers. All HR, occupational health, finance, payroll and pensions information contains personal data (much of it sensitive)so it’s important not to forget that you need to protect it appropriately.
Because of safeguarding, schools are one of the few organisations permitted to process criminal records data. DBS / criminal records data requires specific protection so you should take extra care and ideally encrypt it.
Protecting employee data is the subject of another blog in itself but for the time being, Lesson 6 is therefore simply to remember staff data is as important as that of pupils.
Data Protection Officers and their role
Data protection isn’t a one-shot deal and it’s important to continuously monitor, reinforce and improve your data protection practices. As a public body, schools need by law to appoint a Data Protection Officer (DPO) whose role it is to:
For many schools the best and most cost-effective solution is to outsource the role to an expert 3rd party, rather than to appoint an in-house DPO.
The DPO Centre works with over 120 schools and educational establishments in both the state and private sectors. We also work with specialist SEN schools and several large further education colleges.
We’ve accumulated extensive knowledge in this sector and these are the top 6 lessons we’ve identified. There are others that didn’t quite make the top six including managing school websites, marketing, sharing data with third parties and taking personal data off the school site. If you have concerns in these areas then please contact us.
The good news is there is much commonality between different schools. Our schools’ service has been developed specifically with this in mind and is an extremely cost-effective way of embedding and maintaining data protection practices in your school.
If you would like to discuss more then please contact us.