GDPR: Is your school compliant? Fewer than half are!
Posted on: 23rd May 2019 by: John McCaul
New research findings released by RM Education and Trend Micro show fewer than half of UK schools and colleges (48%) believe that they are fully GDPR compliant. John McCaul, ANME Member, IT Manager & GDPR Project Lead at Holy Trinity Catholic School, offers a quick-fire GDPR guide to ensure your school has a strategy in place to be fully GDPR compliant.
At the time of writing this article (almost one year on, to the day), it’s saddening but not shocking that, according to the TES, “half of schools are not fully compliant”. Without additional resource, it’s clear Sir Bob Geldof understands the additional stress and strain compliance has put on UK schools and the education sector in general… but will the ICO, and what can you do to tackle the issue?
Never has such an important piece of legislation disrupted both the private and public sector in terms of compliance and governance. Not since the “Millennium Bug” have we seen such widespread pandemonium across all industries. The thing is, GDPR did not stop on 25th May 2018. It’s well and truly here to stay and will continue to protect us all, but at least the torrent of “can we still keep sending you emails” emails has started to subside.
In May 2018, according to Forbes.com, “Over the last two years alone, 90% of the data in the world was generated”, so this rapid change in technology and in how data is obtained, stored and processed has far surpassed the DPA of 1998. Whether you’re a multi-national, multi-billion corporate technology company or a small primary school down the road, the law applies to everyone. So if you’re a UK school and find yourself in the other 50%, on the wrong side of the law, hopefully this guide will help you down the path of GDPR compliance and reach the pot of gold at the end.
“Get Data Put Right” is a great way to simplify what GDPR stands for. Like the seven stages of grief (some of your work colleagues may view GDPR as a form of this!) the following seven stages of compliance should get you well on the way to where you need to be.
The first stage is Discover – find out where all your data (paper and electronic) is for both staff and students. Set up a working party amongst key members of staff, assign stakeholders and designate areas of responsibility. The Governors/SLT will need to decide, approve and appoint an appropriate DPO. If this is an existing member of staff, it needs to be someone who does not have any conflict of interest in their day-to-day role. Designate internal IAOs (Information Asset Owners), e.g. Office Manager, Data Manager, DSL, Attendance Officer, IT Manager etc., to start creating IARs (Information Asset Registers) for their areas of expertise. In this modern age, data is an asset.
The second stage is Map – create a dataflow path for the school – where does data come into the school, where does it go out? How is it used, who handles it, and how is it processed within the school? Who does the school then share this data with, are there agreements in place and what is their GDPR policy? At this stage, investing in a tool and wrap-around service such as GDPRiS from www.gdpr.school would be a wise and recommended move (other GDPR service providers are also available!). They offer great advice on their website and have lots of useful free resources to use, including posters to place around school to help raise awareness. After discovery, get the working party to meet back up and report their findings, and focus on exactly who has access, to what data, why they have access, and how long it is required. That way, you can paint the whole-school picture and build up a dataflow map.
The third stage is Assess – classify your data as you see it – is it public, personal, or sensitive personal data? A significant milestone here is performing Data Protection Impact Assessments (DPIAs). These are just like risk assessments for a school trip, but instead they relate directly to the data you hold and control in school; seek third-party help from someone like GDPR in Schools (above) if you’re unsure. DPIAs need to be done for old, current and new systems that you may use, be they paper or electronic. Assign a risk level and know your retention periods for all data; use the IRMS Schools Toolkit from the Information and Records Management Society (IRMS). Designate people in your working party to review the data they are responsible for and classify it accordingly.
The fourth stage is Protect – ensure adequate protection is in place to secure both physical and digital data. Some examples of things to consider are software security, encryption of data, lockable filing cabinets, who has keys/access, whether you implement a clear desk policy, how often you change passwords, and whether they are complex enough. Don’t forget to update your CCTV policy too – restrict access to only those who need it, and log all access and retrieval of footage to keep as evidence of compliance.
The fifth stage is Manage – once you know where all your data is, and it’s been secured, it’s essential to keep on top of it. Of all the stages this is probably the most important, as it will feed back into everything you’ve done before and everything you will do in future. Consent will also need to be obtained for using students’ and parents’ data for systems and processes in school (some, but probably not all). Some mandatory data does not require consent, but be careful not to overuse the “public interest/public task” legal basis, and don’t forget your staff either! Statutory requirements and obligations to the DfE and LA may be included here. As mentioned before, having a support partner like GDPRiS that can help and advise on these matters is extremely beneficial – a belt and braces approach to consent is never a bad thing: “It’s better to ask for the earth than to take it”, and the same goes for consent in GDPR. It’s also crucial that the school has an up-to-date privacy notice and data protection policy. GDPR compliance needs to be regularly checked, monitored and reviewed, with any data breaches reported to the ICO immediately, within the new 72-hour window. Records of subject access requests (SARs) need to be kept, and it’s essential to know and apply your retention periods on data. Record the removal and deletion of data for leavers after the retention period has expired. Don’t forget this applies to paper-based “physical” data as well as “digital” data.
The sixth stage is Train – GDPR applies to everyone, and the ICO will want to see evidence of training for all staff, and that it has been undertaken regularly. Let new starters know what your best practice is, e.g. no USB sticks without password protection, and don’t take personal or sensitive data off-site in a briefcase. Educate your students, or “train” them, as part of the curriculum and staying safe online; GDPR is for everyone. You may also need to tailor your training for people in areas of greater responsibility; a one-size-fits-all approach probably won’t cut it with the ICO. Some schools may prefer this as part of INSET; some may prefer to drip-feed little and often, but either way, ensuring everybody knows what they need to be doing is vital. A lot of this will not be new, and some people may think you’re teaching grandma to suck eggs, but “Think! GDPR!” is an excellent way to embrace it.
The final stage is Report – GDPR compliance is not a destination; it’s a journey! Governors and Senior Leaders need to be updated by the DPO regularly to highlight any issues or suggest improvements. Recording what you are doing and why you are doing it, but also where you want to be, is strong evidence of due diligence and compliance, and that’s what the ICO is looking for. At the end of the day, their job is to make sure that the school is being held accountable and is taking responsibility for data seriously.
Whether you’re only just starting off on the GDPR compliance path or you think you’re almost there, it’s important to remember that all schools are unique and not all schools will be in the same place. It would be a very dull education landscape otherwise. Since GDPR came into force, and after reading the most recent ICO advisory visits and audit reports, it’s clear the ICO will not tolerate complacency or ignorance; they expect accountability. They are not here to punish schools; they just want to protect everyone’s data – his, hers, yours, and mine. Approach this in the same way you would any other inventory, for classroom furniture or IT equipment in school, and by the end of it you will hopefully have found the whole process very rewarding. You may even be in awe of how much data your school holds and how well you do it!
ANME Member, IT Manager & GDPR Project Lead at Holy Trinity Catholic School
Written for Education Executive